SlowMist uncovers crypto scam exploiting altered Ethereum nodes


The SlowMist security team has uncovered a novel cryptocurrency scam that exploits the remote procedure call (RPC) function of altered Ethereum nodes. This type of fraud commonly targets physical offline transactions, employing Tether (USDT) as the preferred payment method.

According to SlowMist's findings, the scam starts with convincing the victim to download the legitimate imToken wallet and gaining their trust by transferring a small amount of 1 USDT and Ether (ETH) as bait.

Subsequently, the scammer directs the victim to change their ETH RPC URL to a node controlled by the scammer (

The scammer modifies the node using Tenderly’s fork feature, which falsifies the user’s USDT balance to make it appear that the scammer has deposited funds into the user’s wallet. When users view the balance, they mistakenly believe the funds are legitimate.

Analysis of a victim’s wallet address (0x9a7…Ce4) shows that the victim’s address received a small amount of 1 USDT and 0.002 ETH from another address (0x4df…54b). Source: SlowMist

However, when victims attempt to transfer out the miner’s fees to cash out the USDT, they realize they have been deceived. By this point, the scammer has disappeared without a trace.

In addition to modifying displayed balances, the fork feature can alter contract information, presenting an even more significant threat to users.

SlowMist Technology’s report stated that this type of scam exploits users’ trust and negligence, resulting in asset losses. The SlowMist security team reminds users to remain vigilant when trading and avoid using untrusted RPC nodes.

A remote procedure call lets a program on one computer run code on a remote server as if it were executing locally. In blockchains like Ethereum, RPC is how software interacts with nodes: querying balances, sending transactions, or interacting with smart contracts.
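Because a wallet displays whatever its configured node answers, a balance reported by an unfamiliar RPC endpoint can be compared with the same query sent to endpoints the user already trusts. The following is an added example, not code from SlowMist or the original article. The addresses, endpoint labels and responses are constructed sample data.

```javascript
// Added example: vet a token balance reported by a candidate RPC endpoint
// against independent reference endpoints. All sample data is constructed.

const BALANCE_OF_SELECTOR = "70a08231"; // first 4 bytes of keccak256("balanceOf(address)")
const ADDRESS_RE = /^0x[0-9a-fA-F]{40}$/;

// Build the JSON-RPC eth_call request a wallet sends to read an ERC-20 balance.
function buildBalanceOfCall(token, holder, block = "latest", id = 1) {
  if (!ADDRESS_RE.test(token) || !ADDRESS_RE.test(holder)) {
    throw new Error("expected 20-byte hex addresses");
  }
  // ABI encoding: selector followed by the address left-padded to 32 bytes.
  const data = "0x" + BALANCE_OF_SELECTOR + holder.slice(2).toLowerCase().padStart(64, "0");
  return { jsonrpc: "2.0", id, method: "eth_call", params: [{ to: token, data }, block] };
}

// Decode the uint256 returned by eth_call; errors and malformed results give null.
function parseUint256(response) {
  if (!response || response.error || !/^0x[0-9a-fA-F]{64}$/.test(response.result || "")) {
    return null;
  }
  return BigInt(response.result);
}

// candidate: response from the endpoint being vetted.
// references: { label: response } from endpoints the user already trusts.
function crossCheckBalance(candidate, references) {
  const claimed = parseUint256(candidate);
  const refValues = Object.entries(references)
    .map(([label, r]) => [label, parseUint256(r)])
    .filter(([, v]) => v !== null);
  if (claimed === null) return { verdict: "invalid-candidate", claimed, disagreeing: [] };
  if (refValues.length < 2) return { verdict: "insufficient-references", claimed, disagreeing: [] };
  const disagreeing = refValues.filter(([, v]) => v !== claimed).map(([label]) => label);
  return { verdict: disagreeing.length === 0 ? "consistent" : "mismatch", claimed, disagreeing };
}

// Constructed sample: references report 1 USDT (6 decimals), candidate reports 100,000 USDT.
const hex = (n) => "0x" + n.toString(16).padStart(64, "0");
const sampleCandidate = { jsonrpc: "2.0", id: 1, result: hex(100000n * 10n ** 6n) };
const sampleReferences = {
  "reference-a": { jsonrpc: "2.0", id: 1, result: hex(10n ** 6n) },
  "reference-b": { jsonrpc: "2.0", id: 1, result: hex(10n ** 6n) },
};
console.log(crossCheckBalance(sampleCandidate, sampleReferences).verdict); // mismatch
```

When issuing the real queries, pass the same block number to every endpoint instead of "latest", since honest nodes at different heights can otherwise return different balances.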


According to SlowMist, a user can adjust balance values using Tenderly’s custom JSON-RPC to control account balances within Tenderly Forks. This feature enables modifying account balances by setting specific values or increasing them as desired.

However, to establish a specific balance, use the code snippet “ethers.utils.hexValue(aBigNumberish)” to convert the big number value into a suitable format without leading zeros. This snippet sets the balance value to 100 ETH for one or more addresses through the tenderly_setBalance custom RPC endpoint.

A similar scam circulated on Telegram, allowing the attacker to drain a victim’s crypto wallet without the victim needing to confirm a transaction. While the method does not require users to approve a transaction, it appears to require tricking the user into signing a message.
