Scammers consistently invent new tactics to manipulate and defraud cryptocurrency enthusiasts. Early this year, we highlighted an emerging threat that preyed on unsuspecting victims who make rushed transactions. Known as “Address Poisoning”, the orchestrators behind that phishing technique swindled victims off millions of dollars worth of crypto.

The zero-value token transfer attack is a phishing technique that leverages the same psychological factors exploited in address poisoning scams by adding a layer of intricacy to the attack. This aids in the deception of the more cautious crypto user.

According to data from Dune.com, scammers launched more than 5.2 million attacks of the same technique. Some cryptocurrency users were hit with dozens of zero-value transactions prior to falling victim and losing significant amounts of funds.

What is a Zero-Value Token Transfer?

The zero-value token transfer attack is a type of scam that targets users of the Ethereum blockchain, specifically those who are involved in transferring tokens in haste to addresses they have previously interacted with. Ethereum is a blockchain platform that enables the creation and execution of smart contracts and decentralized applications. 

In this attack, the attacker leverages the fact that Ethereum addresses are represented as hexadecimal strings and consist of 40 characters. When humans see Ethereum addresses, they often focus on the first and the last few characters, as the middle characters are typically seen as less significant and harder to memorize. 

For example, an Ethereum address might look like this: 0x742d35Cc6634C0532925a3b844Bc454e4438f44e. In this address, the first few characters are 0x742 and the last few characters are f44e.

Scammers exploit that behavior by creating a vanity Ethereum address that intentionally matches the first and last few characters of an address the potential victim has recently interacted with. This technique is widely known as address spoofing.

What is a vanity address?

It is a cryptocurrency address that is customized or personalized to include specific characters or patterns chosen by the owner, making it easier to remember or aesthetically pleasing.

Vanity addresses are common among legitimate users and have a variety of legitimate purposes. For instance, when creating a vanity Ethereum address, users can specify patterns they want their new custom address to contain. Users typically repeatedly generate addresses using a variety of methods until they are satisfied with the result.

In our case, the fraudsters aim for the vanity Ethereum address they create to fool their potential victims. For example, if the target recently sent tokens to the address 0x742d35Cc6634C0532925a3b844Bc454e4438f44e, the attacker might create an address that starts and ends with 0x742d and 8f44e with the characters in the middle randomized. 

To an unsuspecting user, these addresses might appear very similar due to their matching beginnings and endings. Additionally, many wallet applications and block explorers abbreviate addresses in a way that shows only the first and last few characters of the address.

The Execution

After gathering enough information about their target and creating a fake address for their scam, the scammers move on to the next step: associating the spoofed address with the customer’s wallet.

This differs from address poisoning schemes where scammers flood the victim’s transaction history with numerous low-value transactions, hoping to confuse the victim into sending money back to the sender of one of the transactions. In this case, the attackers take a more convincing approach. They initiate a transaction of zero value directly from the customer’s wallet, earning it the name “zero-value token transfer attack.”

To accomplish this, the scammers employ the “transferFrom” function, a feature found in Ethereum-based smart contracts. This function typically allows one account (the “transaction initiator”) to transfer a specified number of tokens from another account (the “owner”) to a third account (the “receiver”). Normally, this transaction requires approval from the owner before it’s executed, unless the transaction has zero value.

The scammers exploit this exception by initiating zero-value transactions from their potential victim’s wallet, designating their spoofed wallet address as the receiver. This action creates a transaction history that appears as though the victim has interacted with the scammers’ wallet, making it resemble a previous interaction the victim might have had with a similar-looking wallet.

If the cryptocurrency user takes the bait and decides to utilize one of the phishing entries in their transaction history to send money, they unwittingly become victims by sending their funds directly to the scammer.

Real-World Example of a Costly Mistake

Let’s take a closer look at a real-world scenario involving a victim who unwittingly became a target of the zero-value token transfer attack. Using QLUE^TM, the blockchain analytics investigation tool by Blockchain Intelligence Group, we take a closer look at one successful scam of that type and reveal how deceptive these scams can be.

At 5:54 AM, on April 1, 2023, on a seemingly ordinary morning, an individual involved in cryptocurrency transactions decided to send 350,000 USDT (US $350,000) to Ethereum address, “0xeb40342d42967a70066efdb498c69fd8b184683d.” This transfer was meant to be a straightforward transaction to a trusted recipient.

Little did they know that their actions had set the stage for a meticulously planned deception. At 5:55 AM, just a minute after the initial transfer, a zero-value token transfer was executed from the victim’s own wallet. The recipient? A seemingly similar address, “0xeb40342d0f7a5a0aacefbb9a32c9d2e22184683d.” The first ten characters and the last seven characters of this address bore an uncanny resemblance to the original recipient address.

Days later, the victim overlooked the subtle differences in the addresses and made a costly mistake. They sent an additional 850,000 USDT (US $850,000) to what they believed was the same recipient address, “0xeb40342d0f7a5a0aacefbb9a32c9d2e22184683d.” The money landed directly into the hands of the fraudsters.

QLUE^TM graph: zero-value transfer attack victim losing 850,000 USDT to scam

The scammers continued to move the stolen funds on multiple stages, transferring some to different chains, and swapping the USDT tokens to ETH. The majority of the stolen funds eventually ended up in exchanges.

QLUE^TM graph: tracing the stolen funds and their deposit in exchanges.

To avoid falling victim to this type of attack, Ethereum users should pay close attention to the entire address, not just the first and last few characters. They should also verify the authenticity of the sender through multiple means, such as cross-referencing the address with official communication channels or services.

Need QLUE^TM to solve sophisticated cryptocurrency investigation cases? Contact us and get access today.