Recently, a new phishing scam has caught our attention. It typically plays out in chat applications such as Telegram and begins as an off-exchange trade. Before the actual trade, the scammer asks the victim to transfer a small amount, say 0.1 USDT, supposedly to verify that the victim's address carries no risk. The scammer then sends a so-called “public chain” address for the transfer, insisting that it must be entered in the wallet's built-in browser for the transaction to go through. Once the victim enters this “public chain” address in that browser, they find that all tokens in their account have been stolen.
So what exactly happened?
Analysis of the Scam
Upon analyzing the information provided by the victims, we discovered that this is not a case of simple transfer theft. Note: Addresses have been obscured to protect the victims’ information.
Based on our experience, this appears to be a phishing theft caused by authorization. The contract caller (TK…Gh) transferred 271,739 USDT from the victim’s address (TX…1W) to the scammer’s address (TR…8v) by invoking the transferFrom function.
At this point, we focused on the “public chain” address mentioned by the scammer: 0x2e16edc742de42c2d3425ef249045c5c.in
At first glance, the string looks like an ordinary address, but a closer look reveals two problems. First, the transfer took place on TRON, yet the string starts with 0x, which TRON addresses never do; second, it is not an address at all but a website whose domain ends in .in.
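Both red flags above (a 0x prefix on a TRON transfer and a trailing .in domain) can be checked mechanically before anything is pasted into a wallet. The following Python is an added example, not SlowMist's code or tooling: it classifies a pasted destination string as a checksummed TRON base58 address, an EVM-style hex address, or a domain/URL, and reports a chain mismatch when the format does not belong to the network the user selected. The base58check routine follows the TRON address layout (0x41 version byte, 20-byte account id, 4-byte double-SHA256 checksum); the domain pattern is a deliberately simple heuristic, and the sample TRON address is derived from an all-zero account id purely for demonstration.

```python
import hashlib
import re

# Added example (not SlowMist's code): classify a pasted "address" before it is used.
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(raw: bytes) -> str:
    """Plain base58 (Bitcoin/TRON alphabet); leading zero bytes become '1'."""
    n = int.from_bytes(raw, "big")
    out = ""
    while n > 0:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out


def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError("character outside the base58 alphabet")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def _checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def tron_address_from_hash160(h160: bytes) -> str:
    """TRON base58check: 0x41 version byte + 20-byte account id + 4-byte checksum."""
    if len(h160) != 20:
        raise ValueError("account id must be 20 bytes")
    payload = b"\x41" + h160
    return b58encode(payload + _checksum(payload))


def is_tron_address(text: str) -> bool:
    """True only for a 34-character, T-prefixed string whose checksum verifies."""
    if len(text) != 34 or not text.startswith("T"):
        return False
    try:
        raw = b58decode(text)
    except ValueError:
        return False
    return len(raw) == 25 and raw[0] == 0x41 and _checksum(raw[:21]) == raw[21:]


# Heuristic: label.label.tld with an optional path; good enough to catch "0x....in".
DOMAIN_RE = re.compile(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}(/.*)?")
EVM_RE = re.compile(r"0x[0-9a-fA-F]{40}")


def classify_destination(text: str, network: str) -> str:
    """Return what the pasted string really is, relative to the selected network."""
    s = text.strip()
    if "://" in s or DOMAIN_RE.fullmatch(s):
        return "domain_or_url"  # a website, never a place to send funds
    if EVM_RE.fullmatch(s):
        return "evm_address" if network != "tron" else "wrong_chain_format"
    if is_tron_address(s):
        return "tron_address" if network == "tron" else "wrong_chain_format"
    return "unknown"


if __name__ == "__main__":
    # The scammer's "address" from this case, and a constructed valid TRON address.
    for s in ("0x2e16edc742de42c2d3425ef249045c5c.in", tron_address_from_hash160(bytes(20))):
        print(s, "->", classify_destination(s, "tron"))
```

A wallet or chat bot that applies this check would refuse the scammer's string outright as a domain rather than treating it as a recipient, and would also refuse a genuine 0x address when the TRON network is selected.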
Upon analyzing this website, we found that it was created a month ago (October 11th) with the associated IP being 22.214.171.124:
Similar websites exist under this IP, all created within the last month:
Currently, only 0x2e16edc742de42c2d3425ef249045c5b.in is still accessible. When opened in a wallet's built-in browser, the page only allows the TRON network to be selected.
After entering an amount and clicking next, it shows as a contract interaction.
We decoded the Data field of the call and found that the scammer (TYiMfUXA9JcJEaiZmn7ns2giJKmToCEK2N) lures users into signing an increaseApproval call, which grants the scammer an allowance over the user's tokens. Once the user clicks Confirm, the scammer can drain those tokens with transferFrom.
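To see what the wallet is really being asked to sign, the Data field can be decoded offline. The following Python is an added example, not SlowMist's code: it splits the calldata into the 4-byte function selector and 32-byte ABI words, recognises the standard TRC20/ERC20 selectors for approve, increaseApproval, increaseAllowance, transfer and transferFrom, and flags approval-type calls, in particular an unlimited (uint256 max) allowance. The spender is reported in TRON's 41-prefixed hex form. SAMPLE_DATA is constructed for the demonstration with a made-up spender, not the scammer's address.

```python
# Added example (not SlowMist's code): decode the Data field of a TRC20/ERC20 call.
# Selectors are the first 4 bytes of keccak256 of the canonical signature.
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "d73dd623": "increaseApproval(address,uint256)",
    "39509351": "increaseAllowance(address,uint256)",
    "a9059cbb": "transfer(address,uint256)",
    "23b872dd": "transferFrom(address,address,uint256)",
}
APPROVAL_METHODS = {"approve", "increaseApproval", "increaseAllowance"}
UINT256_MAX = (1 << 256) - 1


def _words(data: bytes) -> list:
    """Split the ABI payload after the selector into 32-byte words."""
    if (len(data) - 4) % 32:
        raise ValueError("malformed ABI payload length")
    return [data[i:i + 32] for i in range(4, len(data), 32)]


def _address(word: bytes) -> str:
    """ABI addresses are 20 bytes right-aligned in a word; TRON's hex form prefixes 0x41."""
    if any(word[:12]):
        raise ValueError("address word has non-zero padding")
    return "41" + word[12:].hex()


def _uint(word: bytes) -> int:
    return int.from_bytes(word, "big")


def decode_call(data_hex: str) -> dict:
    """Decode calldata into method, parameters and a risk label for the signer."""
    data = bytes.fromhex(data_hex[2:] if data_hex.startswith("0x") else data_hex)
    if len(data) < 4:
        raise ValueError("calldata shorter than a selector")
    selector = data[:4].hex()
    sig = SELECTORS.get(selector)
    if sig is None:
        return {"method": "unknown", "selector": selector, "risk": "review manually"}
    name = sig.split("(")[0]
    arity = sig.count(",") + 1
    w = _words(data)
    if len(w) < arity:
        raise ValueError(f"{name} expects {arity} parameters, got {len(w)} words")
    if name in APPROVAL_METHODS:
        amount = _uint(w[1])
        return {"method": name, "spender": _address(w[0]), "amount": amount,
                "risk": "unlimited approval" if amount == UINT256_MAX else "approval"}
    if name == "transfer":
        return {"method": name, "to": _address(w[0]), "amount": _uint(w[1]),
                "risk": "transfer"}
    return {"method": name, "from": _address(w[0]), "to": _address(w[1]),
            "amount": _uint(w[2]), "risk": "transfer (spends an existing allowance)"}


# Constructed sample: increaseApproval(spender, uint256 max) with a made-up spender.
SAMPLE_SPENDER = bytes.fromhex("11" * 20)
SAMPLE_DATA = ("0xd73dd623"
               + SAMPLE_SPENDER.rjust(32, b"\x00").hex()
               + UINT256_MAX.to_bytes(32, "big").hex())


if __name__ == "__main__":
    print(decode_call(SAMPLE_DATA))
```

The page shown to the victim looked like a transfer form, but the decoded call is an approval with an unlimited amount to an address the user never chose; a wallet that surfaced this decoded view at the Confirm step would make the mismatch obvious.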
An analysis of this scammer’s address reveals that users have already been tricked.
Most of the victim’s USDT was transferred to the address TLdHGHB8HDtPeUXPxiwU6bed6wQEH25ZKQ.
Using MistTrack to check this address, we found it received over 3,827 USDT.
Further analysis of other addresses is not discussed in detail.
This article starts with an actual theft case and introduces a new type of scam that disguises phishing websites as transfer addresses. SlowMist Security Team reminds everyone that since blockchain technology is immutable and on-chain operations are irreversible, it is crucial to carefully verify addresses before any operation. Understanding the risk profile of the target address, such as checking its risk score and malicious tags on MistTrack, is essential to avoid financial losses. If you notice any unusual transactions on an address, be vigilant, and calmly check. If needed, contact us or submit a form at https://aml.slowmist.com/recovery-funds.html for assistance.
At SlowMist, we pride ourselves on being a frontrunner in blockchain security, dedicating years to mastering threat intelligence. Our expertise is grounded in providing comprehensive security audits and advanced anti-money laundering tracking to a diverse clientele. We’ve established a robust network for threat intelligence collaboration, positioning ourselves as a key player in the global blockchain security landscape. We offer tailor-made security solutions that span from identifying threats to implementing effective defense mechanisms. This holistic approach has garnered the trust of numerous leading and recognized projects worldwide, including names like Huobi, OKX, Binance, imToken, Crypto.com, Amber Group, Klaytn, EOS, 1inch, PancakeSwap, TUSD, Alpaca Finance, MultiChain, and Cheers UP. Our mission is to ensure the blockchain ecosystem is not only innovative but also secure and reliable.
SlowMist offers a variety of services that include but are not limited to security audits, threat information, defense deployment, security consultants, and other security-related services. They offer AML (Anti-money laundering) software, Vulpush (Vulnerability monitoring), SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall), Safe Staking and other SaaS products. They have partnerships with domestic and international firms such as Akamai, BitDefender, FireEye, RC², TianJi Partners, IPIP, etc.
By delivering a comprehensive security solution customized to individual projects, they can identify risks and prevent them from occurring. Their team was able to find and publish several high-risk blockchain security flaws. By doing so, they could spread awareness and raise the security standards in the blockchain ecosystem.