Don't let address poisoning attacks ruin your day! Keep your coins safe from this new sneaky crypto scam!
In early 2023, a new type of cryptocurrency attack rose to prominence, known simply as “address poisoning.” The premise of the attack is simple: trick the target into sending funds to the attacker's address by forming transactions designed to confuse the target.
The attack was first spotted in December 2022 but has since grown dramatically in frequency, with on the order of $5 to $10 million lost to the scam, a number still growing to this day.
Most major blockchains are now being used to carry out the attack. To date, tens of millions of active addresses have been targeted by address poisoning attacks.
There are several ways this scam is orchestrated. We’ll cover two of the most common below.
Method 1: Fake Contracts
The attacker's address is designed to closely match the victim’s, with the first (and often last) several characters matching exactly. Wallets and explorers typically show only these characters for brevity, so most people know only the first and last few characters of their wallet address.
In some variations of this scam, the attacker uses a fake token contract and transfers a significant sum of said token to the target. This will usually be a fake version of a popular token, such as USDT or USDC. The attacker can then use a transaction that calls this token contract's transferFrom function to make it appear that the target address transfers 0 of these tokens to the receiver (the attacker's address).
This is used to increase the odds that the victim will copy the last receiver's address, believing that they have already transacted with this address in the past.
Some block explorers now hide these transactions by default, but many in-app transaction logs and explorers will still show these transactions.
Method 2: Breadcrumbing
In the second example, the attacker creates a vanity address that is very similar to the victim's address. They then send very small amounts of cryptocurrency to the victim's address, hoping that the victim will check the balance on a block explorer and see the attacker's address in the transaction history.
The attacker hopes that when you see a transaction for a token you typically interact with in your transaction history, you might copy the recipient address (thinking it is your own) and then send funds to that address.
These attacks can be difficult to detect because the transactions appear legitimate and may not trigger any warnings. However, victims can protect themselves by always double-checking the recipient's address before sending any cryptocurrency.
How To Stay Safe From Address Poisoning Attacks?
Unfortunately, there is nothing you can do to prevent yourself from being targeted by an address poisoning attack. The attackers tend to target anybody who transacts regularly and/or frequently sends or receives large sums.
If you find yourself targeted by an address poisoning attack, your best course of action is to arm yourself with an understanding of how these attacks work so that you don’t fall victim to one. Then, it’s best to simply ignore transactions associated with address poisoning attacks.
Besides this, there are a handful of transaction hygiene practices you can follow to minimize your chances of being duped. These include:
- Set up alerts: Several tools allow you to set up alerts to notify you when your address transacts or interacts with specific smart contracts. These can be used to confirm your usual transactions (allowing you to ignore anything else) or flag suspicious transactions involving your address.
- Create a contact list: Address poisoning attacks work by tricking you into sending funds to a wallet that you think is your own or somebody you transact with regularly. You can completely eliminate the risk of falling victim to this attack by adding wallets you regularly transact with to your contact list. Almost every major cryptocurrency wallet now has a contact list or address book.
- Use a trusted source: Use a trusted source to obtain the recipient's address. This could include using an official website, social media account or other verified communication channels. Avoid clicking on links or using addresses obtained from untrusted sources, and never use previous transactions to identify the recipient's address without double-checking first.
- Use a name service: Name service addresses such as those provided by the Ethereum Name Service (ENS) or BSC Name Service (BNS) can provide an additional layer of protection since they are impossible to duplicate and their short length makes them much harder to spoof.
For a more technical solution, some Web3 wallets allow you to filter transactions by contract address or whitelist only specific contract addresses. Popular options include MyEtherWallet (MEW) and Exodus. You can then find the official contract address for each of your target tokens on its CoinMarketCap coin detail page.
Many block explorers will automatically label these transactions as suspicious or as likely phishing attacks, but this generally takes some time. As such, it’s not a reliable way to determine if a transaction is an address-poisoning attack — particularly if the transaction is very recent.
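Because explorer labels lag behind recent transactions, the checks described above (contract whitelist, zero-value and dust transfers, lookalike addresses, exact-match contact list) can also be run locally over a transfer history. The following is an added example, not code from any wallet or explorer; every address, the dust threshold and the four-character display width are constructed assumptions.

```python
# Constructed sample values throughout: none of these are real accounts or contracts.
ME = "0x1111" + "a" * 32 + "2222"
KNOWN = {"me": ME, "exchange": "0xa1b2" + "c" * 32 + "beef"}  # address book
TRUSTED_TOKENS = {"0x" + "7" * 40}  # token contracts verified out of band
DUST = 0.01  # assumed cut-off for a "very small" transfer, in token units
EDGE = 4     # assumed number of characters a UI shows at each end


def imitates(addr, n=EDGE):
    """Label of the known address that addr resembles when truncated, else None."""
    a = addr.lower()
    for label, known in KNOWN.items():
        k = known.lower()
        # The leading characters match in this scam; the trailing ones often do too.
        if a != k and a[2:2 + n] == k[2:2 + n]:
            return label
    return None


def flags(tx):
    """Reasons a transfer record looks like address poisoning (empty list = none)."""
    reasons = []
    if tx["token"].lower() not in TRUSTED_TOKENS:
        reasons.append("unlisted-token")   # Method 1: fake token contract
    if tx["value"] == 0:
        reasons.append("zero-value")       # Method 1: transferFrom of 0 tokens
    elif tx["value"] < DUST:
        reasons.append("dust")             # Method 2: breadcrumbing
    # The counterparty is whichever side of the transfer is not our own address.
    other = tx["to"] if tx["from"].lower() == ME.lower() else tx["from"]
    label = imitates(other)
    if label:
        reasons.append("lookalike:" + label)
    return reasons


def safe_recipient(addr):
    """Contact-list rule: send only to an exact, full-length address book match."""
    return addr.lower() in {k.lower() for k in KNOWN.values()}


HISTORY = [  # constructed transfer log: one normal payment, then both methods
    {"token": "0x" + "7" * 40, "from": ME, "to": KNOWN["exchange"], "value": 250},
    {"token": "0x" + "9" * 40, "from": ME, "to": "0xa1b2" + "0" * 32 + "beef", "value": 0},
    {"token": "0x" + "7" * 40, "from": "0x1111" + "f" * 32 + "2222", "to": ME, "value": 0.001},
]

if __name__ == "__main__":
    for tx in HISTORY:
        # Truncated display: entries 1 and 2 both render as 0xa1b2...beef.
        print(tx["to"][:6] + "..." + tx["to"][-4:], flags(tx) or "ok")
```

Run directly, the first two entries print the same truncated recipient, which is exactly the ambiguity the full-length comparison in `safe_recipient` removes.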