Duplicate USDT Transactions To Random Addresses?

TrezorTramp · January 5, 2024, 1:04pm

Hello,
I made a transaction.
But then there are two duplicate transactions to random addresses. Which have actually withdrawn from my balance.
But weird thing is, I wasn’t actually on my computer at the time. I mean, I turned it on, made transaction and turned it off again.

Real transaction:

Then two transactions for the same value to 2 random addresses;

I’m assuming I can’t recover that so that’s great :’)
But how has that happened it makes no sense??

No one has my recovery key, I definitely didn’t confirm 3 transactions… its stored on a piece of paper, sealed inside a box…

Viktor_1BTC · January 5, 2024, 3:32pm

Are you sure what the duplicated USDT transactions has a valid ERC20 contract address?
Some fraudulent transactions may contain negative values. This is done so that in the future you would inadvertently transfer funds to the address that you allegedly used.

TrezorTramp · January 5, 2024, 4:05pm

Well the balance is not showing on my Trezor ETH USDT balance

So I mean something seems to have gone wrong?

TrezorTramp · January 5, 2024, 5:31pm

I’ve checked if I accepted any contracts (I wouldn’t even know how). But there are none and these duplicate* transactions to different addresses have exact same amount of USDT.
So I’m pretty sure it’s some sort of copy my transaction and edit it then resend it out?
But the issue then is how am I supposed to prevent that??
Just seems like it’s waiting to be stolen
Unless this is an issue further up the chain that I am not able to do anything about and it falls on Trezor for failing to do something or whatever

I don’t know it makes no sense to me and I just wish I could figure out how I could have prevented this or what I did wrong

matejcik · January 6, 2024, 12:30pm

Don’t worry, you didn’t do anything wrong.

See, the problem is that “the blockchain” (Ethereum in particular) is essentially a huge Excel spreadsheet that anyone can write into.

When you move ETH, there are builtin checks that you need a valid signature from your private key, etc., all that jazz. When you interact with tokens? Ha ha, not so much.

Every token is a smart contract, that is, a piece of code that “runs” on the Ethereum virtual machine. If the token is well written, it has all the things like “IF the transaction is signed by the sender, AND the sender owns enough token, THEN subtract tokens from sender and move them to recipient”.

Trouble is, anyone can publish any contract. I can make my own, set its name to “USDT”, and say “yeah and address A will receive 25, address B will receive 100, address XYZ will receive … blah blah”, you get the gist.

The way Ethereum works, I can inject those completely-made-up-on-the-spot transactions into your history.

So what the scammers do is, they watch for any USDT transactions and generate the same ones, except they own the destination address.
What people do is browse through their history, copy-paste the last address and send more tokens to it.
That is called address poisoning.

What should be done is that Suite should implement basically a form of spam filter to throw out all fake tokens. But because all the tech is so new, and the problem is not completely understood, writing such filter is not easy.