Security

Chainalysis discovers 82K wallets tied to address poisoning scam

Address poisoning is a seemingly simple scam, which nevertheless can affect even experienced crypto users. Chainalysis has discovered up to 82K wallets linked to a campaign of targeting users with high balances.

Address poisoning continues as one of the most common, yet efficient attacks. Public blockchains reveal wallets with attractive balances, and bots target them, hoping to mix technological attacks with a human mistake. The poisoned addresses were created in a short time span, but personal losses happen multiple times, once the victim becomes active again on-chain. In the past day, one loss of $57,000 was registered due to a poisoned address copied from the transaction history.

🚨💔 42 minutes ago, a victim lost $57,000 by copying the wrong address from a contaminated transaction history.

Note: Never copy addresses from transaction history. 🚫📋 pic.twitter.com/ypjn8iMOcO

— NODE GUARD SOLUTION. (@NodeGuard_Pro) October 23, 2024

Chainalysis has tracked down 82K wallets tied to attempts at poisoning by posting fake zero-value tokens. The address poisoning scam is also similar to the zero-value token attack, though with the added generation of a confusing address. Tools for poisoned address attacks are also distributed on darknet markets.

The attack depends on users not verifying their addresses closely enough, by issuing similar digits at the beginning and end of the address. The attack hinges on crypto user habits of only checking the first and last four digits of an address.

Some of the most common fake tokens or zero-sum transactions involve USDT, TRX, or MATIC, or a faked version of the token. A part of the transactions also copy the amount previously used, creating a similar-looking wallet entry. Others send entirely new tokens as an airdrop. The wallet itself is not hacked in this type of attack, and there is no risk to the funds when receiving seeding transactions.

Poisoned address scams may target even small balances, but this type of attack was behind one of the biggest losses in 2024. Poisoned addresses managed to drain $68M Wrapped BTC (WBTC) from a single wallet.

In this case, the exploiter later returned the funds, after earning $3M due to the appreciation of BTC at that time. The victim contacted the exploiter through Ethereum micro-transactions with messages attached, leading to a full refund three days later.

Poisoned addresses still spread on Ethereum

The large-scale heist helped Chainalysis discover more poisoned addresses. A total of eight wallets were responsible for launching the fake addresses during a campaign-like, concentrated event.

Chainalysis discovered a total of 82,031 spoofed addresses, which resemble legitimate counterparties. The newly created poisoned addresses were close to 1% of all new Ethereum wallets launched in a similar time period.

The network of poisoned addresses managed to scam more experienced users with a higher wallet balance. A total of 2,774 wallets sent funds to the faked addresses, diverting a total of $69.72M. The wallets contained up to $338K, though most held smaller sums of $1,000. What was also common is that the victims were usually active traders and Ethereum users.

The wide network of poisoned addresses had a relatively small success. Of the wallets targeted, 756 caught the scam with a test transaction or a smaller sum under $100. The transactions sometimes even spoofed the victim’s own wallets. In that case, owning a human-readable ENS address could mitigate the risk.

Similar campaigns have ran on Binance Smart Chain, with the Binance team now flagging zero-value transactions and spoof addresses. Reports of Toncoin (TON) poisoned addresses have also surfaced, with 0 TON transactions as the bait.

Scammers launder funds through DeFi and exchanges

While the biggest $68M haul was not laundered efficiently, smaller sums could be disguised and liquidated. Scammers used DeFi protocols, then centralized exchanges to both clear their tracks and swap the initial funds.

Some of the exchanges involved in the scam were no-KYC markets in Eastern Europe, with less stringent regulations on the origin of funds. The transfers to an exchange were the last leg of the destination, after mixing the funds through DeFi protocols and decentralized markets.

Campaigns of seeding wallets are usually short, but can have outsized earnings. Block explorers have started flagging the fake transactions, so users can check their history before sending funds.

Source

Click to rate this post!
[Total: 0 Average: 0]
Show More

Leave a Reply

Your email address will not be published. Required fields are marked *