Topic: Someone sent ERC20 from my cold storage (Read 287 times)
Be aware of the scammers who send tokens to the wallet, usually they include the URL and then ask us to connect to the wallet so that when we connect then they have gotten our private key, the best step is to immediately move assets to other wallets if they have already connected to websites that we don't know .
Yes I didn’t know that you could make transactions from any address as long as it’s 0 and make it appear like a legit transaction.
Either way the nonce is not needed to do this apparently because the nonce is skipped with the 0 erc20 transaction. Why they did this who knows. Maybe for some smart contract feature. Either way it provided a huge scare to see it come out from my cold storage wallet.
Either way the nonce is not needed to do this apparently because the nonce is skipped with the 0 erc20 transaction. Why they did this who knows. Maybe for some smart contract feature. Either way it provided a huge scare to see it come out from my cold storage wallet.
I lost by this vulnerability 100000 dollars.
https://bitcointalksearch.org/topic/i-got-scammed-out-of-100000-dollars-by-fake-0-dollars-withdrawal-on-bsc-5425022
https://bitcointalksearch.org/topic/i-got-scammed-out-of-100000-dollars-by-fake-0-dollars-withdrawal-on-bsc-5425022
This transaction is suspicious and after reading some replies, I there are some scams like this. The wallet address is actually different, but they have the beginning and also last characters that are similar. Can someone copy and make quite a similar wallet address? If this is available, well, I am a little bit worried because commonly, we will only focus on some first and last characters of our wallet. We may also not focus on correcting all characters on the wallet, right? So, when we are seeing the transaction, we can copy and paste again the wallet address and search for the replacement or find a tool to ensure that the wallet is exactly the same or not. But, exactly, if we are not careful enough, we will directly think that this is our transaction in a similar wallet and we may panic about the situation certainly.
Can people transfer money from cold wallet? Without having them? Isnt it the main purpose of Cold Wallets to keep assets safe?
Mate, cold wallets are safe, there is no need for panic, and it is good that you saw such a topic in order to know this trick that the scammer did so that you and everyone else do not fall victim to it, we just have to focus and take some time and not copy the addresses of the wallets that we received from or sent to from the transaction history, because most likely there will be a scammer’s wallet that we will think is a safe wallet to transfer our funds to and it is not, so we have to carefully copy the deposit wallets from the exchange platforms or from the person to whom the funds are to be transferred, with careful focus, without resorting to the transaction history, because the scammer takes advantage of the victim's inattention and lack of focus in order for the victim to copy his wallet address which is similar to the addresses of the victim's wallet in the transaction history. 
Can people transfer money from cold wallet? Without having them? Isnt it the main purpose of Cold Wallets to keep assets safe?
No they can't , luckily.
Thread title is a bit misleading, if you read carefully opening post you first line says :
This is not my address but its a similar transaction.
Basically attackers create and use very similar addresses to the ones the victim of the attack is sending money to , so that a "malicious" address is stored in tx history of the victim : if the victim doesn't doublecheck carefully every address they are sendin money to but lazily copy them from theiy TX history they risk to lose their funds.
Can people transfer money from cold wallet? Without having them? Isnt it the main purpose of Cold Wallets to keep assets safe?
It is a bug, not an exploit, for sure it shouldn't be an intended implication of the developer's intent. This also should not be on purpose. Allowing a transaction to be accepted without user consent seriously harms the ecosystem. In the first place, things like this should be considered if they are aware of the current flawed implementation occurrence. Thus it makes no sense if the smart contract developers were allowing this to happen.
Of course they knew, they were the ones who created this backdoor and vulnerability in the first place. Read the code, they made the code that accepts transactions without signature of the owner of the address. Without private keys. Other crypto like BTC or XRP don't have this backdoor.
Honestly, I give the benefit of the doubt to the developers. By mean developer the initial development made by the OpenZeppelin dev, do note that as an ecosystem everyone who comprehends code can see the implication of this flawed code, but, nobody bats an eye until this flaw mechanism is being used by a scammer. The code is also used by another developer, the one who made the smart contract implementation which used the OpenZeppelin library. Though it is indeed concerning when many developers allowed this to happen, I wonder what is their reasoning.
Nothing new to me. I’ve received such scam tokens deposited into my multiple wallets (even cold storage) and I just simply ignored them. But back then, I could have almost fallen victim but good thing I took time to research and doing my due diligence.
You just simply do not claim them nor touching it. Just leave it as it is and nothing happens.
You just simply do not claim them nor touching it. Just leave it as it is and nothing happens.
This is the opposite. Token are moved FROM you wallet, not to your wallet. It's 0 tokens though.
Nothing new to me. I’ve received such scam tokens deposited into my multiple wallets (even cold storage) and I just simply ignored them. But back then, I could have almost fallen victim but good thing I took time to research and doing my due diligence.
You just simply do not claim them nor touching it. Just leave it as it is and nothing happens.
You just simply do not claim them nor touching it. Just leave it as it is and nothing happens.
It is a bug, not an exploit, for sure it shouldn't be an intended implication of the developer's intent. This also should not be on purpose. Allowing a transaction to be accepted without user consent seriously harms the ecosystem. In the first place, things like this should be considered if they are aware of the current flawed implementation occurrence. Thus it makes no sense if the smart contract developers were allowing this to happen.
Of course they knew, they were the ones who created this backdoor and vulnerability in the first place. Read the code, they made the code that accepts transactions without signature of the owner of the address. Without private keys. Other crypto like BTC or XRP don't have this backdoor.
This scam is different because it makes it seem like the token transfer came out of your wallet. At first you think your seed is compromised however when you look closer it seems like its some exploit, which it is.
It is not exploit, it is a feature implemented by ETH devs, also copied to BSC. This was created on purpose, Ethereum virtual machine is coded to accept transactions from your wallet without private keys. Absolutely anyone can send any tokens from any wallet, as long it's 0.
It is a bug, not an exploit, for sure it shouldn't be an intended implication of the developer's intent. This also should not be on purpose. Allowing a transaction to be accepted without user consent seriously harms the ecosystem. In the first place, things like this should be considered if they are aware of the current flawed implementation occurrence. Thus it makes no sense if the smart contract developers were allowing this to happen.
This scam is different because it makes it seem like the token transfer came out of your wallet. At first you think your seed is compromised however when you look closer it seems like its some exploit, which it is.
It is not exploit, it is a feature implemented by ETH devs, also copied to BSC. This was created on purpose, Ethereum virtual machine is coded to accept transactions from your wallet without private keys. Absolutely anyone can send any tokens from any wallet, as long it's 0.
Unique way how to scam us by sending 0 USDT, but this first cases I heard because last week my friend update received 0 USDT amount but with BSC chain network not ERC20. I can't explain yet how this possibility happen, have different label fake USDT and real USDT or not? Still looking for with scammer how exploit our main wallet by sending fake USDT with 0 amount, actually have different contract with real stable coins with fake stable coin and right now scammer one step forward with their smart ideas how to scam us.
it's similar case but on BSC network Binance smart chain and 0 dollars transactions attack
transactions https://bscscan.com/tx/0x8af45041085d513da6c5acb06bc82acf108ccc08d7ae3a2b7dbe4671c2d75d70
transactions https://bscscan.com/tx/0x8af45041085d513da6c5acb06bc82acf108ccc08d7ae3a2b7dbe4671c2d75d70
I wonder how they did this that's why it feels strange when my wallet received some shit tokens and I ended up not using it anymore cause I've been using my BSC wallet on NFT games and others back then. It might be the same reason they got my wallet address and decided to send me those traps. They are really getting updated with their scams as well and if we don't read and learn from here, we might end up falling into their trap one day.
Getting scam tokens depossited into your wallet is nothing knew. Its been going on for years. Basically they deposit some fake token like USDT Coin and give you like 1,000,000 tokens and they list some scam website, in the same website you can exchange 1,000,000 of the token for $1,000,000 but the trick is to get your private key, this is obviously an old scam and not the same.
This scam is different because it makes it seem like the token transfer came out of your wallet. At first you think your seed is compromised however when you look closer it seems like its some exploit, which it is.
If this is just an old way to scam you then better not to look at it, or ignore it because many says if you make transaction about that specific token, then your details will be corrupted and you’ll get hacked.
Those who do it know what they want to achieve and it is something that will not favour the wallet owner. I have noticed similar thing in my trust wallet and it used to scare me until I understood that since am not claiming the suspicious tokens nothing bad happens to my wallet. I have learned to just ignore it whenever I notice it nowadays. Criminals everywhere online seeking who to swallow.
I saw the same events just as what happened to you and to my surprise:
That's already a lot if they've gained this much by doing this. I think to have a better exposure to this type of attack, the crypto news media should have their initiative to have it covered in their articles especially the most popular ones.
Crazy how so far they gained almost $2M cheating people this way.
That's already a lot if they've gained this much by doing this. I think to have a better exposure to this type of attack, the crypto news media should have their initiative to have it covered in their articles especially the most popular ones.
it's similar case but on BSC network Binance smart chain and 0 dollars transactions attack
transactions https://bscscan.com/tx/0x8af45041085d513da6c5acb06bc82acf108ccc08d7ae3a2b7dbe4671c2d75d70
transactions https://bscscan.com/tx/0x8af45041085d513da6c5acb06bc82acf108ccc08d7ae3a2b7dbe4671c2d75d70
I wonder how they did this that's why it feels strange when my wallet received some shit tokens and I ended up not using it anymore cause I've been using my BSC wallet on NFT games and others back then. It might be the same reason they got my wallet address and decided to send me those traps. They are really getting updated with their scams as well and if we don't read and learn from here, we might end up falling into their trap one day.
Thanks for posting that article. It all makes sense now.
I am really surprised that etherscan makes the transaction appear out of my wallet. And I also found it very odd that the destination address of mine was very similar with the first and last characters identical.
Crazy how so far they gained almost $2M cheating people this way.
I am really surprised that etherscan makes the transaction appear out of my wallet. And I also found it very odd that the destination address of mine was very similar with the first and last characters identical.
Crazy how so far they gained almost $2M cheating people this way.
Anyone know why they are doing this? Seems to be wasting fees. Is it just an etherscan bug?
As Ratimov posted link stated. That is for preparation to make you make a mistake if somehow you copy-pasted an address from your history. If you don't copy-paste an address from your transaction history, then you are safe.
So this is like creating an opportunity for the sender to make a mistake and send the amount to the address that is created specifically for this attack.
So to avoid being a victim of this Address Poisoning Attack,
Make sure you don't copy the address from your transaction history.
Jump to: