Don't let address poisoning attacks ruin your day! Keep your coins safe from this new sneaky crypto scam!
In early 2023, a new type of cryptocurrency attack rose to prominence, known simply as “address poisoning.” The premise of the attack is simple: trick the target into sending funds to the attacker's address by forming transactions designed to confuse the target.
The attack was first spotted in December 2022 but has since grown dramatically in frequency, with somewhere in the order of $5 to $10 million lost to the scam — a number still growing to this day.
At least $2.8 million has been stolen from users on BNB Chain, the majority of which is in the form of USD Coin (USDC) or Tether (USDT). At least 1,000 unique users have now fallen victim to the attack.
Most major blockchains are now being used to carry out the attack. To date, tens of millions of active addresses have been targeted by address poisoning attacks.
There are several ways this scam is orchestrated. We’ll cover two of the most common below.
Method 1: Fake Contracts
In the first example, the attacker creates a smart contract that sends tokens with zero amounts to an address that is similar to the victim's address. The first time the victim sees this transaction, they may not pay much attention to it.
However, the next time the victim tries to make a legitimate transfer, they may inadvertently copy the phishing address from the transaction history on Etherscan or their wallet app, instead of the intended recipient address. This mistake results in the victim transferring their cryptocurrency to the attacker's address.
This address is designed to closely match the victim’s, with the first (and often last) several characters matching exactly. These are typically the only characters shown by wallets and explorers for brevity purposes. As such, most people only know the first and last few characters of their wallet.
In some variations of this scam, the attacker uses a fake token contract and transfers a significant sum of said token to the target. This will usually be a fake version of a popular token, such as USDT or USDC. The attacker can then use a transaction that calls this token contract's transferFrom function to make it appear that the target address transfers 0 of these tokens to the receiver (the attacker's address).
This is used to increase the odds that the victim will copy the last receiver's address, believing that they have already transacted with this address in the past.
Some block explorers now hide these transactions by default, but many in-app transaction logs and explorers will still show these transactions.
Method 2: Breadcrumbing
In the second example, the attacker creates a vanity address that is very similar to the victim's address. They then send very small amounts of cryptocurrency to the victim's address, hoping that the victim will check the balance on a block explorer and see the attacker's address in the transaction history.
The attacker hopes that when you see a transaction for a token you typically interact with in your transaction history, you might copy the recipient address (thinking it is your own) and then send funds to that address.
As you might expect, sending a small amount of funds to thousands of wallets can be expensive. In total, attackers have spent millions of dollars in transaction fees carrying out attacks on the Ethereum blockchain alone.
These attacks can be difficult to detect because the transactions appear legitimate and may not trigger any warnings. However, victims can protect themselves by always double-checking the recipient's address before sending any cryptocurrency.
How To Stay Safe From Address Poisoning Attacks?
Unfortunately, there is nothing you can do to prevent yourself from being targeted by an address poisoning attack. The attackers tend to target anybody that transacts regularly and/or frequently sends or receives large sums.
If you find yourself the victim of an address poisoning attack, your best course of action is to simply arm yourself with an understanding of how they work so that you don’t fall victim to one. Then, it’s best to simply ignore transactions associated with address poisoning attacks.
Besides this, there are a handful of transaction hygiene practices you can follow to minimize your chances of being duped. These include:
- Set up alerts: Several tools allow you to set up alerts to notify you when your address transacts or interacts with specific smart contracts. These can be used to confirm your usual transactions (allowing you to ignore anything else) or flag suspicious transactions involving your address.
- Create a contact list: Address poisoning attacks work by tricking you into sending funds to a wallet that you think is your own or somebody you transact with regularly. You can completely eliminate the risk of falling victim to this attack by adding wallets you regularly transact with to your contact list. Almost every major cryptocurrency wallet now has a contact list or address book.
- Use a trusted source: Use a trusted source to obtain the recipient's address. This could include using an official website, social media account or other verified communication channels. Avoid clicking on links or using addresses obtained from untrusted sources, and never use previous transactions to identify the recipient's address without double-checking first.
- Use a name service: Name service addresses such as those provided by the Ethereum Name Service (ENS) or BSC Name Service (BNS) can provide an additional layer of protection since they are impossible to duplicate and their short length makes them much harder to spoof.
For a more technical solution, some Web3 wallets allow you to filter transactions by contract address or whitelist only specific contract addresses. You can then find the official contract address for your target tokens on its CoinMarketCap coin detail page. Popular options include MyEtherWallet (MEW) and Exodus.
Many block explorers will automatically label these transactions as suspicious or as likely phishing attacks, but this generally takes some time. As such, it’s not a reliable way to determine if a transaction is an address-poisoning attack — particularly if the transaction is very recent.
This article contains links to third-party websites or other content for information purposes only (“Third-Party Sites”). The Third-Party Sites are not under the control of CoinMarketCap, and CoinMarketCap is not responsible for the content of any Third-Party Site, including without limitation any link contained in a Third-Party Site, or any changes or updates to a Third-Party Site. CoinMarketCap is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement, approval or recommendation by CoinMarketCap of the site or any association with its operators. This article is intended to be used and must be used for informational purposes only. It is important to do your own research and analysis before making any material decisions related to any of the products or services described. This article is not intended as, and shall not be construed as, financial advice. The views and opinions expressed in this article are the author’s [company’s] own and do not necessarily reflect those of CoinMarketCap. CoinMarketCap is not responsible for the success or authenticity of any project, we aim to act as a neutral informational resource for end-users.
