Address Poisoning Attacks: What They Are, What To Watch For, How Hardware Wallets Can Help.

Sandra Miller
Hito.xyz
Jan 31, 2023

If you hold #digitalassets and you don’t know about #addresspoisoning attacks, you probably should. There is no protection from it except vigilance against what may have become typical “lazy” behaviors such as copying and pasting an address, without first expanding an address so you can see all 42 characters (in the case of Ethereum) and not just the first and last few characters.

The ploy is simple but that doesn’t mean it can’t result in significant losses for the target. Here’s how it works:

  1. The scammer monitors the blockchain for new transactions and selects a target.
  2. The scammer then uses a vanity address generator, choosing from many readily available resources such as Vanity-ETH — an open source tool that uses your web browser to generate a custom Ethereum address. In the case of an address poisoning scammer, though, the use is not innocent: the scammer deliberately creates an address that looks almost, but not quite, like the address of the party the target has recently transacted with.
  3. The scammer uses this new-but-looks-like-a-recent/legit address to send the target a token transaction. This honeypot transaction is now part of the target’s wallet history. It *looks* like just another transaction from the same source the target was recently transacting with…but it’s not.
  4. Now comes the crux (in rock climbing, the crux is the sequence of moves most likely to result in failure): because MetaMask shortens addresses in a wallet’s transaction history, users see the first and last few characters of the 42 character ETH address, and can easily mistake the honeypot address as the same address from their most recent legitimate transaction.
  5. The scammer is hoping the target will simply think they are sending crypto to someone/an address they’ve already transacted with — the target does what so many users do, i.e. find the most recent transaction and copy the address without first expanding it to check every character.
  6. The target copy/pastes the legit-looking address, which is really the scammer’s honeypot address and voila, sends cryptocurrency to the scammer instead of the person they have been transacting with.

MetaMask customer care has urged users to be cautious when copying addresses from transactions, as there is no method yet available to prevent these malicious transactions from taking place on the blockchain. Caveat emptor (or its equivalent, “caveat mittens”, i.e. sender beware) might be an old saying, but it is not particularly useful to a beginner in the crypto space trying to avoid the numerous scams and pitfalls of an unfamiliar platform and process. At Hito, we think this is exactly the kind of problem users hope their wallet provider will solve for them.

Hito has introduced the #Ethereum #emojidress, which can help users more quickly compare addresses to see if they are the same from one transaction to the next. But we think users need more protections, such as an Authenticity Check that identifies a new/malicious address in a user’s history. It’s what you should be able to expect from the most “human” hardware wallet ever built. Hito means human, because we’re building a #hardwarewallet that any human — not just geeks and crypto bros, but even crypto beginners — will find simple and intuitive to use. Stay tuned!
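As an added illustration (example code, not from the original post and not Hito’s own implementation), here is how a wallet-side Authenticity Check like the one described above could flag the honeypot sender from the six steps: only addresses the user has actually paid are treated as trusted, and an incoming transfer is flagged when its sender matches a trusted address on the truncated prefix and suffix a wallet UI shows but not on all 42 characters. The sample addresses and the 7/4-character display widths are assumptions.

```python
import re

# Shape of an Ethereum address: "0x" followed by 40 hex digits (42 characters).
ETH_ADDRESS = re.compile(r"^0x[0-9a-fA-F]{40}$")

# Assumed number of leading/trailing characters a truncated wallet UI shows.
SHOWN_PREFIX = 7   # "0x" plus five hex digits
SHOWN_SUFFIX = 4


def normalize(address):
    """Validate the 42-character shape and lower-case it for comparison."""
    if not ETH_ADDRESS.match(address):
        raise ValueError(f"not a 42-character Ethereum address: {address!r}")
    return address.lower()


def same_address(a, b):
    """Compare every character: the check to do before pasting an address."""
    return normalize(a) == normalize(b)


def looks_alike(a, b, prefix=SHOWN_PREFIX, suffix=SHOWN_SUFFIX):
    """True when a and b differ but display identically once truncated."""
    a, b = normalize(a), normalize(b)
    return a != b and a[:prefix] == b[:prefix] and a[-suffix:] == b[-suffix:]


def flag_poisoned(history, own_address):
    """Return (suspect_sender, impersonated_counterparty) pairs in history.

    Trusted = counterparties the user has paid (the 'to' of outgoing txs).
    An incoming tx whose sender merely resembles one of them is flagged.
    """
    me = normalize(own_address)
    trusted = {normalize(tx["to"]) for tx in history if normalize(tx["from"]) == me}
    flagged = []
    for tx in history:
        sender = normalize(tx["from"])
        if sender == me or sender in trusted:
            continue
        flagged.extend((sender, known) for known in trusted if looks_alike(sender, known))
    return flagged


# Constructed sample history; all addresses are made up for this example.
ME = "0x" + "a1" * 20
FRIEND = "0x1234567890abcdef1234567890abcdef12345678"
LOOKALIKE = "0x12345" + "0" * 31 + "5678"   # same shown prefix/suffix as FRIEND
STRANGER = "0xabcdef" + "0" * 34
SAMPLE_HISTORY = [
    {"from": ME, "to": FRIEND, "value": "1.0"},    # legitimate outgoing payment
    {"from": LOOKALIKE, "to": ME, "value": "0"},   # zero-value poisoning transfer
    {"from": STRANGER, "to": ME, "value": "0.5"},  # unrelated incoming payment
]

if __name__ == "__main__":
    for suspect, victim in flag_poisoned(SAMPLE_HISTORY, ME):
        print(f"WARNING: {suspect} resembles trusted {victim} but is a different address")
```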
