Topic: Watch out for this NEW TransferFrom Zero Transfer Scam! (Read 388 times)

Just a quick update

I came across an article where Metamask team also addressed this issue discussed in this thread that hackers are using zero value transactions to scam us and they have made an update to prevent this

https://coingape.com/crypto-news-etherscan-feature-stop-address-poisoning-attacks/

finally all these scammy/spammy zero value transaction will be not visible by deafult

we have talked mainly about TRON (TRC20) transactions but from what I have read ERC20 can also be vulnerable, so watch out.

if you check OP again you will see screens and there warning messages in TronScan explorer, I will forward them for you here.

https://tronscan.org/#/transaction/c9362f62af918f6197d15301de5277ff733d7b9a3f06dfa0919271bd15bea1d8

https://tronscan.org/#/transaction/71f021d17154a7a476597854d1bcf0af192da2b040cdf56bcbffa1ae38b66bd6

There are clickable links in both warning messages with more info about these scams:

https://slowmist.medium.com/slowmist-be-wary-of-the-transferfrom-zero-transfer-scam-c64ba0e3bc4d

Apologize for replying a 3 week inactive thread, I just got here after reading some thread on Wallet Software board^[1], from a confused user for a zero amount transfer.

Quoting this message and checked the bscscan and etherscan explorer doesn't have such warning on the transaction page but just labeled the wallet address "Fake_PhishingXXXX" X = number, which i guess is not enough and should have a warning text as well.

---

Well, for the past several years of making crypto transactions, never been i tried to use past transaction and copy there the wallet address im trying to send with. Mostly i go to the platform say exchange, copy the deposit wallet address, paste it on the wallet and check if it's correct before sending it. Because i feel like im always going to a different mode ^{(crypto sending mode)} when im trying to send payments with crypto, because i always thought that there's no room for mistakes when making crypto transactions, else, goodbye to your coins.

[1] https://bitcointalk.org/index.php?topic=5433063.new#new

Do people also never triple check bank account (or credit card) characters when spending or transferring money somewhere?  Does nobody check the amount before sending to make sure they are not sending 10 times the amount by accident?  Do they not check if the change they received at the shop is correct?  I can not wrap my head around this.  If they triple check bank account transfer details multiple times, why not check a Bitcoin transfer worth a freaking luxury car!

For large BTC transfers I check the address like 5 to 10 times just to make sure.  If my Wallet asks me to confirm afterwards, I check it multiple times AGAIN.  Because look what can happen!  All of this can be avoided by just following one (and one of the most important) step.  Check the address before you send.  Correct?

-
Regards,
PrivacyG

this is also beyond my comprehension. I try to justify him by saying that he was probably an inexperienced user, don't know haven't read his full story.


you are right I will add "edited" next time

EDITED

I call it laziness because "I don't have 30 seconds to double-and-triple-check a $100k tx" sounds like laziness. Not saving the request for payment to a certain address (essentially part of your contract with the other party) is also asking for trouble for other reasons, e.g. if you get accused of scamming and you have no record of being asked to send money to that address. This is all either a made up story, or you are really so negligent in your dealings, not sure which is worse.


Not possible if you edit while I'm typing and don't even add a note that you edited something.

because we are humans and we all do mistakes, this is what they count for

but as I have written earlier I fill like kicking with horse discussing with you this matter


I gave you few real live examples when this is hard or even impossible to confirm address with the source and you keep persisting this is all users fault, that we are lazy, etc

Not always is possible to get the other party to confirm address, especially if that matter was discussed at start of cooperation and addresses where set in stone, then one checks them in the wallet if there is no other place he save it, not from laziness only because we have to do it at this particular time

we should be careful when sending transactions, now even more, always check them with the source, there also should be no wars and hunger in ideal world but we don't live in such place, here where we are is full of scammers that only wait for us to do mistake


please use final (edited) version of my posts when you quote me, if possible

EDITED

If the wallet/explorer had the wrong address to begin with, and you're comparing it to another address from the explorer/wallet, then you obviously have a problem, don't you really see it? What if the other address is wrong too? Do you take three and conduct a vote?

You need to get the address from the original source. If it's an exchange/casino/etc - from the deposit page (some sites will also e-mail it to you as an additional precaution against clipboard malware - make sure to cross-check it on different devices), if it's for a purchase - from the checkout page (verify against QR if there is one), if it's from a person - use the original PM/e-mail/whichever way they communicated it to you, if it's some sort of public address like for a donation - get it from the official source, and so on.


That's how people get scammed, one is too lazy to provide the address, the other one is too lazy to verify it.

Not to mention this goes against best practices of not reusing addresses. If you generate a new address for every TX then you'd avoid the issue altogether. Unfortunately it seems that most custodial sites don't have that option.


None of it matters. Even if you insist on using your NON-WEB wallet (should never use an explorer or an online wallet or any other third party sites) to copy the address, you should still know that you didn't make the 0 transfer so why would you copy that address.

I would never remember which tx went to whom anyway, so if someone said "just use the same address as last time" I wouldn't be looking in my wallet, I'd be looking back to where that person gave me the address, and would ask to resend it if I can't find it. An alternative is to label addresses in the wallet if it has that feature, this might work too.

As I said in the other thread, I couldn't believe that many people would do this (copy-paste from explorer) predictably enough to get scammed, but apparently they do, and now you keep arguing that it's the only way. It really isn't.

sure you are right I will add it in opening post


I thought it is clear that one needs to check address very carefully and of course it needs to be an trusted source to compare with

but what could be better as our wallet? or explorers we all use to confirm and check transactions? what left?

only direct contact with the other party and confirming the address, usually if we need to send multiple transactions during longer period of time one checks his wallet and use old once already used/confirmed at the start of cooperation, TBH i don't know any other way, if you do please tell me?

many times when I confirm address I hear: "send me to the previous addy, use the one we used lately/last time, etc" not always they are able to check it on the go, the only way then is to go to your wallet or explorer and here we are now on the minefield of 0value transactions

these transactions are sent immediately after wallet receives any incoming transaction, additionally majority of wallets, exchanges, show only few first and last  numbers, this is common as behavior to check also only few of them (I am the best example) so yes we need to change a lot as we see, and for sure we as community should start to make noise about this.

We should help each other to write great, informative content and warn others - not argue about this or look for possibility to undermine the importance due to personal conflicts.

I'm not implying anything, just making an observation on your OP and providing a quote that led me to said observation. If you think it's not acceptable to copy from past transactions and/or users should go to the actual destination to get the address - then perhaps you should state so in the OP.

Also you're saying "check addresses very carefully" and "check it fully" but what are you checking the address against? Presumably some known good/trusted source? So why not use that to begin with?

Of course, no objections there. Knowledge is power. The more information is out there, the more people will know about it.

If a user sends money to the wrong address, of course it's the user's fault because they didn't check the address properly. If a user copies and sends to an address without checking the entire address, it's again the user's fault.

I am sorry but I can only repeat what I already said. There are no second chances in crypto. If you are in a hurry and you make a mistake, that's it. You will get your coins back only if the other party is honest and sends them back, which is out of the question for scammers. Take your time and verify the receiving address thoroughly, no exceptions. There is a saying: "It's better to be safe than sorry". 

That's got nothing to do with the topic of discussion. Your thread isn't about best practices of how to use crypto ATMs. It's about people copying similar addresses from blockchain explorers or transaction histories (for whatever reason) and failing to verify if they have copied the correct address or not. Initiating a transaction the proper way keeps you safe from this threat. That means accessing your wallet software/exchange, copying the address from there, verifying you have the correct one, pasting it wherever it needs to be pasted, and again checking to see if the same address got pasted. Not following the correct procedures can get you into trouble as is evident from the users that got tricked by this. 

This is totally not true what you are implying here.


My goal was to get the attention of others, I haven't thought about "fearmongering" anybody

For sure undermining importance of this scam and blaming users that are victim is at least odd


for me is clear that you never send many transactions, day after day, when you have to do it multiple times P2P or in not friendly environment were is easy to get distracted, and that you will keep diluting anything I write about this scam, this is why I feel like kicking with a horse and want to end this conversation, from other side our discussion keep this thread on top of this board, so is seen by many more users each hour (which is my goal) so keep it rolling

That's just one possible attack vector that will likely get patched out, and possibly even create false sense of security for some users who instead of being advised to change their behavior (like copying addresses from wrong sources) were told that big bad scammers could initiate transactions and now they can't anymore so all is good.

Not only do you fail to give proper advice (e.g. copy the address only from the actual destination, like an exchange you're sending money to) but you're making it sound that it is acceptable to just copy it from past transactions.


It's a horrible practice. Don't do that.


The user has to take multiple actions (fail to notice the difference in the address, copy/paste the wrong address, fill in the amount, click a button to send, possibly click some confirmation) to get scammed. It's like copying a random address from a spam e-mail and sending money to it. Makes no sense. People who fall for that would for just about anything, so what good does it do to confuse them with claims like "scammers can initiate transactions from your wallet"?

Anyway, it's obvious you think fearmongering is the way to go, so carry on. It's a shame as it would be likely be more effective to direct your effort to the root cause.

the only person that undermine importance of this "non existed thread" is you @suchmoon

explain that to ordinary people when they see this in their wallets



and to the user that lost 100K that talking about "non-existent threat" is not important

ok @suchmoon wish you a nice day further, as always happy you join my threads

None of what you said has anything to do with scammers initiating transactions from your wallet. That simply doesn't happen if you keep your keys safe.

With this issue, users don't need to worry about scammers stealing their funds without their consent. They need to worry about voluntarily sending funds to a wrong address, regardless of whether they were targeted by a zero token transfer, a phishing e-mail, or any other distraction.


I don't see how fearmongering with a non-existent threat is helping here.

You're diluting the issue by insisting that the problem is elsewhere: "users blindly copying addresses from untrusted sources".

Sending crypto transactions was never easy and that was/is always the first obstacle for any new  crypto user, especially today with so many chains, contracts, bridges this is even more advanced task

looks like you don't know how hard sending transactions in real life is? Have you ever done ATM withdrawal, have you ever dealt P2P?

if not then believe me you can be distracted and such scam transactions in our wallets, despite sent or not doesn't help, even more, they are there on purpose as you know because scammers are really clever and take advantage on our bad behavior

Real life example

by ATM withdrawal from known service, one receives QR code to scan the address where to send crypto, of course when one scan it see something like LTC33KS4f948484kfjjf8988:300$ depends on amount and crypto of choice it can be even more complicated, of course whiteout indication which chain to use!!! then one need to manually delete what is not correct, and paste where it needs to be pasted, of course don't know that from start, one think have the correct address, all starts when try to send it and see message :"address not correct" or something similar, immediately start to be nervous, if we add that one is on phone, need to check addresses, explorers back and forth, there are many things that can go wrong even in peaceful environment, where one is super focused, don't mention small local store, when there is 40 degrees outside...

I need to add that scanned address from QR code is not visible right away, it needs to be pasted somewhere like notepad to be able to decipher it, when copy pasted into tiny place in some wallet withdrawal tab all one see is bunch of numbers and later message "wrong address" when hit send

believe me experienced user that have done transactions multiple times on many chains, using all kinds of bridges and wrapped coins, have hard time to figure everything out and do that correctly,  this is only one simple example where such fake 0 value transactions in our wallets are like ticking bomb and are placed there exactly for that purpose

Maybe I am diluting the issue and partially i am doing that on purpose as I have told few times only for one reason to make it sound more alarming, but saying that this is only because "users blindly copying addresses from untrusted sources" is also "diluted"

You're diluting the issue by insisting that scammers somehow initiate transactions. They don't. Only someone who has the keys can do so. Shoddily coded wallets and/or explorers and/or token contracts don't change how the blockchain works. The issue is elsewhere - users blindly copying addresses from untrusted sources. Even if zero transfers are patched out of explorers/wallets/contracts/etc, scammers fill find other ways to take advantage of lazy users as long as they keep falling for stupid shit like that. For example by sending perfectly valid 1 sat (or whatever the dust unit is in shitcoins) transactions to the target's wallet.

In my opinion we need to share this as much possible to warn people, even experienced users make mistakes when send transactions, I am the best example, so this scam is not so stupid and takes advantage of that. As we can see they already succeed and scammed for sure many people one of them reported 100K lost to this.

Despite we call that trick, or attack that don't deserve to be called like that, is not important, let's call it simply what it is - SCAM.
People loose money all the time, even as we speak and I am really surprised to see some opinions that this is our fault that we don't check addresses very carefully.

there are many situations in real life when yes, indeed you are in hurry or make simple error and copy paste one of many scam addresses that are targeting every incoming transaction in wallet. They count exactly on that one small mistake we all can do because we are humans, don't forget that few first and last numbers match the correct address. This is why this scam is so brilliant and as we see effective, despite is not the most sophisticated one.


Yes scammers can send only ZERO VALUE transactions from our wallets and this is already added in my post. When I check TRON explorer and incoming transactions, I see that this TransferFrom Zero Transfer Scam is executed on multiple transactions.

Few days ago it was visible but I need some time to find them, today I had no problem finding them in the flow of newly sent transactions, literally every third of fourth was marked with warning message, looks like this keeps spreading, they are gaining momentum.

I hope that this is enough for developers to look at that, if they could implement such update that at least will hide/remove/mark such a ZERO VALUE transactions properly, that could resolve that problem at least to to some extend.

What is important to remember with this type of attack (if it even deserves to be called that) is that no one can steal your coins and tokens from you. This only works if a user makes several mistakes when sending Tron or Tron-related tokens.

- If you checked and verified the entire address that you want to send funds to, this fraudulent trick wouldn't work because you would notice the different characters.
- If you copy the addresses you send coins to from a blockchain explorer or your transaction history without verifying them properly, it's your own fault that you got scammed.
- Take the time to check your addresses properly and don't take shortcuts because you are lazy or in a hurry. And if you do, be ready to face the consequences.   

They can initiate TransferFrom function of the token contract that does not require approval only if the transaction amount is zero. Read the documentation on how the TransferFrom function works. All networks with smart contract functionality are susceptible to this type of "attack". So suchmoon is right. This can be toned down—it's nothing new.

No one can steal anything from your wallet using this method without you making a stupid mistake (such as copying the recipient's address from blockchain explorer). It's basically the same as fake airdrops.