Over $40M in losses– that’s the eye-popping sum lost to a relatively new, craftily designed zero transfer phishing scam.

Now, you might be familiar with phishing scams, the age-old trickery that preys on unsuspecting victims, but this new player takes it up a notch. This scam comes as an intricate twist in the ongoing saga of cybercrimes in web3. 

Curious about what this scam is all about and how it works? Well, you’re in the right place. We’re about to break it down for you and show you how to keep your digital assets safe from this crafty scam. Let’s dive in!

Key Insights on Zero-Value Token Transfer

Ethereum addresses are represented as 40-character hexadecimal strings. And guess what? Most people tend to fixate on the first and last few characters, leaving the middle part as an afterthought. 

For example, addresses are long strings of seemingly random characters which may look like this: 0x3c11F6265Ddec22f4d049Dde480615735f451646

Now, here’s where the plot thickens. Scammers take advantage of this human tendency by creating what’s known as a vanity address.

A vanity address is a crypto address customized with specific characters or patterns, making it easier to remember and, in some cases, even visually appealing.

These vanity addresses are commonly used by legitimate users and serve various legitimate purposes. For instance, when crafting a vanity address, users can choose specific patterns they’d like their new address to include. They often generate these addresses multiple times until they get one they’re satisfied with.

Now, back to the scammers. They’re after one thing: creating a vanity address that tricks their potential victims. Let’s say you recently sent tokens to the address 0x3c11F6265Ddec22f4d049Dde480615735f451646. 

The attacker might cook up an address starting and ending with the same characters – 0x3c11 and 5f4516 – with a mix of characters in the middle.

These addresses might seem strikingly similar to the unsuspecting eye, especially when many wallet apps and block explorers only display the first and last few characters.

So, by this, scammers trick the victim into accidentally sending tokens to this spoofed address belonging to the attacker instead of the legitimate address. Now let’s get into its working.

A simple breakdown of the Zero transfer scam

The zero-value token transfer scam unfolds following the pattern below.

Step 1: Watch out for the victim

The attacker keeps a close watch on on-chain token movements, waiting for the right target to strike.

Step 2: Sifting Through Transactions

The attacker delves into the victim’s ERC20 token transactions, focusing on one critical aspect: the recipient address used in previous transactions. This address is the key to launching their attack.

Step 3: Copy Paste

With the recipient’s address in hand, the attacker creates a fake address that looks similar to the one the victim has used before but with a few minor changes.

Step 4: Deceptive Transaction

The next step involves the attacker initiating a transaction that entails sending 0 USDC tokens from the victim’s address as the source to the newly created vanity address as the destination. 

Step 5: Falling into the Trap

The final act is accomplished as the victim reviews their transaction history. They come across the fake recipient address, which looks just like one they’ve used before. Thinking it’s the right address, they select it and send their cryptocurrency.

Little do they know, the cryptocurrency they intended to send to a trusted recipient ends up in the scammer’s hands. 

Source: Coinbase

Getting Inside The Heads of Scammers

Zero-value token Transfer scams exploit our natural tendency to trust and move quickly in the world of cryptocurrencies. Let’s decipher the psychology behind how scammers trick users into such scams.

• The Need for Speed: Many cryptocurrency users tend to skim through addresses swiftly, assuming their blockchain or wallet app will validate them. 
• Trusting the Past Log: Victims often rely on their transaction history to confirm addresses without verifying them diligently.
• Zero-Value Deception: Scammers initiate transactions with zero-value tokens, bypassing the need for the victim’s approval. The transaction still gets recorded on the blockchain without the victim’s consent, making it seem like a legitimate interaction.

Stay tuned as we explore the defensive strategies and how to equip ourselves better to spot and avoid these deceptive tactics.

The real-world attack scenario

A daring heist shook the crypto world where a scammer executed a zero transfer phishing attack, making off with a staggering $20M worth of Tether (USDT) on August 1, 2023.

The clever play

The victim had initially planned to send the funds to address 0xa7B4BAC8f0f9692e56750aEFB5f6cB5516E90570. 

However, the scammer intercepted the transaction, redirecting it to a nearly identical phishing address: 0xa7Bf48749D2E4aA29e3209879956b9bAa9E90570.

The scam unfolded when the victim’s wallet received $10M from a Binance account. Shortly after, the victim sent it to another address. Seizing the opportunity, the scammer engineered a counterfeit Zero USDT token transfer from the victim’s account to the fraudulent address. A few hours later, the victim unwittingly sent a whopping 20M USDT to the scammer, believing it was destined for the original recipient.

Swiftly, Tether, the stablecoin’s issuer, sprung to action by freezing the wallet. The incident baffled many due to its remarkable speed.

Precautionary Tales

What You Must Do As A User?

1. Exercise Caution with addresses involved in zero-value token transfers. They are typically muted and marked with a grey warning icon on Etherscan.

2. While using wallet apps, always double-check that the displayed addresses precisely match the one you intend to transact with. 

3. When performing transactions, examine the addresses both above and below the one you are interacting with, as scam addresses might impersonate the victim’s address before or after it in the transaction history.

4. Ensure the entire address is accurate, as attackers may have generated vanity addresses that closely resemble legitimate ones.

5. Using secure explorers and wallets will have features to flag or filter malicious transactions and addresses, providing an additional layer of security in identifying potentially harmful activities.

What Can The Wallets And Exchanges Do To Prevent?

• Implement mechanisms to flag or filter transfer events with a value of 0. Additionally, consider the potential for exploitation in non-ERC-20 transfer events, such as NFT transactions and staking activities.
• Utilize address mask collision detection to identify addresses that exhibit similarities, suggesting they were not generated randomly. This might involve analyzing the first and last characters of addresses to spot patterns indicative of malicious intent.
• When shortening addresses for user convenience, include more characters on each side (e.g., 0x987654…123456) to hinder the mass generation of vanity addresses, which scammers often exploit.
• Send user alerts when they initiate transfers to new or unknown addresses. This warning can help users exercise caution and verify the destination address.

Final words

As you navigate the exciting but potentially risky waters of Web3, remember that vigilance and informed decision-making are your potent weapons against scams. 

QuillAudits, a trusted name in the Web3 realm, stand with you in securing your web3 journey. 

With our top-tier web3 security services, cutting-edge tools, and real-time scam updates by your side, sailing across Web3 is not just Secure but Unstoppable.