A prolific cryptocurrency thief using an attack technique known as "address poisoning" has swindled more than $2 million from Safe Wallet users in the past week alone. That brings the attacker's total haul to about $5 million from 21 victims over the past four months, according to the blockchain scam-tracking service Scam Sniffer.
Key points
- Scammers stole more than $2 million from Safe Wallet users last week through address poisoning.
- Total losses are estimated at $5 million from 21 victims over a four-month period.
- Attackers generate wallet addresses whose first and last characters match a genuine address, tricking users into sending funds to the wrong recipient.
- They contaminate the victim's transaction history by sending small amounts from the look-alike address to the target's wallet.
- In a related attack, $1.45 million was stolen from the Florence Finance protocol using the same method.
How it works
The technique involves creating a wallet address whose first and last characters match those of the target's genuine wallet, or of an address the target routinely sends to. Because Ethereum's CREATE2 opcode derives a contract's address deterministically from the deploying address, a chosen salt and the hash of the contract's init code, an attacker can grind through salts offline until the resulting address carries the desired prefix and suffix, and only then deploy it on-chain.
The attacker then "poisons" the victim's transaction history by sending tiny token deposits from the look-alike address. The hope is that the target will later copy the fraudulent address out of that history when withdrawing or transferring funds. The deposits lend a veneer of legitimacy, tricking unwitting users into sending far larger amounts to the scammer's wallet instead of the intended recipient.
$2 million stolen
Researchers found that at least 10 Safe Wallet users fell victim during the week of Thanksgiving. One target held more than $10 million in assets in a self-custodied wallet but misdirected only $400,000 to the attackers, avoiding a catastrophic loss. In total, $2.05 million was stolen from Safe Wallet victims in just a few days, bringing the campaign's running total to nearly $5 million as the attacks continued.
An address poisoning attacker recently used the same technique to take $1.45 million from the decentralized finance protocol Florence Finance. According to PeckShield, the attackers created addresses beginning with "0xB087" and ending with "5870", closely resembling the protocol's genuine smart contract addresses, and sent small amounts from the fraudulent wallets before the theft.
Last week, about 10 Safe wallets suffered $2.05 million in losses due to an "address poisoning" attack.
The same attackers stole $5 million from approximately 21 victims over the past four months. pic.twitter.com/fu4kxaI3py
— Scam Sniffer | Web3 Scam Prevention (@realScamSniffer) December 3, 2023
Address poisoning takes some sophistication on the attacker's side, but in the end the victim is the user who fails to verify the full recipient address before signing the transaction. The episode shows why checking the entire address, not just its first and last characters, matters. It also highlights the value of an independent confirmation step, such as a hardware wallet showing the full recipient address on its own screen before it signs.
As cryptocurrency platforms increasingly abbreviate addresses for visual clarity and asset transfers become more time-sensitive, address poisoning becomes an ever more reliable vector. Users should triple-check the full recipient address immediately before signing, and verify the associated name (for example a saved contact) when one is available rather than copying from transaction history. Enabling multi-factor authentication and other account protection features helps against account takeover, but it does not stop a user from signing a transfer to the wrong recipient; careful address verification remains the only real defense here.
Decentralized apps and protocols that hold customer funds may need additional measures against spoofing. Warning the user when a transfer targets an address they have never sent to before can flag possible fraud. Freezing suspicious withdrawals through rigorous anomaly detection, along with mandatory confirmation delays, can also blunt the most aggressive attempts.
But until better standard protections emerge, the simplest maxim bears repeating: a single lapse in judgment can drain even the most carefully guarded cryptocurrency holdings, so look closely before you leap.