Phishing Campaign Abuses Incident Management Platform to Impersonate Trust Wallet

Updated
May 20, 2026
Written by
Jan Meiseri

Threat actors are constantly evolving their tactics, and in this recent phishing campaign observed in early 2026, a legitimate incident management platform was misused to increase the credibility of the attack.

How the attack works

The phishing campaign begins with the misuse of a legitimate subscription confirmation email originating from incident.io, an incident management platform used to manage and communicate technical incidents. The email contains a subscription confirmation to a threat-actor-controlled incident status page, impersonating Trust Wallet by using the brand’s name and imagery (Figure 1). Trust Wallet is a well-known cryptocurrency wallet, making it a valuable target for attackers seeking to steal digital assets.

Figure 1. Misused subscription confirmation email

From the initial phishing mail onwards, the attack goes through the following steps:

  1. Subscription confirmation page

When the recipient clicks the subscription confirmation link, they are taken to a status page hosted on incident.io confirming their subscription to the “URGENT SECURITY” incident (Figure 2). The page also includes an option to view the incident that the recipient has now subscribed to.

Figure 2. Incident.io subscription confirmation page

  2. Fake incident page

Clicking “View Incident” redirects the user to an incident page (Figure 3) created by the threat actor on the legitimate incident.io platform. At first glance the incident may appear genuine because it is hosted on a trusted domain. The incident is labeled as an urgent “Security Attack” type incident, aiming to create a sense of urgency in the reader.

Figure 3. Incident page created by the threat actor

However, this is not a genuine Trust Wallet security incident. Instead, the incident is controlled by the threat actor, and claims that:

  • A security attack is affecting Trust Wallet functionality
  • Mandatory security updates have been released
  • Immediate action is required

Users are urged to click “Update your wallet now.”

  3. Credential harvesting on a look-alike domain

Clicking the “Update your wallet now” link takes the user to a recently registered look-alike Trust Wallet domain. The malicious site claims a new update is available and prompts the user to proceed (Figure 4).

Figure 4. Update prompt on malicious look-alike domain

When the user clicks “Update now”, they are asked to sign in using their Trust Wallet credentials (Figure 5), as well as complete additional authentication by providing their 12-word secret recovery phrase (Figure 6).

Figure 5. First part of the fake login flow
Figure 6. Second part of the fake login flow

The final step confirms that the campaign’s objective is complete wallet compromise. With both the password and the secret recovery phrase, attackers can fully take over the user’s cryptocurrency wallet and drain its funds.
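Mail-triage logic for the lure chain described above, as an added example that is not part of the original post or of any Hoxhunt tooling. It flags a status-page subscription confirmation when a third-party provider (incident.io) sends brand-themed content with urgency language or a link to a look-alike host; the sample email is constructed, and trustwallet.com is assumed to be the brand's official domain.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the campaign's lure (not a real capture).
SAMPLE_EMAIL = """\
From: Trust Wallet Status <noreply@incident.io>
To: victim@example.com
Subject: Confirm your subscription to Trust Wallet status updates

URGENT SECURITY: Mandatory security updates have been released.
Immediate action is required. Update your wallet now:
https://trustwallet-update.example/update
Confirm your subscription: https://status.incident.io/trust-wallet/confirm
"""

STATUS_PAGE_PROVIDERS = {"incident.io"}        # legitimate status-page SaaS that can be abused
BRAND_OFFICIAL_DOMAINS = {"trustwallet.com"}   # assumed official Trust Wallet domain
BRAND_TOKENS = ("trustwallet", "trust-wallet", "trust wallet")
URGENCY_PHRASES = ("urgent", "immediate action", "mandatory", "update your wallet")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host):
    # Last two labels of a hostname; no public-suffix handling, enough for this demo.
    return ".".join(host.lower().split(".")[-2:])


def lookalike_domains(urls):
    # Hosts that borrow the brand's name but are not an official brand domain.
    # The legitimate status.incident.io host carries the brand only in its path, so it is not flagged.
    hits = []
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        if any(tok in host for tok in BRAND_TOKENS) and registrable_domain(host) not in BRAND_OFFICIAL_DOMAINS:
            hits.append(host)
    return hits


def triage(raw_email):
    # Combine sender origin, brand mention, urgency wording and outbound links into a verdict.
    msg = message_from_string(raw_email)
    sender_domain = registrable_domain(parseaddr(msg.get("From", ""))[1].rpartition("@")[2])
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}".lower()
    findings = []
    if sender_domain in STATUS_PAGE_PROVIDERS:
        findings.append("sent_by_status_page_provider")
    if any(tok in text for tok in BRAND_TOKENS) and sender_domain not in BRAND_OFFICIAL_DOMAINS:
        findings.append("brand_named_by_third_party")
    if any(p in text for p in URGENCY_PHRASES):
        findings.append("urgency_language")
    lookalikes = lookalike_domains(URL_RE.findall(body))
    if lookalikes:
        findings.append("lookalike_domain_link")
    suspicious = "brand_named_by_third_party" in findings and ("urgency_language" in findings or lookalikes)
    return {"findings": findings, "lookalike_domains": lookalikes, "verdict": "suspicious" if suspicious else "ok"}
```

A genuine incident.io confirmation for a brand's own status page produces only the provider finding and an "ok" verdict, which keeps the rule from blocking the platform's legitimate mail.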

Why this attack is effective

This campaign is effective because it:

  • Leverages a legitimate SaaS platform, incident.io
  • Misuses real incident pages hosted on a trusted domain
  • Exploits urgency with a “security attack” narrative, fitting the incident theme
  • Targets cryptocurrency users, where recovery of stolen funds is often impossible

By combining trusted infrastructure with brand impersonation and urgency, attackers significantly increase the credibility of the lure.

Key takeaways

  • Legitimate services can be misused to host or send attacker-controlled content
  • Always verify security alerts directly through official communication channels
  • Legitimate cryptocurrency wallet providers will never ask for your secret recovery phrase
  • Never enter recovery phrases on external websites

As attackers continue to weaponize trusted services, user awareness and strong email security controls remain critical defenses against credential harvesting and loss of funds.
