A new scam is making the rounds on Telegram, allowing scammers to drain victims’ crypto wallets without their confirmation, according to reports from users and blockchain data. This particular scam targets tokens that comply with the ERC-2612 token standard, which permits “gas-less” transfers or transfers through wallets that don’t hold Ether (ETH). While users don’t need to approve a transaction, they are tricked into signing a message. As more tokens adopt the ERC-2612 standard, this type of attack is expected to increase.
One user reached out to Cointelegraph, claiming to have lost over $600 worth of Open Exchange (OX) tokens after visiting what he believed was the official Telegram group for the token’s developer, OPNX. However, it turned out to be a phishing scam. When the user entered the group, they were prompted to connect their wallet to prove they weren’t a bot. They connected their wallet, assuming it posed no risk to their funds. However, within minutes, all of their OX tokens were drained. The victim insisted they hadn’t approved any transactions, yet their funds were stolen.
Cointelegraph investigated the Telegram group and discovered a fake version of the Collab.Land Telegram verification system. The genuine Collab.Land system sends messages through the Telegram channel @collablandbot, while the fake version used @colIablandbot, with a capital “I” instead of a lowercase “l.” In Telegram’s font, these characters look strikingly similar. Additionally, the “connect wallet” button in genuine Collab.Land messages leads to the URL connect.collab.info, which lacks dashes. However, the fake version directed users to connect-collab.info, with a dash instead of a period.
According to blockchain data, the attacker drained the funds by utilizing the “transferFrom” function on the OX token contract. Normally, this function can only be called by a third party if the owner first calls “approve” through a separate transaction and sets a spending limit. However, there was no evidence of the victim making such an approval. Approximately one hour and 40 minutes before the transfer, the attacker called “Permit” on the OX token contract, designating themselves as the “spender” and the victim’s account as the “owner.” They also set a “deadline” for when the permit would expire and a large “value” of tokens that could be transferred.
The Permit function, found in the token contract’s ERC20.sol file, permits a third party to authorize token transfers on behalf of the owner, provided the owner signs a message giving them authorization. This may explain how the attacker drained the funds without tricking the owner into making a traditional token approval. However, it suggests that the attacker did deceive the owner into signing a message. When presented with this evidence, the victim revealed that they attempted to connect to the site again and noticed an “additional signing dialogue,” which they must have confirmed the first time without realizing it.
The Permit function appears to be a new feature in some token contracts, implemented as part of the ERC-2612 standard, which allows transactions through wallets that don’t hold ETH. While this feature has the potential to enable user-friendly wallets specifically for stablecoins, scammers have been exploiting it to deceive users and steal their funds. Web3 users should be cautious, as attackers can drain their funds even without an approval transaction, as long as they sign a message granting the attacker permission.
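As an added illustration (not from the Cointelegraph report or the Collab.Land project), the following Python check shows what a wallet or browser extension could inspect in an `eth_signTypedData_v4` request before displaying it: it recognizes the ERC-2612 `Permit` struct and flags the three fields that made this attack work, an unfamiliar spender, an unlimited value and a distant deadline. A "prove you are not a bot" step only needs to prove wallet ownership, so a `Permit` struct appearing in that flow is itself a warning sign. The addresses, token domain and timestamps are constructed placeholders, and `review_permit_request` is a hypothetical helper.

```python
import json

MAX_UINT256 = 2**256 - 1
ONE_DAY = 24 * 3600

# Constructed sample of an eth_signTypedData_v4 request shaped like the
# ERC-2612 Permit struct. Addresses and the domain are placeholders, not the
# real OX token contract or the accounts from the incident.
SAMPLE_PERMIT_REQUEST = json.dumps({
    "types": {
        "Permit": [
            {"name": "owner", "type": "address"},
            {"name": "spender", "type": "address"},
            {"name": "value", "type": "uint256"},
            {"name": "nonce", "type": "uint256"},
            {"name": "deadline", "type": "uint256"},
        ],
    },
    "primaryType": "Permit",
    "domain": {"name": "Example Token", "chainId": 1,
               "verifyingContract": "0x" + "11" * 20},
    "message": {
        "owner": "0x" + "aa" * 20,      # the signer's own account
        "spender": "0x" + "bb" * 20,    # the party being granted an allowance
        "value": str(MAX_UINT256),      # unlimited allowance
        "nonce": 0,
        "deadline": "1800000000",       # far-future expiry (Unix time)
    },
})


def review_permit_request(payload, trusted_spenders, now):
    """Return a list of warnings for a typed-data request that is a Permit."""
    data = json.loads(payload)
    if data.get("primaryType") != "Permit":
        return []  # not an allowance-granting signature; nothing to flag here
    msg = data["message"]
    spender = msg["spender"].lower()
    warnings = []
    # The signer is handing an allowance to this address: it should be a
    # contract or account the user deliberately chose, never a stranger.
    if spender not in {s.lower() for s in trusted_spenders}:
        warnings.append(f"spender {spender} is not a known contract")
    # An unlimited value lets the spender call transferFrom for the full balance.
    if int(msg["value"]) == MAX_UINT256:
        warnings.append("value is unlimited (max uint256)")
    # A distant deadline lets the signature be submitted long after signing.
    if int(msg["deadline"]) > now + ONE_DAY:
        warnings.append("deadline is more than a day away")
    return warnings
```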
Cointelegraph contacted the Collab.Land team for comment, and developers confirmed that the bot and website involved in the attack are not associated with the genuine Collab.Land protocol. Upon learning about the imposter, the project developers reported the scam to Telegram.