
The finding
When our website engine rendered PancakeSwap's live Terms of Service, it read the listed contact address as info@pancakeswap.come. The problem is the final letter: .come is not a real top-level domain. Mail to it doesn't reach a mistyped inbox — it fails to resolve and bounces. The real address is info@pancakeswap.com. You can see the current verdict for the site on our PancakeSwap report.
Why a dead support inbox is an attack surface
On a domain with PancakeSwap's history this is benign — no funds are at risk from the typo itself. What it illustrates is that the frontend is part of the security perimeter, and a broken official support channel creates a vacuum that scammers are designed to fill:
- A user emails the address in the Terms of Service — and it silently bounces.
- Anxious about their funds, they search Google, Telegram or Reddit for “PancakeSwap support”.
- They land on a look-alike clone — a typosquat with a valid SSL certificate and no history.
- The clone asks them to connect a wallet and sign a token approval; the moment they do, an approval-drainer sweeps the balance.
How TrustSniffer caught it — and how you can
Our page module quotes the exact address it found and raises a suspicious_contact_email_tld signal — a contact email on an invalid or typo top-level domain. The broader lesson is procedural: verify the domain before you trust the brand. A real website checker scores a site's age, certificate origin and reputation, so a fresh clone with no history is exposed in seconds — long before a wallet is ever connected. Before approving any transfer, run the counterparty through a wallet risk check too.
What to do as a user
- Reach official support only through a domain you typed yourself or bookmarked — never a link from a search result or a DM.
- Treat any “support” address or agent that contacts you first as hostile.
- Check a site with a website checker before connecting a wallet, and set token approvals to the exact amount rather than unlimited.
- Browse flagged high-risk crypto sites and verified-legitimate ones in the directory.


