Exposé: Cases of Fraud Using Token Decimals

Background

Recently, a scammer (CYBER RESCUE) phished victims under the guise of “helping to recover/restore stolen funds” in the replies under a security reminder tweet by SlowMist founder Cos. In response, the SlowMist security team reverse-phished the scammer and disclosed his deception process. We hope that users will be more vigilant and avoid being fooled.

The process of being cheated

Posing as a victim, SlowMist contacted CYBER RESCUE, which claims to be able to recover 100% of the stolen funds. The following is the scammer’s deception process:

1. The scammer CYBER RESCUE first asked the victim about the time of the theft, the wallet used and the reason for the theft. He then stated that 100% of the stolen funds could be recovered by processing the transaction through USDT on the BNB Smart Chain network, and that the stolen funds would be redirected to the victim’s wallet. The victim needs to download the app, which the scammer explains is needed to guide the victim through the transfer settings and redirect funds to the victim’s wallet.

2. The scammer then asks the victim to click “Add Custom Asset” on the homepage and guides the user to enter the USDT contract 0x55d398326f99059ff775485246999027b3197955 (the contract address is correct). MathWallet then automatically identifies the token with a precision of 18.

At this point, the scammer emphasized that, when pasting the contract address, the victim should change Decimals from 18 to 0. The victim thus added a USDT token with the correct contract but the wrong precision.

A brief explanation of Decimals (number of decimal places): for a token, Decimals defines its smallest divisible unit, which determines the precision of the token in transactions and calculations. The higher the value of Decimals, the finer the precision.

After the victim complied, the scammer said that was enough. He wanted to freeze the stolen funds and return them to the victim’s account. He then required the victim to provide a MetaMask wallet. Because the translation software translated “MetaMask wallet” as “metamask wallet”, the victim was completely confused, and the scammer was also shocked: “You don’t have a MetaMask wallet?”

3. At this point, the scammer began his magical operation to “recover” the stolen funds:

After checking the stolen transactions provided to him by the victim, the scammer stated that he could only recover $89,589 of the stolen funds. The reason he gave was that the remaining funds had already entered the foreign exchange market and been converted into local currency.

The scammer then asks the victim to send a screenshot of the MathWallet account and reminds the victim: “Please stay online, success or failure depends on this.” This sentence is a bit confusing. The victim has already lost his money, and the scammer’s urging at this point makes the victim think about seizing this opportunity to get the money back. How would he realize that he is about to fall into another trap?

The scammer asks the victim to click Export Private Key in Manage Wallet and guides the victim to copy the private key and send it to him. The scammer’s explanation for needing the private key is that it connects the app so that transactions can be redirected to the victim’s wallet. Even if the scammer’s previous operations didn’t make you suspicious, once he asks for your private key, run!

The victim sent the private key to the scammer. Soon, the scammer said that the operation was completed and that the victim could check the wallet. The victim checked the wallet and found that the amount of USDT had indeed changed to the 89589 that the scammer had just promised to recover. What was going on?

A query on the block explorer showed that the actual amount transferred by the scammer to the victim was 0.000000000000089589 USDT. This is because the scammer had previously induced the victim to manually change the Decimals of the custom token in the wallet from 18 to 0. Therefore, although the scammer transferred only 0.000000000000089589 USDT to the victim, the victim’s wallet shows that 89589 USDT was received.

(https://bscscan.com/tx/0x00901c40073dc1ec64041a3aee689874406fdb1bf7b112a6c380ec3839d6a8e5)
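
The display discrepancy described above, as an added example that is not part of the original article and is not MathWallet code. Token amounts are stored on-chain as integers in the smallest unit, and a wallet divides by 10^Decimals only for display; the function names are hypothetical and the sample log data is constructed from the amount quoted above.

```javascript
// Added example with constructed values modelled on the case above.
const ONCHAIN_DECIMALS = 18; // precision the wallet auto-identified, per the article
const USER_DECIMALS = 0;     // value the scammer told the victim to enter

// Format an integer amount of base units as a decimal string using only
// BigInt arithmetic, so 18-digit fractions stay exact (no floating point).
function formatUnits(raw, decimals) {
  const value = BigInt(raw);
  if (decimals === 0) return value.toString();
  const base = 10n ** BigInt(decimals);
  const whole = value / base;
  const frac = (value % base).toString().padStart(decimals, "0").replace(/0+$/, "");
  return frac ? `${whole}.${frac}` : whole.toString();
}

// Decode the amount from the data field of an ERC-20/BEP-20 Transfer log:
// one 32-byte big-endian unsigned integer, hex encoded.
function decodeTransferAmount(dataHex) {
  const hex = dataHex.replace(/^0x/, "");
  if (hex.length !== 64 || /[^0-9a-fA-F]/.test(hex)) {
    throw new Error("expected one 32-byte word");
  }
  return BigInt("0x" + hex);
}

// Compare what a wallet shows with user-supplied decimals against what the
// contract's own decimals imply, and flag any override.
function auditCustomToken(dataHex, onchainDecimals, userDecimals) {
  const raw = decodeTransferAmount(dataHex);
  return {
    rawBaseUnits: raw.toString(),
    shownInWallet: formatUnits(raw, userDecimals),
    actualAmount: formatUnits(raw, onchainDecimals),
    overridden: userDecimals !== onchainDecimals,
  };
}

// Constructed log data: 89589 base units left-padded to 32 bytes.
const SAMPLE_DATA = "0x" + (89589n).toString(16).padStart(64, "0");
const report = auditCustomToken(SAMPLE_DATA, ONCHAIN_DECIMALS, USER_DECIMALS);
console.log(report);
```

A wallet that refuses to save a custom token whenever `overridden` is true closes this gap.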

The scammer has obtained the private key; how will he profit next? He told the victim that the wallet needed enough available BNB balance to execute transactions to other accounts, and that this available balance should be 10% of the initial balance on the BNB Smart Chain network. If the victim believes it and transfers BNB worth about $8968 to the wallet as required, it will be stolen by the scammer.

Checking the scammer’s address (0xe27126d1c17B42Eb42783655D339a782f779BABA) in a block explorer shows that the address frequently transfers small amounts to other addresses, indicating that the scammer continues to use this deception to commit crimes.

(https://bscscan.com/txs?a=0xe27126d1c17B42Eb42783655D339a782f779BABA&p=1)

Querying the address with MistTrack (https://misttrack.io/) shows that the source of the handling fees for this address is Binance. MistTrack has blocked the relevant addresses and will continue to monitor fund changes.

MathWallet Updates

After receiving feedback on the case, MathWallet immediately fixed the issue and released a new version, which prohibits users from manually modifying the precision (Decimals). Please upgrade in the App Store or Google Play.

Improve safety awareness and develop good habits

In the Web3 world, security always comes first.

Remember:

  • Keep your mnemonic phrase and private key safe and do not send them to others.
  • Avoid exposing mnemonic phrases and private keys to the Internet
  • Don’t click on links provided by strangers
  • Do not use unfamiliar third-party DAPPs
  • When performing on-chain operations, verify the signature content again and again
  • Regularly check the on-chain authorization status of wallet addresses

If you want to know more, you can read past security-related articles:

  • MathWallet Security Guide
  • Prevention and cancellation of malicious Approve (authorization)
  • Essential security knowledge for backing up MathWallet
  • DApp reporting function operation instructions
  • Beginner’s Anti-Fraud Manual
  • MathWallet Security Guide 2022

Look for our only official website:

mathwallet.org