My USDT was sent out from my wallet without my consent. How did that happen?

A user asks: A guy asked me to scan a QR code and transfer 1 USDT to him. I did what he said then all my USDTs were sent out from my wallet without my consent. How did that happen?

imToken: Because that person is a scammer. They tricked you into granting their address a token approval, then used that approval to drain your wallet.

TL;DR:

  • Scammers typically send you a URL or QR code that tricks you into granting them a token approval.
  • A token approval lets a third party transfer tokens out of your wallet without any further consent from you.
  • Before confirming any transaction, check whether you are being asked to grant an unlimited token allowance rather than to send a fixed amount.
  • Use a tool such as CoinTool to check your existing approvals and revoke them.

Paying via QR codes is extremely common these days because it is much quicker than other payment methods. Convenience brings its own problems, however: scanning a malicious QR code can get your assets stolen.

How can this happen? You kept your mnemonic phrase in a secure place, but you still lost your assets.

The truth is that when you click the scammer's link or scan his QR code and "pay" him 1 USDT, the transaction you actually sign is not a transfer at all. It is an approval, and it lets the scammer move the rest of the USDT in your wallet as well.

What is token approval

Google Play offers a family payment method through which your family members' purchases, such as books and movies, are charged directly to your account. Even if your family members don't know your password, they can still spend your money.

Token approval works in a similar way. When you unknowingly grant a token approval to the scammer, he can transfer tokens out of your wallet without knowing your mnemonic phrase or password.

This is how the scam usually happens: you scan a QR code or click a link, which opens a scam website that mimics the transfer page of your wallet app. The site walks you through an imitation of the familiar transfer flow, but instead of a transfer confirmation, what the wallet actually asks you to sign is an approval of an unlimited allowance for that token.

A token approval allows the scammer to spend up to the approved amount of the specified token in your wallet; with an unlimited approval, that is your entire balance. He can then move your funds to his own wallet at any time, without knowing your mnemonic phrase or password.
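The following is an added example, not code from the imToken article: a minimal model of the ERC-20 / TRC-20 allowance mechanism that USDT uses, showing why an approval lets a third party move tokens without the owner's key, and why "revoking" an approval is itself an approve call that sets the allowance back to zero. The account names and balances are constructed for the scenario.

```python
# Added example (not imToken's code): toy model of ERC-20 / TRC-20
# approve / transferFrom semantics. Accounts and amounts are constructed.

UINT256_MAX = 2**256 - 1


class Token:
    """Toy token ledger with the approve / transferFrom semantics of ERC-20."""

    def __init__(self, decimals=6):
        self.decimals = decimals          # USDT uses 6 decimals
        self.balances = {}                # account -> base units
        self.allowances = {}              # (owner, spender) -> base units

    def mint(self, account, amount):
        self.balances[account] = self.balance_of(account) + amount

    def balance_of(self, account):
        return self.balances.get(account, 0)

    def allowance(self, owner, spender):
        return self.allowances.get((owner, spender), 0)

    def transfer(self, sender, to, amount):
        # A transfer can only be submitted by the key holder of `sender`.
        if self.balance_of(sender) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] = self.balance_of(sender) - amount
        self.balances[to] = self.balance_of(to) + amount

    def approve(self, owner, spender, amount):
        # Signed by `owner`. This is the call the fake transfer page hides.
        self.allowances[(owner, spender)] = amount

    def transfer_from(self, caller, owner, to, amount):
        # Signed by `caller` (the spender), NOT by `owner`.
        allowed = self.allowance(owner, caller)
        if allowed < amount:
            raise ValueError("allowance exceeded")
        if self.balance_of(owner) < amount:
            raise ValueError("insufficient balance")
        if allowed != UINT256_MAX:
            # Common token behaviour: an unlimited allowance is never decremented.
            self.allowances[(owner, caller)] = allowed - amount
        self.balances[owner] = self.balance_of(owner) - amount
        self.balances[to] = self.balance_of(to) + amount


def scam_scenario():
    """Constructed scenario: the victim signs an approval instead of a 1 USDT transfer."""
    usdt = Token(decimals=6)
    victim, scammer = "victim", "scammer"
    usdt.mint(victim, 5_000 * 10**6)        # victim holds 5,000 USDT

    # What the victim believed they signed:  transfer(scammer, 1 USDT)
    # What the fake page actually submitted: approve(scammer, unlimited)
    usdt.approve(victim, scammer, UINT256_MAX)

    # Later, from the scammer's own wallet, with no access to the victim's keys:
    usdt.transfer_from(scammer, victim, scammer, usdt.balance_of(victim))
    drained = usdt.balance_of(scammer)

    # Revocation is an approve() that sets the allowance to zero.
    usdt.mint(victim, 100 * 10**6)          # victim later receives 100 USDT
    usdt.approve(victim, scammer, 0)
    try:
        usdt.transfer_from(scammer, victim, scammer, 1)
        revoked = False
    except ValueError:
        revoked = True

    return {
        "drained": drained,                  # 5,000 USDT in base units
        "victim_left": usdt.balance_of(victim),
        "revoked": revoked,
    }


if __name__ == "__main__":
    print(scam_scenario())
```

Note that the drain in `transfer_from` is signed by the scammer, not the victim: once the allowance exists, no further interaction with the victim is needed, which is why a wallet that "never leaked its mnemonic" can still be emptied.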

How to tell if the transfer page is real or not

You can distinguish a real transfer page from a fake one by checking the icon in the upper right corner of the page. The fake page shows "…" and "X" icons in the top right corner, while the real transfer page shows a QR code scan icon there.

Whatever the situation, including scanning a payment QR code, a few steps help you stay safe:

  1. Check whether the QR code opens a legitimate transfer page rather than a website imitating one.
  2. Check whether you are being asked to approve an unlimited token allowance instead of sending a fixed amount.
  3. Better still, ask for the recipient's address in text form. It is a little less convenient, but much safer.
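Step 2 can be checked mechanically: the scam page's "transfer" is a different contract call from a real one, and the difference is visible in the raw transaction data. The block below is an added example, not code from the imToken article or the CoinTool DApp. It decodes the calldata of an ERC-20 / TRC-20 token call (USDT on both Ethereum and TRON uses this ABI) and flags an unlimited approval. The three function selectors are the standard ERC-20 values; the scammer address and the "unlimited" threshold are assumptions for the demo, and addresses are handled in their 20-byte hex form (a TRON base58 "T..." address would have to be converted first, which is not shown).

```python
# Added example (not imToken's or CoinTool's code): decode ERC-20 / TRC-20
# calldata before signing it, and flag approve() calls with an unlimited amount.

SELECTORS = {
    # first 4 bytes of keccak256 of the canonical signature (standard ERC-20)
    "a9059cbb": ("transfer", ("to", "amount")),
    "095ea7b3": ("approve", ("spender", "amount")),
    "23b872dd": ("transferFrom", ("from", "to", "amount")),
}
UINT256_MAX = 2**256 - 1
UNLIMITED_FLOOR = 2**128   # assumption: any allowance this large is "unlimited" in practice


def _strip0x(h):
    return h[2:] if h.startswith("0x") else h


def _word(value):
    """ABI-encode one static argument as a 32-byte word."""
    if isinstance(value, str):   # 20-byte hex address, left-padded with zeros
        return bytes.fromhex(_strip0x(value)).rjust(32, b"\x00")
    return value.to_bytes(32, "big")   # uint256


def encode_call(selector, *args):
    """Build calldata the way a wallet would (used here only to construct samples)."""
    return "0x" + selector + b"".join(_word(a) for a in args).hex()


def decode_token_call(calldata):
    """Return the function name and decoded arguments of a token call."""
    data = bytes.fromhex(_strip0x(calldata))
    if len(data) < 4:
        raise ValueError("calldata too short to contain a selector")
    selector = data[:4].hex()
    if selector not in SELECTORS:
        return {"function": "unknown", "selector": selector}
    name, fields = SELECTORS[selector]
    body = data[4:]
    if len(body) != 32 * len(fields):
        raise ValueError(f"{name}: malformed argument block ({len(body)} bytes)")
    out = {"function": name}
    for i, field in enumerate(fields):
        word = body[32 * i:32 * (i + 1)]
        if field == "amount":
            out[field] = int.from_bytes(word, "big")
        else:
            if any(word[:12]):
                raise ValueError(f"{field}: address word has non-zero padding")
            out[field] = "0x" + word[12:].hex()
    return out


def assess(calldata, decimals=6):
    """Return (verdict, message) describing what signing this calldata would do."""
    call = decode_token_call(calldata)
    fn = call["function"]
    scale = 10**decimals
    if fn == "transfer":
        return "ok", f"sends {call['amount'] / scale:g} tokens to {call['to']}"
    if fn == "approve":
        if call["amount"] >= UNLIMITED_FLOOR:
            return "danger", (f"UNLIMITED approval to {call['spender']}: "
                              "that address can drain this token at any time")
        return "caution", (f"approves {call['spender']} to spend up to "
                           f"{call['amount'] / scale:g} tokens")
    if fn == "transferFrom":
        return "caution", (f"moves {call['amount'] / scale:g} tokens from "
                           f"{call['from']} using an existing allowance")
    return "review", f"unrecognised selector {call['selector']}; do not sign blind"


# Constructed samples. SCAMMER is a placeholder address, not a real one.
SCAMMER = "0x" + "de" * 20
HONEST_TRANSFER = encode_call("a9059cbb", SCAMMER, 1 * 10**6)      # transfer(scammer, 1 USDT)
HIDDEN_APPROVE = encode_call("095ea7b3", SCAMMER, UINT256_MAX)     # approve(scammer, unlimited)

if __name__ == "__main__":
    for label, cd in (("what the victim expected", HONEST_TRANSFER),
                      ("what the fake page submits", HIDDEN_APPROVE)):
        verdict, msg = assess(cd)
        print(f"{label}: {verdict.upper()} - {msg}")
```

Both calls carry the same address and look alike as hex, which is exactly why a wallet's confirmation screen should name the function and show the amount: a "1" for a transfer and a 78-digit number for an approval are not the same transaction.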

How to check whether you have approved a third-party to transfer your token?

Take the TRX wallet as an example:

  1. Open the imToken TRX wallet and switch to the Browser tab.
  2. Enter "cointool.app" in the search box and open the DApp.
  3. Click the menu icon in the upper left corner and select "Token Allowance Checker".
  4. Click "TRX" and enter your TRX wallet address.
  5. Click :arrow_right:. Every third-party address you have approved is then listed along with its danger level. You can revoke an approval by following CoinTool's instructions.
    Note: If it says "You don't have an authorization token for a contract. It's great!", you have not approved any third party yet.

Further reading:

So don't click links sent by strangers or scan their QR codes :thinking: