A sophisticated and effective cryptocurrency theft campaign is currently spreading through Telegram channels, turning a single QR code scan into a drained wallet. Security researchers from Cyfirma have detailed an active QR code-based “drainer” operation designed to exploit the trust and interaction flows of Trust Wallet users on the BNB Smart Chain.
The attack begins with social engineering in Telegram distribution channels, where victims are enticed to scan a QR code. This code utilizes Trust Wallet’s deep link mechanism to redirect users to fraudulent domains hosted on Netlify, which are meticulously crafted to masquerade as legitimate USDT transfer interfaces.
However, the “transfer” is a technical ruse. As the report explains, “Instead of performing a token transfer, the phishing flow covertly triggers an ERC-20 approve() transaction, granting unlimited token allowance to an attacker-controlled contract”. (BEP-20 tokens on the BNB Smart Chain implement the ERC-20 interface, so the same approve()/allowance mechanism applies.) The approve() call itself moves no funds, which is why the fake “transfer” looks harmless at signing time: it only records that the attacker’s contract may spend up to the approved amount of the victim’s USDT. The actual drain happens later, in a separate transaction the attacker sends that calls transferFrom(), and because the allowance is unlimited it can be repeated until the balance is empty or the allowance is revoked. That is what gives the adversary persistent access to the victim’s funds.
The campaign is not a one-off attempt but part of a maturing Drainer-as-a-Service (DaaS) ecosystem. The technical analysis reveals a modular and scalable architecture:
- config.js: Handles attacker-controlled parameters for quick deployment.
- main.js: Executes the core wallet interactions and transaction logic.
- Real-Time Exfiltration: The system utilizes Telegram bot infrastructure as a live monitoring channel. Researchers confirmed active exploitation after identifying at least 52 transaction-related notifications within these bot channels.
The true danger of this campaign lies in its reliance on user-authorized interactions rather than traditional software bugs. By signing an “unlimited token allowance,” the victim does not leak a private key; they authorize the attacker’s contract to move their tokens at any time, in any amount, with no further prompt from the wallet.
“This campaign demonstrates a highly effective blend of social engineering and blockchain-native abuse, targeting Trust Wallet users through trusted interaction flows rather than technical exploitation,” the report states. Furthermore, researchers warn that “at its core, the attack exploits the ERC-20 approval mechanism… enabling persistent and silent fund draining, where a seemingly harmless action can result in complete wallet compromise”.
Because the attack relies on valid (though malicious) user approvals, traditional wallet vulnerabilities are not the problem: the wallet did exactly what the signed transaction asked. The defense therefore lies in “approval hygiene” and skepticism.
Cyfirma’s findings reinforce a sobering reality in the Web3 space: “the primary risk lies not in wallet vulnerabilities but in user-authorized interactions, making awareness, verification, and approval hygiene critical to defense”.
Users are urged to:
- Verify every request: Never scan a QR code or click a deep link from an untrusted Telegram source, and before confirming any transaction read what the wallet is actually about to sign. A payment is a transfer; if the confirmation screen describes an approval, especially for a maximum or “unlimited” amount, reject it.
- Audit approvals: Use an allowance checker to regularly review token allowances on the BNB Smart Chain and revoke “unlimited” ones. A revocation is itself an on-chain approve() call that sets the spender’s allowance to zero, so it costs gas and must be sent from the wallet that granted the allowance; it stops future drains but does not recover tokens already taken.
- Watch for Netlify domains: Be wary of USDT interfaces hosted on generic Netlify subdomains. Treat the hosting provider as a weak indicator, though; infrastructure can be moved in minutes, while the approve() pattern in the transaction is the durable thing to check.
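As an added illustration of the approve()-versus-transfer() distinction described above and of the revocation step in the checklist (example code written for this article, not code from the Cyfirma report or from the drainer’s config.js/main.js): the JavaScript below decodes the calldata a dApp asks a wallet to sign, flags an approve() whose amount is effectively unlimited, and builds the approve(spender, 0) calldata that revokes it. The addresses and amounts are constructed for the example, the “effectively unlimited” threshold is a heuristic chosen here, and the four-byte selectors are the standard ERC-20 ones.

```javascript
// Added example (not from the original article or the Cyfirma report).
// Decodes ERC-20/BEP-20 calldata, flags approve() calls that grant an
// effectively unlimited allowance, and builds the approve(spender, 0) call
// that revokes one. All addresses below are hypothetical.

// Standard ERC-20 four-byte function selectors: keccak256(signature)[0:4].
const SELECTORS = {
  "0xa9059cbb": "transfer(address,uint256)",
  "0x095ea7b3": "approve(address,uint256)",
  "0x23b872dd": "transferFrom(address,address,uint256)",
};

const UINT256_MAX = (1n << 256n) - 1n;
// Heuristic threshold (an assumption of this example): drainers use 2^256-1,
// but any allowance above 2^128 base units is absurd for an 18-decimal token
// such as Binance-Peg USDT, so treat anything above it as unlimited.
const EFFECTIVELY_UNLIMITED = 1n << 128n;

// Split "0x<selector><32-byte words...>" into selector, ABI signature and args.
function decodeCall(data) {
  const hex = String(data).toLowerCase().replace(/^0x/, "");
  if (hex.length < 8 || !/^[0-9a-f]*$/.test(hex)) throw new Error("malformed calldata");
  const selector = "0x" + hex.slice(0, 8);
  const signature = SELECTORS[selector];
  if (!signature) return { selector, signature: null, args: [] };
  const types = signature.slice(signature.indexOf("(") + 1, -1).split(",");
  const words = hex.slice(8).match(/.{64}/g) || [];
  if (words.length < types.length) throw new Error("truncated calldata for " + signature);
  const args = types.map((t, i) =>
    t === "address" ? "0x" + words[i].slice(24) : BigInt("0x" + words[i]));
  return { selector, signature, args };
}

// Classify what the user is really being asked to sign.
function classify(data) {
  const call = decodeCall(data);
  switch (call.signature) {
    case "approve(address,uint256)": {
      const [spender, amount] = call.args;
      const unlimited = amount >= EFFECTIVELY_UNLIMITED;
      return { kind: "approve", spender, amount, unlimited,
        verdict: unlimited ? "REJECT: unlimited allowance to " + spender
                           : "REVIEW: allowance of " + amount + " to " + spender };
    }
    case "transfer(address,uint256)": {
      const [to, amount] = call.args;
      return { kind: "transfer", to, amount, unlimited: false,
        verdict: "OK: sends " + amount + " base units to " + to };
    }
    case "transferFrom(address,address,uint256)": {
      const [from, to, amount] = call.args;
      return { kind: "transferFrom", from, to, amount, unlimited: false,
        verdict: "REVIEW: moves " + amount + " from " + from + " to " + to };
    }
    default:
      return { kind: "unknown", selector: call.selector, unlimited: false,
        verdict: "REVIEW: unrecognised selector " + call.selector };
  }
}

// ABI-encode a (address, uint256) call: selector + two left-padded 32-byte words.
function encodeAddressUint(selector, address, amount) {
  const addr = String(address).toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]{40}$/.test(addr)) throw new Error("bad address " + address);
  if (typeof amount !== "bigint" || amount < 0n || amount > UINT256_MAX)
    throw new Error("amount out of uint256 range");
  return selector + addr.padStart(64, "0") + amount.toString(16).padStart(64, "0");
}

function encodeApprove(spender, amount) {
  return encodeAddressUint("0x095ea7b3", spender, amount);
}

// Revocation is just approve(spender, 0); it must be sent from the wallet that
// granted the allowance and stops future drains, not past ones.
function encodeRevoke(spender) {
  return encodeApprove(spender, 0n);
}

// Constructed sample inputs (hypothetical addresses, not taken from the campaign).
const ATTACKER_CONTRACT = "0x1111111111111111111111111111111111111111";
const MERCHANT_WALLET = "0x2222222222222222222222222222222222222222";
// What the fake "USDT transfer" page actually hands the wallet to sign:
// approve(ATTACKER_CONTRACT, 2^256-1).
const PHISHING_CALLDATA = "0x095ea7b3" + "0".repeat(24) + "1".repeat(40) + "f".repeat(64);
// What a genuine 100 USDT payment looks like (Binance-Peg USDT has 18 decimals).
const GENUINE_TRANSFER = encodeAddressUint("0xa9059cbb", MERCHANT_WALLET, 100n * 10n ** 18n);

for (const data of [PHISHING_CALLDATA, GENUINE_TRANSFER, encodeRevoke(ATTACKER_CONTRACT)]) {
  console.log(classify(data).verdict);
}
```

The decoder only reads the fixed-size arguments of the three standard calls; a wallet-side check would run classify() on every transaction request before showing the confirmation screen, and a revocation tool would send encodeRevoke(spender) to the token contract address for each flagged allowance.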