Be careful

Did you know that anyone can carry out a transaction from your wallet by knowing the wallet address only and without the need for the wallet’s secret key or phrase? There is a type of attack known as Zero Transfer Phishing that is considered one of the worst phishing attacks in the crypto field because of the ease of doing it by the attacker, and the ease of Falling into it on the part of the victim. This attack currently targets millions of crypto wallets on different networks. How is this attack carried out? How do you protect yourself from it? First, there is a function in the Ethereum virtual machine (EVM) called transferFrom(). This function allows transactions from your wallet to another wallet via a third party. This means that a third party, such as a smart contract, can withdraw from your wallet via this function. Provided that prior approval is obtained from the wallet. There are many uses for this function, including “Swap” currency exchange transactions via decentralized platforms, as it allows the smart contract to withdraw a balance of X currency from your wallet; In exchange for obtaining a balance of Y currency. This function is used on other networks such as BNB Chain, Tron, and others. But at the same time; This function allows anyone to make a transaction from another person's wallet without their permission if the transaction amount is 0. What is the purpose of this if the transfer is worthless? The goal is to poison the wallet's transfer history to trick the wallet owner into making a transfer to the attacker's wallet. This is called an address attack. Poisoning.How does this attack occur? Firstly, the attacker searches for active addresses by searching through the blockchain, and active wallets are often targeted in stable currency transfers. Secondly, the attacker creates wallet addresses whose beginning and end are identical to the addresses of the targeted victims. How does this happen and the wallet addresses are generated in a manner Random? In fact, anyone can generate a wallet address under certain conditions. In this example, the condition is that the wallet address begins and ends with the same letters and numbers as the addresses of the targeted victims' wallets, and this address is called Vanity Address. Third, the attacker exploits the transferFrom() function to carry out a transaction worth 0 to or from the victims' wallets. This function calls another function called transfer(), which is responsible for performing transfers, but the most important thing it does is record the transaction in the wallet’s transaction log. The attacker begins monitoring addresses to wait for them to transfer before carrying out the attack, or he attacks randomly. Example: In this transaction, the victim transferred the first 10 USDC from his wallet to an address starting with 0x74C and ending with 0E1cA as a test to ensure that there were no problems before making the larger transfer. Two minutes later, the attacker carried out his attack by exploiting the transferFrom() function to make transfers of 0 from the victim’s wallet. To poison the transfer history and put his fake wallet address similar to the correct address to which the victim transferred 10 USDC. You can see the difference between the middle of the original address and the fake one. The result? The victim verified the last address he transferred to (the fake address) by checking only the beginning and end of the address, and then transferred more than $2 million to the attacker’s wallet address due to this simple mistake. Despite the naivety of the mistake; Most crypto users make the same mistake, and verify the transfer addresses by checking only the first and last characters. Of course, the attacker immediately transferred the funds to UniSwap to launder them and to avoid any possibility of his wallet address being frozen by Circle. Currently, there are millions of addresses on the Ethereum blockchain and the BNB blockchain that It has been targeted by this type of attack, and this number is constantly increasing, so I advise you to be very careful of these attacks. You can follow statistics on attacks via Zero Transfer Phishing. What you can learn from: 1- Always check the entire address before transferring, and not just the beginning and end of the address. 2- Do not transfer large amounts in one transaction. 3- If you find transfers worth 0$ sent from your wallet, do not worry, the wallet has not been hacked.