As the popularity of cryptocurrencies continues to grow, so does the ingenuity of scammers seeking to exploit unsuspecting users. In this blog post, we will shed light on a sophisticated ERC20 scam that involves the creation of a fake token with the same symbol as a widely used token, such as USDT (Tether).

Scammers carefully track wallets associated with the original token, create similar-looking addresses, and execute fake transactions to deceive users into sending their real tokens to the scammer’s controlled address.

The mechanics of the scam:

  1. Token Selection: The scammer chooses a popular and widely used token, in this case, USDT, as the target for their fraudulent scheme.
  2. Creation of a Fake Token: The scammer creates a new token that imitates the original token, using the same symbol (i.e. USDT).
  3. Tracking Original Token Wallets: The scammer monitors wallets that engage in transactions with the original token, specifically focusing on wallets sending the original token.
  4. Noting Transaction Details: The scammer takes note of the sent amount and the recipient’s address associated with the original token transactions.
  5. Generating a Similar Address: The scammer creates a new address under their control that closely resembles the original recipient’s address. They make sure the first few characters are intentionally similar to increase the chances of confusion.
  6. Executing Fake Transactions: Utilizing the fake token they created, the scammer initiates fake transactions that appear to originate from the user’s address. These transactions mimic the exact amount of the original token sent and are directed to the scammer-controlled address with similar-looking characters.

The mechanics of the scam

The deception:

The scammers’ ultimate goal is to deceive users into inadvertently sending their real tokens to the scammer’s address, mistaking it for the original recipient’s address. 

They exploit the user’s familiarity with the transaction process and the auto-suggestion features of wallets, leading to a higher likelihood of erroneous transfers.

Real-world example using Tres Finance’s Ledger:

Let’s take a closer look at a legitimate transaction and its corresponding fraudulent transaction to highlight the key differences and raise awareness about this deceptive scheme.

Please note that the address used in the example is randomly selected and is a victim of an active scam. 

It is important to clarify that this address is not associated with Tres or its customers in any manner.

As an anecdote, we have seen that more than 40% of our customers have been targeted with this scam, which is more common than what you might think.

Legitimate transaction:

In the legitimate transaction screenshot (as seen below), you’ll notice that it displays accurate information. The recipient’s name is visible since it has been previously configured in the user’s address book. 

Additionally, its corresponding fiat value is displayed. This transparency provides users with confidence in the authenticity of the transaction.

Legitimate transaction in Tres Finance’s platform

Fraudulent transaction:

In contrast, the fraudulent transaction screenshot reveals distinct disparities when compared to the legitimate transaction. It is important to note that the scam transaction is automatically marked with the “spam asset” tag by Tres, and transactions labeled as “spam asset” are hidden by default from the ledger page.

Furthermore, it is important to note that the recipient address in the fraudulent transaction is not listed in the user’s address book. As a result, it is displayed as a raw address without a familiar name attached to it. 

This absence of a recognized recipient name should immediately raise suspicion and caution during the verification process.

Unlike the legitimate transaction, the fraudulent transaction does not include a fiat value for the tokens being transferred. This absence of a fiat value serves as an important indicator that the transaction is associated with the fake token rather than the legitimate one. 

It is crucial to note that relying solely on the symbol of the asset can be misleading when determining the authenticity of a transaction. 

Instead, placing emphasis on the contract address, which serves as a unique identifier for the legitimate asset, is vital for accurate verification.

In addition to these discrepancies, another notable difference in the fraudulent transaction is the absence of a gas fee. This is because the user isn’t the one initiating the transaction.

In typical blockchain transactions, users are required to pay a gas fee to cover the cost of executing the transaction. The absence of a gas fee further indicates that this transaction is part of the scammer’s fraudulent activity.

Fraudulent transaction in Tres Finance’s platform

Indication in Tres finance’s platform:

We have created a table that provides a concise overview of the disparities between a legitimate transaction and a fraudulent one.


On platforms like Etherscan, the fraudulent transaction will appear above the original transaction which makes it “easier” to find and copy. It’s important to note that this transaction won’t bear any warning regarding the authenticity of the asset. A typical user will not notice the scam if they don’’t invest an extra 5-10 minutes looking into the transaction and verifying the address.

When creating new transactions, companies relying on Etherescan as their address repository put themselves under risk of sending their tokens to scammers.


On platforms like Etherscan, users searching for an address they interacted with may find the scammer’s address listed before the legitimate one. The fraudulent transaction appears above the original transaction, without any warning about the authenticity of the assets involved. This underscores the importance of exercising caution and carefully verifying transaction details before proceeding with additional funds transfers.

In conclusion, the ERC20 impersonation scam is a complex scheme where scammers create fake tokens to deceive users into sending their real tokens to scammer-controlled addresses. 

To safeguard your digital assets, it is crucial to stay vigilant, exercise caution during address verification, and stay informed.

When using the Tres Finance platform which is the Web3 financial data lake enabling finance teams to manage all their digital asset data for accounting, reporting and audit, you will be able to trust our data without any extra work.

Besides the financial applications, Tres has proprietary technology labeling transactions as scam/spam and reading the smart contracts involved.

The key indicators, as mentioned in the blog post earlier, are all visible while using Tres finance and are safeguarding your financial perimeter on the data level.

This article was also mentioned in our interview for CoinTelegraph

Interested in TRES?

Schedule a demo with one of our expert team members to show how we can streamline your financial operations and make Web3 finance the easiest part of your workflow.
Schedule a Demo