*Warning to founders/business: elaborate crypto drain ring*
We are a German business (cosmetic products) that received an email offering a potential partnership out of the blue. They said they were the middle-man for a client who would pay a large sum for the products (retail price), and then they would receive their commission from us (but only in crypto). So we would get wired a large amount, and we would have to send them their commission. Later we learned they wanted this commission in crypto. They first impersonated a real company in the UK with this email signature, but a Spanish number which was odd:
Mr. Russell Morris
Mrs. Emma L. Morris
Dream Property Holdco Limited
Barn Cottage, Botany Lane, Lepton HD8 0NE, Huddersfield England
Company number: 10638851
Phone: +34 610 757763 (also via WhatsApp)
Email: [email protected]
The company registration matches real directors and a real address, but the email domain and phone number do not match anything on record. The first thing that gave it away was that the domain dream-property-holdco.com showed only a "coming soon" placeholder. Holding companies like this often lack public-facing operations, focusing instead on internal asset management. This absence of a public presence makes it easier for fraudsters to impersonate them. Legitimate micro-companies rarely register long, hyphenated domains matching their exact legal name just for email.
They then referred us to this company to "work out the details" of the contract with another impersonated company "CFT Swiss":
https://www.cft-swiss.com/
Once again, the domain was registered on October 18, 2025 and is hosted in Lithuania, not Switzerland (hence the ludicrous "-Swiss.com" domain). The real company is Compagnie Financière Tradition (CFT), a massive Swiss interdealer broker. Their legitimate website is tradition.com. The names on the website were a mixture of real and fake people:
| Name | Status | Evidence | Verdict |
| --- | --- | --- | --- |
| Roger Krause | STOLEN IDENTITY | Real CFT Management AG director | Identity theft |
| Maximilian Krause | FAKE | No connection to Swiss finance | Fabricated |
| Ioannis Petropoulos | FAKE | Real Geneva eye surgeon, but no billionaire investor | Identity theft |
| Sebastian Krause | FAKE | No connection to CFT/finance | Fabricated |
| Nikos Petropoulos | FAKE | No Swiss finance connection | Fabricated |
| Alexander Tehlei | FAKE | Zero existence anywhere | Completely invented |
| Hans Muster | PLACEHOLDER NAME | = "John Doe" in German/Swiss | Placeholder name from the template they used |
| Natalie Schreiber | FAKE | No Swiss wealth management | Fabricated |

Both of these domains were registered with HOSTINGER operations, UAB, which has since taken them down and provided the registration information to the Swiss and Spanish police.
Eventually, after months of long calls, they wanted to meet suddenly in Barcelona. The urgency came from them wanting to spend the funds by the end of the year. Several people were involved with this scam, supposedly a father and son included. We met a German-speaking middle-aged man who spoke fluent German (he claimed to be half Greek, half Swiss but probably Albanian or Serbian) and claimed to be the son of the man we were supposed to meet with. We luckily snuck a picture at the meeting, and have sent this picture to the Spanish and Swiss authorities. He spoke fluent German but did not have a specifically Swiss accent, another mismatch in his story.
They wanted their fee to be in crypto. He swore he had been scammed so many times, and wanted to confirm the wallet had the coins (that the bank actually allowed our transfer).
A week later, they tried to pressure us live on a Google Call to follow a QR code to "confirm the account". It was a picture of another phone that had the QR code displayed. Very sketchy to begin with, since this is obviously done to mask the metadata trail. We stripped the code using a safe QR decoder:
wc:387b98840d043403e7d640f47622b1cb415ad5c2a8dc3e71ae30b31b0e696401@2?relay-protocol=irn&symKey=3ca831d23b3529a0fdec57d6a3bb837bb32c93e4e6d9862c2ed0b3f711188639&expiryTimestamp=1767022423
You can see they removed the Security Method from the WalletConnect URI, allowing their next fake DApp request for 1 USDC to actually allow unrestricted access. So it would look like we are sending only one coin, but in reality it would drain the account.
Their attack had two stages:
↓ Stage 1: WalletConnect URI (The Connection) This has the security parameters stripped out, but otherwise perfectly normal.
↓ Stage 2: DApp Approval (The Theft) Here is where they would have us send 1 USDC
After research, this is a variation of a very long history of scammers in Spain targeting Swiss and German companies. The family piece of the story (father/son) might have been true since we were probably dealing with a sub-set or variety of the "Italo-Croatian" Rip Deal Clans. These are large, extended families who are from the Balkans (often Croatia or Serbia) but have lived for generations in Germany, Austria, and Switzerland. This explains why they speak fluent German but often have "Eastern" or "Swiss-mix" accents. They will claim to be Swiss, but are geographically located in places like Spain, where the authorities are less organized.
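An added example, not part of the original post: a Python parser that splits a decoded WalletConnect pairing URI, such as the one quoted in the post above, into its fields offline, so a recipient can see what the QR code contains before any wallet touches it. The function names are hypothetical, and the `methods` and `relay-data` parameter names and the 64-hex-character topic and key lengths are assumptions taken from the public WalletConnect v2 pairing URI format.

```python
import re
from datetime import datetime, timezone
from urllib.parse import parse_qs

# The URI exactly as decoded from the QR code in the post above.
POSTED_URI = (
    "wc:387b98840d043403e7d640f47622b1cb415ad5c2a8dc3e71ae30b31b0e696401@2?relay-protocol=irn"
    "&symKey=3ca831d23b3529a0fdec57d6a3bb837bb32c93e4e6d9862c2ed0b3f711188639&expiryTimestamp=1767022423"
)
# Parameter names assumed from the v2 pairing URI format (see lead-in).
KNOWN = {"relay-protocol", "relay-data", "symKey", "methods", "expiryTimestamp"}
HEX64 = re.compile(r"[0-9a-f]{64}")

def parse_wc_uri(uri):
    """Split a pairing URI into fields. Pure string work: nothing is contacted."""
    if not uri.startswith("wc:"):
        raise ValueError("not a wc: URI")
    head, _, query = uri[3:].partition("?")
    topic, sep, version = head.partition("@")
    if not sep or not version.isdigit():
        raise ValueError("missing @<version>")
    params = {k: v[-1] for k, v in parse_qs(query, keep_blank_values=True).items()}
    exp = params.get("expiryTimestamp", "")
    return {
        "topic": topic,
        "version": int(version),
        "relay": params.get("relay-protocol"),
        "sym_key": params.get("symKey"),
        "methods": params.get("methods"),
        "expires_utc": datetime.fromtimestamp(int(exp), tz=timezone.utc).isoformat()
        if exp.isdigit() else None,
        "unknown_params": sorted(set(params) - KNOWN),
    }

def review(f):
    notes = []
    if f["version"] != 2:
        notes.append("unexpected protocol version %s" % f["version"])
    for name in ("topic", "sym_key"):
        if not HEX64.fullmatch(f[name] or ""):
            notes.append(name + " is not 64 hex characters")
    if f["methods"] is None:
        notes.append("no methods parameter present")
    if f["unknown_params"]:
        notes.append("unrecognised parameters: " + ", ".join(f["unknown_params"]))
    if f["expires_utc"]:
        notes.append("pairing offer expires " + f["expires_utc"])
    notes.append("no chain, account, token or amount appears in the URI")
    return notes
```

Calling `review(parse_wc_uri(POSTED_URI))` lists the observations for the posted URI; the fields that decide what a wallet is asked to approve are not in the QR code at all, so they have to be read from the wallet's own prompt.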