I was looking to make a purchase from someone, but they wanted me to scan/check my wallet address using a website. When I checked it out, the site prompted me to connect my wallet for 'AML security checks.' So I’ve got a few questions:
1- Are these tools really safe? If so, what are some reputable and trusted sites?
2- Why do they ask you to connect your wallet instead of just giving them your address and letting you make a direct payment?
3- If these sites are scams, how do they usually operate?
4- If I had actually connected my wallet before, does that mean they only had access at that time, or is there a lasting effect?
1. If you have to connect your wallet? I would be concerned. Blockchair seem to do that for you when you search for your address (through third party apps), AMLBot also give you one scan for free (through telegram I believe). I'm not sure there are any advanced tools that are free to use.
2. You're asking the right questions.
3. When the service ask you to connect your wallet, you're more likely to confirm or sign a transaction you shouldn't have and that's when the scammer could get access to your funds. (You could be signing a transaction that's sending all of your balance to the scammer's address).
Feel free to share the website so we can confirm this.
It is as simple as what OmegaStarScream posted, do not connect your wallet. Connect noncustodial wallet scam has been very common since more than 2 years ago.
AML check does not have to do with connecting wallet, only the address that you want to check is what that is needed for it, not connecting your wallet.
First of all your wallet shouldnt even be online except thats not your primary wallet for storage. So it been online is actually not safe talk more of connecting to any site. No one can actually gurantee the authenticity of it, because there is possibility of it falling into the wrong hands (hackers).
So my outright answer is, its not safe
A seller and buyer (if p2p) has no business with each others wallet or connection, except youre buying from all this DApps which asks you to connect wallet and it is very dangerous as most of them are for scammers and they can be trick you into sign a transaction that hand overs your wallet details to them. This is same as phishing attacks
Be very careful because most of them are scam, while some AML checker are legitimate, like chainanalysis, Elliptic, both are used by exchange and other regulated institutions, but does not require your wallet connection, any site or services that ask you connect your wallet is a big red flag sign, because their have full access to control your wallet the moment you have it connected to their service.
If he connects his wallet, the next step is the scammer to only trick him to sign a transaction on the wallet and his money gone just like that. It is good that he asked the question on this forum, else he would have been scammed. But we can not conclude that this is the same as phishing attack if we did not know how the scam began. If ALMN searched for it online and see the scam site or if he is the one that looked for the scammer, it is not a phishing attack.
Hell nah, that's suspicious AF. Never connect your wallet to those sites. Honestly, if you have connected, whether you have leftover funds or nah, always assume it is compromised and abandon the walletmove funds to a safe wallet if any.
You could also use bitmixlist's AML checker, this is made my someone reputed on bitcointalk, see their thread: https://bitcointalk.org/index.php?topic=5477452.0
It is not free but still at cheap price IMO. Probably has better privacy terms too as oppose to other means who probably tracks your IP and browser fingerprints.
1. I use a tool once that's being used by other members here too but it didn't require me to sign anything. I think they're safe if you don't have to actually sign with anything. Check @btc_aml_bot on telegram, they are 100% safe and legit.
2. Because they are scam and they might want to inject or hack your device.
3. I think that signing stuff is a bit sketchy, that is a common red flag. I wouldn't dare to be curious more than that by testing it, maybe on a device that you haven't used before and don't have any assets or files that may be compromised after experimenting with that site.
4. Could be both, best to perform a security check (moving funds to a new wallet) or revoking your wallet from that site. Check revoke(.)cash for that.
Thats already shouting scam. Whats the connection between your wallet and their so-called verification. If they really want to check something, it should be based on the address youre using, not by asking you to connect your wallet.
Dont fall for that. The moment you connect your wallet, its basically like saying goodbye to your money.
Its just common sense. We dont even feel safe leaving our funds in exchanges sometimes, so why would you trust an unknown platform asking you to connect your wallet under the excuse of KYC. If you fall for that, youre just putting your funds at risk.
the fact that you are asking these questions before you connect you wallet, you already been suspecting something will happen. there have been incidents like this before where wallet connected to a dapp and the ETH inside the wallet was gone after few minutes of logging in.
sure there are scams like this. the mechanism i believe is that when you login, you input your seed which if you do this, the seed will be saved to a text file somewhere in their server which the malicious user can just login the wallet and swept them all.
The best solution is not to link your wallet to any website you don't trust. However, there are steps you can take to minimize the risk, such as:
- Checking the website using ---> https://www.virustotal.com/
- Linking a new wallet with a small amount, for example, $1, to check if the website is scam.
- Do not link a wallet with a large balance to any unknown website.
Its public blockchain. You don't need access to a wallet to perform anti money laundering checks. You don't even need permission, you have the address, everything is checkable on the blockchain.
For me, there is no reason, and without proof, I would 100% say its a malicious attempt against you.
Check with an actual AML service if you want to understand how it works. Like AMLBot, all they need is an address. Businesses pay per address check.
In my years of trading or reading post about wallets and whatever policies out there that's meant to prevent money laundering activities, I have never come across an AML check that's done via a third party site and your intuition is probably right because this smells like a scam.
It could be a phishing scam that you unintentionally give access to and this could be a money drainer for your hard earned and well kept currency in your wallet.
Don't make the mistake to give permission to approve a trade you didn't initiate even if your wallet asks you to, as long as you are connected with your hardware wallet for the brief moment.
A lot of people are concerned about AML risks today, especially when doing P2P trades. Somebody requesting that you check your wallet before trading wouldnt sound too unreasonable. What does seem strange is that the website would ask you to connect your wallet. Checking the AML score of an address shouldnt require anything more than pasting your address into a text input field and clicking enter. Some services have a Telegram bot where you can submit your address. If that is not enough to get the information you need, then I wouldnt trust that website.
Some websites can detect if you have an active wallet and automatically log you in to their web app. Connecting a wallet to a website is itself not enough to compromise your wallet, but this can be the first step in trying to get you to sign something malicious, revealing your seed, or downloading malware. You should be vigilant and do your research before interacting with a website you know nothing about.
1 it's really hard to say that all are not scam (and I am not seeing any list). Personally I would never make any of this check and moreover connecting anything.
2 Ok its scam
3 They get your money and provide nothing or a very low quality result. Worst, once you connect your wallet, signing a message... you're granting accesso To ALL of your wallets...
4 We don't know what site, and if you haven't already being compromisead sounds legit. Anyway what have you signed once connecting your wallet? They can just watch and wait the right amount on your wallet. Yes I would see as compromised and considering how it could be easy and withouth risk moving assets, I would act IMMEDIATELY in any case.
Thank you all for all helpful responses. Your insights have confirmed my suspicions as CONNECTING WALLET FOR AML IS SCAM.
Regarding the questions some of you asked:
The Website Link: Unfortunately, I don't remember the URL as this happened quite a while ago. I only recalled the incident after seeing a recent comment mentioning AML check tools and decided to ask to understand the mechanics behind it.
The Interaction: I first got in touch with the person via Telegram.
Connecting/Signing: Out of curiosity, I actually went ahead and connected my wallet and signed the transaction. However, I used a completely empty wallet specifically for this purpose just to see what would happen.
Im glad I followed my intuition back then and didn't use my primary wallet. Your explanations about 'signing' vs. 'connecting' and how these scams drain funds were eye-opening. I hope this thread serves as a warning to others who might encounter similar 'AML security check' requests.
Thanks again for looking out for the community!