Revealing the hackers' secret! Scanning a QR code to transfer money hands control of your digital wallet to the attacker

lunaray
2 min read · Dec 20, 2021

So that everyone has a clear understanding of recent stolen-coin incidents and can strengthen their defences, this article summarizes the types of currency theft that the Lunaray security team has recently been asked to help with. They fall roughly into four categories:

Impersonating customer service to defraud the user of their private key

Scanning a QR code to "transfer", which instead steals the funds

Free-airdrop stolen-coin incident

Exchange customer-service fraud incident

Here is a brief introduction to how each of the four types of theft proceeds.

Impersonating customer service to defraud the user of their private key

  1. Attackers pretend to be ordinary community members and lurk in the project's community channels.
  2. When a user asks for help with a transfer or a withdrawal of proceeds, the attacker promptly contacts the user, offering to assist.
  3. They answer the user's questions very patiently, then send a link to a "work order" system disguised as a decentralized bridge, which asks the user to enter their mnemonic phrase to "resolve" the transaction problem.
  4. Having obtained the mnemonic (and therefore the private key), the attacker empties the user's wallet.

QR-code stolen-coin incident

  1. The attacker sends a malicious QR code, prepared in advance, to the user.
  2. The attacker induces the user to scan the QR code with their wallet in order to make a transfer.
  3. After the user enters the requested amount, they confirm what looks like a transfer transaction (the actual operation is the user calling approve, granting the attacker an allowance over the user's USDT).
  4. A large amount of USDT then disappears from the user's wallet (the attacker calls transferFrom to move the user's USDT).

Free-airdrop stolen-coin incident

  1. The attacker sets up a fake trading platform or DeFi project.
  2. The attacker induces the user to scan a QR code with their wallet in order to claim an airdrop.
  3. After scanning the code, the user clicks to claim the airdrop (in reality this is again the user calling approve, granting the attacker an allowance over the user's USDT).
  4. A large amount of USDT is then transferred out of the victim's account (the attacker calls transferFrom to move the user's USDT).
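The QR-code and fake-airdrop incidents above share one mechanism: the transaction the wallet asks the user to sign is not a transfer() at all but an approve() whose spender is the attacker, who later drains the allowance with transferFrom(). The following Python is an added example, not Lunaray's code, of the check a wallet (or a cautious user with the raw transaction in hand) can run on the call data before signing. It assumes the wallet can obtain the ABI-encoded call data (on TRON the function selector followed by the parameter block of the TriggerSmartContract call, which uses the same encoding as the EVM), and all addresses and amounts in it are constructed placeholders rather than the addresses from this article.

```python
"""Added example (not Lunaray's code): decode TRC20/ERC20 token call data
before it is signed, so that an approve() disguised as a transfer can be
spotted and refused.

The ABI layout is a 4-byte function selector followed by 32-byte words.
Addresses and amounts below are constructed placeholders.
"""

# First 4 bytes of keccak256(signature); these are the well-known
# ERC20/TRC20 selectors, hard-coded so the script needs no keccak library.
SELECTORS = {
    "a9059cbb": "transfer(address,uint256)",
    "095ea7b3": "approve(address,uint256)",
    "23b872dd": "transferFrom(address,address,uint256)",
}
MAX_UINT256 = 2**256 - 1
USDT_DECIMALS = 6  # USDT on TRON uses 6 decimals


def _strip_0x(hex_str):
    return hex_str[2:] if hex_str.startswith("0x") else hex_str


def encode_call(signature, *args):
    """ABI-encode a call; used here only to build the constructed samples."""
    selector = {sig: sel for sel, sig in SELECTORS.items()}[signature]
    out = bytearray.fromhex(selector)
    for arg in args:
        if isinstance(arg, str):  # hex address -> left-padded 32-byte word
            out += bytes.fromhex(_strip_0x(arg)).rjust(32, b"\x00")
        else:  # integer -> big-endian uint256
            out += int(arg).to_bytes(32, "big")
    return out.hex()


def decode_call(calldata_hex):
    """Return {'function', 'args'} for a known selector; raise on malformed data."""
    data = bytes.fromhex(_strip_0x(calldata_hex))
    if len(data) < 4:
        raise ValueError("call data shorter than a function selector")
    selector = data[:4].hex()
    signature = SELECTORS.get(selector)
    if signature is None:
        return {"function": "unknown", "selector": selector, "args": []}
    types = signature[signature.index("(") + 1:-1].split(",")
    body = data[4:]
    if len(body) != 32 * len(types):
        raise ValueError("argument block length does not match the signature")
    args = []
    for i, typ in enumerate(types):
        word = body[32 * i:32 * (i + 1)]
        if typ == "address":
            # A well-formed address word carries 12 zero bytes of padding.
            if any(word[:12]):
                raise ValueError("address word has non-zero padding")
            args.append("0x" + word[12:].hex())
        else:
            args.append(int.from_bytes(word, "big"))
    return {"function": signature.split("(")[0], "args": args}


def assess(calldata_hex, intended_recipient, intended_amount):
    """Compare what the user believes they are signing with what the call does.

    Anything other than 'TRANSFER_OK' means the wallet should refuse to sign."""
    call = decode_call(calldata_hex)
    name, args = call["function"], call["args"]
    if name == "transfer":
        to, amount = args
        if to.lower() != intended_recipient.lower():
            return "TRANSFER_WRONG_RECIPIENT"
        if amount != intended_amount:
            return "TRANSFER_WRONG_AMOUNT"
        return "TRANSFER_OK"
    if name == "approve":
        # The user wanted to send tokens; this instead lets the spender pull
        # them later with transferFrom(), which is exactly the scam flow.
        spender, allowance = args
        if allowance == MAX_UINT256 or allowance > intended_amount:
            return "APPROVE_EXCESSIVE_ALLOWANCE"
        return "APPROVE_INSTEAD_OF_TRANSFER"
    if name == "transferFrom":
        return "TRANSFERFROM_NOT_EXPECTED"
    return "UNKNOWN_FUNCTION"


# Constructed sample: the user believes they are paying 100 USDT to MERCHANT.
MERCHANT = "0x" + "11" * 20  # placeholder recipient address
ATTACKER = "0x" + "ee" * 20  # placeholder attacker (spender) address
AMOUNT = 100 * 10**USDT_DECIMALS

HONEST_CALLDATA = encode_call("transfer(address,uint256)", MERCHANT, AMOUNT)
# What a malicious QR code actually encodes: unlimited approval to the attacker.
SCAM_CALLDATA = encode_call("approve(address,uint256)", ATTACKER, MAX_UINT256)


def demo():
    return {
        "honest": assess(HONEST_CALLDATA, MERCHANT, AMOUNT),
        "scam": assess(SCAM_CALLDATA, MERCHANT, AMOUNT),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label}: {verdict}")
```

The decisive signal is the function selector: a payment never needs approve(), so a "transfer" whose call data begins with 095ea7b3 is already suspect, and an allowance of 2**256 - 1 (or anything above the amount the user typed) confirms it. Users who have already signed such a transaction can limit the damage by setting the allowance for that spender back to zero, since transferFrom() only succeeds up to the remaining allowance.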

Exchange customer-service fraud incident

  1. The attacker impersonates the customer service of Binance, Huobi or another exchange.
  2. The attacker tells the user that their account is abnormal and has triggered risk control, and that the abnormal state must be cleared before funds can be used.
  3. The fake customer service induces the user to transfer funds to a "secure account" (actually the hacker's account) so that the account can be "upgraded".
  4. Once the user has transferred the funds to the "secure account", the attacker immediately blocks the user.

Analysis of the scan-and-steal process

The attack address used in the test is:

TMmunHQsjSdUKZT1suksWBM7n6jVWkUGwL

The address the attacker uses to collect the assets in the test is:

TKjxdVUpyqwmqMGUh9kyRg196f1zesb3m9

The contract used in the test is the USDT contract on the TRON chain:

TR7NHqjeKQxGTCi8q8ZY4pL8otSzgjLj6t

The victim address used in the test is:

THcDZSMmGdecaB2uAygPvHM7uzdE2Z4U9p

lunaray

Lunaray holds a leading position in smart contract auditing and consulting services for blockchain security.