In May 2024, the altcoin world threw up another epic loss for the ages when a whopping 1,155 WBTC (Wrapped Bitcoin), valued at over $70 million at the time, vanished from users’ wallets due to an address poisoning attack.
While many reports will label it a hack, it is by no means coding on a terminal and brute-forcing its way into your wallet; these attacks are more of a social engineering play, relying on someone being a complete brainless baffoon with more money than common sense.
Sadly, in crypto, there is no shortage of this cohort, and the success rate of address poising is proof right on the blockchain of that stupidity. These attacks are a dozen dogecoin; the only difference that makes this attack worth mentioning is that the asset stolen was WBTC or Wrapped Bitcoin, a token issued to represent Bitcoin on Ethereum and other blockchains.
This incident serves as another blemish with loose ties to Bitcoin, and to the untrained eye or average headline reader, it is yet another reason why they should ignore Bitcoin.
If you’re not in the weeds, it would be easy to conclude that Bitcoin isn’t a safe store of value. Why should I invest my little savings in Bitcoin when people with over 1000 Bitcoin can get their wallets drained?
What is address poisoning?
Address poisoning is a deceptive tactic scammers use to trick cryptocurrency users into sending their assets to the wrong address.
The attack relies on lazy users copying the most recent transaction details from their wallet’s history when making a repeat transfer.
This type of phishing method has been known for some time. Yet, people fail to take appropriate precautions, and the resulting magnitude of the losses in this incident was shocking.
Here’s how it works:
- The Setup: The attacker scrapes the public blockchain for wallets that regularly interact with one another in large amounts and then sends a tiny amount of cryptocurrency to the victim’s wallet address. This transaction appears in the victim’s transaction history.
- The Lookalike: The attacker creates a wallet address that closely resembles the victim’s wallet or looks similar to those they regularly interact with. This might involve using similar characters or swapping a few letters/numbers.
- The Deception: When the victim wants to send cryptocurrency, they might accidentally copy the attacker’s address from their transaction history instead of their intended recipient’s address.
A simple enough scam to execute at mass leads to someone taking the bait, and this time, it happened in a big way when an unidentified cryptocurrency user lost $70 million worth of wrapped bitcoin (WBTC) after falling victim to an address poisoning exploit, according to blockchain security firm CertiK.
Once you sign a blockchain transaction with your private keys and it’s added to the next block, recovery is up to the receiving parties’ good graces. With these faster proof-of-stake blockchains, those transactions or, in this case, mistakes are secured in minutes, sometimes even seconds.
Personally, I don’t understand how people can be so lax or brazen when sending this kind of money over the internet, anything over 0.01 BTC, and I am sweating bullets.
Mistaken transaction: etherscan.io
Since wallet addresses can be as long as 42 characters, holders become complacent. Instead of checking addresses to the letter, they simply copy and paste addresses, trusting that it will work again because it worked in the past.
This can prove to be a fatal mistake.
In this case, the exploiter mimicked a 0.05 ether (ETH) transaction before receiving 1,155 WBTC from the victim.
A profitable little trade
But the story doesn’t end there. Given the size of the loot, you can be sure all eyes were on this wallet address as news began to spread about the heist.
Using chain analytics tools, interested parties watched that hacker exchange the 1155 WBTC for ETH and transfer them to the ten addresses.
On May 7, the hacker began moving the ETH from these ten addresses. The pattern of fund transfers generally involved leaving no more than 100 ETH in the current address, then roughly evenly splitting the remaining funds before transferring them to the next layer of addresses.
Acquiring the funds was the easy part; trying to cash it out without tying it to your identity becomes the next hurdle, and without mixing services to help you cover your trail or when you’re trying to move large amounts undetected, it becomes complicated.
As the hacker, you have two choices: continue creating a web of transactions and get lost in the bloating data set or make a deal with the person who signed over the initial funds to you and pocket a bounty for your troubles.
While 1000+ Bitcoin is tempting to keep, if you go all in and keep the money, you also risk being caught somewhere down the line.
On May 4, a victim communicated the following message to the hacker on the blockchain:
“You’ve won, brother. You can keep 10% and return the 90%. We can act like nothing happened. We both know $7 million is enough to live very comfortably, but $70 million will keep you up at night.”
Notes on chain: etherscan.io
Eventually, the hacker had a change of heart and returned the funds (in EtH) to the original wallet. At first, the victim agreed to allow the hacker to keep 10% of the money as a bonus. However, this deal is no longer on the negotiating table as the attacker had refunded more than 90% requested.
The attacker sent back approximately 22,960.07 ETH, worth $65.7 million, representing more than 96% of the original stolen funds’ US dollar value.
An attack vector that shouldn’t even exist
Suppose you’re using Bitcoin on the primary Bitcoin network. In that case, attacks like this aren’t commonplace because the standard protocol for exchanging funds in a UTXO model is to use a different address each time.
While it can be a pain in the arse, having to generate a new public key every time you transact versus having a static address, it sure does help Bitcoiners spare their blushes by default.
It encourages you always to check and double-check addresses and doesn’t allow complacency. While it is possible to reuse addresses, it isn’t advised, and some wallets might even flag you for attempting to do so.
The WBTC address poisoning attack highlights several crucial lessons for network users who rely on account-based models. If you are intent on using altcoin chains or an EVM-style side chain like Rootstock, add the following to your security routine.
- Double-Check Always: Before sending any cryptocurrency, meticulously double-check the recipient’s address. Don’t rely solely on auto-filled addresses or copying from transaction history – manually verify every character.
- Beware of Lookalikes: Be cautious of addresses that seem similar to yours. Scammers often use this trick to exploit human error. Consider using whitelisting for frequently used addresses.
- Stay Informed: Keep yourself updated on the latest crypto scams and security best practices. Many resources are available online from reputable sources.
Crypto losses will continue as networks are designed to encourage risk-taking
The WBTC address poisoning attack serves as a cautionary tale for all crypto users, yet it will continue to fall on deaf ears as the promise of future riches remains far too alluring.
In 2023, crypto investors suffered a staggering $2 billion loss due to hacks, scams, and exploits in decentralized finance (DeFi). In the first quarter of 2024, an additional $333 million was stolen, painting a grim picture of the security landscape in the crypto space.
While they can warn people about the dangers of using altcoins, in the end, everyone is free to do as they please, and all Bitcoin maxis can do is enjoy the schadenfreude and altcoiner tears.
