An active campaign targets Trust Wallet users through malicious QR codes distributed via Telegram, exploiting deep link mechanisms to redirect victims to Netlify-hosted phishing domains. The attack masquerades as a legitimate USDT transfer interface but covertly triggers an ERC-20 approve() transaction, granting unlimited token allowance to an attacker-controlled contract on BNB Smart Chain. This enables persistent fund drainage without further victim interaction. The modular drainer architecture uses config.js for control parameters and main.js for execution logic, with integrated Telegram bot infrastructure providing real-time transaction monitoring. Analysis confirms 52 transaction notifications indicating active exploitation. The campaign employs social engineering through a deceptive dollar-one illusion where victims believe they are initiating small transactions while actually granting unlimited wallet access. Multiple cloned phishing domains demonstrate scalable deployment within a Drainer-as-a-Servic