Security researchers have uncovered a sophisticated scheme where threat actors have weaponized Ethereum's "Create2" function, leading to significant cryptocurrency theft.
This malicious operation, exposed by Scam Sniffer Web3 anti-scam specialists, has caused nearly 100,000 victims a combined loss of about $60 million over a six-month period.
Ethereum's "Constantinople" upgrade added the "Create2" opcode (EIP-1014) alongside the original Create. Where Create derives a new contract's address from the deployer's address and nonce, Create2 derives it from the deployer's address, a caller-chosen 32-byte salt and the hash of the contract's initialisation code.
Because every input is known in advance, the address of a contract can be computed, and even handed to a counterparty, before anything has been deployed there. That determinism is a deliberate feature, but it is also the property this scam abuses.
Scam Sniffer's report shows how: the attacker computes a Create2 address but defers the deployment, so the address holds no code, has no transaction history and appears on no blocklist. Wallet security checks that flag known-malicious or suspicious addresses therefore have nothing to warn about.
The scammers placed these clean addresses in the transactions and token approvals they asked victims to sign, typically via phishing sites. Unsuspecting users signed, and only then did the attacker deploy the contract at the pre-computed address and move the assets out.
In a variation of this exploit, attackers generated addresses that resemble ones the victim already uses, deceiving users into sending assets to the look-alike instead.
This strategy, known as "address poisoning," works by generating large batches of candidate addresses (each from a different salt) and keeping those whose first and last characters match a legitimate address, since most wallets display only those characters. One victim lost a staggering $1.6 million in a single transaction to such a poisoned address.
The scam is not limited to this method alone; in earlier variants the attackers sent tiny amounts of crypto from the look-alike address to potential victims, so that the fake address appeared in the victim's transaction history and could later be copied by mistake when the victim meant to reuse the genuine one.
To protect against these and other crypto scams, users are advised to:
For further guidance on staying safe in the cryptocurrency realm, refer to expert resources and comprehensive guides on avoiding crypto scams. Staying vigilant and informed is critical to safeguarding digital assets in an increasingly complex and evolving landscape.