In collaboration with SlowMist and imToken, a new type of cryptocurrency fraud has emerged that targets users in physical offline transactions and uses USDT as the payment mode. This fraud scheme defrauds unsuspecting victims by tampering with Ethereum node Remote Procedure Calls (RPC). 🕵️‍♂️

Initially, the scammer convinces the target to download the legitimate imToken wallet and establish trust by transferring 1 USDT and a small amount of ETH. The scammer then instructs the user to redirect ETH RPC URLs to a node controlled by the scammer, using the specifically modified node. Through this manipulation, the malicious actor fakes the user's USDT balance as a deposit.

But when the user tries to transfer USDT, he discovers that he has already been deceived. Only then did the fraudster disappear without a trace.

The blockchain security firm also explained that Tenderly's Fork feature can not only change balances but also contract information, thus posing a greater threat to users. Therefore, understanding RPC is critical to understanding the mechanism of such scams.

Further analysis by MistTrack revealed the depth of the fraud's operations. Inspection of a known victim's wallet address (0x9a7...Ce4) shows that this address received 1 USDT and 0.002 ETH from another address (0x4df...54b). This address shows repeated fraudulent activity, having transferred 1 USDT to multiple addresses. These addresses have been flagged by MistTrack as “Pork Slaughter Scammers” and have been associated with various trading platforms and have been involved in multiple scams. 🚩