Safe Wallet users fall victim to sophisticated scam, losing millions to hackers exploiting Ethereum's 'Create2' function.
Recently, the cryptocurrency community has been hit by a sophisticated scam known as "address poisoning," which has resulted in the theft of over $2 million from users of Safe Wallet in just one week. This scam has affected around 21 victims, with one individual losing a staggering $400,000 from their $10 million holdings in Safe Wallet.
Address poisoning works by exploiting the way users interact with their cryptocurrency addresses. A scammer creates a wallet address that closely resembles a legitimate address that the victim frequently uses. When the victim intends to send funds to their usual address, they might accidentally send it to the scammer's similar-looking address instead. This is particularly effective because the scammer's address only needs to be visually similar to the real one, not identical, to trick an unsuspecting user.
The scammer takes advantage of the 'Create2' Solidity function in Ethereum, which allows for more complex interactions with addresses. By sending small token deposits from their fake address to the target's wallet, the scammer's address becomes part of the victim's transaction history. This increases the chances that the victim will select the scammer's address for a future transaction, mistaking it for their own.
The small deposits, often seen as inconsequential, are the "poison" in the transaction history. Once the victim sends a large amount of cryptocurrency to the wrong address, the funds are irretrievable, and the scammer can drain the assets from their fraudulent address.
To protect against such scams, it is crucial for users to validate send-to addresses thoroughly before confirming any transaction. This can be done by triple-checking the recipient address and verifying it through multiple sources or using address book functions with verified contacts.
Crypto platforms and wallet providers can also implement additional security measures to counter address spoofing risks. This could include alert systems for detecting and flagging addresses that are visually similar to those in a user's transaction history or enhanced verification procedures for transactions above certain thresholds.
While the total estimated theft from address poisoning is around $5 million over the past four months, the recent spike in such incidents highlights the growing need for increased vigilance and improved security practices within the cryptocurrency space. Users are urged to remain cautious and to adopt a meticulous approach when handling crypto transactions to safeguard their assets against such deceptive tactics.
