Crypto wallet provider MetaMask has warned customers of a new type of scam that exploits their lack of caution.
The scheme, dubbed “Address Poisoning,” lets threat actors divert transactions into attacker-owned wallet addresses with a surprisingly rudimentary technique.
Wallet addresses consist of randomly generated strings of alphanumeric characters. Depending on the blockchain, they could be 25 to 40 characters long (excluding the prefix).
Providers use shortened versions that only display the first and the last few characters in the address to make them easier to work with. In an Address Poisoning attack, perpetrators poison victims’ transaction histories using similar addresses with identical short forms (i.e., the same first and last characters).
“Since they're so long, crypto wallet addresses are typically shortened,” reads MetaMask’s announcement. “You might see the first lot of characters only, or sometimes you may see the initial 5-10 or so and the final 5-10 or so, skipping the middle. This is how most people recognize addresses: not by knowing every single character, but by becoming familiar with the start and finish. This is the tendency that address poisoning preys on.”
First, the attacker monitors the blockchain for active transactions so as not to waste effort on burner or dead wallets. After selecting a target, the attacker uses a vanity address generator to create a nearly identical address whose first and last characters match the target’s.
The scammer then sends a small amount of crypto (or even $0) to the victim from the closely matching dummy wallet, effectively poisoning the victim’s transaction history. Wallet apps offer convenient features that let users copy addresses safely; however, some users copy addresses directly from the blockchain explorer or from their transaction history instead.
Address poisoning might trick users into inadvertently copying the attacker’s address instead of their own and pasting it someplace else. If, for instance, you’re trying to send funds to a particular wallet you own and accidentally paste the fake address, you’ll send the funds to them.
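The defensive counterpart to the scheme described above is to compare addresses in full rather than by their displayed head and tail. The following Python is an added example written for this article, not MetaMask’s code: it reproduces the shortened display form, flags any transaction-history counterparty that collides with a trusted address in that short form while differing in the middle, and refuses a send unless the pasted address matches the intended one character for character. It assumes Ethereum-style `0x`-prefixed hex addresses and a wallet that shows six leading and four trailing characters; the sample addresses and history entries are constructed for the demonstration.

```python
"""Detect address-poisoning lookalikes in a wallet's transaction history (added example)."""

def short_form(addr: str, head: int = 6, tail: int = 4) -> str:
    """Render an address the way many wallets display it, e.g. '0xab12cd...9f3e'.

    head/tail count characters after the '0x' prefix (assumed display convention).
    """
    body = addr[2:] if addr.lower().startswith("0x") else addr
    return f"0x{body[:head]}...{body[-tail:]}"


def is_lookalike(candidate: str, trusted: str, head: int = 6, tail: int = 4) -> bool:
    """True when candidate shows the same shortened form as trusted but is a different address."""
    c, t = candidate.lower(), trusted.lower()
    if c == t:
        return False  # identical address, not a lookalike
    return short_form(c, head, tail) == short_form(t, head, tail)


def flag_poisoned_history(history, address_book, head: int = 6, tail: int = 4):
    """Return [(history_entry, trusted_name)] for entries whose counterparty
    collides in short form with an address-book entry without being it."""
    flagged = []
    for entry in history:
        for name, trusted in address_book.items():
            if is_lookalike(entry["counterparty"], trusted, head, tail):
                flagged.append((entry, name))
    return flagged


def safe_to_send(pasted: str, intended: str) -> bool:
    """Full-length, case-insensitive comparison: the only check that defeats poisoning.
    Never compare on the shortened form."""
    return pasted.strip().lower() == intended.strip().lower()


# --- constructed sample data (not real on-chain addresses) ---
TRUSTED_WALLET = "0xab12cd" + "1" * 30 + "9f3e"   # 40 hex chars after 0x
LOOKALIKE      = "0xab12cd" + "2" * 30 + "9f3e"   # same head/tail, different middle
UNRELATED      = "0x" + "3" * 40                   # shares nothing with the trusted wallet

ADDRESS_BOOK = {"my cold wallet": TRUSTED_WALLET}

SAMPLE_HISTORY = [
    {"tx": "tx-0001", "counterparty": TRUSTED_WALLET, "value_eth": 0.5},   # legitimate transfer
    {"tx": "tx-0002", "counterparty": LOOKALIKE,      "value_eth": 0.0},   # the $0 poisoning tx
    {"tx": "tx-0003", "counterparty": UNRELATED,      "value_eth": 0.1},   # ordinary counterparty
]


def poisoned_tx_ids():
    """Convenience: ids of history entries flagged as lookalikes of a trusted address."""
    return [entry["tx"] for entry, _name in flag_poisoned_history(SAMPLE_HISTORY, ADDRESS_BOOK)]


if __name__ == "__main__":
    print("trusted :", short_form(TRUSTED_WALLET))
    print("poison  :", short_form(LOOKALIKE), "(identical on screen)")
    for entry, name in flag_poisoned_history(SAMPLE_HISTORY, ADDRESS_BOOK):
        print(f"WARNING {entry['tx']}: counterparty looks like '{name}' but differs in the middle")
    # Copying the poisoned entry and pasting it into a send form must be rejected.
    print("send ok?", safe_to_send(LOOKALIKE, TRUSTED_WALLET))
```

The flagging pass is cheap enough to run on every history refresh; the useful product is a warning next to the zero-value entry, since that entry is the one a user is most likely to copy by mistake.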
Although this attack doesn’t grant scammers access to your wallet, it could easily cost you funds. As with all on-chain operations, the funds are impossible to recover once the transaction is confirmed.
The best ways to protect against address poisoning include: