In part 3 of our series, we explore more scams: fake wallets, scam text messages and more.
Let’s learn from others and stay safe out there! If you have any questions, our support team is always here to help.
Fake wallet scam
In imToken Wallet Security Newsletter #1, we disclosed that scammers had purchased search terms and ad space on Baidu. When users searched for imToken, the results showed scam sites that offered fake wallet Apps for download.
This time we look at another channel, found by our users.
The scammers contacted Feixiaohao, a small Chinese app store, disguised as imToken officials and replaced the official website URL on Feixiaohao with a fake one.
The imToken security team found out about this and immediately contacted Feixiaohao to take down the fake URL, while continuing to collect evidence to help the police block these fake websites and arrest the scammers.
Scammers replaced the imToken download link on Feixiaohao with a fake URL between May 16 and August 8, 2021. Users who downloaded imToken via Feixiaohao during this period are at risk of losing their assets.
What should you do if you have downloaded a fake App?
- Addresses created via fake Apps or addresses that have been imported into fake Apps are at risk. Stop using these risky addresses ASAP
- Download imToken from our official website: https://token.im and create a new wallet address
- Transfer assets from the fake App to the new wallet address ASAP
So, what is the most important factor in wallet security? My answer is to bookmark imToken's official website address https://token.im.
If you download imToken from the Apple App Store, please confirm that the developer of imToken is IMTOKEN PTE.LTD.; all others are fake Apps.
Likewise, when you use other wallets such as MathWallet, TokenPocket or MetaMask, please make sure to download them from official websites or Google Play and Apple app stores.
Recently, some users received SMS messages claiming that their imToken accounts were suspected of black money trading and that they needed to click a URL for verification, otherwise their funds would be frozen.
If you click the link in the SMS, you will be taken to a fake AML/imToken website that will lure you into downloading a fake imToken App, resulting in asset loss.
Please note that imToken does not collect users’ personal information. The imToken security team believes that scammers obtain information through social engineering and then send SMS to users pretending to be imToken officials to commit fraud.
- imToken is a self-custodial wallet, so it is impossible for us to freeze your assets.
- It is strongly suggested to bookmark our official website: https://token.im
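The bookmark advice can also be applied mechanically to a link received by SMS or found in search results. The following is an added example, not imToken's code: it assumes that subdomains of token.im belong to the official site, and the sample links are constructed (the .example hosts are placeholders).

```python
from urllib.parse import urlsplit

OFFICIAL_HOST = "token.im"  # official site named in this newsletter


def check_link(url: str) -> tuple[bool, str]:
    """Classify a link against the official host; returns (is_official, reason)."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")  # lowercased, no port/userinfo
        user = parts.username
        _ = parts.port  # a malformed port raises ValueError
    except ValueError:
        return False, "unparseable URL"
    if not host:
        return False, "no host"
    if user is not None:
        # Everything before "@" is login data, not the site being visited.
        return False, f"userinfo disguise, real host is {host}"
    # Assumption: subdomains of token.im are operated by the official site.
    if host == OFFICIAL_HOST or host.endswith("." + OFFICIAL_HOST):
        if parts.scheme != "https":
            return False, "official host but not https"
        return True, "official host"
    if not host.isascii() or "xn--" in host:
        return False, "internationalized name, possible lookalike"
    if OFFICIAL_HOST in host:
        return False, f"official name embedded in another domain: {host}"
    return False, f"unrelated host: {host}"


# Constructed sample links, not taken from real scam messages.
SAMPLES = [
    "https://token.im/",
    "https://token.im.aml-verify.example/check",
    "https://token.im@aml-verify.example/",
    "http://token.im/",
    "https://tok\u0435n.im/",  # Cyrillic "e" in place of the Latin letter
    "https://imtoken-aml.example/verify",
]

if __name__ == "__main__":
    for link in SAMPLES:
        ok, reason = check_link(link)
        print(f"{'OK  ' if ok else 'FAKE'} {link!r}: {reason}")
```

Only the first sample passes; each of the others fails for a different reason, which is why comparing the link against a bookmark is more reliable than judging it by eye.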
After downloading the genuine imToken, the next step is to correctly back up the mnemonic, as a leaked mnemonic can result in a loss of assets.
So what happens if someone intentionally makes their mnemonic public?
“I'm liquidated. I have enough of this and I wanna quit crypto. This is my mnemonic, and there are still some UNI in my wallet, just take it as you like.”
Is there a free lunch?
No! There is no such thing as a free lunch. It’s a mnemonic scam!
The scammer claimed that he wanted to quit crypto because he got liquidated. He made his mnemonic (12 English words) public and said he wanted to give away the tokens in his wallet.
After importing the mnemonic into the wallet, you’d find that the address does have some tokens such as UNI but no ETH. So if you want to transfer UNI to your own wallet, you need to transfer ETH to the scammer’s address first to pay the miner fees. However, once you transfer ETH into that wallet, your ETH will be stolen immediately.
⚠️ Warning: There is no such thing as a free lunch!
Is the safety of your assets assured once you have properly backed up your mnemonic? No. You also have to be wary of authorization scams.
Recently, scammers have been airdropping UniH to RUNE holders. If you receive UniH and authorize a DApp such as Uniswap to manage the token on your behalf, then the scammer will exploit vulnerabilities in the RUNE contract to carry out attacks and steal RUNE from your wallet.
- imToken has marked UniH as a risky token.
- Be wary of airdropped tokens and do not approve them for swapping.
In July, 12 tokens, 50 DApps and 130 addresses were marked by the imToken security team as risky.
If you recognize any risky DApps or tokens, please report them to us via firstname.lastname@example.org to help more users avoid being deceived.