Unveiling a New Scam: Malicious Modification of RPC Node Links to Steal Assets

Apr 25, 2024



According to feedback from our partner imToken, a new type of cryptocurrency scam has recently emerged. This scam typically occurs in the context of physical transactions offline and uses USDT as the method of payment. The fraud involves modifying Ethereum node Remote Procedure Calls (RPC) to deceive users.

Modus Operandi

The SlowMist security team has analyzed these scams, and the specific process used by the fraudsters is as follows:

First, the scammer persuades the target user to download the legitimate imToken wallet and gains the user’s trust by transferring 1 USDT and a small amount of ETH as bait. Next, the scammer guides the user to redirect their ETH RPC URL to a node controlled by the scammer (https://rpc.tenderly.co/fork/34ce4192-e929-4e48-a02b-d96180f9f748).

This node has been modified by the scammer using Tenderly’s Fork feature. As a result, the user’s USDT balance is falsified to appear as though the scammer has deposited funds into the user’s wallet. When the user sees the balance, they mistakenly believe the funds have been credited. However, when they attempt to transfer out miner’s fees to cash out the USDT, they realize they have been deceived. By this time, the scammer has already vanished without a trace.

In fact, besides the ability to modify displayed balances, Tenderly’s Fork feature can even alter contract information, posing an even greater threat to users.


Understanding RPC

So, what exactly is RPC? To interact with the blockchain, we need a standard way to reach network servers, and RPC is one method that provides this connection. It lets us access network servers and perform actions such as checking balances, creating transactions, or interacting with smart contracts. With RPC capabilities embedded, users can make requests and interact with the blockchain. For example, when users access decentralized exchanges through wallets like imToken, they are essentially communicating with blockchain servers via RPC. Generally, all types of wallets are set to connect to secure nodes by default, and users need not adjust anything. However, connecting your wallet to an untrusted node means trusting whatever that node reports: it can maliciously modify the balance and transaction information displayed in your wallet, resulting in financial losses.
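Because the wallet displays whatever its node returns, a node's answers can be cross-checked against independent reference nodes. The sketch below is an added example, not SlowMist's or imToken's code: it compares chain ID, the hash of a recent block, and the USDT `balanceOf` result. The endpoint URLs, holder address, block numbers and hashes are constructed, and `fake_rpc` stands in for a real JSON-RPC transport so the example runs offline.

```python
USDT = "0xdac17f958d2ee523a2206206994597c13d831ec7"  # USDT contract, Ethereum mainnet
BALANCE_OF = "0x70a08231"                             # ERC-20 balanceOf(address) selector

def snapshot(rpc, url, holder, height):
    """Ask one node for the facts a wallet UI relies on."""
    data = BALANCE_OF + holder.lower().removeprefix("0x").rjust(64, "0")
    block = rpc(url, "eth_getBlockByNumber", [hex(height), False])
    raw = rpc(url, "eth_call", [{"to": USDT, "data": data}, "latest"])
    return {
        "chain_id": int(rpc(url, "eth_chainId", []), 16),
        "block_hash": block["hash"] if block else None,  # None: node lacks this block
        "usdt": int(raw, 16) / 10**6,                    # USDT has 6 decimals
    }

def cross_check(rpc, suspect, references, holder, depth=5):
    """Return (reference, field, suspect_value, reference_value) for every mismatch."""
    findings = []
    for ref in references:
        # Compare at a block the reference already has a few confirmations on.
        height = int(rpc(ref, "eth_blockNumber", []), 16) - depth
        seen, truth = snapshot(rpc, suspect, holder, height), snapshot(rpc, ref, holder, height)
        findings += [(ref, f, seen[f], truth[f]) for f in truth if seen[f] != truth[f]]
    return findings

# --- Constructed sample data: no real node is contacted ---
HOLDER = "0x" + "ab" * 20  # placeholder address
REAL = {19_000_000 + i: "0x" + f"{i:064x}" for i in range(10)}  # made-up block hashes
NODES = {
    "https://ref-a.example": {"chain_id": 1, "head": 19_000_009, "hashes": REAL, "usdt_raw": 1_000_000},
    "https://ref-b.example": {"chain_id": 1, "head": 19_000_009, "hashes": REAL, "usdt_raw": 1_000_000},
    # Node that stopped tracking the chain at 19,000,002 and reports an inflated balance
    "https://suspect.example": {"chain_id": 1, "head": 19_000_003, "usdt_raw": 50_001_000_000,
                                "hashes": {k: v for k, v in REAL.items() if k <= 19_000_002}},
}

def fake_rpc(url, method, params):
    node = NODES[url]
    if method == "eth_chainId":
        return hex(node["chain_id"])
    if method == "eth_blockNumber":
        return hex(node["head"])
    if method == "eth_getBlockByNumber":
        h = node["hashes"].get(int(params[0], 16))
        return {"hash": h} if h else None
    if method == "eth_call":
        return "0x" + f"{node['usdt_raw']:064x}"
    raise ValueError(method)

print(cross_check(fake_rpc, "https://suspect.example", ["https://ref-a.example"], HOLDER))
```

In real use, `rpc` would POST JSON-RPC requests to each URL. Balances are read at `latest`, so a transfer landing between the two queries can cause a one-off mismatch that disappears on retry.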

MistTrack Analysis

We utilized the on-chain tracking tool MistTrack to analyze a known victim’s wallet address (0x9a7…Ce4) and observed that this victim’s address received a small amount of 1 USDT and 0.002 ETH from another address (0x4df…54b).

Looking at the financial activities of address (0x4df…54b), it was found that it had transferred 1 USDT to three different addresses, indicating that this address has already committed the scam three times.

Tracing further, this address is associated with multiple trading platforms and has interactions with addresses flagged as “Pig Butchering Scammers” by MistTrack.


The cunning aspect of such scams lies in exploiting psychological weaknesses of users. Users often focus only on whether funds have been credited to their wallets, overlooking potential risks. Scammers take advantage of this trust and negligence, using believable tactics such as transferring small amounts of money to deceive users. Therefore, the SlowMist security team advises users to remain vigilant during transactions, enhance their self-protection awareness, and be skeptical of others to avoid financial harm.

About SlowMist

At SlowMist, we pride ourselves on being a frontrunner in blockchain security, dedicating years to mastering threat intelligence. Our expertise is grounded in providing comprehensive security audits and advanced anti-money laundering tracking to a diverse clientele. We’ve established a robust network for threat intelligence collaboration, positioning ourselves as a key player in the global blockchain security landscape. We offer tailor-made security solutions that span from identifying threats to implementing effective defense mechanisms. This holistic approach has garnered the trust of numerous leading and recognized projects worldwide, including names like Huobi, OKX, Binance, imToken, Crypto.com, Amber Group, Klaytn, EOS, 1inch, PancakeSwap, TUSD, Alpaca Finance, MultiChain, and Cheers UP. Our mission is to ensure the blockchain ecosystem is not only innovative but also secure and reliable.

We offer a variety of services that include but are not limited to security audits, threat intelligence, defense deployment, security consultants, and other security-related services. We also offer AML (Anti-money laundering) solutions, Vulpush (Vulnerability monitoring), SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall), Safe Staking and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, FireEye, RC², TianJi Partners, IPIP, etc.

By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we wish to help spread awareness and raise the security standards in the blockchain ecosystem.





SlowMist is a Blockchain security firm established in 2018, providing services such as security audits, security consultants, red teaming, and more.