Over the last couple of months, several Tangem Wallet holders have been experiencing a strange issue. Some users spotted transactions of a few USDT in the TRON network explorer which they hadn’t executed. Looking at the history, one would think that the transactions were made by the users themselves and the funds were sent to wallets they owned.
Upon closer inspection, it would transpire that the address the cryptocurrency was allegedly sent to was a different wallet, albeit very similar to the user’s actual wallet. It also turned out that it wasn’t USDT at all, but something called UDST. Let’s take a look at how this scam works, where the transactions are coming from, and why you should (or shouldn’t) be concerned.
The essence of the scam
At its core, this is a phishing attack. Here, however, the scammers use fake transactions instead of fake emails. They target users who transfer cryptocurrency to the same wallets on a regular basis. When doing this, people often copy their address from their transfer history. If scammers can add their addresses to the history, there is a chance that a careless victim will copy it and send their money to the scammer. The scammer’s wallet address usually has the same first few characters as the real address. This is because the attackers are banking on the fact that many users only check the first few characters.
There are two ways that these scammers operate. The first involves sneaking a fake transaction into the address history and waiting for the user to make a mistake. The second involves making several “real” transactions to a similar wallet, and then pushing a number of transactions to “random” addresses in the explorer, giving the impression that the wallet has been compromised. The victim may then panic and mistakenly copy “their” address from the “real” transaction and transfer all assets to it, believing that they are transferring the funds to themselves.
How transactions show up in explorers
It’s all connected to the standards used by networks that are compatible with the Ethereum Virtual Machine (EVM) and, more specifically, how transaction histories are created and subsequently read by blockchain explorers.
When transferring funds online, an event is created and displayed in the explorer. This event is generated even if the value of the transferred assets is zero. And since nothing is being transferred, the sender doesn’t need to give consent to the smart contract to send nothing from their account. Imagine your friend visits you and, after discovering that you aren’t at home, leaves a note reading “I borrowed 20 nothing from you. Peter”.
Now we’ve looked at how transactions appear in the explorer, let’s talk about what exactly it is that the attackers are doing.
To begin with, they create a scam token with a value of zero and give it a name that looks similar to the name of a real token. UDST is one example:
They then monitor the target network and identify users who regularly transfer cryptocurrency to the same addresses. When the victim is chosen, the scammer creates a crypto wallet with an address that shares the first and last characters with the target address to which the user often transfers money.
The malicious smart contract then triggers a transfer of 10 UDST from the user's address to the scammer's wallet, and the "transaction" appears in the victim's explorer. Sometimes these transfers are created immediately after the user sends real USDT, meaning that the transactions appear next to each other in the history.
Are there other schemes like this?
The attack we’ve described here is an evolution of the TransferFrom Zero Transfer scam, which reached its peak in 2022. Scammers exploited the same “flaw” in the network logic, but the mechanics were different. They didn’t use fake tokens, instead simply using the TransferFrom function, which is required in order to operate smart contracts and fulfils the automatic transfer of funds.
The fraudsters simply carried out zero-value transactions from the victim’s wallet to their own. As a result, the list of transactions included a transfer worth 0 of genuine USDT. Unlike the scam we’ve described, the TransferFrom Zero Transfer scam was cheaper as it didn’t require network commissions or the creation of scam tokens and smart contracts. Nevertheless, a zero-value transaction is much easier to spot in a user’s main transaction history. That doesn’t mean it didn’t work, of course. Take, for example, the story of the Bitcoin Forum user who lost USD 100,000 after copying a wallet address from a transaction of 0 BNB.
Scammers aren’t always trying to get you to send crypto to their wallets. It’s easy to envisage a version of a multi-stage attack that targets a seed phrase. The user would be bombarded with fake transactions at first and then, on behalf of a crypto wallet or DEX’s developers, receive an email about the hack, ostensibly after a leak. To protect their assets, the victim would need to follow a link and enter their seed phrase in a form.
A more complex version involves sending the user to a fake website using DNS spoofing or a man-in-the-middle (MITM) attack, after which the user rushes to the crypto wallet website in a panic so that they can “at least do something”.
How to stay safe
As with phishing, you can protect yourself from attacks of this kind by following a couple of simple rules.
Firstly, always check the recipient address in full when making a transaction. If you regularly transfer crypto to the same wallets, save the addresses in a password manager and copy them from there every time.
Secondly, if you notice outgoing transfers that you didn’t make, don’t panic. Just make sure you don’t follow links from emails. Make sure that you first study the details of the transaction carefully and only then take action. Panic is your worst enemy.
If you’re a Tangem Wallet user, you can relax. Without your card, which is where the private key is stored (and remains, without being shared anywhere), nobody can do anything with your assets.