Costly Mistake: Victim Loses $68 Million In Address Poisoning Scam

Crypto hackers have claimed another major victim, fooling him into sending $68 million to a wallet he thought was somebody else’s.

Blockchain data indicates that a once-wealthy Ethereum user lost all of his Bitcoin holdings after hackers contaminated a recipient’s wallet history. The user now holds just $1.6 million in crypto at his address.

The Danger Of Address Poisoning

According to Etherscan, the sending wallet’s remaining assets include 0.89 ETH ($2,747) and 1.63 million dollar-pegged DAI stablecoins.

The assets stolen from the victim included 1155 Wrapped Bitcoin (WBTC) – a token that operates like a stablecoin for Bitcoin on the Ethereum network, mirroring the price of the dominant digital asset. Naturally, WBTC is vulnerable to the many hacks and exploits common in the Ethereum ecosystem, such as address poisoning.

Wallet contamination or “address poisoning” involves sending a transaction – usually of zero or negligible value – to a victim’s wallet, simply so that the attacker’s address appears in the victim’s transaction history.

Notably, attackers will deliberately generate their address to have several starting and ending characters that match those of an address belonging to the victim. Popular wallet software often shrinks addresses to display only the first and last characters, making the differences in the middle undetectable on the surface.

Address Poisoning In Action

In this case, both the attacker’s address and the real target address had characters starting with 0xd9A1, and ending with 853a91.

Ideally, the attacker hopes they try to copy that address from their history the next time they intend to receive a transaction, under the mistaken belief that it’s their address or that of someone they know.

Last year, address poisoners targeted a series of SafeWallet users, stealing $2 million within one week. Back in February, a Kraken user was robbed of 1 million USDT after scammers poisoned their history mimicking the victim’s prior interaction with the exchange.

Metamask suggests users avoid copying transactions from their history, and to add frequently used addresses to their address book to avoid using any that aren’t specifically whitelisted.

“This advice applies to your own address as much as it does the addresses of others to whom you may be sending funds,” the wallet provider states on its website.