SlowMist: Be Wary of the TransferFrom Zero Transfer Scam

4 min readDec 1, 2022


Not long after the last announcement of the “Another Airdrop Scam, But With a Twist,” we’ve identified a very similar scam based on reports from victims.

According to the reports of many victims, transfers of 0 USDT from unrecognized addresses continued to show in the address transaction history of TRON network users, with the TransferFrom function being called in each instance.

Pic 1

Clicking on a random transaction to view its details, as depicted in Pic 1 for the transaction with tx 701e7 in the red box.

Pic 2

This transaction is a call to the function TransferFrom, which allows the address beginning with TCwd to transfer 0 USDT from the address beginning with TAk5 to an address starting with TMfh.

This indicates that the culprit was the address beginning with TCwd;

Let’s examine this address:

Pic 3

Evidently, this address is calling TransferFrom multiple times every second.

Next, we will examine the USDT transfers from this address.

Pic 4

The majority have records of transferring out 0.001 amounts. This reminded us of a similar scam involving airdrop scams consisting of addresses with identical end numbers.

The address beginning with TCwd could be one of the primary addresses, distributing 0.001 to multiple addresses that might all be used by the attacker for the airdrop. To verify this, the address TMQy….6ZRMK was used.

Pic 5

TADXT……Lhbuo and further down are all of the USDT receiving addresses.

Pic 6

Pic 6 demonstrates that the address TADXT… Lhbuo had two regular transfers with the TMQ… address. This person was being harassed not only by airdrops with the same last number, but also by the 0 transferFrom method described in this article. It is also reasonable to assume that the same organization is responsible for these two methods.

It is possible to initiate a transfer of 0 from any user’s account to an unauthorized account without failure, as the TransferFrom function of the token contract does not require that the approved transfer amount be greater than 0. This condition is utilized by the malicious attacker to repeatedly launch TransferFrom actions to active users in order to trigger these transfer events.

Apart from TRON, we cannot help but worry if the same scenario would occur on the Ethereum network.

So we ran a little test on the Ethereum network.

Pic 7

The test calls were successful, applying the same rule to the Ethereum network.

Unavoidably, if a user discovers a transaction record that is not his or her own, he or she may fear that his or her wallet has been compromised. When a user attempts to alter his or her wallet or re-download it, he or she runs the danger of being scammed and robbed; conversely, if a user’s transaction history is “hijacked” by an attacker, the user may lose assets by copying the wrong transfer address.

SlowMist would like to remind you that due to the immutability of blockchain technology and the irreversibility of on-chain transactions, you should double-check the address before executing any activities. Additionally, if you see any unexpected transactions occurring from your address, please exercise caution and analyze it thoroughly. Feel free to contact us if you have any questions, our DM is always open.




SlowMist is a Blockchain security firm established in 2018, providing services such as security audits, security consultants, red teaming, and more.