Scammers exploit malicious ETH RPC nodes to target imToken wallet users.

The scam involves convincing individuals to download the legitimate imToken wallet and then sending them 1 USDT and small amounts of ETH as bait. The victim is then instructed to change their ETH RPC URL to a node that has been maliciously modified and is under the control of the scammer.

In this instance, Ethereum RPC interacts with nodes for various purposes such as querying balances, sending transactions, or interacting with smart contracts. After the user modifies the RPC URL, a falsified wallet balance is displayed on the victim’s end, leading them to believe that they have received a substantial amount of funds.

When the user attempts to transfer the miner’s fees to cash out the USDT, they discover the deceit. By then, the scammer has removed all traces and disappeared with the transferred fees.

Researchers at Slowmist highlighted that users often focus solely on whether funds have been credited to their wallets, overlooking potential risks. Scammers take advantage of this trust and negligence, using believable tactics such as transferring small amounts of money to deceive users.

Slowmist added that an investigation into one of the victim’s wallets revealed that it received 1 USDT and 0.002 ETH from the scammers’ address. Tracking that address showed that the scammer had sent 1 USDT to three other wallets.

The scammer’s address was associated with multiple trading platforms and was also flagged as “Pig Butchering Scammers” by the on-chain tracking tool MistTrack. As such, Slowmist urged users to remain vigilant during transactions and be skeptical of others to avoid being defrauded.