{ "Event": { "analysis": "1", "date": "2026-04-14", "extends_uuid": "", "info": "[Threat Intel] Silent Crypto Wallet Takeover Unlimited USDT Approval Exploitation via Trust Wallet QR Code Phishing", "protected": false, "publish_timestamp": "1776682909", "published": true, "threat_level_id": "3", "timestamp": "1776682909", "uuid": "8824c005-fc1a-4f66-a4be-31cb7634da69", "Orgc": { "name": "Rectifyq", "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4" }, "Tag": [ { "colour": "#f9b12b", "local": false, "name": "misp-galaxy:producer=\"Cyfirma\"", "relationship_type": "" }, { "colour": "#ffffff", "local": false, "name": "tlp:clear", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"none-from-src\"", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"from-OTX\"", "relationship_type": "" }, { "colour": "#3d38fc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Acquire Infrastructure - T1583\"", "relationship_type": "" }, { "colour": "#ed66f6", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Steal Web Session Cookie - T1539\"", "relationship_type": "" }, { "colour": "#47d9d3", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\"", "relationship_type": "" }, { "colour": "#c202a1", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Link - T1566.002\"", "relationship_type": "" }, { "colour": "#ff841f", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Application Layer Protocol - T1071\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Upload Malware - T1608.001\"", "relationship_type": "" }, { "colour": "#62e1b7", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Browser Session Hijacking - T1185\"", "relationship_type": "" }, { "colour": "#9e0269", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Web Service - T1102\"", "relationship_type": "" }, { "colour": "#c9dbdd", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Stage Capabilities - T1608\"", "relationship_type": "" }, { "colour": "#4a5d84", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Web Services - T1583.006\"", "relationship_type": "" }, { "colour": "#08221e", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Steal Application Access Token - T1528\"", "relationship_type": "" }, { "colour": "#3780c6", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"User Execution - T1204\"", "relationship_type": "" }, { "colour": "#71ecdb", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Account Manipulation - T1098\"", "relationship_type": "" }, { "colour": "#00f752", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over Alternative Protocol - T1048\"", "relationship_type": "" }, { "colour": "#1b95cd", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\"", "relationship_type": "" }, { "colour": "#356c41", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Encrypted Channel - T1573\"", "relationship_type": "" }, { "colour": "#2e58ce", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Input Capture - T1056\"", "relationship_type": "" }, { "colour": "#fdd85e", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Access Token Manipulation - T1134\"", "relationship_type": "" }, { "colour": "#92e858", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"", "relationship_type": "" }, { "colour": "#8d021b", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Dead Drop Resolver - T1102.001\"", "relationship_type": "" }, { "colour": "#0add7f", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003\"", "relationship_type": "" }, { "colour": "#49a260", "local": false, "name": "rectifyq:category=\"threat\"", "relationship_type": "" }, { "colour": "#130049", "local": false, "name": "rectifyq:sub-category=\"campaign-analysis\"", "relationship_type": "" }, { "colour": "#1a0065", "local": false, "name": "rectifyq:topic=\"crypto-related\"", "relationship_type": "" }, { "colour": "#ffd12e", "local": false, "name": "rectifyq:target=\"broad-based\"", "relationship_type": "" }, { "colour": "#55acee", "local": false, "name": "rectifyq:MY-relevancy=\"potentially-relevant\"", "relationship_type": "" }, { "colour": "#3500ca", "local": false, "name": "rectifyq:detection-rules=\"yara-from-src\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#3800d9", "local": false, "name": "rectifyq:action-taken=\"VT-comment\"", "relationship_type": "" }, { "colour": "#3d00e9", "local": false, "name": "rectifyq:action-taken=\"telegram\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1776308416", "to_ids": false, "type": "link", "uuid": "4797c8ba-fa71-49ca-84bf-89372a6daf53", "value": "https://www.cyfirma.com/research/silent-crypto-wallet-takeover-unlimited-usdt-approval-exploitation-via-trust-wallet-qr-code-phishing" }, { "category": "Other", "comment": "Description", "deleted": false, "disable_correlation": false, "timestamp": "1776308416", "to_ids": false, "type": "text", "uuid": "b43f95d9-1394-42bf-895f-475a5ecc99db", "value": "An active campaign targets Trust Wallet users through malicious QR codes distributed via Telegram, exploiting deep link mechanisms to redirect victims to Netlify-hosted phishing domains. The attack masquerades as a legitimate USDT transfer interface but covertly triggers an ERC-20 approve() transaction, granting unlimited token allowance to an attacker-controlled contract on BNB Smart Chain. This enables persistent fund drainage without further victim interaction. The modular drainer architecture uses config.js for control parameters and main.js for execution logic, with integrated Telegram bot infrastructure providing real-time transaction monitoring. Analysis confirms 52 transaction notifications indicating active exploitation. The campaign employs social engineering through a deceptive dollar-one illusion where victims believe they are initiating small transactions while actually granting unlimited wallet access. Multiple cloned phishing domains demonstrate scalable deployment within a Drainer-as-a-Servic" }, { "category": "Other", "comment": "Summary", "deleted": false, "disable_correlation": false, "timestamp": "1776308416", "to_ids": false, "type": "text", "uuid": "a6069449-3593-4fc1-b111-b264ba6a72e8", "value": "Name: Silent Crypto Wallet Takeover Unlimited USDT Approval Exploitation via Trust Wallet QR Code Phishing\nAuthor: AlienVault\nAdversary: \nTags: [\"crypto drainer\", \"qr code phishing\", \"token approval abuse\", \"trust wallet\", \"drainer-as-a-service\", \"usdt\", \"telegram bot\", \"deep link exploitation\", \"bnb smart chain\"]\nTgtd countries: []\nMlwr families: []\nAttack_ids: [\"T1583\", \"T1539\", \"T1204.002\", \"T1566.002\", \"T1071\", \"T1608.001\", \"T1185\", \"T1102\", \"T1608\", \"T1583.006\", \"T1528\", \"T1204\", \"T1098\", \"T1048\", \"T1566\", \"T1573\", \"T1056\", \"T1134\", \"T1071.001\", \"T1102.001\", \"T1048.003\"]\nIndustries: []" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1776308416", "to_ids": true, "type": "yara", "uuid": "9301ad83-04a3-48c0-9290-9f4028d29359", "value": "6f25ebdc95eb23935abefc67150e05fe471d2d02" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1776656930", "to_ids": true, "type": "url", "uuid": "9d123dca-550d-4847-9ccc-4ecac376510a", "value": "https://link.trustwallet.com/open_url?coin_id=60&url=https://swift-wallat-usdt-send.netlify.app", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1776656951", "to_ids": true, "type": "url", "uuid": "bd74675e-9a08-4d07-9a91-00dc27ff570e", "value": "https://send-usdt-09-admin.netlify.app", "Tag": [ { "colour": "#f08989", "local": false, "name": "NotFoundError", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1776656972", "to_ids": true, "type": "url", "uuid": "90a62d4f-760c-4134-8b5e-d0dbf8dff0c6", "value": "https://swift-wallat-usdt-send.netlify.app", "Tag": [ { "colour": "#f08989", "local": false, "name": "NotFoundError", "relationship_type": "" } ] } ], "Object": [ { "comment": "", "deleted": false, "description": "An object describing a YARA rule (or a YARA rule name) along with its version.", "meta-category": "misc", "name": "yara", "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3", "template_version": "7", "timestamp": "1776653362", "uuid": "51fb6555-a2a7-437f-a007-31fd7a99557c", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "yara-rule-name", "timestamp": "1776653362", "to_ids": false, "type": "text", "uuid": "3489e93a-a09c-4fd6-a79e-82fca4421d12", "value": "Crypto_Drainer_TrustWallet_QR_Approval" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "comment", "timestamp": "1776653362", "to_ids": false, "type": "comment", "uuid": "759f1f7b-9f55-44cf-ac6b-db24d3625805", "value": "Detects Trust Wallet QR-based crypto drainer with specific URLs and malicious spender contract." }, { "category": "Payload installation", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "yara", "timestamp": "1776653362", "to_ids": true, "type": "yara", "uuid": "4de3f29a-48c4-4a73-a5c9-13e52e0c351a", "value": "rule Crypto_Drainer_TrustWallet_QR_Approval\r\n{\r\nmeta:\r\ndescription = \u201cDetects Trust Wallet QR-based crypto drainer with specific URLs and malicious spender contract.\u201d\r\nauthor = \u201cCyfirma Research\u201d\r\ndate = \u201c2026-04-11\u201d\r\nthreat_family = \u201cCrypto Drainer\u201d\r\nreference = \u201cQR + Deep Link + USDT Approval Abuse\u201d\r\nstrings:\r\n// URLs\r\n$url_1 = \u201chttps://swift-wallat-usdt-send.netlify.app\u201d nocase\r\n$url_2 = \u201chttps://send-usdt-09-admin.netlify.app\u201d nocase\r\n$deep_link = \u201clink.trustwallet.com/open_url?coin_id=60&url=\u201d nocase\r\n// Malicious spender contract\r\n$malicious_contract = \u201c0x76C77b171264e1a81baA63125D9627E70B43a169\u201d nocase\r\ncondition:\r\nany of them\r\n}" } ] } ] } }