Crypto forensics company warns against hack targeting Tron accounts after employee falls victim
Attackers are taking advantage of Tron's permission settings to steal crypto
A sophisticated hack targeting Tron accounts has compromised over 13,000 wallets in the 18-month period between June 2023 and November 2024, according to crypto forensics firm AMLBot.
The attack, which exploits Tron blockchain’s account permission settings, has led to losses in the tens of millions of dollars. Tron, the second-largest blockchain by active addresses with 2.19 million users in the past 24 hours, is also the third-largest by total value locked, holding $6.75 billion, per DefiLlama.
AMLBot began investigating the “UpdateAccountPermission” exploit after one of its employees fell victim last year. According to CTO Mike Tiutin, the attack has gained significant traction over the past year but remains underreported and poorly understood.
Mechanics
The “UpdateAccountPermission” hack requires the attacker to obtain the victim's private key or mnemonic phrase. Using this access, the attacker modifies the wallet’s permission settings to require approval from a wallet they control for any outgoing transfers.
Once permissions are updated, victims lose effective control of their wallets. Any outgoing transaction requires signatures from both the victim’s original key and the attacker’s key. With no alert to these changes, victims remain unaware of the breach until they attempt to transfer funds and encounter a transaction error. Meanwhile, the wallet can still receive funds, which the attacker can withdraw at will.
“If this was on the Ethereum blockchain or a Bitcoin blockchain, they would simply cash out all the funds from your wallet. But what they do in Tron is they update account permission. This gives extra time to the attacker to grab some extra funds,” Tiutin said.
AMLBot’s data indicates that an average of 25 Tron wallets are compromised daily using this method.
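The permission change described above can be spotted by reading an account's permission record and checking whether the wallet's own key still meets each signing threshold by itself. The following is an added example, not code from AMLBot or Tron: the field names (owner_permission, active_permission, threshold, keys, weight) are assumed to match the account record a Tron full node returns, and the account data and addresses are constructed placeholders.

```python
import json

# Constructed sample shaped like a Tron full-node account record (assumed
# field names: owner_permission, active_permission, threshold, keys).
# Addresses are placeholders, not real accounts.
SAMPLE_ACCOUNT = json.loads("""
{
  "address": "T-VICTIM-EXAMPLE",
  "owner_permission": {
    "permission_name": "owner", "threshold": 2,
    "keys": [{"address": "T-VICTIM-EXAMPLE", "weight": 1},
             {"address": "T-OTHER-EXAMPLE", "weight": 1}]
  },
  "active_permission": [{
    "permission_name": "active", "threshold": 1,
    "keys": [{"address": "T-OTHER-EXAMPLE", "weight": 1}]
  }]
}
""")


def audit_permissions(account):
    """Return findings for permissions the wallet's own key no longer controls alone."""
    own = account["address"]
    perms = []
    if "owner_permission" in account:
        perms.append(account["owner_permission"])
    perms.extend(account.get("active_permission", []))

    findings = []
    for perm in perms:
        name = perm.get("permission_name", "unnamed")
        threshold = perm.get("threshold", 1)
        keys = perm.get("keys", [])
        own_weight = sum(k["weight"] for k in keys if k["address"] == own)
        foreign = sorted({k["address"] for k in keys if k["address"] != own})
        if foreign:
            findings.append((name, "foreign_key", foreign))
        if own_weight < threshold:
            # The own key alone cannot authorise a transfer under this permission.
            findings.append((name, "own_key_below_threshold", [own_weight, threshold]))
    return findings


if __name__ == "__main__":
    for finding in audit_permissions(SAMPLE_ACCOUNT):
        print(finding)
```

Addresses must be compared in the same encoding (all hex or all base58), and a deliberately configured multi-signature wallet will also produce findings, so results need to be checked against the permissions the owner actually set.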
Targeting Tron wallets
While other blockchains also face wallet-targeting scams, Tron’s unique permission setup makes it particularly susceptible to certain types of attacks. These exploits often involve social engineering schemes in addition to technical vulnerabilities.
And the permission-based hack AMLBot’s employee encountered is not the only scam exploiting Tron’s mechanics.
Over the past few years, variations of these sorts of attacks targeting Tron wallets have proliferated.
One common scheme involves fraudsters posing as students on social media, claiming they need help transferring funds. They share seed phrases and offer a portion of the funds in return for assistance.
Victims are lured into adding TRX tokens to the wallet for the transfer, only to find the funds cannot be moved because the permissions have been diverted to another wallet. Ultimately, the scammers steal the TRX put into the wallet.
“The attack is in stealing your TRX that you have just funded to this account,” Tiutin explained.
“Popping up like grass”
Wallet providers like SafePal are grappling with the fallout. Veronica Wong, CEO of the Singapore-based non-custodial wallet, said her team has assigned a full-time employee to monitor and report scams mentioning their wallet.
Recently, she said, she’d seen an uptick in these sorts of messages being left under YouTube videos offering crypto-related tutorials and in Google ads or sponsored search results.
“We try to report and take it down one by one. It's definitely an endless process,” she said, adding the scams pop up constantly like grass.
Despite efforts, scammers adapt quickly. “Some of the scam websites we report are taken down and later on came back but change the content to other wallet brands,” she said.
She also highlighted the surge of new users entering the crypto space, spurred by the approval of Bitcoin ETFs and improved market conditions. Many lack basic knowledge of how crypto transactions work, leaving them vulnerable.
“We are seeing a lot of people reaching out to us not even understanding that blockchain transfers are non-reversible,” she said.
Wong said she would like to see more education on these scams, and for developers and companies to think more about how their infrastructure can be exploited as they create it and put it out into the market. “Technology is a double-sided sword. It's really a matter of how people use it,” she added.
“Proper guidelines and education are very important, especially if we are going to see a new wave of investors coming in.”