Update: Since mid Dec 2022 Etherscan has started identify "spam" transactions. You can see in the screenshot below the spam transaction is greyed out and contains a warning.

Since Monday 28th November 2022 around 9am, we have seen a number of customer accounts affected by an apparent attack.

This manifests itself as a customer receiving either a Webhook or iOS push notification for an apparent outbound USDC/USDT transaction which you did NOT send.

Firstly, your funds are safe.

You are simply seeing someone (we'll call them "spammer") attempting to "pull" zero tokens from your address to another address. Unfortunately, these on-chain contracts for USDT/USDC (that we have no control over) allow for this transaction. Should the spammer try to "pull" a non-zero amount of tokens the transaction would (correctly) fail.

No. The spammer is initiating the transaction so they are paying the gas fees.

Our best guess is that they are trying to confuse people by adding a spam transaction soon after a valid transaction with a similar address in the hopes that the user will accidentally send to them in future.

We have seem some of the spammer addresses very similar to valid addresses in that they have two or three digits that match at the beginning of the address and 4 or 5 that match at the end of the address.

This could lead to a mistake if someone was only checking the first and last few digits.

Here is a some sample transaction:

This is a valid transaction for 10,000 USDC to: 0xc0485e5d3fab6ca12ec55594cb8c0f1f9adaae0b

This is spam transaction for 0 USDC to: 0x46443c0bb379a20767168c02954eaadc1adaae0b

In this example the spam address has no initial characters matching the "real" to address, but the last seven are the same. This could trick someone into believing its correct.

Both of these transactions appear to send tokens from address: 0x6be602bad7d5f7033b7d4a6040e5d67e458c4b4a whereas in fact, only the first has sent tokens (10,000). The 2nd, although looking very similar has sent 0 tokens.

When the spammer attempts to "pull" funds from your address it is a valid on chain transaction. They are using the ERC-20 method called transferFrom or a batch version. The more common usage for transferFrom is when used in conjunction with the approve function where you can give another address the ability to "pull" ERC-20 tokens themselves. However, in this circumstance the spammer is "pulling" zero balance, so the contract doesn't check to see if you have actually given them permission since zero tokens doesn't affect your balance.

Once the spam transaction has been sent, it actually includes your address (as the sending address) which means our indexing picks it up and notifies you that you are technically sending funds. The value of the funds is zero. This can seem confusing but our desire is to be fully transparent with on-chain activity and limiting notifications because the value is zero could have other adverse consequences.