The world of crypto-crime is ever-evolving and just a month into 2023, a new crypto scam is on the rise. Known primarily as address poisoning, but also referred to as address spoofing, this scam has already prompted a consumer alert from a major cryptocurrency wallet, MetaMask, to its users on Twitter.
According to MetaMask, after a customer sends a normal transaction a scammer will send them a token transaction worth nothing or a nominal value, effectively “poisoning” or tainting the entire transaction history. Instead of using a normal wallet address that is automatically generated, the attacker will use a custom-made vanity address closely resembling the one belonging to the user. Attackers often duplicate four or five of the beginning and ending characters using an open-source tool like Profanity. The attacker is hoping that the user will mistakenly copy their vanity address, instead of the user’s actual address, for future transactions.
The address poisoning scam works as follows.
First, attackers monitor the blockchain to look for regularly active wallet addresses. By doing so, they can generate a shortlist of addresses to attack - sparing them the hassle of attacking dead, dormant, or secondary wallet addresses. Targeting addresses in this way is critical as the marginal cost of each attack isn’t zero, as attackers still have to pay network fees when spoofing an address.
These scammers rely on the fact that it is not practical for people to memorize a wallet address. Variably composed of either alphanumeric characters as in the case of BTC or hexadecimal characters as in the case of ETH (which generates them cryptographically), they are typically very long. A Bitcoin wallet address, for example, ranges from 26 to 35 characters, while a MetaMask wallet address is 42 characters.
Given how difficult it is to commit a full address to memory, people rely on mental shortcuts for validation. For instance, someone may only scan the first and last letters of an address to check if it’s correct. Using this technique, it would be hard to differentiate between:
0xC660DC4250C4F07cF780cBf0c897nHQPLN123Bn0 (a hypothetical user address)
and
0xC660EL1NDZK8L69cP9LKdRZNd213wPOX9T523Bn0 (a spoofed vanity address)
It may be easy for you to distinguish the two addresses because you have been primed to find a difference, but to someone rushing to complete a transaction, they may seem close enough to avoid drawing suspicion.
Because users cannot remember addresses in their entirety, the scammer can easily create similar-looking vanity addresses to fool users. In practice, it’s very similar to how cyber criminals spoof banking websites like Wells Fargo hoping to capture unsuspecting victims’ login credentials.
Second, scammers then execute the process of poisoning or modifying a person’s transaction history by sending them a very small or negligible amount of cryptocurrency.
Third and finally, users then copy and paste the address from their transaction history when it’s needed for other transactions. If a user is unknowingly copying and pasting a poisoned address, it may be a while before the user even notices that something is wrong. Funds may be inadvertently sent to the spoofed address on multiple occasions.
Unfortunately, there’s no complex explanation for why this happens: people are lazy. Rather than grab their wallet address from its address book, they will grab it from where it is most readily available, which is commonly their transaction history. The poisoning scam succeeds because it takes advantage of human psychology and behavior, which indicates that people will follow the most convenient path.
While MetaMask may be the biggest brand to warn about address spoofing, it is not alone. Ledger, which manufactures hardware wallets, also noted the rise of this scam. While Ledger gave advice on how to prevent falling victim to address poisoning with any Ledger product, they noted that the scam could happen on any blockchain. It theorized that attackers would prioritize blockchains where network fees are cheap, such as Polygon, Tron, or Binance.
Some platforms may even be unintentionally facilitating this scam. To improve their user experience, some platforms and wallets provide wallet address shorteners that visibly compress the address in some way, such as by only showing the first five and last five characters. This feature increases the chance of address poisoning succeeding. Instead of relying on users to overlook the middle characters, a vanity address and a shortened address can now appear indistinguishable from one another. With the advent of address poisoning, any wallet or platform that offers address shortening should consider discontinuing the feature to better protect users from scammers.
To best combat the rise of address poisoning across wallets and blockchains, it’s important to distinguish this scam from similar schemes, such as dusting attacks. As with address poisoning, a dusting attack relies on sending a negligible amount of cryptocurrency to different wallet addresses. But this is where the resemblance ends, and the goals diverge. The intent of address poisoning is to mimic the person’s address so that the conflation of wallet addresses results in funds mistakenly being sent to the poisoned address. The purpose behind a dusting attack is almost the opposite: de-anonymizing the recipient by watching how funds are spent, so they can possibly be identified. Once identified, the attackers may escalate the attack by blackmailing the de-anonymized user, trying to extort them, or targeting them for phishing.
Address poisoning more closely resembles a common variation of spear phishing, a scam where attackers create similar-looking email addresses to one that the target regularly works with. If the target uses JohnDoe@supplier.com, the attacker may send an email from the address JohnDoe@sopplier.com, much, in the same way, crypto scammers create vanity addresses. From there, the spear phisher will send an email requesting payment for overdue services and provide a bank account. The method of both address poisoning and spear phishing is nearly one and the same: combine people’s carelessness with digital mimicry so funds end up in the wrong hands.
As with spear phishing, there are several ways to combat address poisoning, which have already made the rounds amidst these early warnings.
The story around address spoofing is still developing, and if you’re interested in seeing how this develops please look out for our next piece in the address spoofing series, as well as in our upcoming Hackhub report. Stay tuned until then and watch your wallet addresses closely!