New Ethereum Token Scam on Telegram Drains User Crypto Wallets without Transaction Approvals
Summary:
A new scam on Telegram targets crypto users holding tokens compliant with the ERC-2612 standard, extracting funds without transaction approval. The scam involves convincing users to sign a deceptive message, allowing attackers to gain access to funds. Cointelegraph received a report from a victim who lost $600 worth of Open Exchange (OX) tokens. The scam involved a counterfeit version of the Collab.Land Telegram authentication system, and a deceptive site mimicking Collab.Land's signature token transfer process. The crypto community has been alerted to the scamming method.
A novel scam exploiting Telegram has surfaced, allowing the fraudster to deplete the cryptocurrency wallet of a target without transaction confirmation as indicated by user accounts and corresponding blockchain data. The scam takes advantage of tokens adhering to the ERC-2612 token model, which permits transfers not necessitating Ether (ETH). While the user's transaction approval isn't needed, it seems the scam relies on duping users into endorsing a message. Given the growing numbers of tokens adopting the ERC-2612 model, these kinds of attacks could become more common.
Cointelegraph received an account from an individual who lost over $600 in Open Exchange (OX) tokens. The victim believed he was in the official Telegram group for token creator OPNX, but fell prey to a phishing con. While in the group, he was directed to click a button that would link his wallet as a non-bot proof. This action opened a browser window and he connected his wallet with the belief that it posed no threat to his assets. Despite this, his OX tokens were emptied in a matter of minutes. The victim insisted he had not consented to any transactions, though his funds were stolen.
Cointelegraph investigated the Telegram group, finding a counterfeit version of the Collab.Land Telegram authentication system. The official system messages from the Telegram channel @collablandbot. The imitation installed in the group used @colIablandbot which represents the malfeasance of replacing the second lowercase 'l' with an uppercase 'I', causing them to look alike due to the font Telegram utilizes for its usernames.
Additionally, the authentic "connect wallet" command on original Collab.Land messages re-directs users to connect.collab.info without any hyphens, whereas the fraudulent version guides users to connect-collab.info, replacing a period with a hyphen.
Analysis of blockchain information shows that the scammer emptied the funds by invoking the "transferFrom" operation on the OX token contract, which can typically only be done by a third party if the holder firstly calls "approve" via a separate transaction with set spending limits. No indication of such approval from the victim was found in the blockchain data.
Just over an hour and a half before the transfer, the scammer used the "Permit" function on the OX token contract, designating itself as the "spender" and the victim's account as the "owner". It established a large number of tokens that could be transferred and set a "deadline" for the permit expiration.
The "Permit" function procedure allowed the fraudster to exhume the funds without coaxing the holder into a standard token approval though it means the owner was fooled into signing a message. Presented with this evidence, the victim affirmed that he unwittingly acknowledged an "additional signing dialogue" when initially connecting to the site.
The Permit function is a fresh feature of some token contracts, following the ERC-2612 model that facilitates wallet transactions devoid of any ETH. Web3 developer OpenZeppelin elaborates that the allowance of ERC20 can be altered via the account holder's signed message instead of the IERC20.approve function, removing the need for the account to send a transaction or hold Ether.
While useful for creating user-friendly wallets solely containing stablecoins, it can also be manipulated by scammers to dupe users into inadvertently giving access to their assets. Thus, Web3 users must stay vigilant, realizing that their funds could be drained without transaction approval, if a scammer deceives them into signing a message.
After Cointelegraph reached out to the Collab.Land team, they confirmed the bot and website implicated in this scam fraud are not affiliated with the authentic Collab.Land protocol. Upon being informed of the deception, the project developers reported the hoax to Telegram.
Published At
2/23/2024 10:00:00 AM
Disclaimer: Algoine does not endorse any content or product on this page. Readers should conduct their own research before taking any actions related to the asset, company, or any information in this article and assume full responsibility for their decisions. This article should not be considered as investment advice. Our news is prepared with AI support.
Do you suspect this content may be misleading, incomplete, or inappropriate in any way, requiring modification or removal?
We appreciate your report.