Alert to Trust Wallet users: There's an ongoing address spam, be more cautious.

[CryptopreneurBrainboss]

I believe we have some Trust Wallet users on the forum (since they have huge numbers of download and patronage) so best I shared this message here so other don't fall victim. I haven't verified if other wallets are been targeted as well but I guess similar practice are ongoing so you all noobs have to be extra cautious. I received a message from an off forum users requesting my assistance to help identify what's happening to the USDT he intended sending to an exchange to trade to his Native currency, he reached out after the transaction has delayed and refuses to reflect on his address with the exchange. Upon looking at his transaction ID and the wallet address he intended sending the USDT to, there were some difference even though the two address looks similar especially as the last four digits of the both address were the same.

After further questioning, he admitted to copying the address from his previous transaction on his app and did some quick review before sending the token to the address but unknowingly to him, he has mistakenly copied a wrong address. Here's were things get interesting, for sometime now each USDT transaction he execute on his Truth wallet app, he usually gets some sort of reward (less than cents) either in TRX or USDT. But unknowing to him that was a spam attack and not reward from trust wallet as he thought.

Hackers has been patiently spamming this address with a similar address when depositing the supposed reward in anticipation of the user mistaking their address for his and it did work as the user lost $100 worth of USDT.

I'm just bring this up since alarms has been sounded numerously here of always cross checking copied address to make you you're sending to the right address and be watchful of unfamiliar activities on your wallet. Be careful out there, don't fall victim to this particular scam or others out there.

[jackg]

This looks like something that could be done to newbies but probably shouldn't be something more advanced members need to be that aware of.

It's worth setting a rule to not do things when you're too tired to do them. You can't expect to remember which transaction address you have to pay if you receive quite a few transactions - I've done similar before and nearly sent to the wrong person but double checking is always a good idea (with the service or person you're paying).

[joniboini]

Just in case everyone is not aware yet, this is not exclusive to Trust wallet, for example:
https://bitcointalk.org/index.php?topic=5425022.0
https://bitcointalk.org/index.php?topic=5425735.0

Looks like the attacker has been doing this for a few days now, but the victims just recently post more on social media. Personally, I got these spam transactions months ago, not exactly identical but share some similarities. I wonder if the attacker is the same person/group or not. He definitely targets wallets that allow users to copy and paste addresses from the transaction history easily. A feature like that allows him to hide some characters to trick the user, but unfortunately, even those who use other apps or HW also fall for this trick.

Looks like we need to check the whole address just to be sure we don't get tricked next time. Using the bookmark/contact feature on your wallet might be a good idea so you don't have to copy-paste every time you make new transactions.

Here's were things get interesting, for sometime now each USDT transaction he execute on his Truth wallet app, he usually gets some sort of reward (less than cents) either in TRX or USDT. But unknowing to him that was a spam attack and not reward from trust wallet as he thought.

Sounds very similar to what happened in one of those threads I linked above. Is there any reason why he assume it was a reward though? I don't recall Trust Wallet having any promotion like that.

[Pandu Geddon]

so the method used is like a trap that is used to wait for the user to make an error in making a transaction.
it looks like the method shown by joniboini is good enough to implement. moreover, some addresses usually can be given a name label. so transactions are carried out with the very minimal risk of being wrong when entering an address.
but I prefer to scan the QR code every time I want to send it from my wallet to exchange. so I always double-check the destination address for delivery.

[BlackBoss_]

Sending token in a transaction and did not check a receiving address, that is stupid and very careless. They should check a full address or a few first, middle and last characters.

Spam attacks can be in addresses but more usually, these attacks will be done with shit tokens. You can see shit tokens on block explorers and they don't have verified token icons. Their icons on block explorers are in grey color that means not verified yet by Etherscan.io or bscscan.com explorers.

If you receive these shit tokens, don't make any transaction with them. When you give access to your wallet, your wallet can be hacked.

[Piesel]

This have been the trend for a while new, and users need to be careful this kind f trick is also similar to the clipboard malware that eat some of us up some time ago.

I was a victim of clipboard spam, we're the wallet address that I copied was a swap to a scammer's address and without a check, I sent the Bitcoin to the hacker.

Just like others have suggested, we should be cautious enough to check and re-check every address before sending the transactions.

[BlackBoss_]

Just like others have suggested, we should be cautious enough to check and re-check every address before sending the transactions.

Copy an address
Paste that address
Check that address

It is three steps if you make a transaction from your non custodial wallet

If you make a withdrawal from a centralized exchange, you will get other confirmation from them, in a confirmation box for that withdrawal on the exchange website or a confirmation in your email.

Two or three times of checking are safe enough to avoid typo.

[vv181]

Sending token in a transaction and did not check a receiving address, that is stupid and very careless. They should check a full address or a few first, middle and last

In this particular scam scheme, the attacker is making a vanity address that is similar to the first and last characters of the victim's addresses. The attacker also makes use of the habit of the user who makes a transaction based on the last address transaction they have made.

Spam attacks can be in addresses but more usually, these attacks will be done with shit tokens. You can see shit tokens on block explorers and they don't have verified token icons. Their icons on block explorers are in grey color that means not verified yet by Etherscan.io or bscscan.com explorers.

If you receive these shit tokens, don't make any transaction with them. When you give access to your wallet, your wallet can be hacked.

It's not a spam attack. And it is not because of a shit token, in fact, the particular token where it involves the scam is a popular stablecoin. It happened due to a flawed smart contract implementation where as a zero amount of transaction can be made without user authorisation/private key.

Take a look deeper here: Address Poisoning Attack, A continuing Threat

[DeathAngel]

This looks like something that could be done to newbies but probably shouldn't be something more advanced members need to be that aware of.

It's worth setting a rule to not do things when you're too tired to do them. You can't expect to remember which transaction address you have to pay if you receive quite a few transactions - I've done similar before and nearly sent to the wrong person but double checking is always a good idea (with the service or person you're paying).

This is very important, even to OG’s. Numerous times I’ve nearly messed up & sent coins to the wrong chain/address when I’ve been tired.

I think it’s good that the OP has made time to remind people to stay alert when dealing with money. Good luck to everybody.