The United States Drug Enforcement Administration (DEA) fell prey to an address poisoning scam, losing $55,000 in confiscated Tether (USDT), despite the use of a hardware wallet. This unfortunate incident serves as a reminder that even the most secure institutions are not immune to clever social engineering attacks, which are pervasive in the world of crypto.
This scam is termed 'address poisoning' because the scammer contaminates the victim's transaction history, in the hope that they will unintentionally use the scammer's address. For example, the following screenshot, from an older version of MetaMask, shows two transactions that appear to originate from the same address.
Although both transactions appear to originate from the same address, this is not the case. While the first 3 and last 4 characters of the From address in both transactions match, the remaining characters do not. The difference becomes clear when using a block explorer, like Etherscan, to view the transaction history of the victim account, as shown below:
This subtle difference is an attempt to coerce the victim into using the last visually matching address for a familiar transaction to send additional funds in a subsequent transaction. It's a crafty trick because it leverages human nature - we only remember a few details of cryptocurrency addresses, making it easy to make mistakes most especially in haste. This type of scam generally unfolds as follows:
- Scammers identify accounts with specific transaction behaviors, and from the transaction history of these accounts, identify target address(es) to impersonate.
- They initiate a transaction with the victim account using an address that is visually similar to a previous transaction address that was identified, 'poisoning' the victim's transaction history by ensuring their deceivingly similar address is prominent in the transaction history.
- The victim, believing it to be a familiar address, copies the incorrect one from their poisoned transaction history for a future transaction.
- The funds are misdirected to the scammer's address instead of the intended recipient.
So how is it done in practice, and most importantly what do we need to do to avoid being a victim? In the rest of this post we will look at some of the different techniques that have been abused to this end.
The Basic Attack
A key requirement to this attack succeeding is dependent on the scammer acquiring an account with an address that resembles a legitimate address within a target account’s transaction history. This is where vanity address generators become useful to scammers.
Vanity address generators are often used to generate addresses with specific strings or patterns, based on user provided input. For example, if you wanted an address that contained “1111” you could use a vanity generator to generate a bunch of private keys and iterate until a corresponding address containing the provided characters is found and returned to you. While there is a legitimate use-case for these tools, they can also be a boon for scammers attempting to perform an address poisoning attack.
For example, using the GPU-based vanity generator: Profanity (disclaimer: A vulnerability disclosed in Profanity, an Ethereum vanity address tool (1inch.io)) we can generate addresses similar to a target address, in this case 0x499xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx7A30. This is shown in the screenshot below:
In a few seconds, we have a completely new address that matches the first 3 and last 4 characters of our target address- enough of a match to appear visually similar at a glance. We can then use the private key to import this account into a wallet of our choice.
To simulate the attack, we can use the Sepolia test network to fund this account and send a small transaction to the target address. The result of this transaction on the victims account activity in MetaMask is shown in the screenshot below:
We made a payment that mirrors the last received transaction, in the hope that the victim will subsequently send something of value back to this address at a later point. The scam is hinged on the fact that people typically copy and paste addresses and often it’s the latest transaction address that is used in subsequent transactions. It should be noted, the display of shortened addresses in newer versions of MetaMask have recently been removed.
Viewing the details of these transactions and comparing the Jazzicon (icon next to the address) it is possible to see the difference:
Based on the frequency with which someone interacts with a particular account, they might recognize its associated Jazzicon. Yet, considering how quickly one can produce addresses that look alike, it's plausible to create numerous similar addresses until one with matching dominant colors is found. The main point is that a malicious actor might attempt to create a deceptive address, aiming for both textual and icon resemblance, to mislead someone who isn't extremely vigilant.
Therefore the most reliable way to ensure you are sending to the correct address is to check the full address. This can easily be done in a block explorer, such as Etherscan. Here we can see the difference more clearly:
In principle, this demonstrates the elements of an address poisoning scam. It's worth noting that this is just one variant of the address poisoning attack, and comes with certain limitations: The transaction is recorded as a "Receive" transaction for the target.
The Forbes article mentions, “A scammer had been monitoring the blockchain and detected when the DEA transferred a test amount of $45.36 in Tether to the United States Marshals Service as a part of standard forfeiture processing.” Based on this quote, this specific address poisoning technique was not used. The target account executed a send transaction for a Token, which is what the scam needed to emulate. It appears that something more would be needed.
Although success might seem heavily reliant on luck, there are techniques scammers can employ to boost their odds. One of the most intriguing and perilous traits of these scams is their ability to sidestep our usual defenses. We're conditioned to expect threats from emails or websites, where our guard is highest, not from the transaction history of our crypto accounts. It's this specific characteristic that offers potential for further exploitation in more inventive ways, such as:
- Zero-value token transfers — where only gas fees are necessary.
- Fake token airdrops — this requires deploying a fake token contract and subsequently distributing these tokens from target victim accounts to an address mimicking a past transaction.
- Fake NFT airdrops — this is similar to fake token airdrops just with NFT’s instead.
These techniques could be used to poison the target address with transactions that seem to originate from the owner of the account, making a much more convincing attack. Depending on the technique used, the poisoned transaction may not appear in the victim's wallet activity history. For example, in the case above a non-zero amount of Ethereum was sent to the victims wallet address, which was visible in MetaMask’s activity tab. However, when it comes to transactions involving tokens things are slightly different:
Receive transactions for tokens do not typically show in the activity for the given token in the user's wallet. Depending on the wallet configuration, users may be alerted by their wallet when they receive a new unfamiliar token. In the context of this particular scam, the scammer-controlled account will receive the bogus transaction.
On the other hand, Send transactions initiated in MetaMask are shown under the tokens activity history for the respective account. In the cases for the techniques above, because these transactions are created on behalf of the victim account, they will not show up in the victim's wallet. Instead, these will only be viewable in a block explorer. Therefore, for the techniques above involving token transfers, the attacker is relying on the victim using Etherscan to view previous transactions and copy addresses. Without knowledge of these types of attacks, a victim has no reason to doubt unfamiliar Send transaction’s originating from their account- most especially when they appear to mimic familiar transfers by emulating the token and amount.
Zero-value Token Transfers
This technique gained significant traction towards the end of 2022. However, since then, crypto wallets and block explorers have taken steps to shield users from this scam. For instance, Etherscan now by default hides zero-value transfers and as noted above, certain token transactions are not visible in MetaMask.
Zero-value attacks are trivial to perform and can be done by interacting directly with the contract of the respective token, using any account with enough funds for gas to call the transferFrom method. For example, sending a zero-value transaction using Etherscan can be done by writing to the contract as follows:
This is possible because the ERC20 token standard includes a mechanism involving the approve and transferFrom functions. For one entity to transfer funds from another account using transferFrom, prior approval must be secured through the approve function. This establishes an "allowance", dictating how many tokens a third party can move on behalf of the token owner.
By default, due to the way the Ethereum Virtual Machine (EVM) handles uninitialized storage variables, the allowance for any address on any ERC20 token is set to 0. When transferFrom is executed, the function checks against the balanceOf[_from] and deducts the _value from the sender's balance. However, if the transfer value is 0, this deduction has no effect on the sender's balance. This logic in the transferFrom function allows any transaction with a value of 0 to bypass usual checks.
Consequently, no prior authorization from the sender's address is required for these zero-value transfers. This enables external entities to initiate such transactions, making them appear in the sender's transaction history without any actual token transfer taking place. As noted above, because it is a token transfer initiated on behalf of the sender, the transaction will only show on a block explorer like Etherscan, rather than in the victim’s wallet.
Achieving this is even simpler using a smart contract. The ease of execution and low cost explain why this attack gained traction. Instead of appearing as a received transaction, scammers could inject a 'sent' transaction, thereby enhancing their chances of success. Unfortunately for scammers, yet fortunately for the rest of us, it would require a victim to overlook many safety warnings to fall for this due to the evolutions made to protect users. For example, Etherscan now requires users to change their site preferences for zero-value token transfers to be visible. Doing this and using the technique above to initiate such a transaction results in the following history:
Had this transaction been visible by default, it would have been quite a convincing attack and definitely would increase the scammer's likelihood of success. Looking closer at this history, Etherscan further protects users by preventing them from copying any addresses for any zero-value ERC20 token transfers that were initiated by any account other than the owner.
Fake Token Airdrop
The Forbes article also stated “The swindler ‘airdropped’ the fake address into the DEA’s account by dropping a token into the DEA account so it looked like the test payment made to the Marshals.” — although a bit confusing at first, from this we can glean that a zero-value transfer was not part of the scam, rather it had something to do with a fake token.
Given certain requisite properties, any smart contract can qualify as an ERC20 token. By triggering specific events, these contracts can generate transactions that surface under an address's 'Token Transfers (ERC-20)' tab on blockchain explorers like Etherscan.
Since the transferFrom function is integral to the ERC20 standard, re-implementing this and eliminating all accounting controls allows us to devise a counterfeit token. By breaking the accounting checks and balances on this fake token it can send any quantity of itself to any address from any other address. This maneuver can be further exploited to mimic another genuine token by adopting the same token name and symbol.
For instance, the contract outlined below can be employed to this end:
By deploying this on the Sepolia test network and calling this transferFrom method, we can airdrop our counterfeit token. This allows us to initiate a send transaction from the victim's address to an address we control. Once our transaction is validated, we can observe the subsequent transactions on the victim's account:
And now, our poisoned transaction appears much more legitimate. However, since the block explorer displays more characters than our wallet does, it's possible to spot the discrepancy. Even so, hovering over the real token and fake token in this case displays the same text, namely: “USDT Token”- the name specified in the fake token contract.
So what actually happened?
On the Ethereum mainnet there are safety rails in place to safeguard user transactions involving tokens to. For example, if we look at the actual transaction history of the DEA’s account targeted by this scam, we see the following:
When examining only the items shown in the "Token" column, we can observe that “Tether USD (USDT)” is the genuine coin. This is verified both by the name and logo next to it and by evaluating its reputation through the associated link in the column. The presence of a red exclamation mark beside the other ERC-20 tokens suggests a low token reputation, further substantiated by their individual token pages on Etherscan.
This reputation marking is due to the Etherscan token reputation system. For example, token creators can provide transparency and legitimacy for their tokens by adding a logo, website link and getting the contract source code verified. However, by default all tokens in the Etherscan token tracker have a reputation of “UNKNOWN”, even if the token basic information (website, social media and logo) has been updated. A token marked with an “OK” reputation, the case for Tether USD, is deemed at the discretion of Etherscan to be a token of public interest, in other words trustworthy or safe. Fake token (mimicking legitimate tokens) creators often won't go through these lengths, and even if they did, at most they would be able receive a reputation of “NEUTRAL”, which is not as reputable as a reputation of “OK”.
At the time of this attack, these counterfeit tokens may not have been identified as fakes. Nevertheless, it would have been possible to validate their authenticity by inspecting their reputation. Even with these safety measures, someone in a rush might overlook these nuances, focusing solely on what they intend to verify: the last four characters of the 'to' address for the most recent USDT token transaction of $45.36. This seems to have been what happened in the case of the DEA’s account that got poisoned.
If we inspect the screenshot above closer and trace all transactions sent to addresses ending with “463”, we can see exactly what happened. In this case, the fake address used by the attacker (0xf14…463) didn’t even accurately mimic the first 3 characters of the legitimate address (0xF14…463), yet the attack succeeded.
Don’t be a Victim
Cryptocurrency is a revolutionary leap forward in digital transactions, but as with any financial frontier, it attracts those who employ various tricks in the form of scams for their own gain. Given the proven security of cryptocurrency wallets and technology, and the self agency benefits for individuals owning their assets, scammers seeking to steal crypto funds essentially need to rely on crafty tricks. Regardless of the type of scam, it is all about tricking the owner, at their expense, into doing something that benefits the scammer. Address poisoning is just one type of trick, and as shown in this post, is not difficult to perform. This scam doesn't rely on the traditional trappings of phishing—no suspicious emails or dubious dApps, yet is effective enough to fool even the DEA.
By nature of address poisoning attacks, a degree of profiling target wallet accounts is required for the scam to be profitable. For example, in the case of the fake Token airdrops, this technique would not work on accounts that do not trade Tokens. Therefore scammers need to be deliberate in their attacks by targeting specific accounts that transact in a particular way, based on the technique being used. Referring back to the Forbes article, there were specific details that stand out, which if known beforehand by the scammer would have greatly shifted the odds of success, namely:
- funds were placed in DEA-controlled accounts, stored in a Trezor hardware-based wallet
- the DEA sent a test amount of $45.36 in Tether to the United States Marshals Service, as part of standard forfeiture processing
If the scammers had knowledge of the DEA account address, the technology or hardware in use, as well as the standard operational procedures, this knowledge could have been leveraged in a very precise manner. When it comes to phishing, leveraging additional information into crafting a specific payload for a particular victim has typically resulted in increased success and appears to have played a role here.
Fortunately though, wallet providers and block explorers have gone through great lengths to stay on top of new scams and to introduce mechanisms to safeguard users. Despite these safety measures, it still remains possible for people to make an expensive mistake. The purpose of this post was to provide insight into the simplicity of these attacks and to provide a better understanding of what they look like from the victims perspective.
As insidious as address poisoning may sound, its antidote is remarkably simple: attentiveness. By taking an extra moment to verify transaction details, especially for substantial amounts, and by educating oneself on the intricacies of these scams as highlighted in this post, one can successfully navigate the crypto-waters, steering clear of the lurking dangers below:
- Be careful when copying addresses from your transaction history
- Always verify the reputation of any tokens that you interact with
Tools like NightHawk are an important part of protecting yourself from scams and help to create alerts for threats stemming from the web, dApps or social media. As users however, we rarely anticipate danger lurking in our crypto transaction histories. The unique positioning of address poisoning attacks comes in the way that it reaches its victims: showing up in our transaction history. In the world of digital currencies, knowledge and awareness is key to avoid being a victim. Being aware that threats can also emanate from your transaction history is enough for you to spot these kinds of attacks. Scammers will always change their methods, but you will always be in control of your funds.