The Anatomy of Deception: How a Tron Phishing Scheme Scaled Over $770,000 in 2023

Key insights

  • The Tron phishing scheme used over 55,000 scam wallets and generated revenue of over $770,000.
  •  The scheme operates by collecting information about transactions made on the TRON Blockchain network and selecting a specific wallet as a phishing attack target based on its volume of transactions.
  •  The phishing scheme is based on three main wallets: The Rod Wallet 1, The Rod Wallet 2, and The Profit Collector Wallet. The Rod Wallets create new phishing addresses that carry out phishing transactions, while the Profit Collector Wallet serves as the main repository of funds obtained through phishing attacks.
  •  Scammers can create fake addresses that look similar to legitimate ones, tricking users into sending cryptocurrency to the wrong address.
  •  As of December 9th, 2022, the TRON Phishing Scheme has received 774.327 USDT, out of which 656,941 USDT was converted into 12,109,369 TRX.

In this article, we’ll delve into the mechanics of the Tron Phishing Scheme that used more than 55.000 scam wallets and generated revenue exceeding $700,000, found by the Global Ledger research team, and explore the tactics used by scammers to help users keep their Tron holdings safe and secure.

In mid-November, the GL protocol research team noticed a suspicious transaction and decided to check it for fraud. As a result, a large phishing scheme was discovered that struck at the lack of care taken by TRON Blockchain users. During the investigation, more than 3 variations of this scheme were revealed:

The scheme operates by collecting information about transactions made on the TRON Blockchain network and selecting a specific wallet as a phishing attack target based on its volume of transactions.

The flow of the TRON USDT Phishing Scheme used for receiving funds looks like these steps

1. A group of fraudsters collects information about transactions made on the TRON Blockchain network;

2. Then the specific wallet is selected as phishing attack target based on it’s volume of transactions;

3. A transaction of 0 USDT is sent to the selected wallet. This transaction is sent from a newly created phishing wallet, which has the same last 4-5 characters with the wallet to which the selected wallet has already sent a certain amount of tokens.

4. Such transactions are carried out several times and are targeted to the persons who mistakenly send funds based only on the end of the wallet number, as shown on the next slide.

But let’s take a look at how it works from the inside.
This  TRON phishing scheme is based on 3 main wallets: The Rod Wallet 1, The Rod Wallet 2, and The Profit Collector Wallet. The Rod Wallets are responsible for creating new phishing addresses that carry out phishing transactions, while the Profit Collector Wallet serves as the main repository of funds obtained through phishing attacks. 


The operation of this scheme began on 04.11.2022 with the creation of the first wallet TEd8bfCniiWoZNrDnSCxKYS3aRyQuChy9Q. Let us call it The Rod Wallet 1. The first transaction of this wallet was the deposit of 100 USDT and then was partially transferred to TRX. It is assumed  that the fraudsters created a large number of wallets with the help of a bot, and then The Rod Wallet 1 as the main one started sending 35 TRX and 0.1 USDT to the newly created wallets.



Such 35 TRX and 0.1 USDT transactions are necessary to conduct in order to create the impression that these wallets are valid for the TRON Blockchain network, which in the future will allow fraudsters to make more scam transactions.


After receiving the first profit on 11.16.2022 with one of the newly created phishing wallets TVNqQjZn9L4mBMJ4EVt4Kq1XTSz5VuDjuE, fraudsters created a wallet TJqeuqZLkE5WLMD1de3bMbciw4szTg18Yq which collects the profit from all the phishing wallets involved in the scheme. Let us call it The Profit Collector Wallet.

From 17.11.2022, the TRON Phishing Scheme begins to actively gain momentum, and a second wallet TE5M76ueVMUNpkVgVN2WKi2CiWKfpnQkCE was created using previous profits, let us call it The Rod Wallet 2. This Rod Wallet 2 carries out transactions in the same way as The Rod Wallet 1.


The number of outgoing phishing transactions per day


The number of transactions with profit came from phishing transactions during the operation of the USDT TRON Phishing Scheme



The amount of USDT received during the operation of the TRON USDT Phishing Scheme


The ratio of the number of incoming transactions with profit from phishing transactions to the amount of USDT received during the operation of the TRON USDT Phishing Scheme

Tron users need to be aware of the risks posed by these types of scams when making transactions. Scammers can create fake addresses that look similar to legitimate ones, tricking users into sending cryptocurrency to the wrong address. This can result in significant financial losses. The active work of this group of scammers ended between mid-December and mid-January.  As of December 9th, 2022, the TRON Phishing Scheme has received 774.327 USDT, out of which 656,941 USDT was converted into 12,109,369 TRX. The fraudsters have created over 55,000 phishing wallets, from which they continue to send phishing transactions. In addition, they have conducted over 170,000 transactions ranging from 0 to 0.001 USDT.  In the forthcoming article, we will elaborate on how the scammers utilized mining to launder the embezzled funds obtained through this scheme.