Issue

In your vault accounts, you may encounter incoming or outgoing transactions that consist of no value. Such transactions may be indicators of malicious actors targeting your wallet as part of a social engineering attack.

These transactions allow the malicious actor to fabricate a transaction history between their wallet and yours. Having established this history, the malicious actor may try to trick you into transferring funds to their wallet. This attack vector is known as an address poisoning attack. Spammers may also use this technique to send you messages by including the message data in the transaction's contents.

Malicious actors target specific organizations if they know their wallet addresses. Otherwise, they may choose a random target by monitoring on-chain activity for addresses to target.

ERC-20 withdrawals

The ERC-20 token standard implements strict methods for transferring tokens and introduces Approve transactions, which allow you to enable another wallet or smart contract to withdraw funds up to the amount specified. For example, if you own wallet A, you can approve wallet B to withdraw up to 10 USDC from your wallet. Wallet B can then initiate withdrawals of up to 10 USDC out of wallet A.

Since the default amount for Approve transactions is zero for all tokens held in a wallet, a malicious actor can initiate a withdrawal of zero value out of your account. As a zero-value transaction, this does not move any funds out of your wallet.

TRON deposits

Since TRON provides its users with a daily bandwidth allowance to make no-fee transactions, malicious actors often take advantage of it. They often initiate transactions of no value or negligible value and include their spam messages within the transaction's content.

Learn more about TRON-specific spam transactions.

Resolution

Note that in all the above cases, the malicious actor has not compromised your wallet, Vault, or workspace keys. You will only lose funds if you manually transfer funds to the attacker. No particular action is required if you see these transactions in your workspace.

If you have any concerns with unknown transactions, contact Fireblocks Support.