StakingMarketRegulationCryptostake ExplainsUncharted
New Crypto “Drainer Token” Scam Empties Wallets Without Owner’s Signature

New crypto scam can drain your crypto wallet in a frighteningly sophisticated way  

A novel scam has emerged, targeting unsuspecting crypto enthusiasts. This deceitful scheme leverages the ERC-2612 token standard, exploiting a "gas-less transfer" feature to drain wallets without requiring the victim's transaction approval. Predominantly spreading through Telegram, the scam ensnares victims by masquerading as legitimate token groups, only to facilitate unauthorized access to their digital assets. 

With the crypto community on high alert, understanding the mechanics of this scam is crucial for safeguarding one's digital fortune against such sophisticated threats.

How the ERC-2612 scam operates

The scam exploits the ERC-2612 token standard's allowance for "gas-less" transfers, a feature initially designed to facilitate transactions without needing Ether (ETH) in one's wallet. Herein lies the vulnerability: attackers deceive users into signing a seemingly harmless message, which, in reality, grants them the authority to transfer tokens at will. 

This intricate scam does not necessitate the victim to explicitly approve any transaction, thereby bypassing conventional security measures. The increasing adoption of the ERC-2612 standard among tokens could potentially escalate the frequency of such attacks, posing a significant threat to unwary investors in the crypto space. 

Awareness and vigilance are paramount as this scam method gains traction through platforms like Telegram, exploiting the trust and curiosity of the crypto community.

Victim's encounter with the Telegram phishing scam

A crypto enthusiast's encounter with this scam unfolded in a Telegram group posing as the official channel for the Open Exchange (OX) token developers, OPNX. The victim, who lost over $600 in OX tokens, shared his ordeal: 

"I was asked to press a button to connect my wallet to prove I'm not a bot. I thought connecting my wallet was safe." 

However, shortly after complying, he discovered all his OX tokens were drained without his consent to any transaction. This incident underscores the scam's deceitful nature, leveraging fake verification systems to swindle users. The Telegram group utilized a counterfeit version of the Collab.Land verification bot, distinguished only by subtle typographical differences in the username, a detail easy to overlook. 

The victim recounted:

"This fake version sent messages from @colIablandbot, with a capital 'I' instead of a lowercase 'l'," 

Understanding the technical exploit

The scam's technical foundation lies in the abuse of the "Permit" function, a newer addition to some token contracts under the ERC-2612 standard. This function enables a third party to execute token transfers on behalf of the token owner, provided they have a signed message from the owner granting permission. 

In the case of the scam, attackers ingeniously trick victims into signing such a message without their clear understanding. 

Web3 developer OpenZeppelin explains:

"The Permit function allows a third-party to authorize tokens to be transferred on behalf of its owner, but only if the owner delivers a signed message giving them authorization," 

By setting themselves as the "spender" and the victim’s account as the "owner," the attackers could drain funds without a traditional transaction approval. Blockchain data revealed the attacker had called "Permit" on the OX token contract, setting a high-value limit and a deadline, which the victim unknowingly authorized. 

This exploit demonstrates a critical vulnerability, emphasizing the need for heightened security awareness among token holders.

Preventative measures for crypto wallet security

In light of these sophisticated scams, enhancing the security of crypto wallets has never been more crucial. The key to safeguarding digital assets lies in a blend of vigilance and knowledge. First and foremost, users should treat any request to sign messages with extreme caution, understanding that this simple act can grant scammers access to their funds. 

OpenZeppelin warns: 

"Web3 users should be aware that an attacker can drain their funds even if they don’t make an approval transaction, as long as they sign a message giving the attacker this ability," 

It's essential to verify the authenticity of any platform or group before interacting with it, especially on social media channels like Telegram. Double-checking URLs and usernames for subtle discrepancies can prevent falling victim to phishing attempts. Lastly, employing hardware wallets for storing significant amounts of cryptocurrencies can add an extra layer of security, as they require physical confirmation for transactions, making unauthorized transfers considerably more challenging.