New Crypto Scam Targets Users with Malicious RPC Node Modification
By: SlowMist Security Team
A new cryptocurrency scam has emerged, targeting users with a deceptive tactic that involves manipulating Ethereum’s Remote Procedure Call (RPC) nodes. The scam, first reported by our partner imToken, typically takes place in offline physical transactions, utilizing USDT as the payment method.
The Scam’s Modus Operandi
The scammers employ a multi-step approach to deceive their victims:
- Gaining Trust: The scammers initially encourage users to download the legitimate imToken wallet. They then offer a small amount of ETH and 1 USDT as bait to gain the user’s trust.
- Redirecting RPC Node: The scammers then guide the user to redirect their ETH RPC address to a malicious node controlled by them (https://rpc.tenderly.co/fork/34ce4192-e929-4e48-a02b-d96180f9f748). This node has been modified using Tenderly’s Fork feature, allowing the scammers to manipulate the user’s USDT balance, making it appear as if the funds have been transferred to their wallet.
- Exploiting Trust: Seeing the manipulated balance, users mistakenly believe the funds have arrived. However, when they attempt to transfer funds to cover the miner’s fee, they realize they have been scammed. By this time, the scammers have vanished.
Understanding RPC and Its Vulnerability
RPC (Remote Procedure Call) is a method used to interact with blockchain networks. It allows users to access network servers and perform actions like checking balances, creating transactions, and interacting with smart contracts. While most wallets connect to secure nodes by default, users who trust third-party nodes can be vulnerable to malicious modifications.
The Danger of Tenderly’s Fork Feature
Tenderly’s Fork feature allows users to modify blockchain states for testing purposes. However, in the hands of scammers, this feature can be used to manipulate user balances and even alter contract information, posing a significant threat.
Chain Analysis with MistTrack
Using our chain tracking tool, MistTrack, we analyzed the wallet address (0x9a7…Ce4) of a known victim. The analysis revealed that the victim received small amounts, 1 USDT and 0.002 ETH, from address (0x4df…54b). Further investigation of address (0x4df…54b) showed that it had transferred 1 USDT to three different addresses, indicating that this address has been used in at least three scams. Tracing the address further revealed its connection to multiple trading platforms and interactions with addresses flagged as "Pig Butchering Scammer" by MistTrack.
The Psychology of the Scam
The success of this scam relies on exploiting users’ psychological vulnerabilities. Users often focus solely on whether funds have arrived in their wallet, overlooking potential risks. Scammers capitalize on this trust and negligence by employing seemingly legitimate actions, such as transferring small amounts of funds, to deceive users.
Staying Safe
To protect yourself from this scam, the SlowMist Security Team recommends:
- Be Vigilant: Always exercise caution when conducting transactions and avoid trusting strangers.
- Verify Information: Double-check all information, especially regarding wallet addresses and transaction details.
- Use Secure Nodes: Ensure your wallet is connected to a trusted and secure RPC node.
- Report Suspicious Activity: Report any suspicious activity to relevant authorities and security platforms.
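One way to act on the "Use Secure Nodes" and "Verify Information" advice is to compare what the wallet's configured RPC node reports against independent nodes before trusting a displayed balance. The following is an added example, not code from SlowMist, imToken or Tenderly; the function names, the reference endpoints you pass in, and the constructed `FAKE` responses are assumptions for illustration.

```python
import json
from urllib.request import Request, urlopen

USDT = "0xdAC17F958D2ee523a2206206994597C13D831ec7"  # USDT contract on Ethereum mainnet
BALANCE_OF = "0x70a08231"  # 4-byte selector of balanceOf(address)

def http_rpc(url, method, params):
    """Default transport: one JSON-RPC call over HTTPS."""
    body = json.dumps({"jsonrpc": "2.0", "id": 1, "method": method, "params": params})
    req = Request(url, data=body.encode(), headers={"Content-Type": "application/json"})
    with urlopen(req, timeout=10) as resp:
        return json.load(resp).get("result")

def usdt_balance(rpc, url, holder):
    """Raw USDT balance (6 decimals) of a 0x-prefixed holder, as the node at url reports it."""
    data = BALANCE_OF + holder[2:].lower().rjust(64, "0")
    return int(rpc(url, "eth_call", [{"to": USDT, "data": data}, "latest"]), 16)

def cross_check(wallet_rpc, reference_rpcs, holder, rpc=http_rpc):
    """Return a list of disagreements between the wallet's node and reference nodes."""
    findings = []
    head = rpc(wallet_rpc, "eth_getBlockByNumber", ["latest", False])
    shown = usdt_balance(rpc, wallet_rpc, holder)
    for ref in reference_rpcs:
        # A forked node stops sharing block hashes with mainnet after the fork point.
        # None can also mean the reference is briefly behind: retry before concluding.
        same = rpc(ref, "eth_getBlockByNumber", [head["number"], False])
        if same is None or same["hash"] != head["hash"]:
            findings.append(f"{ref}: block {head['number']} differs from wallet node")
        real = usdt_balance(rpc, ref, holder)
        if real != shown:
            findings.append(f"{ref}: USDT balance {real / 1e6} vs {shown / 1e6} shown")
    return findings

# Constructed responses for an offline run: "fork" shows 5000 USDT, "ref" shows 1 USDT.
FAKE = {
    "fork": {"eth_getBlockByNumber": {"number": "0x10", "hash": "0xaa"}, "eth_call": hex(5_000_000_000)},
    "ref": {"eth_getBlockByNumber": {"number": "0x10", "hash": "0xbb"}, "eth_call": hex(1_000_000)},
}

def fake_rpc(url, method, params):
    return FAKE[url][method]

if __name__ == "__main__":
    for line in cross_check("fork", ["ref"], "0x" + "11" * 20, rpc=fake_rpc):
        print(line)
```

Any finding means the balance shown in the wallet should not be relied on until the RPC setting is restored to a node you trust.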
Conclusion
This new scam highlights the importance of user awareness and security in the cryptocurrency space. By understanding the tactics employed by scammers and taking proactive measures to protect themselves, users can mitigate the risk of falling victim to such malicious schemes.