Address Poisoning in Crypto and How to Avoid It

Written by

Shane Farrell

Marketing Manager

Last week, a victim mistakenly sent around $70 million worth of Wrapped Bitcoin (WBTC) to a scammer’s address in a presumed address poisoning attack. The incident underscores not just the sophistication of crypto scams but the need for heightened vigilance among users.

This blog explains address poisoning attacks and how to avoid becoming a victim.

What is Address Poisoning?

Address poisoning is a scam where a malicious actor creates a crypto address to mimic one frequently used by their target in the hopes that the victim will mistakenly send funds to the fraudulent address. The attacker ensures the malicious address is logged in the victim’s transaction history by sending a transaction (typically of minimal to no value) to the victim’s wallet.

Address poisoning scams are particularly insidious because they rely on human error to be successful. Specifically, they exploit the common practice of only verifying the first and last characters of an address during transactions.

Protecting Yourself from Address Poisoning

Unfortunately, given the open nature of blockchain and decentralized tech, there is no way of preventing attackers from sending you money. However, simply being aware of these types of attacks is important because it encourages vigilance. Beyond awareness, here are five concrete steps you should follow to avoid becoming the victim of an address poisoning attack:

  • Verify Addresses Thoroughly: Always double-check every character of the address when sending or receiving crypto. Although this seems tedious, it’s essential for safety. Be cautious with copy-paste; malware that alters clipboard content can replace copied addresses with the attacker’s. Always recheck the address after pasting.
  • Practice Transaction Discipline: Before sending large amounts, conduct a test transaction with a small amount to ensure the address is correct. In addition, verify transaction details through a separate communication channel with the recipient to ensure that the address hasn’t been altered by malware or replaced due to clipboard tampering.
  • Leverage Wallet Features: Use your crypto wallet’s address book feature to whitelist trusted addresses, minimizing the risk of selecting a fraudulent address.
  • Maintain Software Hygiene: Regularly update your crypto wallet apps to include security patches that can protect against new vulnerabilities. In addition, use reliable security and malware detection software to alert you to suspicious activities.
  • Beware of Scams in Transaction Histories: Watch out for small, unusual deposits — scammers may use these to make their addresses appear familiar. Platforms like Etherscan don’t show transactions with zero token values or ones believed to be suspicious. But you can never be too careful.

Figure: Etherscan showing potential spam (Source: Etherscan.io)
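
The Python below is an added example, not code from the original post or from any wallet: it matches a recipient against an address book on the full address and flags senders in a transaction history that agree with a trusted address only on the first and last characters. The function names, the 4-character window, the dust threshold and the sample addresses are assumptions constructed for illustration.

```python
"""Flag look-alike (poisoned) addresses against a trusted address book."""

def _norm(addr):
    # Ethereum-style hex addresses compare case-insensitively.
    a = addr.strip().lower()
    return a[2:] if a.startswith("0x") else a

def classify(candidate, address_book, n=4):
    """Return (verdict, label): 'trusted', 'lookalike' or 'unknown'."""
    cand = _norm(candidate)
    # Only an exact, full-length match counts as trusted.
    for label, trusted in address_book.items():
        if cand == _norm(trusted):
            return "trusted", label
    # Same first/last n characters but a different address: the pattern
    # a reader who checks only the ends of an address would miss.
    for label, trusted in address_book.items():
        t = _norm(trusted)
        if cand[:n] == t[:n] and cand[-n:] == t[-n:]:
            return "lookalike", label
    return "unknown", None

def suspicious_transfers(history, address_book, dust=0.001, n=4):
    """Incoming zero/dust-value transfers whose sender mimics a trusted address."""
    hits = []
    for tx in history:
        verdict, label = classify(tx["from"], address_book, n)
        if verdict == "lookalike" and tx["value"] <= dust:
            hits.append((tx["from"], label))
    return hits

# Constructed sample data (not real addresses or transactions).
TRUSTED = "0xA1b2C3d4E5f60718293a4B5c6D7e8F9012345678"
LOOKALIKE = "0xa1b2" + "f" * 32 + "5678"
UNRELATED = "0x9999888877776666555544443333222211110000"
ADDRESS_BOOK = {"exchange-deposit": TRUSTED}
HISTORY = [
    {"from": TRUSTED, "value": 1.5},
    {"from": LOOKALIKE, "value": 0.0},   # poisoning-style zero-value transfer
    {"from": UNRELATED, "value": 0.0},   # spam, but not mimicking anyone
]

if __name__ == "__main__":
    for sender, label in suspicious_transfers(HISTORY, ADDRESS_BOOK):
        print(f"WARNING: {sender} imitates trusted address '{label}'")
```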

Defense’s Approach to Security

Scams, such as address poisoning, significantly erode trust in the crypto and decentralized tech space and undermine the transformative technology it is built on.

That is why at Defense, we believe it is important to highlight security risks not only in the code that we audit, but also to inform users of risks that are related to human behavior and error.

After all, improving the security of projects built on decentralized systems is only part of the battle. We believe that to ensure the long-term success of these technologies, in addition to boosting institutional and retail confidence in crypto and DeFi, users must be safeguarded against malicious entities.