What is TRX wallet account permission change scam
The thriving blockchain industry has been plagued by scams leading to assets lost. Scammers set novice crypto users up by taking advantage of the knowledge gap, such as cheating users’ transfer authorization by offering them good investment opportunities, or stealing mnemonics through fake official websites and Apps.
Recently, fraudsters have upgraded their scams to cheat others by exposing mnemonics. This article is a breakdown of the scam.
Since mid-May, many imToken users reported that they encountered an error pop-up when transferring through their TRX wallets. (Shown in the picture below)
According to on-chain data, we found that those wallet addresses all have updated their account permissions.
The overview shows that the “Owner Address”, i.e. the user’s TRX wallet account, transferred its “Owner Permission”, the supreme control over an account, to address B. This means any transaction initiated by “Owner Address” should be approved by address B.
A TRX account usually has two permissions, namely, “Owner Permission” and “Active Permission”.
Owner permission represents the supreme control over an account. An address granted with that permission can operate the account in all manners.
In contrast, an address with active permission is only allowed to a combo of actions, such as transferring TRX and freezing assets.
Simply put, if users give up the owner permission and transfer it to a third party, they’ll get error pop-ups when starting a transaction.
So why would they give up the permission?
According to users’ feedback, their wallet mnemonics are given by others, not generated by themselves.
For instance, Tom lends $1000 to an internet friend who offers his mnemonic containing the commensurate amount of cryptocurrency in exchange.
Tom sees the assets in the wallet after importing the mnemonic. However, an error pop-up shows up when he tries to transfer.
Because the internet friend, the scammer, updated the account permissions before giving Tom the mnemonic. The assets in the wallet cannot be moved even though Tom has the mnemonic since the owner permission is only accessible to the scammer now.
Apart from tricking users to lend them money by offering mnemonics, scammers will also steal users’ mnemonics through enticing them to download fake imToken and change the owner permission, causing users to lose control of their accounts. In this circumstance, users can only transfer tokens into their wallets, but not out of them.
PSA:
- Please stay alert if someone wants to borrow money from you by giving his mnemonic. In this case, he is very likely to be a scammer.
- Please go to https://token.im to download imToken and carefully keep your mnemonic without exposing it to others. If you download imToken from App Store or Google Play, make sure the developer is IMTOKEN PTE.LTD
