What Are Address Poisoning Attacks?


In the crypto world, it’s all about moving fast and breaking things, and break they do; it seems like every month, millions of dollars worth of crypto are stolen or lost in some new scam, bug, or human error.

You only have to hit up Google, Bing or Yahoo news and type in the search terms “crypto scam”, “crypto fraud”, “crypto hack”, or “crypto losses”, and your results will be filled with hundreds of loss porn articles enough to scare anyone away from this asset class. As the losses stack up, it makes the media’s job a lot easier. The crypto media simply need to log in to Twitter with the headlines and content all written for them, while the traditional media can lump all crypto craziness together with Bitcoin and point to it as a failure of Bitcoin.

When you build financial tools out in the open, security is the one requirement you cannot skimp on, but security is not sexy; it doesn’t capture the headlines or excite investors, so altcoins focus on other trimmings that will get them PR and investors.

As a result, any vulnerability that can be exploited will be exploited over a long enough time frame or if the payout is attractive enough. It’s a painful lesson for the victims who place their funds and trust in these systems, but they make for great examples of why making crypto user-friendly has its trade-offs.

What is address poisoning?

Address poisoning, also known as address spoofing, is a deceptive technique used by attackers who attempt to trick victims into sending funds to a fraudulent address that looks very similar to their intended recipient’s address. This attack often relies on overconfidence, carelessness and haste, where victims unknowingly copy the wrong address, leading to their funds being siphoned away.

He who signs beware/caveat subscriptor 

Address poisoning tends to plague smart contract chains (EVM) like Ethereum, where users are subjected to an account model with address reuse. Address poisoning has appeared chiefly on Ethereum, Binance Smart Chain and Polygon; however, this attack can also be applied on the Bitcoin side-chain Rootstock.

Unlike Bitcoin, where address reuse is discouraged and even referred to as a bug, EVM chains reuse addresses by default. Reusing addresses instead of creating them each time you want to receive funds is a trade-off to ensure these chains are more user-friendly and have a lower barrier to use. It also makes conducting repeat transactions with users easier, but that convenience comes at a cost.

As user behaviour can be monitored through on-chain data, those who showcase certain repeat behaviours can easily be targeted for attack. Once targeted by these scammers, even the slightest oversight can have devastating consequences when dealing with public blockchains that anyone can monitor and where transactions happen in split seconds. 

How does address poisoning work?

There are several ways of carrying out address poisoning, the most popular being fake contracts and breadcrumbing.

Fake contracts

An attacker will first use blockchain data to look for two addresses that interact with one another frequently. Once they’ve identified addresses that fit their criteria, they will create a smart contract that sends tokens with zero amounts to the victim. They hope the victim uses previous transaction history to copy and pay the wrong address. This address is designed to closely match the victim’s, with the first (and often last) several characters matching exactly. 

If users fail to fall for the scam, then a variation is the next step, where scammers use a fake token contract and transfer a significant sum of said token to the target. Usually, it is a fake version of a popular token, such as USDT or USDC. The attacker can then use a transaction that calls this token contract’s “transferFrom” function to make it appear that the target address transfers 0 of these tokens to the receiver (the attacker’s address). This increases the odds that the victim will copy the last receiver’s address, believing that they have already transacted with this address.

Breadcrumbing

An attacker creates a vanity address similar to an address the victim interacts with regularly. They then send tiny amounts of cryptocurrency to the victim’s address, hoping the victim will check the balance on a block explorer and see the attacker’s address in the transaction history.

The attacker hopes that when you see a transaction for a token you typically interact with in your transaction history, you might copy the recipient address (thinking it is your own) and then send funds to that address.

Other address spoofing scams

Since anyone can source transaction data from a block explorer, anyone using these networks can become a target; since anyone can interact with you if they know your wallet address, there is no barrier to targeting you.

Criminals and hackers have been using block explorers and wallet transaction history to reach unsuspecting users for several scams. Many of these scammers try to send users messages with small amounts of cryptocurrency or fake tokens to get them to visit websites set up to mislead victims.

Address poisoning is just another one in a growing list of attack vectors. Some similar attacks also targeting users include:

Clipboard hijacking

This technique involves using malware or malicious websites to replace the intended recipient’s address in the victim’s clipboard with the attacker’s address. When the victim attempts to paste the address into their wallet software, they unknowingly send their funds to the wrong recipient.

DNS spoofing

In this method, attackers manipulate the Domain Name System (DNS) to redirect the victim to a fake website that looks identical to the legitimate one. The phoney website then displays a fraudulent address resembling the intended recipient’s address, luring the victim to send funds to the attacker.

Fake QR codes 

Address poisoning can also happen with fake QR codes. Attackers can mimic real addresses with only slight changes and deliver them as bogus QR codes when you are dealing with a fake app or piece of software.

How to protect yourself from Address Poisoning

If you use an EVM-compatible wallet and conduct regular transactions, consider making the following steps part of your routine.

  • Always double-check: Carefully verify the recipient’s address character by character before sending any funds. Please don’t rely solely on copying and pasting from transaction history. Also, please don’t do that lazy check of reviewing the first few characters and last few characters and assuming it’s correct; scammers rely on this practice of address verification.
  • Use a dedicated device for crypto transactions: Avoid using public computers or shared devices to access your crypto wallets. While it might not stop you from sending to an incorrect address, getting out your keys to sign adds a barrier that will force you to check everything. When you sign from a mobile device or browser wallet, it’s easy to become complacent.
  • Create a contact list: You can reduce the risk of falling victim to this attack by adding wallets you regularly transact with to your contact list. Almost every major cryptocurrency wallet now has a contact list or address book.
  • Keep your software updated: Install the latest updates for your wallet software and operating system to ensure you have the latest security patches.
  • Beware of phishing attempts: Be vigilant against phishing emails, websites, and social media messages that trick you into signing a fake transaction or clicking on malicious links.
  • Use a name service: Name service addresses such as those provided by the Ethereum Name Service (ENS) or BSC Name Service (BNS) can provide an additional layer of protection since they make it possible to reserve a human-readable address that is slightly harder to spoof. 
  • Review your block explorer: Block explorers are catching on to this behaviour and have begun to automatically label certain transactions as suspicious or as likely phishing attacks, but this generally takes some time, and that lag can make this method unreliable.
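The first and third checks above can be automated. The sketch below is an added example, not part of the original article or any wallet's code: it compares a destination against a contact list and flags addresses that match a contact only on the characters a truncating UI shows. The 4-character window, the record field names and all addresses are constructed assumptions.

```python
from __future__ import annotations

SHOWN = 4  # hex chars a truncating UI shows at each end (assumption)
HEX = set("0123456789abcdef")

def normalize(addr: str) -> str:
    """Lower-case a 20-byte hex address, rejecting anything malformed."""
    a = addr.strip().lower()
    if len(a) != 42 or not a.startswith("0x") or not set(a[2:]) <= HEX:
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return a

def looks_like(a: str, b: str) -> bool:
    """Different addresses that agree on the visible first and last characters."""
    return a != b and a[2:2 + SHOWN] == b[2:2 + SHOWN] and a[-SHOWN:] == b[-SHOWN:]

def classify_destination(addr: str, contacts: dict[str, str]) -> tuple[str, str | None]:
    """Return ("trusted" | "lookalike" | "unknown", matching contact name or None)."""
    a = normalize(addr)
    book = {normalize(k): name for k, name in contacts.items()}
    if a in book:  # full-length comparison, never a prefix/suffix check
        return "trusted", book[a]
    for known, name in book.items():
        if looks_like(a, known):
            return "lookalike", name
    return "unknown", None

def flag_history(transfers: list[dict], contacts: dict[str, str]) -> list[dict]:
    """List history entries whose counterparty imitates a contact."""
    flagged = []
    for t in transfers:
        for side in ("from", "to"):
            verdict, name = classify_destination(t[side], contacts)
            if verdict == "lookalike":
                flagged.append({"tx": t["tx"], "address": t[side],
                                "imitates": name, "zero_value": t["value"] == 0})
    return flagged

# Constructed sample data: none of these are real addresses or transactions.
ME = "0x" + "5" * 40
GOOD = "0x1a2b" + "c" * 32 + "9f8e"   # the contact the user really pays
FAKE = "0x1a2b" + "d" * 32 + "9f8e"   # same visible ends, different middle
OTHER = "0x" + "7" * 40
CONTACTS = {GOOD: "Exchange deposit"}
SAMPLE_HISTORY = [
    {"tx": "tx-1", "from": ME, "to": GOOD, "value": 250},
    {"tx": "tx-2", "from": ME, "to": FAKE, "value": 0},  # zero-amount poisoning entry
    {"tx": "tx-3", "from": OTHER, "to": ME, "value": 10},
]
```

A "lookalike" verdict is the case the first-and-last-characters check misses, so it should block the send rather than just warn.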

The extent of address poisoning 

Address poisoning is a risk for scammers too, as it costs them money to send transactions, so educated users result in a negative return. Yet there are still enough users around, failing to check their wallets before signing transactions, to make this type of attack lucrative.

According to reports by Dune, attackers have spent millions of dollars in transaction fees carrying out attacks on just under 50,000 users of the Ethereum blockchain and Binance Smart Chain.

Some major address poisoning attacks include:

DEA’s wallets get drugged

Address poisoning sounds like a simplistic scam primarily targeting novice retail users, but anyone can be a victim, even regulators. According to a 24 Aug 2023 report by Forbes, the U.S. Drug Enforcement Agency (DEA) unknowingly sent Tether (USDT) to a crypto scammer. The DEA sent 55,000 USDT to the incorrect wallet instead of the U.S. Marshal address for which the funds were meant.

Users of not so Safe Wallet get poisoned

In December 2023, users of Safe Wallet lost a combined $2.05 million after being targeted by an attacker using an address poisoning attack.

Avoid altcoin chains

One of the best ways to avoid Address Poisoning attacks is to use Bitcoin instead and become familiar with how it works. While it might seem like a pain to manage versus the simplified UI of altcoin chains and multi-chain wallets, there is an apparent reason behind why Bitcoin operates in the way it does: because it optimises for security. 

While Bitcoin may offer some advantages regarding address poisoning protection, the security of your assets depends on your vigilance and awareness of these threats. Be cautious and take your time when dealing with transactions. 

Disclaimer: This article should not be taken as, and is not intended to provide, any investment advice. It is for educational and entertainment purposes only. As of the time of posting, the writers may or may not have holdings in some of the coins or tokens they cover. Please conduct your own thorough research before investing in any cryptocurrency, as all investments contain risk. All opinions expressed in these articles are my own and are in no way a reflection of the opinions of The Bitcoin Manual.
