A phishing scammer recently managed to steal $20 million in USDT through a zero-transfer phishing attack, as reported by blockchain security firm PeckShield. The stolen funds were quickly frozen by Tether, the issuer of USDT, raising questions about the identity of the victim and the prompt response from Tether.
The zero-transfer phishing attack works by tricking victims into sending their USDT to a phishing address that closely resembles their intended address. In this case, the victim had received 10 million USDT from Binance and had successfully sent those funds to an alternative address. However, during that transfer, the scammer conducted a zero-value token transfer from the victim’s address to their phishing address.
Coinbase explained in a blog post that scammers started using smart contracts in November 2022 to create spoofed zero-value transactions. These transactions appear to be from the victim’s address and are designed to deceive victims into sending real funds to the scammer’s address. Users often only check the first and last characters of an address, making them more susceptible to this type of scam.
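A wallet-side check for the pattern described above, as an added example that is not from PeckShield, Coinbase or the original article: it flags zero-value transfers whose destination shares its first and last characters with an address the wallet has actually paid, and classifies a destination by comparing the full address. The addresses, amounts and function names are constructed for illustration.

```python
# Constructed sample data: every address and amount here is made up.
WALLET = "0x" + "a1" * 20
EXCHANGE = "0x" + "b" * 40
LEGIT = "0x4f3c" + "1" * 32 + "9b2e"
SPOOF = "0x4f3c" + "7" * 32 + "9b2e"   # same first/last 4 chars as LEGIT
OTHER = "0x" + "c" * 40
SAMPLE = [
    {"from": EXCHANGE, "to": WALLET, "value": 10_000_000},
    {"from": WALLET, "to": LEGIT, "value": 10_000_000},
    {"from": WALLET, "to": SPOOF, "value": 0},   # spoofed zero-value transfer
    {"from": WALLET, "to": OTHER, "value": 0},   # zero-value, not a look-alike
]

def norm(addr):
    """Lower-case and drop 0x so checksum casing does not affect comparison."""
    addr = addr.lower()
    return addr[2:] if addr.startswith("0x") else addr

def looks_alike(a, b, n=4):
    """Different addresses that share their first and last n hex characters."""
    a, b = norm(a), norm(b)
    return a != b and a[:n] == b[:n] and a[-n:] == b[-n:]

def paid_addresses(transfers, wallet):
    """Addresses the wallet has sent a non-zero amount to."""
    return {norm(t["to"]) for t in transfers
            if norm(t["from"]) == norm(wallet) and t["value"] > 0}

def find_poisoning(transfers, wallet, n=4):
    """(spoof, imitated) pairs among zero-value transfers shown as sent by wallet."""
    trusted = sorted(paid_addresses(transfers, wallet))
    return [(t["to"], "0x" + good)
            for t in transfers
            if norm(t["from"]) == norm(wallet) and t["value"] == 0
            for good in trusted if looks_alike(t["to"], good, n)]

def check_destination(dest, transfers, wallet, n=4):
    """Compare the full address, not just its ends, before sending."""
    trusted = paid_addresses(transfers, wallet)
    if norm(dest) in trusted:
        return "known"
    if any(looks_alike(dest, good, n) for good in trusted):
        return "lookalike"
    return "new"

if __name__ == "__main__":
    print(find_poisoning(SAMPLE, WALLET))
    print(check_destination(SPOOF, SAMPLE, WALLET))
```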
Immediately after the transfer, Tether took action and froze the USDT held at the scammer’s address by adding it to their blacklist. This swift response surprised many, including on-chain investigator ZachXBT, who questioned the identity of the victim and the speed at which Tether acted. It is possible that the transfer is related to an over-the-counter transaction.
Tether’s decision to freeze the funds is not unprecedented. Circle, a rival stablecoin issuer, has previously frozen transactions connected to the Ethereum privacy mixer Tornado Cash at the request of the U.S. Treasury Department. However, Tether has not taken similar action in the past.
The freezing of the $20 million stolen by the phishing scammer highlights the importance of vigilance and thorough address verification when conducting cryptocurrency transactions. Users should double-check the entire address and be cautious of any suspicious or unexpected transactions.