oliver_g (OP)
Newbie
Offline
Activity: 9
Merit: 1
First I deposited 50000 and 8684 dollars to Binance. Then a scammer made a 0 dollar withdrawal from my address without having my private keys. The address where this empty withdrawal went to is similar to Binance's deposit address. The last 5 symbols are the same and the first 2 are also the same. Then I copied the address of the last withdrawal, confirmed that the last 4 symbols are the same and deposited 100000 dollars. I did not notice that the other symbols of the address are different. I started to research it on the internet and figured out that the scammer does not have my private keys and did the withdrawal from my address using a vulnerability in the Binance Smart Chain blockchain. I.e. scammers can make empty withdrawals without private keys to addresses with at least the same last 5 symbols and first 2-4 symbols as exchanges' deposit addresses. Some people do not compare every symbol of the address and watch for example only the last 4 symbols, and can send funds to the scammer's address. Here is the scam transaction: https://bscscan.com/tx/0xc797622c27e35f89898bf43121a36b1f6e29d64769c7aca0917c85f1b764c7f3
suchmoon
Legendary
Offline
Activity: 3836
Merit: 9064
https://bpip.org
December 01, 2022, 03:02:33 PM
I started to research it on the internet and figured out that the scammer does not have my private keys and did the withdrawal from my address using a vulnerability in the Binance Smart Chain blockchain.
Link to your "research" / vulnerability description / etc.? It sounds like you are talking about a smart contract, not a blockchain issue.
suchmoon
Legendary
Offline
Activity: 3836
Merit: 9064
https://bpip.org
December 01, 2022, 03:17:41 PM
Ok, so it is a shitty token implementation + a shitty chain explorer or whatever you were using to get that address, not really a blockchain problem. As to you getting scammed... if you know that you didn't make the 0 transaction, why would you copy that address. Not trying to blame you there, just trying to understand how this could work and how would the alleged scammer know that you're going to do this?
JeromeTash
Legendary
Offline
Activity: 2324
Merit: 1258
Heisenberg
December 02, 2022, 09:28:44 PM
Why would you copy from the bscscan explorer? Why not copy the deposit address from the exchange's app or website? That should be a much better and more secure practice, given that exchanges sometimes change deposit addresses for various reasons. Sorry for the loss, but be careful next time.
suchmoon
Legendary
Offline
Activity: 3836
Merit: 9064
https://bpip.org
December 02, 2022, 10:24:48 PM
Why not copy the deposit address from the exchange's app or website? That should be a much better and more secure practice, given that exchanges sometimes change deposit addresses for various reasons.
Exactly. And I still don't understand how the alleged thief would have known that someone would do this. Is this a common practice? The thief's address matched three bytes of the victim's address (one at the beginning of the address and two at the end). I would have thought that if this was done on purpose they'd try to generate an address that matches more bytes at the beginning because that's what the explorer shows. But I checked a few other 0 token transfers from the same TX and there were similar 3-4 byte matches to other addresses that previously received large amounts, so it can't be a coincidence. Seems like a very low effort low probability "attack" if you can even call it that. And someone hit a jackpot.
MikkisJ
Member
Offline
Activity: 126
Merit: 11
December 03, 2022, 12:26:01 PM
Seems like a very low effort low probability "attack" if you can even call it that. And someone hit a jackpot.
All transactions above some amount trigger 0 dollar transactions within a few minutes. It's a massive attack that has been going on for some time. Just look at the blockchain. Even if it happens one in a million transactions, it's still profitable and the scammer makes money.
JeromeTash
Legendary
Offline
Activity: 2324
Merit: 1258
Heisenberg
December 03, 2022, 09:56:09 PM
All transactions above some amount trigger 0 dollar transactions within a few minutes. It's a massive attack that has been going on for some time. Just look at the blockchain. Even if it happens one in a million transactions, it's still profitable and the scammer makes money.
Perhaps a message to avoid the shitty centralized blockchains that are easy to spam and stick to the real OGs. But also people ought to be extra careful and responsible for their funds. You can't claim to advocate for cryptos, being your own bank, and then end up losing money in this fashion to scammers.
rat03gopoh
December 04, 2022, 08:08:03 AM
All transactions above some amount trigger 0 dollar transactions within a few minutes. It's a massive attack that has been going on for some time. Just look at the blockchain. Even if it happens one in a million transactions, it's still profitable and the scammer makes money.
Until someone brought up the topic on the altcoins discussion board, I hadn't realized these are attacks on two famous blockchains (ETH & BSC). I think it's possible that the attack will occur on all 0x-prefix networks. https://bitcointalk.org/index.php?topic=5425576.0
Mpamaegbu
Legendary
Offline
Activity: 2870
Merit: 1233
Once a man, twice a child!
December 04, 2022, 09:17:17 AM
Some people do not compare every symbol of the address and watch for example only the last 4 symbols, and can send funds to the scammer's address.
That's simply because people are often in a hurry while at it, during transactions. It's good to suspend everything one is doing during transaction. That's what I do. I'm never in a haste because I know once a mistake happens it's goodbye to my funds. I do take my time to check the first four/five letters of any copied wallet address I'm sending or withdrawing to. I do same for the middle and last four/five letters too. That's if the funds involved aren't much. If I'm doing a heavy transfer, I take my time to run a complete check from the first letter to the last before hitting the send or withdrawal tab. I'm conservative like that and I haven't regretted any bit of being conservative.
MikkisJ
Member
Offline
Activity: 126
Merit: 11
December 05, 2022, 03:20:49 AM
Some people do not compare every symbol of the address and watch for example only the last 4 symbols, and can send funds to the scammer's address.
That's simply because people are often in a hurry while at it, during transactions. It's good to suspend everything one is doing during a transaction. That's what I do. I'm never in a haste because I know once a mistake happens it's goodbye to my funds. I do take my time to check the first four/five letters of any copied wallet address I'm sending or withdrawing to. I do the same for the middle and last four/five letters too. That's if the funds involved aren't much. If I'm doing a heavy transfer, I take my time to run a complete check from the first letter to the last before hitting the send or withdrawal tab. I'm conservative like that and I haven't regretted any bit of being conservative.

You don't even have to do that. Unless hackers have full control of your computer or phone, it's enough to copy-paste the address from the exchange, if you're sending to an exchange. If it's your address, also copy-paste, or use the address book in your wallet. This kind of attack is effective only against people who don't take security seriously at all.
oliver_g (OP)
Newbie
Offline
Activity: 9
Merit: 1
December 08, 2022, 04:35:27 AM
Situation update. I reported this scam to Binance for the first time on the 29th or 30th of November. Here is the answer:

After reviewing the case, we have concluded that this was not due to a vulnerability in BSC. The 0 transfer from your address 0xb410e3d622D1072eE3E1cc6cdc90120E657977F7 to the scammer's address 0x27feaafd9b46b74bee510a0a538615d2ff639871 was not a withdrawal but a call to the token contract's transferFrom function (https://bscscan.com/token/0xe9e7cea3dedca5984780bafc599bd69add087d56#writeContract). The transferFrom function does not require the private key of the sender address if the amount is 0. Anyone can call transferFrom with any address + 0 amount in the token contract. Note that this function is not specific to BEP20 but applies to ERC20 tokens as well. If you check this contract on Etherscan (and other token contracts) https://etherscan.io/token/0xdac17f958d2ee523a2206206994597c13d831ec7#writeContract, you will be able to find and call the same transferFrom function. 2. What the scammer has managed to achieve was to use the function to his advantage and target users who would copy the scam address from the previous transactions, trick them into thinking that it was a legit address and make a deposit to it.

Here is an article about this scam: https://mirror.xyz/x-explore.eth/cL3d_CyNujXq8XY7ueP4omNXx_IY1EG5Dz0FD0vJ90M And here is updated info: https://dune.com/opang/first-and-last-address-construction

The scam continues and new victims lose money. 8 days have now passed since I reported this vulnerability and Binance has not even said when it will fix this vulnerability.
rat03gopoh
December 08, 2022, 09:29:08 AM
The scam continues and new victims lose money. 8 days have now passed since I reported this vulnerability and Binance has not even said when it will fix this vulnerability.
Even if the vulnerability is patched (if possible), they won't be able to reverse all transactions from this incident. From now on you should stop hoping that you'll get a refund. This is happening beyond their control; the attack succeeded through the victim's carelessness.
FatFork
Legendary
Offline
Activity: 1778
Merit: 2663
Crypto Swap Exchange
December 08, 2022, 11:43:18 AM
First of all, why anyone would go and copy the destination address from a previous transaction for their new transaction, especially when such high amounts are involved, is beyond me. Second, regardless of how ridiculous a smart contract function may seem to be, if it's been documented as part of the software that runs Ethereum (or BSC), then I don't consider this a vulnerability. Third, this belongs in the Altcoins related discussion board, not in Scam Accusations.
wwzsocki
Legendary
Offline
Activity: 2912
Merit: 1731
EMONEYMAX.NET - BEST SHILL TEAMS AND CHATTERS!!!
December 12, 2022, 02:34:17 AM Last edit: December 12, 2022, 02:44:41 AM by wwzsocki
First of all, why anyone would go and copy the destination address from a previous transaction for their new transaction, especially when such high amounts are involved, is beyond me...
TransferFrom Zero Transfer Scam: they INITIATE OUTGOING TRANSACTIONS FROM OUR WALLETS! I just posted about this in a new thread https://bitcointalk.org/index.php?topic=5427888
FatFork
Legendary
Offline
Activity: 1778
Merit: 2663
Crypto Swap Exchange
December 12, 2022, 09:14:36 AM
First of all, why anyone would go and copy the destination address from a previous transaction for their new transaction, especially when such high amounts are involved, is beyond me...
TransferFrom Zero Transfer Scam: they INITIATE OUTGOING TRANSACTIONS FROM OUR WALLETS!

Smart contracts can initiate an outgoing transaction from your wallet ONLY if they have been previously approved by the owner. The transferFrom() function cannot fire a transfer event if it is not approved unless the token amount transacted is equal to 0. If you fail to understand this, it may lead you to believe that anyone can initiate a token transaction from any wallet, which is not true. The transferFrom() function transfers the tokens from an owner's account to the receiver account, but only if the transaction initiator has sufficient allowance that has been previously approved by the owner to the transaction initiator. To transfer the tokens using the transferFrom() function, the approver must have called the approve() function prior. As per the standard, the transferFrom() function must fire the Transfer event upon the successful execution and transfer of tokens. The transfer of 0 (zero) value must also be treated as a valid transfer and should fire the Transfer event.
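The allowance rule FatFork lays out above, together with the pattern suchmoon and MikkisJ describe earlier in the thread (a zero-value transfer to an address that mimics a previous real recipient), as an added example that is not code from this thread or from any token contract: a toy Python model of transferFrom() whose allowance check passes for a zero amount without any approve() call, followed by a detector that scans a sequence of Transfer events for zero-value transfers to lookalike recipients, and a full-address comparison that lists every differing character. All addresses, balances and events are constructed for illustration; `Token`, `flag_poisoning`, `lookalike` and `mismatch_positions` are hypothetical names, not any real library's API.

```python
"""Added example: toy ERC-20 transferFrom() semantics plus a detector for
zero-value "lookalike recipient" transfers. All addresses, balances and
events below are constructed; none are real on-chain data."""
from dataclasses import dataclass, field


@dataclass
class Transfer:
    """One Transfer event as an explorer would list it."""
    sender: str
    recipient: str
    amount: int


@dataclass
class Token:
    """Toy ERC-20 state machine following the standard's transferFrom rules."""
    balances: dict = field(default_factory=dict)
    allowances: dict = field(default_factory=dict)  # owner -> {spender: amount}
    events: list = field(default_factory=list)

    def approve(self, owner, spender, amount):
        self.allowances.setdefault(owner, {})[spender] = amount

    def transfer(self, caller, to, amount):
        """Owner-signed transfer: the caller spends its own balance."""
        self._move(caller, to, amount)

    def transfer_from(self, caller, owner, to, amount):
        """Third-party transfer, allowed only if allowance >= amount.
        With amount == 0 the check passes even for an allowance of 0, so a
        stranger can emit Transfer(owner -> to, 0) without any approval."""
        allowed = self.allowances.get(owner, {}).get(caller, 0)
        if allowed < amount:
            raise ValueError("insufficient allowance")
        self.allowances.setdefault(owner, {})[caller] = allowed - amount
        self._move(owner, to, amount)

    def _move(self, sender, to, amount):
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] = self.balances.get(sender, 0) - amount
        self.balances[to] = self.balances.get(to, 0) + amount
        # The standard requires a Transfer event even for a zero amount.
        self.events.append(Transfer(sender, to, amount))


def mismatch_positions(trusted, candidate):
    """Indices at which two addresses differ: the full comparison a user
    should make instead of checking only the first/last few characters."""
    a, b = trusted.lower(), candidate.lower()
    if len(a) != len(b):
        return list(range(max(len(a), len(b))))
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def lookalike(a, b, prefix=4, suffix=4):
    """True if a != b but both share the first `prefix` and last `suffix` hex chars."""
    a, b = a.lower(), b.lower()
    return a != b and a[:2 + prefix] == b[:2 + prefix] and a[-suffix:] == b[-suffix:]


def flag_poisoning(events, prefix=4, suffix=4):
    """Scan Transfer events in order; report zero-value transfers whose recipient
    mimics an address the same sender previously sent real value to."""
    seen = {}  # sender -> set of recipients of non-zero transfers
    flagged = []
    for ev in events:
        if ev.amount > 0:
            seen.setdefault(ev.sender, set()).add(ev.recipient.lower())
        else:
            for legit in seen.get(ev.sender, ()):
                if lookalike(ev.recipient, legit, prefix, suffix):
                    flagged.append((ev, legit))
    return flagged


# Constructed addresses (hypothetical, not the thread's real ones).
VICTIM = "0x" + "1" * 40
ATTACKER = "0x" + "2" * 40
DEPOSIT = "0xabcd" + "0" * 32 + "1234"    # exchange deposit address
LOOKALIKE = "0xabcd" + "9" * 32 + "1234"  # same first/last 4 hex chars


def run_scenario():
    """Replay the thread's sequence and return what a reviewer would check."""
    token = Token(balances={VICTIM: 100_000})
    token.transfer(VICTIM, DEPOSIT, 50_000)          # genuine deposit
    zero_ok = True
    try:
        token.transfer_from(ATTACKER, VICTIM, LOOKALIKE, 0)  # no approval needed
    except ValueError:
        zero_ok = False
    nonzero_rejected = False
    try:
        token.transfer_from(ATTACKER, VICTIM, LOOKALIKE, 1)  # allowance 0 < 1
    except ValueError:
        nonzero_rejected = True
    return {
        "zero_transfer_emitted": zero_ok,
        "nonzero_rejected": nonzero_rejected,
        "victim_balance": token.balances[VICTIM],
        "flagged": flag_poisoning(token.events),
    }


if __name__ == "__main__":
    result = run_scenario()
    print("zero-amount transferFrom emitted:", result["zero_transfer_emitted"])
    print("1-token transferFrom rejected:", result["nonzero_rejected"])
    for ev, legit in result["flagged"]:
        print(f"zero-value transfer to {ev.recipient} mimics {legit}")
    print("positions that differ:", mismatch_positions(DEPOSIT, LOOKALIKE))
```

Running the script shows the 0-amount transferFrom() succeeding with no approve() call while the 1-token attempt is rejected, so the victim's balance is untouched even though an explorer would list an outgoing Transfer from it; mismatch_positions() then lists the 32 middle characters that a first-4/last-4 check never looks at.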
coeghacked
Jr. Member
Offline
Activity: 121
Merit: 6
December 20, 2022, 01:04:47 PM
Here you go, if you like to degen on shitcoins:
1. Use a NEW WALLET for playing with shitcoins.
2. Always change wallet if you see a dust coin. Dust coin: a token you never bought but have in your wallet. If you see it in your wallet, never approve it on a DEX. https://prnt.sc/VNP5zXlrWLSu You can see it in this picture. This is a dust coin I never bought on BEP20 but have in my wallet.
3. Like number 2, never approve it in your phone wallet like Trust Wallet etc.
4. Small tip from me: always use a passphrase when you create a new wallet for shitcoins.
REMEMBER SHITCOINS ARE EXTREMELY RISKY. YOU CAN LOSE YOUR MONEY IN A SEC BECAUSE THE DEVELOPER REMOVES LIQUIDITY.
Coin_trader
Copper Member
Legendary
Offline
Activity: 2954
Merit: 1225
Leading Crypto Sports Betting & Casino Platform
December 20, 2022, 01:31:18 PM
The problem might be on your device, since there's malware that can replace the wallet address that you copy. Did you check your computer for potential malware? This is the first time I've read about an issue like this reported here or on social media. The chance for a hacker to exploit your account without malware on your computer is very slim, since Binance has strong security in terms of withdrawal breaches.
If you are confident that the issue is really a Binance security lapse, then file a complaint on their live support or tag CZ on Twitter, since he is always entertaining this kind of issue, especially about security failures.
tvplus006
Legendary
Offline
Activity: 2478
Merit: 1944
To the Moon
December 21, 2022, 06:16:46 PM
First I deposited 50000 and 8684 dollars to Binance. Then a scammer made a 0 dollar withdrawal from my address without having my private keys. The address where this empty withdrawal went to is similar to Binance's deposit address. The last 5 symbols are the same and the first 2 are also the same. Then I copied the address of the last withdrawal, confirmed that the last 4 symbols are the same and deposited 100000 dollars. I did not notice that the other symbols of the address are different...
I know about this method of fraud, but I didn't think there were those who parted with their 100 thousand dollars so easily. It is impossible not to notice that you copied the address to which $0 was withdrawn, while you deposited other amounts.