A prolific crypto thief deploying an attack vector known as “address poisoning” has siphoned over $2 million from Safe Wallet users in just the past week. The latest theft spree brings the overall tally to around $5 million stolen from 21 victims across the past four months, according to blockchain tracking firms.
Key Points
- Scammer has stolen over $2 million from Safe Wallet users in past week via address poisoning
- Brings total estimated theft tally to $5 million drained from 21 victims across 4 months
- Attacker creates similar-looking wallet addresses to trick users into misdirecting funds
- Poisons transaction history by sending small amounts from fake address to target’s wallet
- Related attack saw $1.45 million stolen from Florence Finance protocol using same methods
How it Works
The technique involves creating wallet addresses whose starting and ending characters are similar to those of a targeted user’s actual wallet. Attackers use Ethereum’s CREATE2 opcode, which generates addresses deterministically, to accurately predict what new addresses will look like ahead of time.
Attackers then “poison” a victim’s transaction history by sending small token deposits from the lookalike address, hoping targets mistakenly copy the fraudulent address to withdraw or transfer funds. The deposits lend a veneer of validity, tricking unwitting users into dispatching much larger sums to the scammer’s wallet rather than intended recipients.
$2 Million Stolen
Researchers discovered that at least ten Safe Wallet users fell prey over Thanksgiving week. One particular target held over $10 million in assets on the self-hosted wallet yet avoided catastrophic losses by only misdirecting $400,000 to the hacker. Overall, $2.05 million was stolen from Safe Wallet victims in days, while the grand total approaches $5 million and counting as the attacks persist.
The address poisoning specialist also recently netted $1.45 million from decentralized finance protocol Florence Finance using the same techniques. According to PeckShield, the hacker generated an address starting and ending with “0xB087” and “5870” – extremely similar to the actual finance smart contract address – and sent a small amount from the fraudulent wallet prior to the million-dollar theft.
about ~10 Safe wallets have lost $2.05 million to "address poisoning" attacks in the past week.
the same attacker has stolen $5 million from ~21 victims in the past four months so far.
— Scam Sniffer | Web3 Anti-Scam (@realScamSniffer) December 3, 2023
While address poisoning requires some sophistication, the attacks ultimately succeed because users fail to validate send-to addresses adequately before signing transactions. The incidents demonstrate why verifying full addresses, not just beginnings and endings, is critical for avoiding deception. They also underscore the need for confirmation prompts like those seen on hardware wallets.
As crypto platforms increasingly shorten addresses for visual clarity, and asset transfers grow more time-sensitive, address poisoning presents an increasingly credible vector. Users must remain vigilant by triple-checking recipient addresses right before signing. Verifying linked address names where available provides another layer of protection. As always, enabling multi-factor authentication and other account safeguards helps mitigate external threats.
But for decentralized apps and protocols holding customer funds, additional measures may prove necessary to counter address spoofing risks. Warning prompts when sending to never-transacted addresses could flag potential scams. Freezing suspicious withdrawals through strict anomaly detection and mandatory confirmation delays might also thwart the most aggressive hack attempts.
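One way a wallet front end could implement the warning prompt described above, as an added example that is not from the article or from Safe Wallet's code. The function names, the 4-character prefix and suffix lengths, and every address are assumptions constructed for illustration.

```javascript
// Added example: flag recipients that imitate an address the user already trusts.
// All addresses below are constructed for illustration, not real on-chain accounts.
const ADDRESS_RE = /^0x[0-9a-fA-F]{40}$/;

// Normalise to lowercase hex without the 0x prefix so checksum casing is ignored.
function normalise(addr) {
  if (typeof addr !== "string" || !ADDRESS_RE.test(addr)) return null;
  return addr.slice(2).toLowerCase();
}

// Classify a recipient against the user's address book or prior counterparties.
// verdict: "invalid" | "known" | "lookalike" | "new"
function checkRecipient(recipient, knownAddresses, prefixLen = 4, suffixLen = 4) {
  const target = normalise(recipient);
  if (target === null) return { verdict: "invalid", imitates: [] };

  const known = knownAddresses.map(normalise).filter((a) => a !== null);
  // Only an exact, full-length match counts as a known recipient.
  if (known.includes(target)) return { verdict: "known", imitates: [] };

  // Same visible head and tail as a trusted address but different in full:
  // a shortened display such as 0xB087...5870 cannot tell the two apart.
  const head = target.slice(0, prefixLen);
  const tail = target.slice(target.length - suffixLen);
  const imitates = known
    .filter((k) => k.startsWith(head) && k.endsWith(tail))
    .map((k) => "0x" + k);

  // "new" is still worth a first-time-recipient prompt; "lookalike" should block
  // the send until the user confirms the complete address.
  return { verdict: imitates.length > 0 ? "lookalike" : "new", imitates };
}

// Constructed sample data: one trusted address, one poisoned lookalike.
const trusted = "0xB087" + "a".repeat(32) + "5870";
const poisoned = "0xB087" + "c".repeat(32) + "5870";
const unrelated = "0x" + "12".repeat(20);

// Verdicts for: trusted (different casing), poisoned, unrelated, malformed.
function demo() {
  return [trusted.toLowerCase(), poisoned, unrelated, "0x1234"].map(
    (addr) => checkRecipient(addr, [trusted]).verdict);
}
console.log(demo());
```

The same check can run over incoming transfers, so that a lookalike sender is hidden or labelled in the transaction history before the user ever copies it.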
Until better standard protections emerge, however, the simplest adage bears repeating. Look closely before you leap, as a single lapse in judgment can derail even the most secure crypto fortune.