A cryptocurrency user lost 50 million US dollars’ worth of Tether (USDT) in an utterly ridiculous error that is now a warning to everyone involved in digital assets. The incident was widely reported across media outlets, citing security researchers working for Web3 Antivirus, and it demonstrates how risky it can be to hold cryptocurrency yourself unless you fully understand what you are doing; a brief moment of inattention can lead to massive financial losses.
The Multi-Million Dollar Typo
The incident unfolded in two steps, and it began with what many experts consider a safe practice. On-chain activity shows that the victim performed what he thought was a safe method of verifying the correct address before sending a large amount of money: he sent a small test amount (approximately $50 USDT) to a real wallet address that started with “0xbaf” and ended with “F8b5”. The victim then initiated the second transfer, an enormous sum (close to $50 million USDT). This time the funds did not go to the verified address but to a wallet whose address looked almost identical to it, except that the fraudulent address began with “0xBaF” and ended with “f8b5”. This fraudulent wallet belonged to a scammer who had been lying in wait for the victim to send the money.
Anatomy of the Trap
The scammer’s address, 0xBaFF2F13638C04B10F8119760B2D2aE86b08f8b5, was engineered to mimic the victim’s intended destination. By creating a “vanity address” that matched the first few and last few characters of the actual wallet address, the perpetrator of this attack was able to produce what appeared to be a “distraction” to the victim.
Because most crypto wallet interfaces shorten addresses to show only the start and end (e.g., 0xbaf…f8b5), the two addresses looked virtually identical at a glance. It is probable that the victim was trying to save time by simply copying and pasting the address from the very last transaction in their transaction history, but mistakenly copied the scammer’s transaction rather than their own.
Laundering the Loot
As soon as the scammer’s wallet received the stolen funds, the scammers immediately set about finding ways to hide the source of the funds. Security researchers noted that, immediately after moving the funds, the scammer converted them from USDT to Dai, a decentralized stablecoin that, unlike USDT, cannot be frozen by a central issuer (Tether, the issuer of USDT, can freeze funds if alerted quickly enough).
Once the scammers had converted the USDT to Dai, they transferred the Dai to a brand-new wallet address and then used one of the two protocols known as Uniswap (Uniswap X) to swap the Dai for Wrapped Ethereum (WETH). Moving funds across multiple blockchains and swapping tokens in rapid succession is widely recognized as an advanced method of laundering cryptocurrencies, one that complicates law enforcement recovery efforts.
How ‘Address Poisoning’ Works
The method of attack called “dusting” is based on social engineering techniques rather than on exploiting vulnerabilities in software code. Attackers continuously watch the blockchain for wallets containing large amounts of cryptocurrency. When an attacker has identified a high-value wallet, they use specialized software to create wallet addresses that closely match a frequently used address from that wallet’s transaction history.
Once this has been done, the attacker will transfer an extremely small amount of cryptocurrency—typically only a few cents or even nothing—into the identified victim’s wallet. The transaction that constitutes this transfer will then pollute the transaction history of the victim. The intent of the attacker is to induce the victim to use this “poisoned” address when they attempt to make a subsequent transfer from their wallet based on their transaction history.
A Recurring Industry Nightmare
Sadly, this type of fraud is becoming more common among cybercriminals because it has proven highly successful even against the most sophisticated of users. A high-profile incident from last year included a trader erroneously sending $70 million to a poisoned address. In a rare twist of fate, that victim managed to open a negotiation channel on-chain, eventually convincing the attacker to return 90% of the funds in exchange for a 10% “bounty.”
Others haven’t been so lucky. Two other victims collectively lost over $200,000 last year in similar attacks, with no funds recovered. The irreversible nature of blockchain transactions means that unless the scammer grows a conscience, the money is typically gone forever.
Protecting Your Portfolio
Experts say that relying solely on visual checks of the first and last characters of an address is becoming less reliable.
- Check Every Character: Always validate the full length of the address, every character from start to end, and not just the first and last characters.
- Use Address Books: Store your trusted addresses in your wallet’s address book (whitelist) and use those rather than copying from your transaction history.
- Avoid History Copying: Consider your transaction history as a “danger zone” for spam and scam attacks.
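The full-length check from the list above can be automated. The following Python sketch is an added example, not code from the article or from Web3 Antivirus: it compares a pasted address against an address book and flags any address that matches only in its displayed start and end. The function names and the trusted address are constructed for illustration, because the article gives only the ends of the victim's real destination.

```python
import re

ADDRESS_RE = re.compile(r"0x[0-9a-fA-F]{40}")

def normalize(addr):
    """Validate the format and lowercase the hex. Letter case in an
    Ethereum address is only an EIP-55 checksum, not part of its value."""
    addr = addr.strip()
    if not ADDRESS_RE.fullmatch(addr):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return addr.lower()

def shortened(addr, head=5, tail=4):
    """The truncated form many wallet interfaces display."""
    a = normalize(addr)
    return a[:head] + "..." + a[-tail:]

def classify(candidate, trusted, head=5, tail=4):
    """Return ('match', label) only on a full-length match with an
    address-book entry, ('lookalike', label) when just the displayed
    ends agree, and ('unknown', None) otherwise."""
    cand = normalize(candidate)
    book = {label: normalize(a) for label, a in trusted.items()}
    for label, addr in book.items():
        if cand == addr:
            return ("match", label)
    for label, addr in book.items():
        if cand[:head] == addr[:head] and cand[-tail:] == addr[-tail:]:
            return ("lookalike", label)
    return ("unknown", None)

def audit_history(history, trusted):
    """List history entries that imitate an address-book entry."""
    return [a for a in history if classify(a, trusted)[0] == "lookalike"]

# Constructed stand-in for the victim's real destination.
TRUSTED = {"treasury": "0xbaf" + "0" * 33 + "F8b5"}
# The scammer's address as quoted in the article.
POISON = "0xBaFF2F13638C04B10F8119760B2D2aE86b08f8b5"
# Constructed history: a legitimate send, the poisoning transfer, an unrelated one.
HISTORY = [TRUSTED["treasury"], POISON, "0x" + "1" * 40]

if __name__ == "__main__":
    print(shortened(TRUSTED["treasury"]), "vs", shortened(POISON))
    for entry in HISTORY:
        print(entry, classify(entry, TRUSTED))
```

Both addresses shorten to the same string, so only the full-length comparison separates them.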
As cryptocurrency continues to grow in popularity, so too does the difficulty of executing these types of attacks. For now, the $50 million loss stands as a costly monument to the mantra: “Don’t trust, verify.”




