A New Crypto Scam Doesn't Need Your OK to Empty Your Wallet

A novel scam exploiting the ERC-2612 token standard's "gas-less transfer" feature is making rounds on Telegram, draining wallets with just a signature.

Bitcoin accompanied by an alert symbol

At the heart of this scam is the exploitation of smart contracts. For those new to the term, smart contracts are basically contracts that execute themselves based on code when certain conditions are met. They're crucial to many aspects of the blockchain universe, from the apps that let you lend out your crypto for interest, to the ones that let you own unique digital art pieces.

Normally, if you want to do something like send crypto or interact with one of these smart contracts, you'd get a prompt asking you to confirm the action. It's a security measure that's supposed to keep your digital money safe. But scammers have found a workaround. They've crafted malicious smart contracts that, once you interact with them just once, can keep dipping into your wallet without asking again.

The scam has been making waves particularly on Telegram, where, by tricking someone into signing a message, scammers can gain control over the victim's ERC-2612 tokens. This method's simplicity and effectiveness could potentially lead to an increase in attacks, especially as more tokens adopt the ERC-2612 standard.

The attack can even look like this: a person hops into a Telegram group and gets a prompt to "click here" to connect their wallet, all in the name of proving they are human, not a bot. They end up on a website, link their wallet, and think nothing of it because, hey, they didn't approve any transactions. But then, in just a blink, all their tokens are wiped clean.

So, how do you stay safe? It boils down to being super careful about what permissions you're giving out when you interact with smart contracts. If a contract is asking for wide-reaching permissions right off the bat, consider that a huge red flag. You should also avoid joining questionable groups and always double-check website links before connecting your wallet.