Security Alert|TRX multisig scams

Security Alert|TRX multisig scams

TRX multisig scams have become prevalent lately. Scammers trick users into downloading a fake imToken App to get hold of their mnemonics. They then alter the user's TRX account permission, taking away control of the user's assets. This article details how TRX multisig scams are carried out and provides tips to help guard against them. Scammers also use social media platforms to promote top-up websites and release mnemonics or private keys to lure users into sending TRX to wallets, only to have their owner permissions transferred by scammers.

Recently, TRX multisig scams have been rampant. Scammers get users’ mnemonics by luring them to download a fake imToken App. Instead of directly stealing assets away, they change users’ TRX wallet account permissions, causing users to lose control over their assets. 

In this article, how those scams are carried out will be explained to help you guard against them.

What are TRX multisig scams?

After a TRX wallet is created, the default wallet owner permission belongs to the account itself with the threshold being one. In other words, transferring through the wallet requires authorization signed by one address holding the permission.

Note: owner permission stands for the supreme control of a TRX account. With that permission, an address can operate the account in all manners.

With the ill-gotten mnemonic, scammers will change the user’s TRX account permission to get the owner permission, turning the threshold into two. In this case, sending assets through the wallet needs authorization signed both by the user’s address and the  scammer’s address.

That is why such scams are called TRX multisig scams since the user needs signatures from both his address and the scammer’s to transfer through the TRX wallet. This means that authorization from the scammer’s address is needed for any transactions from the user. The user will encounter an error pop-up  “server:SIGERROR” if his transaction does not have the scammer’s signature.

Suppose there is a firm with two partners, and they make it a rule that all major decisions can be executed only if both partners agree to sign the authorization, i.e., multi-signature. If one partner disagrees, the decision is not approved.

A multisig TRX account is similar to that company. Therefore, even with the mnemonic, the account user cannot make a transfer by himself.

Users can only transfer assets into his account, but not out of it. Scammers take advantage of this to play the long game. The user may keep transferring tokens into the account if he only uses it to receive payments from others and never check out his account permission.

Apart from luring users to download a fake imToken App, scammers will also carry out TRX multisig scams in these two ways:

  • Promoting top-up websites on social media platforms such as Telegram to lure users to deposit with their digital assets. In fact, scammers can get the owner permission of a user’s account during depositing.
  • Releasing their mnemonics or private keys on social media platforms such as Telegram and WhatsApp to lure users to send TRX as transaction fees into wallets. But in fact, the owner permissions of those wallets have already been transferred by scammers. In the end, all TRX in the wallets will be stolen.


imToken security team reminds you that

  • Please go to to download imToken.
  • There is no such thing as a free lunch.
  • Check out your TRX wallet account permission regularly.

How to check out your TRX wallet account permission?

1. Open your TRX wallet and switch to the “Browser” page. Enter TRONSCAN in the search box and launch the DApp.

2. In the search bar, enter your wallet address and click the search button. On the page showing all the account details, swipe down to the “Account Permission” section.

3. The account permission is under your control if your address is the only one with the owner permission.