A phishing scammer recently nabbed $20 million in USDT from an unsuspecting victim using a zero transfer phishing attack, reported blockchain security firm PeckShield on Tuesday.
The stolen funds were frozen in short order by Tether – the issuer behind USDT – raising questions about who the victim was, given the speed of the response.
The Zero Transfer Phishing Attack
Days earlier, the victim had received 10 million USDT from Binance and had sent those funds on to the intended address. At the time of that transfer, however, the scammer conducted a zero-value token transfer from the victim’s address to their phishing address.
#PeckShieldAlert A #ZeroTransfer scammer grabbed 20M $USDT from 0x4071…9Cbc.
Intended Address: 0xa7B4BAC8f0f9692e56750aEFB5f6cB5516E90570
Phishing Address: 0xa7Bf48749D2E4aA29e3209879956b9bAa9E90570
#Tether $USDT has already added the scammer’s address 0xa7bf…0570 to the… pic.twitter.com/Y0APPTxIrT
— PeckShieldAlert (@PeckShieldAlert) August 1, 2023
As explained by Coinbase in a February blog post, scammers started developing smart contracts in November 2022 designed to create spoofed zero-value transactions from a victim’s address to a scammer’s, the latter of which is designed to look much like one of the victim’s actual addresses.
Since the transfers have zero value, they do not require a signature from the victim’s private key to execute. Though this transfer itself cannot steal funds, it can fool victims into later sending real funds to the spoof address – especially if the user relies on their transaction history to pick addresses they have previously sent funds to.
Users often don’t check every character of the address they send coins to, instead only checking the first and last characters, making them more vulnerable to such a scam.
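The poisoning pattern described above (a zero-value transfer to an address that copies the first and last characters of a legitimate one) can be flagged mechanically. The following Python is an added example, not PeckShield's or any wallet's code: it scans a constructed transfer history for zero-value outflows to look-alikes of trusted addresses. The intended and phishing addresses are taken from the tweet above; the victim address is a constructed placeholder and the matching thresholds are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    sender: str
    recipient: str
    value: int  # token base units; zero-value transfers are the poisoning signal


def _hex(addr: str) -> str:
    """Normalise to the lowercase 40-hex-char body, dropping any 0x prefix."""
    body = addr[2:] if addr.lower().startswith("0x") else addr
    if len(body) != 40 or any(c not in "0123456789abcdef" for c in body.lower()):
        raise ValueError(f"not an Ethereum address: {addr}")
    return body.lower()


def shared_edges(a: str, b: str) -> tuple[int, int]:
    """Count how many leading and trailing hex characters two addresses share."""
    x, y = _hex(a), _hex(b)
    lead = next((i for i, (p, q) in enumerate(zip(x, y)) if p != q), 40)
    trail = next((i for i, (p, q) in enumerate(zip(x[::-1], y[::-1])) if p != q), 40)
    return lead, trail


def is_lookalike(candidate: str, trusted: str, min_lead: int = 3, min_trail: int = 4) -> bool:
    """True when candidate mimics the visible edges of trusted but is a different address.
    The thresholds are assumed values chosen to match typical truncated wallet displays."""
    if _hex(candidate) == _hex(trusted):
        return False
    lead, trail = shared_edges(candidate, trusted)
    return lead >= min_lead and trail >= min_trail


def poisoned_entries(wallet: str, history: list[Transfer], trusted: set[str]) -> list[tuple[str, str]]:
    """Return (suspect, mimicked_trusted) pairs for zero-value outflows that imitate trusted addresses."""
    hits = []
    for t in history:
        # Only zero-value transfers apparently sent by the wallet can be scammer-injected.
        if t.value != 0 or _hex(t.sender) != _hex(wallet):
            continue
        hits.extend((t.recipient, good) for good in sorted(trusted) if is_lookalike(t.recipient, good))
    return hits


# Constructed sample history: the two counterparties are the addresses from the tweet.
VICTIM = "0x" + "11" * 20  # placeholder; the real victim address is truncated in the report
INTENDED = "0xa7B4BAC8f0f9692e56750aEFB5f6cB5516E90570"
PHISHING = "0xa7Bf48749D2E4aA29e3209879956b9bAa9E90570"
HISTORY = [
    Transfer(VICTIM, INTENDED, 10_000_000 * 10**6),  # legitimate 10M USDT send (6 decimals)
    Transfer(VICTIM, PHISHING, 0),                    # scammer-initiated zero-value poison
]
```

Running `poisoned_entries(VICTIM, HISTORY, {INTENDED})` flags the phishing address as a look-alike of the intended one, which is exactly the entry a wallet would want to hide or mark before the user copies a recipient from history.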
Moments after the transfer, Tether froze the USDT held at the scammer’s address by adding the address to its blacklist.
On-chain sleuth ZachXBT, who has investigated and exposed numerous phishing scams in the past, found the speed of the company’s response unusual. “Curious who this would be if it was blacklisted within ~1hr,” he tweeted on Tuesday.
Twitter user 0xG00gly also expressed confusion, saying they “couldn’t remember a single precedent like this where Tether would have acted so quickly.” ZachXBT suggested the transfer might be related to an OTC transaction.
Rival stablecoin issuer Circle has previously frozen transactions connected to the Ethereum privacy mixer Tornado Cash, at the request of the U.S. Treasury Department. Tether did not follow through on a similar freeze.