imToken on Security: USDT was sent out of my wallet without my consent. How did that happen?

A user asks: A guy asked me to scan a QR code and transfer 1 USDT to him. I did what he said then all my USDTs were sent out from my wallet without my consent. How did that happen?

Another user asks: An imToken official told me that I could earn rewards by depositing tokens into imToken. Considering it a very good opportunity to grow money, I did as instructed. After transferring money to imToken, however, my wallet was drained.

 

imToken: That guy is a scammer, and the so-called ‘imToken official’ is an impersonator. They tricked you into granting them approval to drain your wallet.

TL;DR:
  • Scammers usually send you a QR code or impersonate imToken officials to trick you into giving them a token approval.

  • Token approval allows a third party to transfer tokens out of your wallet without your consent.

  • Check whether you are giving unlimited token allowance whenever you are making a transaction.

  • Use tools like TRONSCAN and Etherscan to check and revoke token approval.

What is a token approval?

Google Play offers a family payment method through which your family members’ purchases, such as books and movies, are charged directly to your account. Even if your family doesn't know your Google Pay password, they can still use your money.

Token approval is similar. When you unknowingly give a token approval to a scammer, they can move your funds to their own wallet without knowing your mnemonic or password.

Scammers usually use two lures to trick crypto investors: QR code payment and liquidity mining.

QR code payment

Scammers lure you into scanning a QR code or clicking a link, which opens a scam website mimicking the transfer page of your wallet app. The site takes you through an imitation of the familiar transfer interface. Instead of the transaction confirmation, a window asking you to approve an unlimited token allowance appears.

Please note that you can distinguish between real and fake transfer pages by checking the icon in the upper right corner of the page. The icons in the top right corner of the fake page are "..." and "X", while that of the real page is a QR code scan icon.

In any case, such as scanning a payment QR code, there are a few steps that help you stay safe:

  1. Check whether the QR code opens a legitimate transfer

  2. Check whether you are giving unlimited token allowance

  3. You can also ask for the text version of the recipient’s address. It’s a little inconvenient, but it’s much safer.

Liquidity mining

Scammers impersonate imToken officials on channels such as Telegram, WhatsApp and YouTube, and offer you a very good investment opportunity: deposit USDT into imToken and participate in liquidity mining or staking to get guaranteed daily earnings. The more tokens you deposit, the higher the rate of return.

Some scammers even tell you that no principal is required, just pay some miner fees to join the network, then you get a stable income. Sounds too good to be true? Well, it probably is. 

When you confirm a transaction on the scam website to start the so-called liquidity mining or staking, you are actually giving unlimited token allowance to the scammer.

So when you make a transaction or invest in a project, please pay attention to whether the "Approve Allowance" page pops up in the app, and stay alert.
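Both scams described above replace the expected transfer with an approval, and the difference is visible in the transaction data itself. The following is an added example, not imToken's code: it decodes ERC-20 calldata and flags an unlimited allowance. The addresses and amounts are constructed samples, and treating any allowance of 2**255 or more as "unlimited" is an assumption.

```python
"""Classify ERC-20 calldata before signing: plain transfer or approval?"""

SELECTORS = {
    "a9059cbb": "transfer",  # transfer(address,uint256)
    "095ea7b3": "approve",   # approve(address,uint256)
}
MAX_UINT256 = 2**256 - 1
# Heuristic (assumption): allowances of 2**255 or more are treated as unlimited.
UNLIMITED_THRESHOLD = 2**255


def decode_erc20_call(calldata_hex):
    """Return what a 68-byte ERC-20 call would do, or raise ValueError."""
    data = calldata_hex.lower()
    if data.startswith("0x"):
        data = data[2:]
    try:
        raw = bytes.fromhex(data)
    except ValueError:
        raise ValueError("calldata is not valid hex") from None
    if len(raw) != 4 + 32 + 32:
        raise ValueError("expected selector plus two 32-byte arguments")
    kind = SELECTORS.get(raw[:4].hex())
    if kind is None:
        raise ValueError("not a transfer or approve call")
    if any(raw[4:16]):  # an address occupies only the low 20 bytes of its word
        raise ValueError("address argument is not zero-padded")
    amount = int.from_bytes(raw[36:68], "big")
    return {
        "kind": kind,
        "counterparty": "0x" + raw[16:36].hex(),  # recipient or approved spender
        "amount": amount,
        "unlimited": kind == "approve" and amount >= UNLIMITED_THRESHOLD,
    }


def encode_call(selector, address_hex, amount):
    """Build constructed sample calldata for the demo below."""
    return "0x" + selector + address_hex[2:].rjust(64, "0") + format(amount, "064x")


# Constructed sample data: placeholder addresses; 1 USDT = 1_000_000 (6 decimals).
SAMPLE_TRANSFER = encode_call("a9059cbb", "0x" + "11" * 20, 1_000_000)
SAMPLE_APPROVE = encode_call("095ea7b3", "0x" + "22" * 20, MAX_UINT256)

if __name__ == "__main__":
    for label, calldata in (("expected", SAMPLE_TRANSFER), ("scam page", SAMPLE_APPROVE)):
        call = decode_erc20_call(calldata)
        verdict = "UNLIMITED APPROVAL, do not sign" if call["unlimited"] else "ok"
        print(label, call["kind"], call["counterparty"], call["amount"], verdict)
```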

 

Note:

  • imToken officials will never chat with you on Telegram, WhatsApp or YouTube.

  • imToken is a self-custodial wallet, so there is no such thing as an “Official Address” or “Address of imToken Financial Department”. If someone tells you that an address belongs to imToken, they must be a scammer.

How to check whether you have approved a third party to transfer your tokens?

Approval scams usually play out on Ethereum and TRON, so this blog will explain how to check and cancel the approval of your ETH and TRX addresses respectively.

  1. Open imToken ETH wallet, and switch to the browser page.

  2. Enter “Approval” in the search bar and click “Token Approval”. 

  3. Click “Connect to Web3” -> “WalletConnect” -> “imToken”. After the wallet is successfully connected to Etherscan, return to the previous page and it will display "Connected".

  4. Scroll down the page and you can see the addresses and quantities you have approved under Approved Spender and Allowance.

  5. However, if you find an unknown address in your Approved Spender list, it is likely to be a fraudulent address. Please revoke the approval immediately. Click "Revoke" on the right side of the address, then click "Revoke" again on the pop-up page and confirm the transaction.

  6. Click "View your transaction". If the Status shows Success, it means you have successfully cancelled the approval.