Unraveling a New Scam: Maliciously Modifying RPC Node Links to Steal Assets

Background：

Feedback from our partner imToken has revealed a new type of cryptocurrency scam. This scam primarily targets offline physical transactions using USDT as the payment method. It involves maliciously modifying the Ethereum Remote Procedure Call (RPC) node links to carry out fraudulent activities.

Scam Process

The Slowmist Security team has analysed this scam, and the attacker’s malicious process is as follows:

First, the scammer lures the target user into downloading the official imToken wallet and gains their trust by sending them 1 USDT and a small amount of ETH as bait. Then, the scammer guides the user to redirect their ETH RPC node address to the scammer’s node (https://rpc.tenderly.co/fork/34ce4192-e929-4e48-a02b-d96180f9f748).

This node has been modified by the scammer using Tenderly’s Fork feature, falsifying the user’s USDT balance to make it appear as if the scammer has already deposited funds into the user’s wallet. Seeing the balance, the user is led to believe that the payment has been received. However, when the user tries to transfer miner fees to cash out the USDT from their account, they realize they have been scammed. By then, the scammer has already disappeared.

In fact, in addition to the balance display being modified, Tenderly’s Fork function can even change contract information, posing a greater threat to users.

(https://docs.tenderly.co/forks)

Here, we need to address what RPC is. To interact with the blockchain, we require a suitable method to access network servers through a standard interface. RPC serves as a connection and interaction method, enabling us to access network servers and perform operations such as viewing balances, creating transactions, or interacting with smart contracts. By embedding RPC functionality, users can execute requests and interact with the blockchain. For instance, when users access decentralized exchanges through wallet connections (like imToken), they are communicating with blockchain servers via RPC. Generally, all types of wallets are connected to secure nodes by default, and users do not need to make any adjustments. However, if users carelessly trust others and link their wallets to untrusted nodes, the displayed balances and transaction information in their wallets may be maliciously modified, leading to financial losses.

MistTrack Analysis

We used the on-chain tracking tool MistTrack to analyze one of the known victim wallet addresses (0x9a7…Ce4). We can see that this victim’s address received a small amount of 1 USDT and 0.002 ETH from the address (0x4df…54b).

By examining the funds of the address (0x4df…54b), we found that it has transferred 1 USDT to three different addresses, indicating that this address has already been scammed three times.

Tracing further up, this address is associated with multiple trading platforms and has interacted with addresses marked as “Pig Butchering Scammer” by MistTrack.

Summary

The cunning nature of this scam lies in exploiting users’ psychological weaknesses. Users often focus solely on whether funds have been credited to their wallets, overlooking potential underlying risks. Scammers take advantage of this trust and negligence by employing a series of seemingly genuine operations, such as transferring small amounts, to deceive users. Therefore, the Slowmist Security team advises all users to remain vigilant during transactions, enhance self-protection awareness, and avoid trusting others blindly to prevent financial losses.

Disclaimer：

1. This article is reprinted from Slowmist Technology, with the original title “Unraveling a New Scam: Maliciously Modifying RPC Node Links to Steal Assets”. The copyright belongs to the original author [Lisa]. If there are any objections to the reprint, please contact the Gate Learn team, who will handle the matter according to the relevant procedures.

2. Disclaimer: The views and opinions expressed in this article are solely those of the author and do not constitute any investment advice.

3. Other language versions of this article are translated by the Gate Learn team and may not be copied, disseminated, or plagiarized without mentioning Gate.io.