
Title: 🚨 SECURITY ALERT: The “Imposter VC” Trap & The Sleeper Domain

Severity: High (Targets Project Treasuries & Founder Personal Wallets)

Active Vector: Telegram Connectors, Bought Social Accounts, Sleeper Domains


Executive Summary

Web3 founders are currently being targeted by highly sophisticated “Imposter VC” rings. Scammers are impersonating legitimate investment firms to trap early-stage projects looking for funding.

A recent attempt targeted the ShieldGuard Protocol leadership directly. A Telegram “marketer” introduced our team to a fake firm using a domain (consensuscapitalholdings.com) to impersonate a real, unrelated UK company. Because our team runs deep threat intelligence sweeps on every contact—including auditing their social media history and domain aging tactics—the attempt failed immediately.

This report details exactly how this scam works so other founders can recognize the signs before losing their treasury.


The Anatomy of the “Imposter VC” Attack

This scam relies on desperation and the illusion of authority. Here is the playbook:

Stage 1: The Hook (The “Connector”)

A “marketer” or “advisor” contacts you on Telegram. They claim to have direct connections to VCs looking to deploy capital immediately and create a group chat with the “VC partner.”

Stage 2: The “Sleeper Domain” (Identity Theft)

The scammers find a real, respectable, non-crypto company with a generic name. They register a lookalike domain, but instead of using it immediately, they let it age.

  • The Reality: During the ShieldGuard investigation, we discovered the scammers registered the fake domain in July 2025, letting it sit dormant for 7 months. This is an Advanced Persistent Threat (APT) tactic designed to bypass standard security filters that automatically block newly registered domains.

Stage 3: “Bought Authority” (The Fake X Account)

This is where the scam gets even more sophisticated. We audited the VC’s “Official” X (Twitter) account. It looked perfectly legitimate—it had a blue verified checkmark and a join date of 2016.

  • The Reality: The scammers purchased a dormant 2016 account on the black market to inherit its “age.” We tracked 6 recent username changes, and noted the “Verified” status was only purchased in January 2026. It was a fabricated reputation.

Stage 4: The Kill Shot (Advance Fee Fraud)

They invite you to a Calendly call, offer a Term Sheet, and then introduce a final hurdle before they wire the funds:

  • “We need a small 1% deposit for legal due diligence.”
  • “You need to connect your wallet to our escrow contract to receive the USDC.”

If you pay the fee, you lose your deposit. If you connect to the contract, your treasury is drained.

🛡️ ShieldGuard Preventive Education: Founder Protocols

When seeking funding, paranoia is a virtue. Adopt these protocols for inbound VC interest:

Rule 1: Audit Social Media History

Never trust a blue checkmark or an account creation date. If an account claims to be a top-tier VC but has a history of deleting old tweets or sudden username changes, it is a bought account.

Rule 2: Mandatory Domain Diligence

Run a “WHOIS” search on their domain. Do not just look at when it was registered, but how it has been used. A domain registered months ago with zero web history or public announcements is likely a “Sleeper Domain” waiting to be weaponized.

Rule 3: Never Pay to Get Paid

Real Venture Capitalists never ask founders to pay upfront fees for due diligence, legal costs, or KYC onboarding. Any request for a deposit prior to investment is an immediate indicator of Advance Fee Fraud.
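
The Rule 2 check can be scripted. The sketch below is an added example, not ShieldGuard's own tooling: it compares a domain's WHOIS creation date with the earliest evidence of use you found yourself, and it also flags history that predates the current registration, a case the rule does not mention. The WHOIS text, the placeholder domain, the function names and both thresholds are assumptions constructed for illustration.

```python
import re
from datetime import date

# Constructed WHOIS excerpt for a placeholder domain; not real registry data.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-VC.TEST
Creation Date: 2025-07-14T09:12:44Z
Registry Expiry Date: 2026-07-14T09:12:44Z
"""

_CREATED = re.compile(
    r"^\s*(?:Creation Date|Created On|Registered On):\s*(\d{4}-\d{2}-\d{2})",
    re.IGNORECASE | re.MULTILINE,
)

def creation_date(whois_text):
    """Pull the registration date out of raw WHOIS text."""
    match = _CREATED.search(whois_text)
    if match is None:
        raise ValueError("no creation date in WHOIS text; check the record by hand")
    return date.fromisoformat(match.group(1))

def assess_domain(whois_text, first_seen, today, new_days=30, dormant_days=90):
    """Classify a domain by registration age versus first evidence of use.

    first_seen: earliest date you found the domain in use (archived page,
    public announcement), or None if you found nothing.
    new_days / dormant_days: assumed thresholds, tune to your own policy.
    """
    created = creation_date(whois_text)
    age = (today - created).days
    if first_seen is not None and first_seen < created:
        # History older than the registration belongs to a previous owner.
        verdict, dormant = "history-predates-registration", 0
    else:
        dormant = ((first_seen or today) - created).days
        if age < new_days:
            verdict = "newly-registered"
        elif dormant >= dormant_days:
            verdict = "possible-sleeper"
        else:
            verdict = "consistent-history"
    return {"created": created, "age_days": age,
            "dormant_days": dormant, "verdict": verdict}

if __name__ == "__main__":
    print(assess_domain(SAMPLE_WHOIS, None, date(2026, 2, 15)))
```

A "possible-sleeper" or "history-predates-registration" verdict is a prompt for manual review of the contact, not proof of fraud.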


Scammers hunt for desperate founders. Stay vigilant, run your intel, and trust code over promises.

– The ShieldGuard Security Team
