Fake EigenLayer / Symbiotic / Karak / etherfi / Renzo restaking slash-recovery drainer — "operator slashed, claim recovery / re-delegate withdrawal credentials / emergency re-delegate within 48 hours" targeting LRT restakers + AVS operators; signed message gives attacker withdrawal-credentials authority. Real LRT slash recovery happens through the protocol's native UI, never via emailed link. Distinct from EIP-7702 delegation drainer (general account abstraction) and R14 LRT-signup phish (onboarding shape, not slash-recovery). Source: GC1 R8 multiagent council top-5 (S4 crypto specialist).
fake-eigenlayer-symbiotic-restaking-slash-recovery-lure
What this tier means
High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.
How Gorganizer detects this
Fake EigenLayer / Symbiotic / Karak / etherfi / Renzo / Puffer / Kelp / Swell liquid-restaking-token (LRT) slash-recovery drainer. Targets restakers + AVS (Actively Validated Service) operators with a "your operator was slashed, claim recovery / re-delegate withdrawal credentials / emergency re-delegate within 48 hours or lose your full stake" narrative. The signed message gives the attacker withdrawal-credentials authority, allowing them to drain the LRT on the next withdrawal cycle. Slashing IS a real LRT primitive (operators can be penalized for downtime, double-signing, censoring, or AVS-specific violations) and 2026 saw the first wave of large-dollar LRT slash events (post-AVS-mainnet launches across EigenLayer, Symbiotic, Karak Q4 2025 - Q2 2026), which is why the phish converts: restakers genuinely DO get slashed and DO need to re-delegate. The lure rides on the real anxiety. Real LRT slash recovery happens through the protocol's native UI at eigenlayer.xyz / app.symbiotic.fi / app.karak.network, never via emailed link. LRT TVL across the major restaking protocols was $20B+ at peak 2025, and average per-restaker exposure ranges from $1K to $10M+, so attacker ROI on a successful drain is extreme. Distinct from `fake-eip-7702-account-abstraction-delegation-lure` (general account-abstraction drainer, no LRT framing) and from earlier R14 LRT-signup phish (onboarding shape: "deposit to restake," not slash-recovery). Fires when body references EigenLayer / Symbiotic / Karak / restaking / LRT / AVS / withdrawal credentials / operator-slash / operator-re-delegate AND contains slashed / claim-recovery / recover-stake / re-delegate / emergency-re-delegate / connect-wallet urgency. Excludes eigenlayer.xyz, symbiotic.fi, karak.network, etherfi.io, renzoprotocol.com, puffer.fi, kelpdao.xyz, swellnetwork.io. Auto-classified as danger via the `-lure` suffix. Source: GC1 R8 multi-agent council top-5 (S4 crypto specialist).
False-positive guard
Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.
About the scoring engine
Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.
Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.
Ready to clean your inbox?
Gorganizer scans your Gmail with this signal and 1,800+ others, then cleans everything in one click. $4.99 one-time, no subscription.
Get started