Address Poisoning in Crypto and How to Avoid It

Thesis Defense Team · Published in Thesis Defense · May 10, 2024

By Shane Farrell, Marketing Manager

Last week, a victim mistakenly sent around $70 million worth of Wrapped Bitcoin (WBTC) to a scammer’s address in a presumed address poisoning attack. The incident underscores not just the sophistication of crypto scams but the need for heightened vigilance among users.

This blog explains address poisoning attacks and how to prevent becoming a victim.

What’s Address Poisoning?

Address poisoning is a scam where a malicious actor creates a crypto address to mimic one frequently used by their target in the hopes that the victim will mistakenly send funds to the fraudulent address. The attacker ensures the malicious address is logged in the victim’s transaction history by sending a transaction (typically of minimal to no value) to the victim’s wallet.

Address poisoning scams are particularly insidious because they rely on human error to succeed. Specifically, they exploit the common habit of checking only the first and last few characters of an address before confirming a transaction.

Protecting Yourself from Address Poisoning

Unfortunately, given the open nature of blockchains and decentralized tech, there is no way to prevent an attacker from sending funds to your address. Simply being aware of this kind of attack is valuable, however, because it encourages vigilance. Beyond awareness, here are five concrete steps you should follow to avoid becoming the victim of an address poisoning attack:

1. Verify Addresses Thoroughly: Always double-check every character of the address when sending or receiving crypto. Although this seems tedious, it’s essential for safety. Be cautious with copy-paste; malware that alters clipboard content can replace copied addresses with the attacker’s. Always recheck the address after pasting.

2. Practice Transaction Discipline: Before sending large amounts, conduct a test transaction with a small amount to ensure the address is correct. In addition, verify transaction details through a separate communication channel with the recipient to ensure that the address hasn’t been altered by malware or replaced due to clipboard tampering.

3. Leverage Wallet Features: Use your crypto wallet’s address book feature to whitelist trusted addresses, minimizing the risk of selecting a fraudulent address.

4. Maintain Software Hygiene: Regularly update your crypto wallet apps to include security patches that can protect against new vulnerabilities. In addition, use reliable security and malware detection software to alert you to suspicious activities.

5. Beware of Scams in Transaction Histories: Watch out for small, unusual deposits — scammers may use these to make their addresses appear familiar. Platforms like Etherscan don’t show transactions with zero token values or ones believed to be suspicious. But you can never be too careful.

Source: Etherscan.io
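The checks behind steps 1, 3 and 5 can be automated. The following is an added example (not code from Thesis Defense or from any wallet) that scans a constructed transaction history for counterparties mimicking a trusted contact, and approves a destination only on a full-address match with a hypothetical address book; the addresses, the `TRUSTED` book and `HISTORY` are all constructed.

```python
import re
from typing import Dict, List

# Hypothetical address book (step 3): names mapped to addresses the user has
# verified in full, out of band. All addresses below are constructed examples.
TRUSTED: Dict[str, str] = {
    "exchange-deposit": "0x71C7656EC7ab88b098defB751B7401B5f6d8976F",
}

# Constructed transaction history as a wallet or explorer would list it.
# The zero-value inbound transfer shares the first and last four hex digits of
# the trusted address: that is the poisoning attempt.
HISTORY: List[Dict] = [
    {"counterparty": "0x71C7656EC7ab88b098defB751B7401B5f6d8976F", "direction": "out", "value": 10**18},
    {"counterparty": "0x71C7e0Fd3a5c5A3d9Bf1a0B2c3D4e5F6A7b8976F", "direction": "in", "value": 0},
    {"counterparty": "0x9a8B7c6d5E4f3A2b1C0d9E8f7A6b5C4d3E2f1A0b", "direction": "in", "value": 5 * 10**17},
]

HEX40 = re.compile(r"^0x[0-9a-fA-F]{40}$")

def is_exact_match(candidate: str, trusted: str) -> bool:
    """Step 1: compare every hex digit; only EIP-55 checksum casing is ignored."""
    return HEX40.match(candidate) is not None and candidate.lower() == trusted.lower()

def looks_alike(candidate: str, trusted: str, prefix: int = 4, suffix: int = 4) -> bool:
    """True when an address shares the leading/trailing digits people eyeball
    (defaults: four each) but is a different account."""
    c, t = candidate.lower()[2:], trusted.lower()[2:]
    return c != t and c[:prefix] == t[:prefix] and c[-suffix:] == t[-suffix:]

def flag_poisoning(history: List[Dict], address_book: Dict[str, str]) -> List[Dict]:
    """Step 5: scan the history for counterparties that mimic a trusted contact.
    Each hit records the imitated contact and whether it arrived as a zero-value
    inbound 'dust' transfer, the usual poisoning signature."""
    flagged = []
    for tx in history:
        for name, trusted in address_book.items():
            if looks_alike(tx["counterparty"], trusted):
                flagged.append({"counterparty": tx["counterparty"], "imitates": name,
                                "dust": tx["direction"] == "in" and tx["value"] == 0})
    return flagged

def safe_to_send(candidate: str, address_book: Dict[str, str]) -> bool:
    """Step 3: approve a destination only on a full match with an address-book
    entry, never on a prefix/suffix resemblance."""
    return any(is_exact_match(candidate, t) for t in address_book.values())
```

Running `flag_poisoning(HISTORY, TRUSTED)` reports the second entry as a dust look-alike of "exchange-deposit", and `safe_to_send` rejects it even though it passes the first-four/last-four glance.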

Defense’s Approach to Security

Scams, such as address poisoning, significantly erode trust in the crypto and decentralized tech space and undermine the transformative technology it is built on.

That is why at Thesis Defense, we believe it is important to highlight security risks not only in the code that we audit, but also to inform users of risks that are related to human behavior and error.

After all, improving the security of projects built on decentralized systems is only part of the battle. We believe that to ensure the long-term success of these technologies, in addition to boosting institutional and retail confidence in crypto and DeFi, users must be safeguarded against malicious entities.

At Thesis Defense, we pride ourselves on our expertise. Our team of security auditors has carried out hundreds of security audits for decentralized systems across a number of technologies including smart contracts, wallets + browser extensions, bridges, node implementations, cryptographic protocols, and dApps. We offer our services within a variety of ecosystems including Bitcoin, Ethereum + EVMs, Stacks, Cosmos / Cosmos SDK, NEAR and more.

To learn more about our services and get a free quote, schedule a call or email us at defense@thesis.co. For more information about Thesis Defense, visit us on our website, blog and X (Twitter).
