Fake 'AML Scanner' drains $31K

- A malicious 'AML Scanner' UI in Trust Wallet tricked a user into approving permissions, draining a $31,000 down payment. (x.com)
- Attackers leveraged deceptive token-approval flows to gain transfer rights and empty the wallet after the user clicked approve. (x.com)
- The case spotlights self-custody risks and the dangers of granting blanket approvals in decentralized finance apps. (x.com)

A fake “AML Scanner” screen inside a Trust Wallet flow tricked a user into approving access, and the wallet was emptied of a $31,000 home down payment. (x.com) Shieldguardio posted the case on X and said the victim clicked “approve” on what looked like a compliance check, not a transfer. The post says attackers then used the granted permission to move funds out of the wallet. (x.com)

The mechanics are simple: many crypto apps ask users to approve a smart contract before a swap or deposit. On Ethereum-style networks, the ERC-20 token standard includes an `approve` function that lets a third party spend tokens, and a `transferFrom` function that can move them later. (ethereum.org) That design is routine in decentralized finance, but the permission can be broad. Trust Wallet says approvals can be limited or “unlimited,” and that unlimited permissions can stay active indefinitely until a user revokes them onchain. (trustwallet.com)

Trust Wallet added an in-app approvals manager on November 17, 2025, letting users view, detect and revoke risky permissions from the wallet itself. The company says approved contracts can still drain tokens later if a contract turns malicious or was risky from the start. (trustwallet.com)

Security researchers have documented similar approval-based attacks against Trust Wallet users this month. CYFIRMA said on April 14, 2026 that a phishing campaign used Trust Wallet deep links and a fake USDT send page to trigger an ERC-20 `approve` call instead of a real transfer. (cyfirma.com) CYFIRMA said that campaign targeted BNB Smart Chain, used Telegram distribution, and granted what it described as unlimited allowance, allowing attackers to drain funds without another prompt. The firm said the attack relied on user-authorized transactions rather than a flaw in the wallet software itself. (cyfirma.com)

Users can review live token permissions with Etherscan’s Token Approvals tool, which lists approved contracts and the allowance attached to each one. Revoke.cash offers a similar checker across more than 100 networks. (etherscan.io) (revoke.cash)

For victims, the distinction is brutal: they did not hand over a seed phrase, but they still signed away spending rights. In self-custody, one tap on “approve” can function like a blank check. (trustwallet.com)
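The pattern both cases share is a transaction whose calldata calls `approve` while the screen describes something else. The following is an added example, not code from the article or from Trust Wallet, showing how a wallet or browser extension could decode the ERC-20 calldata it is asked to sign and warn when the function does not match what the UI claimed, or when the allowance is unlimited. The spender address and calldata are constructed sample values.

```python
# Added example: classify ERC-20 calldata before the user taps "approve".
# Selectors are the first 4 bytes of keccak256(signature); these are the
# well-known ERC-20 values.
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "a9059cbb": "transfer(address,uint256)",
    "23b872dd": "transferFrom(address,address,uint256)",
}
UNLIMITED = 2**256 - 1  # uint256 max, the usual "unlimited" allowance


def decode_erc20_call(calldata: str) -> dict:
    """Decode the selector and ABI-encoded arguments of an ERC-20 call."""
    data = calldata.lower().removeprefix("0x")
    if len(data) < 8:
        raise ValueError("calldata too short for a function selector")
    selector, args = data[:8], data[8:]
    fn = SELECTORS.get(selector)
    if fn is None:
        return {"function": None, "selector": selector}
    # Every ABI argument is one 32-byte word; addresses are right-aligned.
    words = [args[i:i + 64] for i in range(0, len(args), 64)]
    if len(words) != fn.count(",") + 1 or any(len(w) != 64 for w in words):
        raise ValueError(f"malformed arguments for {fn}")
    name = fn.split("(")[0]
    decoded = {"function": name, "selector": selector}
    if name == "transferFrom":
        decoded["from"], decoded["to"] = "0x" + words[0][24:], "0x" + words[1][24:]
        decoded["amount"] = int(words[2], 16)
    else:
        decoded["spender" if name == "approve" else "to"] = "0x" + words[0][24:]
        decoded["amount"] = int(words[1], 16)
    return decoded


def risk_flags(calldata: str, expected: str = "transfer") -> list:
    """Warnings a wallet could surface when the UI promised `expected`."""
    d = decode_erc20_call(calldata)
    flags = []
    if d["function"] != expected:
        flags.append(f"UI said {expected!r} but calldata calls {d['function']!r}")
    if d["function"] == "approve":
        flags.append(f"grants spending rights to {d['spender']}")
        if d["amount"] == UNLIMITED:
            flags.append("unlimited allowance: stays active until revoked")
    return flags


# Constructed sample: what a fake "send USDT" page might actually submit.
SAMPLE_APPROVE = "0x095ea7b3" + "0" * 24 + "deadbeef" * 5 + "f" * 64

if __name__ == "__main__":
    for flag in risk_flags(SAMPLE_APPROVE):
        print("WARNING:", flag)
```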
