SlowMist, in collaboration with imToken, has uncovered a new breed of cryptocurrency scam that targets users in physical offline transactions, utilizing USDT as the mode of payment.
This fraudulent scheme operates by tampering with Ethereum node Remote Procedure Calls (RPC) to defraud unsuspecting victims.
Initially, the scammer persuades the target to download the legitimate imToken wallet and fosters trust by transferring 1 USDT and a small amount of ETH as bait.
Subsequently, the scammer instructs the user to redirect their ETH RPC URL to a node controlled by the former, particularly using the modified node. Through this manipulation, the bad actor then falsifies the user’s USDT balance to make it seem as though funds have been deposited.
However, when the user attempts to transfer out the USDT, they discover they’ve already been deceived. But, by then, the scammer has disappeared without a trace, according to SlowMist’s findings.
The blockchain security firm also revealed that Tenderly’s Fork feature is not only capable of modifying balances but also contract information thereby posing an even graver threat to users.
As such, understanding RPC is crucial in comprehending the mechanism of such scams, SlowMist observed. RPC serves as a medium to interact with blockchain networks, enabling users to perform various actions such as checking balances and creating transactions. Typically, wallets connect to secure nodes by default, but connecting to untrusted nodes can lead to malicious modifications, resulting in financial losses.
Further analysis by MistTrack revealed the depth of the scam’s operations. Investigation into a known victim’s wallet address (0x9a7…Ce4) shows that they received 1 USDT and 0.002 ETH from another address (0x4df…54b).
This address, in turn, has transferred 1 USDT to multiple addresses, indicating repeated fraudulent activities. These addresses are flagged as “Pig Butchering Scammers” by MistTrack, and are associated with various trading platforms, and implicated in multiple scam incidents.