A new scam has emerged on Telegram that allows attackers to steal cryptocurrency from victims’ wallets without the need for transaction confirmation, according to reports and blockchain data. This scam specifically targets tokens that comply with the ERC-2612 token standard, which enables “gas-less” transfers or transfers without the need for Ether (ETH) in the wallet. While this method doesn’t require users to approve a transaction, it does require users to unknowingly sign a message.
As more tokens adopt the ERC-2612 standard, this type of attack is expected to become more widespread. One user reported losing over $600 worth of Open Exchange (OX) tokens after visiting what he believed to be the official Telegram group for the token’s developer, OPNX. However, it turned out to be a phishing scam.
Upon entering the Telegram group, the user was prompted to press a button to connect his wallet and prove that he’s not a bot. This action opened a browser window, and the user connected his wallet to the site, assuming that merely connecting wouldn’t pose any risks to his funds. However, within a few minutes, all of his OX tokens were drained. The victim claims that he never approved any transactions on the page, yet his funds were still stolen.
Investigations revealed that the Telegram group featured a fake version of the Collab.Land Telegram verification system. The genuine Collab.Land system sends messages from the @collablandbot Telegram channel, while the fake version used the username @colIablandbot, with a capital “I” instead of a lowercase “l.” In Telegram’s font, these two letters appear almost identical.
Furthermore, the “connect wallet” button in authentic Collab.Land messages directs users to the URL connect.collab.info, while the fake version sent them to connect-collab.info, with a dash instead of a period.
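Both spoofing tricks described above, a homoglyph in the bot username and a separator swap in the hostname, are mechanical enough to be checked by a moderation bot or a browser extension before a user clicks. The Python below is an added example written for this page, not code from the article, Collab.Land or Telegram. The confusable table, the `classify_handle`/`classify_link`/`triage_message` helpers and the sample prompts are constructed for illustration; the known-good handle and host are the ones the article names.

```python
import unicodedata
from urllib.parse import urlsplit

# Glyph pairs that render nearly identically in common UI fonts. This table is a
# constructed, deliberately small one for the example; real confusables lists
# (Unicode TR39, for instance) are far larger.
CONFUSABLES = str.maketrans({
    "I": "l",   # capital i -> lowercase L, the swap used in @colIablandbot
    "1": "l",
    "|": "l",
    "0": "o",
    "O": "o",
})

# Known-good identifiers from the article; a deployment would load these from config.
KNOWN_GOOD_BOT = "collablandbot"
KNOWN_GOOD_HOST = "connect.collab.info"


def skeleton(text: str) -> str:
    """Collapse look-alike glyphs so visually identical strings compare equal."""
    return unicodedata.normalize("NFKC", text).translate(CONFUSABLES).lower()


def classify_handle(handle: str) -> str:
    """'genuine' for the real bot, 'lookalike' for a homoglyph of it, else 'unrelated'."""
    name = unicodedata.normalize("NFKC", handle).lstrip("@")
    if name == KNOWN_GOOD_BOT:
        return "genuine"
    if skeleton(name) == KNOWN_GOOD_BOT:
        return "lookalike"
    return "unrelated"


def _host(url: str) -> str:
    """Extract the hostname as written (case preserved, so 'I' vs 'l' is still visible)."""
    if "//" not in url:                      # tolerate bare hostnames pasted into chat
        url = "https://" + url
    netloc = urlsplit(url).netloc
    return netloc.rsplit("@", 1)[-1].split(":")[0]   # drop userinfo and port


def _flatten(host: str) -> str:
    # Drop label separators so connect-collab.info and connect.collab.info collide.
    return host.replace(".", "").replace("-", "")


def classify_link(url: str) -> str:
    """Compare the link's hostname, not the whole URL, against the known-good host."""
    host = _host(url)
    if host.lower() == KNOWN_GOOD_HOST:
        return "genuine"
    if skeleton(_flatten(host)) == _flatten(KNOWN_GOOD_HOST):
        return "lookalike"
    return "unrelated"


def triage_message(sender: str, link: str) -> dict:
    """Verdict for one 'connect wallet' prompt; anything not fully genuine is flagged."""
    verdicts = {"sender": classify_handle(sender), "link": classify_link(link)}
    verdicts["flag"] = any(v != "genuine" for v in (verdicts["sender"], verdicts["link"]))
    return verdicts


if __name__ == "__main__":
    # Constructed sample prompts: the genuine pattern and the imposter from the article.
    for sender, link in [("@collablandbot", "https://connect.collab.info/"),
                         ("@colIablandbot", "https://connect-collab.info/")]:
        print(sender, link, triage_message(sender, link))
```

The check deliberately compares the hostname rather than the full URL, and compares a case-preserved copy, because the lookalike only exists at the glyph level; lowercasing first would turn a capital "I" into "i" and hide it.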
According to blockchain data, the attacker drained the funds by calling the “transferFrom” function on the OX token contract. Normally, this function can only be called by a third party if the owner first calls “approve” in a separate transaction and sets a spending limit. However, there is no evidence that the victim ever made such an approval.
Approximately one hour and 40 minutes before the transfer, the attacker called “Permit” on the OX token contract, designating itself as the “spender” and the victim’s account as the “owner.” They also set a “deadline” for the permit to expire and an arbitrarily large “value” for the amount of tokens that could be transferred.
The Permit function, found in the token contract’s ERC20.sol file, enables a third party to authorize token transfers on behalf of the owner, but only if the owner provides a signed message authorizing it.
This setup explains how the attacker was able to drain the funds without tricking the owner into making a traditional token approval. However, it suggests that the attacker did deceive the owner into signing a message. When confronted with this evidence, the victim admitted attempting to connect to the site a second time and noticing an “additional signing dialogue” that they must have confirmed without realizing it.
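To make the sequence in the preceding paragraphs concrete, here is a small Python model of a token ledger with ERC-2612 permit, followed by the checks a wallet could run before the user confirms the signing dialogue. It is an added example written for this page, not code from the article or from the OX token contract. The `Erc2612Token` class, `sign_permit`, `assess_permit_request`, the warning thresholds, and the placeholder addresses are all constructed; in particular the signature check uses an HMAC keyed with the owner's secret as a stand-in for the ECDSA recovery (ecrecover) a real contract performs.

```python
import hashlib
import hmac

UINT256_MAX = 2**256 - 1

# Review policy for a permit request (constructed thresholds, not from the article).
LARGE_VALUE = 2**255                 # anything this big is effectively "unlimited"
MAX_DEADLINE_SECONDS = 30 * 86400


class Erc2612Token:
    """Minimal model of an ERC-20 balance/allowance ledger with ERC-2612 permit.
    Constructed for illustration: signature verification is an HMAC under the
    owner's secret, standing in for ecrecover on a real chain."""

    def __init__(self, balances: dict, owner_keys: dict):
        self.balances = dict(balances)
        self.allowance = {}                  # (owner, spender) -> value
        self.nonces = {o: 0 for o in balances}
        self._keys = owner_keys              # lets the model "recover" the signer
        self.approve_calls = 0               # counts classic approve() transactions

    @staticmethod
    def permit_digest(owner, spender, value, nonce, deadline) -> bytes:
        # EIP-2612 signs the typed struct Permit(owner, spender, value, nonce, deadline)
        fields = f"Permit|{owner}|{spender}|{value}|{nonce}|{deadline}".encode()
        return hashlib.sha256(fields).digest()

    def approve(self, owner, spender, value):
        """The traditional path: a transaction sent and paid for by the owner."""
        self.approve_calls += 1
        self.allowance[(owner, spender)] = value

    def permit(self, owner, spender, value, deadline, signature, now):
        """Anyone may submit this call; only the owner's signature matters."""
        if now > deadline:
            raise ValueError("permit expired")
        digest = self.permit_digest(owner, spender, value, self.nonces[owner], deadline)
        expected = hmac.new(self._keys[owner], digest, "sha256").digest()
        if not hmac.compare_digest(expected, signature):
            raise ValueError("invalid signature")
        self.nonces[owner] += 1              # each signature can be used only once
        self.allowance[(owner, spender)] = value

    def transfer_from(self, caller, owner, to, amount):
        allowed = self.allowance.get((owner, caller), 0)
        if allowed < amount or self.balances.get(owner, 0) < amount:
            raise ValueError("insufficient allowance or balance")
        if allowed != UINT256_MAX:           # "infinite" allowances are not decremented
            self.allowance[(owner, caller)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


def sign_permit(owner_key: bytes, owner, spender, value, nonce, deadline) -> bytes:
    """What the wallet produces when the user confirms the signing dialogue (stand-in)."""
    digest = Erc2612Token.permit_digest(owner, spender, value, nonce, deadline)
    return hmac.new(owner_key, digest, "sha256").digest()


def assess_permit_request(owner, spender, value, deadline, now, trusted_spenders) -> list:
    """Warnings a wallet or extension could surface before the user signs."""
    warnings = []
    if spender not in trusted_spenders:
        warnings.append(f"spender {spender} is not a known contract")
    if value >= LARGE_VALUE:
        warnings.append("value is effectively unlimited")
    if deadline - now > MAX_DEADLINE_SECONDS:
        warnings.append(f"deadline is {(deadline - now) // 86400} days away")
    return warnings


def run_scenario() -> dict:
    """Replays the article's sequence with constructed placeholder addresses and amounts."""
    victim, attacker = "0xVICTIM_PLACEHOLDER", "0xATTACKER_PLACEHOLDER"
    victim_key = b"stand-in for the victim's private key"
    token = Erc2612Token({victim: 600}, {victim: victim_key})
    now = 1_700_000_000
    # The phishing page composes the request: attacker as spender, unlimited value, distant deadline.
    request = dict(owner=victim, spender=attacker, value=UINT256_MAX,
                   deadline=now + 10 * 365 * 86400)
    warnings = assess_permit_request(**request, now=now, trusted_spenders=set())
    # The victim confirms the extra signing dialogue: a signature, not a transaction, no approve().
    sig = sign_permit(victim_key, nonce=token.nonces[victim], **request)
    # About 1h40m later the attacker submits permit, then calls transferFrom.
    token.permit(**request, signature=sig, now=now + 100 * 60)
    token.transfer_from(attacker, victim, attacker, 600)
    return {"balances": token.balances, "approve_calls": token.approve_calls,
            "warnings": warnings}


if __name__ == "__main__":
    print(run_scenario())
```

The model shows the two properties the article's evidence rests on: `approve_calls` stays at zero because the allowance was created by `permit`, which the attacker (or anyone) can submit on the owner's behalf, and the nonce makes each signature single-use, so a wallet that displays the spender, value and deadline fields is the last point at which the user can notice that nothing about the request resembles a bot check.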
The Permit function appears to be a new feature in some token contracts and is part of the ERC-2612 standard, which allows for transactions by wallets that don’t hold ETH. While this feature has the potential to create user-friendly wallets that only hold stablecoins, scammers are exploiting it to trick users into giving away their funds.
The Collab.Land team confirmed that the bot and website involved in this attack are not affiliated with the real Collab.Land protocol. They have reported the scam to Telegram after being informed of the imposter.