According to PANews, Bitrace recently received a request for assistance from a victim who reported that after scanning a QR code and transferring 1 USDT as a test, their remaining wallet funds were stolen. The victim expressed confusion, stating, 'I just scanned a QR code, how could I be robbed?' This article delves into the mechanics of QR code transfer scams, using real cases to highlight the importance of vigilance in cryptocurrency transactions.
Upon investigation, it was found that this scam involves using a payment QR code to steal wallet authorization. Scammers add users as friends on social platforms, build initial trust, and then propose an OTC request at a slightly lower market rate to attract users. After agreeing on transaction details, the scammer sends a small amount of USDT to gain trust and offers TRX as a transaction fee for long-term cooperation. The user, believing there is no risk, scans the QR code for a small return payment test, only to have their funds stolen.
In a real case, the victim provided a QR code for analysis. Bitrace tested the QR code with an empty wallet, leading to a third-party website that appeared legitimate but was actually a scam. When the user entered the specified return amount and clicked 'Next,' they were redirected to a wallet signing interface. Clicking 'Confirm' initiated an interaction with a smart contract, granting the scammer authorization to transfer all assets from the victim's wallet.
The success rate and impact of QR code transfer scams are higher than expected. Bitrace's analysis of the victim's address revealed that within a week, from July 11 to July 17, 2024, the suspect's address TT...m1mV1 scammed 27 victims out of nearly 120,000 USDT. The funds were laundered through five addresses and transferred to three Huione accounts. The anonymity of blockchain transactions makes tracking difficult, but Bitrace linked the scammer's address to a centralized exchange, connecting the on-chain address to a real-world identity.
Bitrace has advised the victim to report the incident to the police, hoping to increase the chances of recovering the stolen funds through legal channels. Users are urged to verify the identity of counterparts in OTC transactions, avoid unknown QR codes and links, and conduct risk assessments of counterpart addresses before trading. Bitrace is launching a risk-check tool to help users identify potential risks associated with target addresses, available for free trial soon.
