The Telegram DM that almost worked

August 2025. A holder in Austin gets a DM on Telegram from @Binance_Support_US, complete with a verified-looking shield icon and 14,000 followers. The opening line: "We detected a suspicious login from Lagos on your account. To freeze the session, please verify your wallet via our security bot." The bot then asks for the 12-word seed phrase.

The holder lost 47,000 USDT in under nine minutes. The phrase went into the "bot," which was a human operator running a hot wallet drainer.

The five tells, in order

  • Binance never DMs first. Real Binance.US support replies only through the in-app ticket system at binance.us/support. Any unsolicited Telegram or WhatsApp message claiming to be Binance is a scam, regardless of the username.
  • Verified shields can be bought. Telegram's blue check requires only a paid Premium subscription plus a name match — it does not verify business legitimacy.
  • "Security bot" + seed phrase is impossible. No legitimate exchange will ever ask for your seed phrase. Coinbase, Kraken, Gemini, and Binance.US all state this explicitly in their security pages.
  • Urgency language is the giveaway. "Freeze in 10 minutes or funds are lost forever" exists to short-circuit the part of your brain that would otherwise check the URL.
  • Follower count is theatrical. Scam channels buy 10,000–50,000 fake followers in a single batch to look established. Cross-reference against Binance's own official channel list at binance.com/en/community.
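
The tells above can be turned into a triage check for inbound DMs, for example in a community moderation bot. This is an added example, not code from the original post; the message dict schema, the brand list, and the phrase patterns are assumptions made for illustration, and the sample messages are constructed from the scenario described on this page.

```python
import re

# Assumption: illustrative brand list and phrase patterns, taken from the examples on this page.
EXCHANGE_BRANDS = ("binance", "coinbase", "kraken", "gemini")
SEED_REQUEST = re.compile(
    r"\b(seed|recovery|secret|mnemonic)\s+(phrase|words?)\b|\b(12|24)[- ]word\b", re.I)
URGENCY = re.compile(
    r"\b(within|in)\s+\d+\s+(minutes?|hours?)\b|\bimmediately\b|\blost forever\b"
    r"|\bsuspicious login\b|\bfreeze\b", re.I)

def triage_dm(msg):
    """Return the tells that fire for one inbound DM (hypothetical dict schema)."""
    text = msg["text"]
    claims_exchange = any(
        b in (msg["sender_name"] + " " + text).lower() for b in EXCHANGE_BRANDS)
    tells = []
    # Tell 1: exchange support does not open a conversation.
    if claims_exchange and not msg["user_messaged_first"]:
        tells.append("unsolicited_exchange_dm")
    # Tell 3: no legitimate exchange asks for the seed phrase.
    if SEED_REQUEST.search(text):
        tells.append("seed_phrase_request")
    # Tell 4: pressure to act before checking anything.
    if URGENCY.search(text):
        tells.append("urgency_language")
    # Tells 2 and 5: msg["verified"] and msg["followers"] are deliberately never
    # read, because a badge and a follower count are not evidence of legitimacy.
    return tells

def verdict(msg):
    tells = triage_dm(msg)
    if "seed_phrase_request" in tells or "unsolicited_exchange_dm" in tells:
        return "scam"
    return "suspicious" if tells else "no_tells"

# Constructed sample messages modelled on the incident described above.
SAMPLES = [
    {"sender_name": "@Binance_Support_US", "verified": True, "followers": 14000,
     "user_messaged_first": False,
     "text": "We detected a suspicious login from Lagos on your account. To freeze "
             "the session, please verify your wallet via our security bot."},
    {"sender_name": "Security Bot", "verified": False, "followers": 0,
     "user_messaged_first": True,
     "text": "Please enter your 12-word seed phrase to complete verification."},
    {"sender_name": "Sam", "verified": False, "followers": 12,
     "user_messaged_first": False, "text": "Lunch at noon?"},
]
```

The verdict for the first sample is the same whether or not the sender carries a badge or 14,000 followers, which is the point of tells 2 and 5.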

If you already typed the 12 words

Move every asset out of the seeded wallet immediately, in this order: stablecoins first (highest value-per-byte for the attacker), then liquid majors (ETH, BTC, SOL), then long-tail tokens. Create a fresh seed on a hardware device — the old seed is permanently compromised the moment one human has ever seen it. File an IC3 report at ic3.gov; the FBI cannot recover funds, but the report builds the case file for future prosecutions and may help if the drainer wallet later gets frozen at a centralized exchange (CEX).

What I do now

I keep a single line taped above my monitor: "Binance does not DM. Coinbase does not call. Ledger does not email about firmware." Every time I see a message that contradicts that line, it is a scam. No exceptions in three years.