A scammer managed to steal $20 million worth of Tether using the zero transfer phishing method. Following this incident, the scammer was blacklisted by Tether, one of the largest stablecoin companies in the cryptocurrency market. Since 2022, scammers have successfully made over $40 million in fraudulent transactions using this method.
According to an update from blockchain analysis firm PeckShield, a zero transfer scammer, who had never made any transactions before, managed to seize 20 million USDT from the victim’s address, 0x4071…9Cbc. The victim intended to send the funds to wallet address 0xa7B4BAC8f0f9692e56750aEFB5f6cB5516E90570, but instead sent it to a phishing address, 0xa7Bf48749D2E4aA29e3209879956b9bAa9E90570.
The victim first received $10 million from a Binance account. The victim then sent this money to another address before the scammer intervened. The scammer later sent a fake USDT token transfer from the victim’s account to the phishing address. A few hours later, the victim, thinking they had transferred the funds to the desired address, sent 20 million USDT to the scammer.
After the transfer was completed, Tether, the issuer of USDT, froze all USDT transactions from the wallet and blacklisted it.
Users often check only the first or last five digits of a wallet address, which leads to sending their assets to a phishing address. The victim is tricked into sending a transaction for zero tokens to an address that resembles the one they previously sent tokens to.
For example, if the victim sends 100 tokens to an address for a swap deposit, the attacker can send zero tokens to an address that looks similar to the one controlled by the attacker. The victim, seeing this transaction in their history, may assume that the displayed address is the correct deposit address and send their funds to the phishing address.
Zero transfer phishing has become quite prominent in the crypto ecosystem over the past year, with multiple examples coming to light. One of the initial instances of zero transfer phishing occurred in December 2022, and since then, over $40 million in losses have been incurred due to such attacks.