A crypto investor lost $3.08 million in PYTH tokens after copying a scammer’s wallet address from their transaction history. This “address poisoning” attack highlights the risks of not verifying wallet addresses from trusted sources.
An unidentified cryptocurrency owner recently lost more than $3 million in PYTH tokens after inadvertently transferring them to a scammer’s wallet.
The error occurred when the victim copied a fake deposit address from their transaction history and used it.
The Cost of a Minor Error
According to a November 25 post by blockchain analysts Lookonchain, an unknown fraudster generated an address whose first four characters were identical to those of the victim’s deposit wallet. They then sent the victim 0.000001 SOL, equivalent to approximately $0.00025, which placed the fake address in the victim’s transaction history.
Because the first four characters matched, the victim copied the forged address directly from the transaction history without checking it carefully. They then sent 7 million PYTH tokens, estimated to be worth $3.08 million, to the criminal without verifying the full address.
Security specialists call these attacks “address poisoning”. They exploit a common habit among cryptocurrency users: copying wallet addresses from transaction histories rather than obtaining them from official sources or trusted contacts. The habit is convenient, but it is frequently dangerous.
Scam Sniffer, an anti-scam platform, recently uncovered another instance in which a user allegedly lost $129 million after copying the wrong address from their transfer history. In that instance, the deceptive address and the correct one shared the same last six characters.
Many wallets typically display only the first six and last six characters of an address, so verifying its authenticity takes more than a cursory glance. Fortunately, the fraudster promptly returned the stolen funds to the individual or entity.
In May, an Ethereum user lost 1,155 wrapped Bitcoin (wBTC) worth $68 million, and in December of the previous year, several Safe Wallet owners had $2 million stolen from them using the same technique.
Comprehending Address Poisoning
Malicious actors frequently carry out address poisoning through one of two methods: fake tokens and zero-value transfers. In zero-value transfers, the con artist uses genuine token contracts but executes transactions with extremely low values, so that deceptive activity appears in the on-chain transaction history of a potential victim.
In contrast, the false token method entails the development of sham token contracts that resemble genuine tokens such as USDT or USDC. The swindlers subsequently monitor for genuine token transactions and, upon spotting one, transfer their counterfeit tokens to the address from which the transaction originated. This gives the user the impression that they have transferred funds to a specific account, when in reality, they have not.
When the user later examines their wallet history or uses a blockchain explorer, they may confuse the fraudulent token transfer with the genuine one they made. When they want to repeat a transaction, they may inadvertently copy and paste the bogus address and so transfer funds to the scammer’s wallet.
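The lookalike check implied above, as an added example that is not part of the original article: before sending, compare an address copied from history against a saved address book and flag any address that matches a trusted entry only at its start or end. The addresses, the address-book label and the function names are constructed for illustration.

```python
import os.path
from dataclasses import dataclass
from typing import Optional

# Constructed sample addresses (not real wallets).
TRUSTED = "7xKQaaTRUSTEDdepositCONSTRUCTED9fGhWz"
POISON_PREFIX = "7xKQbbATTACKERvanityCONSTRUCTED3mNpRt"  # same first four characters
POISON_BOTH = "7xKQaaATTACKERvanityCONSTRUCTEQ9fGhWz"    # same first six and last six
UNRELATED = "Bq3RzzUNRELATEDsampleCONSTRUCTED8kLmYv"
BOOK = {"my PYTH deposit": TRUSTED}  # hypothetical verified address book

@dataclass(frozen=True)
class Verdict:
    status: str               # "trusted", "lookalike" or "unknown"
    resembles: Optional[str]  # address-book label the candidate matches or imitates
    shared_prefix: int = 0
    shared_suffix: int = 0

def normalize(addr: str) -> str:
    addr = addr.strip()
    # 0x-prefixed hex addresses are case-insensitive; base58 addresses are not.
    return addr[2:].lower() if addr[:2].lower() == "0x" else addr

def common_len(a: str, b: str) -> int:
    return len(os.path.commonprefix([a, b]))  # character-wise common prefix

def abbreviate(addr: str, head: int = 6, tail: int = 6) -> str:
    # The truncated form many wallets show: first six and last six characters.
    return f"{addr[:head]}...{addr[-tail:]}"

def check_recipient(candidate: str, address_book: dict, min_match: int = 4) -> Verdict:
    cand = normalize(candidate)
    best = Verdict("unknown", None)
    for label, known in address_book.items():
        known = normalize(known)
        if cand == known:  # only a full-length match counts as trusted
            return Verdict("trusted", label, len(known), len(known))
        p = common_len(cand, known)
        s = common_len(cand[::-1], known[::-1])
        # Matching ends on a different address is the poisoning signature.
        if max(p, s) >= min_match and p + s > best.shared_prefix + best.shared_suffix:
            best = Verdict("lookalike", label, p, s)
    return best

if __name__ == "__main__":
    for addr in (TRUSTED, POISON_PREFIX, POISON_BOTH, UNRELATED):
        print(abbreviate(addr), check_recipient(addr, BOOK))
```

POISON_BOTH renders identically to the trusted address in the truncated view, which is why the check compares the full string.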