A new scam discovered on Telegram is raising alarms within the cryptocurrency community. It allows scammers to empty a user’s digital wallet without needing transaction approval. The scam targets tokens compatible with the ERC-2612 token standard that enables “gas-less” transfers or transactions by non-Ether (ETH) holding wallets. Although the scam doesn’t require transaction approval, it deceives the user into signing a message unknowingly.
The risk increases as more tokens adopt the ERC-2612 standard. A user reported losing over $600 worth of Open Exchange (OX) tokens by joining what seemed to be the official Telegram group of the token developers, OPNX. The group was a phishing trap. Requested to press a button to connect his wallet as bot verification, the user did so without suspecting any risk. Moments later, all his OX tokens were gone, despite not approving any transactions.
The investigation revealed a counterfeit Collab.Land Telegram verification system in use by the fraudsters. The real Collab.Land system uses the username @collablandbot, while the counterfeit version uses @colIablandbot. Due to Telegram’s font, these usernames seem identical. Additionally, the bogus version uses a subtly altered URL to trick users further.
According to blockchain data, the scammer drained the funds by using the “transferFrom” function in the OX token contract, usually requiring owner approval via a separate transaction. However, no such approval was found in the data. The perpetrator had used the “Permit” function on the OX token contract, setting their account as the “spender” and the victim’s as the “owner”, paving the way to drain the funds without conventional token approval. The victim unknowingly confirmed an “additional signing dialogue”, hence giving approval for this action.