Recently, scammers have been luring users into adding malicious RPC nodes to their wallets. These nodes return fake balance data, making it look like you’ve received funds, and then push you to transfer tokens or pay fees—leading to asset losses.
Unlike traditional crypto theft, this type of scam does not involve a real on-chain transfer. Instead, it works by manipulating what your wallet displays, making it far more deceptive and harder to detect.
What Is an RPC Node?
Before understanding the scam, it helps to know what an RPC node is.
An RPC node is the data gateway your wallet app uses to connect to the blockchain. You can think of it as a messenger between your wallet and the network—it brings balances, transaction history, and other on-chain data into your app interface.
Keep in mind
- Wallet apps don’t hold your assets
Your tokens always remain on-chain. The wallet is simply a tool for managing and displaying them. - What you see depends on the node
The balances and transactions shown in your wallet come from the RPC node it is connected to.
If this “messenger” is fake or controlled, it can send false data to your wallet. You may see a higher balance or a successful receipt, even though no transfer has actually happened on-chain.
Under normal circumstances, you should use your wallet’s default trusted RPC. Scammers often provide RPC URLs containing strings like virtual.mainnet.rpc.tenderly. These point to virtual or simulated environments used only for testing. Any assets shown there do not exist on the real blockchain and have no real value.
Case Study
Howard made a profit on a third-party website. But when he tried to withdraw his funds, the site claimed its withdrawal feature was temporarily restricted. The site’s customer support told him he could withdraw directly to his own decentralized wallet.
Following their instructions, Howard added a so-called “dedicated network channel” (a custom RPC node) to his wallet. After completing the setup, a large token balance suddenly appeared. He believed the funds had arrived.
When he tried to send the tokens to an exchange, the transaction stayed pending and never went through. The customer support then claimed that because the amount was large, Howard had to pay a service fee to “activate” the account before the transfer could be completed.
At that point, Howard realized something was wrong. After switching back to his wallet’s default RPC node, the displayed balance instantly dropped to zero—and there were no transaction records. Official wallet support later confirmed that the transaction was just an illusion created by the manipulated RPC node. Howard had been scammed.
How the Scam Works
Scammers exploit information gaps and usually follow this pattern:
1.Build trust or create urgency
They may first send a small, real transfer (such as 10 USDT or 0.005 ETH) to convince you they are legitimate. Or, they take advantage of your urgency to withdraw or recover funds, pushing you to act quickly.
2.Get you to change the RPC node
They might say things like:
- “The official node is congested.”
- “Your network is too slow—switch to this dedicated channel.”
- “Use this faster node and your funds will arrive instantly.”
Once you add their RPC node (often a simulated or test environment), your wallet starts pulling data from that source—so it may show incoming funds even though nothing has actually happened on-chain.
3.Fake the balance and charge more fees
After connecting to the malicious RPC, your balance appears to surge. Scammers then exploit the stress of “I can see it, but I can’t withdraw it” to demand additional payments—such as service fees, expedite fees,taxes, unfreeze fees, or deposits—to extract even more money.
PSA:
Changing RPC settings does not require you to share your mnemonic phrase, private key, or token approvals—so it can be easy to overlook the risk. To protect your assets, always remember:
- Do not change RPC nodes casually
imToken’s default RPC nodes are security-reviewed and performance-optimized. Be extremely cautious if anyone asks you to manually add an RPC node to receive funds, especially if a stranger or customer support is guiding you step by step. - Always verify on-chain
Blockchain data is public and immutable. The real test is whether a block explorer (such as Etherscan) shows the transaction and whether its status is successful. If it doesn’t appear on the explorer, the funds were never received. - Do not follow settings you don’t understand
If someone leads you through technical steps and asks you to change settings or pay fees, stop immediately and verify through official imToken channels.
imToken Is Always Protecting Your Token Security
In November, imToken marked a total of 221,139 risky tokens, banned 673 risky DApp websites and marked 447 risky addresses.
If you encounter any suspicious tokens or DApps, please report them to us at support@token.im to help protect other users.
Closing Thoughts
Scams are constantly evolving, and it can be difficult for everyday users to stay fully protected. imToken is committed to detecting threats quickly, developing solutions, and keeping the community informed through timely alerts and education—so we can reduce losses and improve overall crypto safety.
We invite you to read and share the imToken Wallet Security Monthly Report, and work with imToken to keep every token safe.