PancakeSwap's Terms of Service lists info@pancakeswap.come — an invalid .come TLD — and the phishing funnel a broken support channel creates
The finding, and why it matters: a bounced support email pushes an anxious user toward a search result, a look-alike clone, and an approval-drainer.

The finding

When our website engine rendered PancakeSwap's live Terms of Service, it read the listed contact address as info@pancakeswap.come. The problem is the final letter: .come is not a real top-level domain. Mail to it doesn't reach a mistyped inbox — it fails to resolve and bounces. The real address is info@pancakeswap.com. You can see the current verdict for the site on our PancakeSwap report.

Why a dead support inbox is an attack surface

On a domain with PancakeSwap's history this is benign — no funds are at risk from the typo itself. What it illustrates is that the frontend is part of the security perimeter, and a broken official support channel creates a vacuum that scammers are designed to fill:

  1. A user emails the address in the Terms of Service — and it silently bounces.
  2. Anxious about their funds, they search Google, Telegram or Reddit for “PancakeSwap support”.
  3. They land on a look-alike clone — a typosquat with a valid SSL certificate and no history.
  4. The clone asks them to connect a wallet and sign a token approval; the moment they do, an approval-drainer sweeps the balance.

How TrustSniffer caught it — and how you can

Our page module quotes the exact address it found and raises a suspicious_contact_email_tld signal — a contact email on an invalid or typo top-level domain. The broader lesson is procedural: verify the domain before you trust the brand. A real website checker scores a site's age, certificate origin and reputation, so a fresh clone with no history is exposed in seconds — long before a wallet is ever connected. Before approving any transfer, run the counterparty through a wallet risk check too.

What to do as a user

  • Reach official support only through a domain you typed yourself or bookmarked — never a link from a search result or a DM.
  • Treat any “support” address or agent that contacts you first as hostile.
  • Check a site with a website checker before connecting a wallet, and set token approvals to the exact amount rather than unlimited.
  • Browse flagged high-risk crypto sites and verified-legitimate ones in the directory.

Frequently asked questions

Is PancakeSwap unsafe because of this?

No. It is a harmless typo in a support email on an established, trusted domain — no funds are at risk from the typo itself. It matters as an illustration of how a broken support channel can be exploited by phishing clones, not as a flaw in the protocol.

What is a .come domain?

There is no .come top-level domain — it is a common misspelling of .com. An address ending in .come cannot receive mail and bounces. A scammer could, however, register a look-alike domain to impersonate a brand.

How can I tell a real crypto site from a clone?

Check its domain age, SSL certificate origin and reputation with a website checker before you trust it or connect a wallet. A convincing clone almost always has a brand-new domain and no history — which a scan exposes immediately.