Rob Behnke
May 8th, 2024
In May 2024, a crypto whale lost an estimated $68 million in wrapped Bitcoin (WBTC). They were the target of an address poisoning attack in which the attacker tricked them into sending crypto to the wrong address by poisoning their transaction history with malicious lookalike addresses. Once the targeted copy-pasted this address into a new transaction, their crypto was sent to the attacker instead of its intended recipient.
Halborn previously reported on this threat in November 2023 when MetaMask first highlighted the existence of address poisoning hacks in the wild. In this article, we’ll dive into address poisoning attacks and how to protect yourself.
Blockchain addresses are commonly represented as long strings of hexadecimal numbers, and every variation of an address string represents a potential address. This means that a typo when entering the destination address for a transaction could result in crypto being sent to the wrong address. Since the vast majority of addresses are unused, this could also mean that the crypto is lost forever.
To protect against this, many people copy-paste addresses when performing a blockchain transaction. While this has its risks — such as malware modifying the address while in the system clipboard — it dramatically decreases the risk of an expensive typo.
However, when copy-pasting addresses, it’s important to ensure that you’re copying the right address when performing a transaction. This is where address poisoning comes into play.
When performing repeated transactions, a user might copy an address from their transaction history. Cybercriminals know this and can poison the address history with lookalike addresses that mimic trusted ones.
This is what happened in the case of the crypto whale who lost $68 million in an attack. The image below (from @realScamSniffer) shows a few transactions from their history.
In this image, the addresses outlined in green indicate a transaction from this account to a trusted address. The addresses outlined in red are for a transaction from a phishing address to this account.
Note the similarity between the trusted address and the phishing one. Both of them begin with 0xd9A1 and end with 53a91. Often, when making a transfer, a user will only look at the first and last few characters of an address to verify that it is the correct one. In general, this makes sense since the chance of two addresses accidentally matching in these nine characters is 1/(16^9) = 1.45e-11.
However, this assumes that an attacker isn’t deliberately looking for matching addresses. With tools like vast.ai, it’s possible to rent GPUs that check about 2 billion addresses per second. This would mean that generating a lookalike address would take an attacker about 72.5 seconds or a little over a minute. By inspecting an account’s transaction history, the attacker can identify repeat transactions and generate a lookalike address for one or more of them.
After identifying such an address, the attacker performs a small transaction designed to place the address in the target’s transaction history. Note that, in this case, the malicious transaction had a value of 0 ETH, so the attacker only paid the gas fee of $0.65.
Then, the attacker waits for the target to make an accidental copy-paste of their malicious address to perform another transaction. When this happens, the money — $68 million USD in this case — is transferred to the attacker’s account.
Unlike many other crypto hacks, address poisoning attacks don’t exploit smart contract vulnerabilities or use phishing emails to trick recipients. The only “malicious” action in the attack is sending crypto to the target’s address. The attack relies on the fact that some users may copy-paste addresses from their transaction history and make a critical and expensive mistake.
Some of the ways that users can protect against address poisoning types of attacks include:
Consider Inputs vs. Outputs: In this attack, the victim was sending crypto to an address that they sent it to in the past as well. However, the attacker’s address was the source address of a transaction rather than the destination. Realizing the mismatch here could have prevented this attack.
Check More Address Characters: Blockscanners like Etherscan commonly conceal the middle characters of a blockchain address. However, several of them are still visible, and, in this case, the visible characters didn’t fully match. Checking that all visible characters are correct forces the attacker to find an address with more matching characters, which dramatically increases the complexity of the attack.
Securely Store Commonly-Used Addresses: Address poisoning attacks take advantage of the fact that users copy-paste addresses from their transaction history, which is something that anyone can modify (by sending a transaction to that account). If there are certain addresses that you send transactions to frequently, it’s a good idea to store them securely somewhere else like a password manager.
Send a Test Transaction: When transferring large amounts of crypto — like $68 million — it’s a good idea to send a test transaction first to ensure that everything works properly. While this takes longer and incurs additional transaction fees, it reduces the risk of something going wrong.
Double-Check Transaction Data: Address poisoning and other attacks attempt to trick a target into sending a transaction to the wrong address. Double-checking the transaction data before signing and sending can reduce the risk of these attacks.
Address poisoning attacks are highly targeted since they require generating a specialized address and using it to send a transaction to a particular target. As a result, they are most commonly performed against individuals with valuable or desirable crypto assets. In this case, the attackers targeted a crypto whale who was sending about $68 million in a single transaction.
However, other crypto scams and attacks are more widely targeted. Phishing emails and websites are designed to trick as many people as possible into handing over their private keys or investing in a scam project. To learn more about how to protect yourself against these scams, check out our article on the most common types of crypto scams.