
Ethereum's ‘Create2’ Function Exploited in $60 Million Multi-target Crypto Heist


November 14, 2023


Security researchers have uncovered a sophisticated scheme where threat actors have weaponized Ethereum's "Create2" function, leading to significant cryptocurrency theft.

This malicious operation, exposed by the Web3 anti-scam specialists Scam Sniffer, has cost nearly 100,000 victims a combined loss of about $60 million over a six-month period.

Understanding ‘Create2’ and Its Vulnerabilities

The Ethereum network's "Constantinople" upgrade introduced the "Create2" function, a successor to the original Create function.

This feature allows for more advanced interactions with smart contracts, including pre-calculating contract addresses. However, it also introduced vulnerabilities.

Scam Sniffer's report indicates that Create2 can be manipulated to generate new contract addresses with no transaction history, enabling them to bypass wallet security alerts.

The Mechanics of the Scam

Perpetrators of this scam used these clean addresses for fraudulent transactions. Unsuspecting users would sign these transactions, unwittingly transferring their assets to the attacker-controlled addresses.

In a variation of this exploit, attackers created addresses similar to legitimate ones, deceiving users into sending assets to these fake addresses.

Address Poisoning: A New Layer of Deception

This strategy, known as "address poisoning," involves creating batches of addresses and selecting those that best suit the scam's needs. One victim lost a staggering $1.6 million in a single transaction to such a poisoned address.

The scam is not limited to this method alone; earlier versions saw attackers sending small amounts of crypto to potential victims, gaining their trust before executing the theft.

Recommendations for Safeguarding Your Cryptocurrency

To protect against these and other crypto scams, users are advised to:

  1. Use specialized software such as Bitdefender Ultimate Security to fend off phishing attempts and other digital threats.
  2. Always verify transaction addresses, especially when dealing with significant amounts.
  3. Consider using hardware wallets for added security.
  4. Regularly update and back up wallet software.

For further guidance on staying safe in the cryptocurrency realm, refer to expert resources and comprehensive guides on avoiding crypto scams. Staying vigilant and informed is critical to safeguarding digital assets in an increasingly complex and evolving landscape.




Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.
