Fraudsters Use Phishing Zero Transfer Attacks To Steal USDT Tether Of IDR 302 Billion

Tether USDT, suffered a phishing attack. (photo: twitter @Tether_to)

JAKARTA - On August 1, the fraudster using a phishing zero transfer attack managed to steal USDT's USD 20 million Tether (IDR 302 billion) before being blacklisted by stablecoin publisher Tether.

According to an update from the on-chain analysis firm PeckShild, a fraudster used a zero transfer scheme to steal 20 million USDT from the victim's address 0x4071...9Cbc. The actual address planned by the victim to send the money was 0xa7B4BAC8f969256750AEFB5f6cB5516E90570; however, the money was instead sent to the phishing address: 0xa7Bf487449D2E4A29e3209899956bAa9E90570.

The victim's wallet address first received 10 million US dollars (Rp150 billion) from the Binance account. Later, the victim sent it to another address before the fraudster entered the action. The fraudster then sent a fake token transfer named Zero USDT from the victim's account to the phishing address. A few hours later, the victim sent 20 million USDT to the fraudster, thinking that the money was transferred to the address he wanted.

The wallet was immediately frozen by USDT publisher Tether, which surprised the speed of the move.

Users generally check the first or last five digits of a wallet address, not the entire address, so they send the asset to a phishing address. The victim was tricked to send a zero token transaction from their wallet to an address that resembled the address they had sent a token before.

For example, if the victim sends 100 coins to the address for deposits on the exchange, the attacker may send 0 coins from the victim's wallet to an address that looks similar, but is controlled by the attacker. When viewing this transaction in their transaction history, the victim may think that the address displayed is the correct deposit address and then sending their coin to the phishing address.

The zero transfer phishing scam has been very prominent in the crypto ecosystem over the past year, with several cases revealed. One of the first cases of zero transfer scams came in December 2022, with losses of more than US$40 million (Rp604.3 billion) as a result of such attacks since then.