Over the last couple of months, several Tangem Wallet holders have been experiencing a strange issue. Some users spotted transactions of a few USDT in the TRON network explorer, which they hadn't executed. Looking at the history, one would think that the users made the transactions, and the funds were sent to wallets they owned.
Upon closer inspection, it would transpire that the address the cryptocurrency was allegedly sent to was a different wallet, albeit very similar to the user's wallet. It also turned out that it wasn't USDT but something called UDST. Let's look at how this scam works, where the transactions are coming from, and why you should (or shouldn't) be concerned.
The essence of the scam
At its core, this is a phishing attack. Here, however, the scammers use fake transactions instead of fake emails. They target users who transfer cryptocurrency to the same wallets regularly. When doing this, people often copy their address from their transfer history. If scammers can add their addresses to the history, there is a chance that a careless victim will copy it and send their money to the scammer. The scammer's wallet address usually has the same first few characters as the actual address. This is because the attackers are banking on the fact that many users only check the first few characters.
There are two ways that these scammers operate. The first involves sneaking a fake transaction into the address history and waiting for the user to make a mistake. The second consists of making several "real" transactions to a similar wallet and then pushing several transactions to "random" addresses in the blockchain explorer, giving the impression that the wallet has been compromised. The victim may then panic and mistakenly copy "their" address from the "real" transaction and transfer all assets to it, believing they are transferring the funds themselves.
How transactions show up in explorers
It's all connected to the standards used by networks compatible with the Ethereum Virtual Machine (EVM) and, more specifically, how transaction histories are created and subsequently read by blockchain explorers.
When transferring funds online, an event is created and displayed in the blockchain explorer. This event is generated even if the value of the transferred assets is zero. And since nothing is being transferred, the sender doesn't need to consent to the smart contract to send nothing from their account. Imagine your friend visits you and, after discovering you aren't home, leaves a note reading "I borrowed 20 nothing from you. Peter".
Now we've looked at how transactions appear in the blockchain explorer, let's talk about what exactly it is that the attackers are doing.
To begin with, they create a scam token with a value of zero and give it a name that looks similar to the name of a real token. UDST is one example:
They then monitor the target network and identify users who regularly transfer cryptocurrency to the same addresses. When the victim is chosen, the scammer creates a crypto wallet with an address that shares the first and last characters with the target address to which the user often transfers money.
The malicious smart contract then triggers a transfer of 10 UDST from the user's address to the scammer's wallet, and the "transaction" appears in the victim's blockchain explorer. Sometimes, these transfers are created immediately after the user sends real USDT, meaning that the transactions appear next to each other in the history.
Are there other schemes like this?
The attack we've described here is an evolution of the TransferFrom Zero Transfer scam, which peaked in 2022. Scammers exploited the same "flaw" in the network logic, but the mechanics were different. They didn't use fake tokens; instead, they used the TransferFrom function, which is required to operate smart contracts and fulfills the automatic transfer of funds.
The fraudsters simply carried out zero-value transactions from the victim's wallet to their own. As a result, the list of transactions included a transfer worth 0 of genuine USDT. Unlike the scam we've described, the TransferFrom Zero Transfer scam was cheaper as it didn't require network commissions or the creation of scam tokens and smart contracts. Nevertheless, a zero-value transaction is much easier to spot in a user's main transaction history. That doesn't mean it didn't work, of course. Take, for example, the story of the Bitcoin Forum user who lost USD 100,000 after copying a wallet address from a transaction of 0 BNB.
Alternative approaches
Scammers aren't always trying to get you to send crypto to their wallets. It's easy to envisage a version of a multi-stage attack that targets a seed phrase. The user would be bombarded with fake transactions at first and then, on behalf of a crypto wallet or DEX's developers, receive an email about the hack, ostensibly after a leak. To protect their assets, the victim must follow a link and enter their seed phrase in a form.
A more complex version involves sending the user to a fake website using DNS spoofing or a man-in-the-middle (MITM) attack, after which the user rushes to the crypto wallet website in a panic so that they can "at least do something."
How to stay safe
As with phishing, you can protect yourself from attacks of this kind by following a couple of simple rules.
Firstly, always check the recipient's address in full when making a transaction. If you regularly transfer crypto to the same wallets, save the addresses in a password manager and copy them from there every time.
Secondly, don't panic if you notice outgoing transfers you didn't make, don't panic. Just make sure you don't follow links from emails. Make sure you first study the transaction details carefully and then act. Panic is your worst enemy.
If you're a Tangem Wallet user, you can relax. Without your card, which is where the private key is stored (and remains without being shared anywhere), nobody can do anything with your assets.