Zero Transfer Scammer Steals $2M from Crypto User; Here’s How to Avoid It

A scammer nabbed $2 million from a cryptocurrency user using an old tactic known as the “zero transaction.” The transaction, flagged by security firm Peckshield, follows a simple pattern where the victim mistakenly transfers funds to a hacker’s address.

What is the Zero Transfer Scam?

The “zero transfer” scam is one in which a bad actor replicates a user’s test transaction and provides a fake address to which the user mistakenly transfers funds instead of their original address.

First, the potential victim legitimately transfers funds to a cryptocurrency address. Next, the hacker mimics the original transaction by sending a zero transfer (no actual tokens are transferred) to the user’s cryptocurrency address. The new zero mimic transfer transaction shows up in the user’s transaction log on their wallet provider or blockchain explorer like Etherscan. 

The scam becomes successful if the unsuspecting user copies the address from the fake transaction to make a transfer instead of the address in their initial transaction. Users may copy an address from a previous transaction because of its convenience and may often miss the scam trick since the attacker uses an address with a similar prefix and suffix to the original address.

The $2M Scam 

The most recent transaction flagged by Peckshield saw the victim initially send a $10 test transaction to an address. The sender apparently wanted to transfer a larger sum and was double-checking the receiving address as part of basic security practices.

However, the attacker picked up the trail and sent a zero transfer to the victim’s address. The victim fell for the scam, moving $2 million in USDC to the hacker’s wallet address which looked similar to the address in the original transaction. the original address is 0x74C3…1cA while the scammer’s address is 0x74ce…1cA.

The scammer subsequently converted their loot to ETH, which they distributed across three addresses. A common exit route is to obfuscate the funds using the privacy-focused protocol Tornado Cash. 

How to Avoid Zero Transfer Scams

The simplest way to avoid zero transfer scams is never to copy addresses from blockchain explorers. It is best to copy addresses from the receiving destination instead of previously confirmed transactions or transaction logs. 

Another precaution is to carefully double-check addresses before initiating a transaction. A quick check of only address prefixes and suffixes may not be enough to protect one from zero transfer scams. Carefully comparing the entire address string from your destination wallet address can easily help you determine a scammer’s address and not fall victim to zero mimic transfer.