
Address poisoning attacks

Address poisoning, also known as address spoofing, is an attack vector that capitalizes on user carelessness and haste. Address spoofing is less harmful than other scams, such as unlimited token approvals or phishing for secret recovery phrases. However, it can still result in a loss of funds.
 

Let's examine how this scam is typically carried out.

The scammers target users of Ethereum and EVM-compatible chains such as Binance Smart Chain or Polygon. The attack aims to trick victims into transferring their assets to a fraudulent address that is designed to look very similar to their own. The attacker creates a “vanity address”, a custom address with a specific set of characters chosen to look similar to the intended recipient’s address.
 

When the victim carelessly copies the address from a previous transaction, they may accidentally send their assets to the fraudulent address instead. It's important to carefully confirm the address before making a transfer to ensure that assets are not accidentally sent to the wrong account.
 

There is no need to be worried about the safety of assets or the leak of private keys in this situation.


Blockchain address spoofing can occur on any type of blockchain. However, blockchains such as Polygon, Avalanche, and Binance Smart Chain are often targeted because their low transaction fees make it cheap to send scam transactions to a large number of users.

Blockchains are a matter of public record, so it's very easy for scammers to find and choose a large number of addresses from any block explorer and send spoofed transactions to these addresses.

We are currently developing a feature that will allow you to hide these transactions in Trezor Suite. In the meantime, simply ignore these transactions.

 

Update: Address poisoning scams continue to evolve. In addition to sending fake 0-value transactions, scammers are now also sending fake tokens that appear to be USDT but are actually worthless.


Furthermore, they have taken an additional step and are now sending transactions with tokens that have no value but appear to have a value. For instance, a user sent a legitimate transaction worth 5300 USDC, and the scammer imitated it by sending a transaction with a token that has no value but shows a value of 5300.

On Ethereum and other Ethereum Virtual Machine (EVM) blockchains, anyone is allowed to send any token from any address to any other address, as long as they do not exceed their allowance.

For example, if my allowance for the scammers is 0, and they send a token that looks similar to USDT but is actually a 0-value token, they can still send that token away from my account.

It is important to always double-check the address before making a transfer, even if the transaction appears to be for a legitimate token. If you are unsure about the legitimacy of a transaction, it is best to contact us via our chatbot Hal, who will help resolve your issue.

Trezor Suite will notify you about suspicious transactions that could be considered an address poisoning attack.

What can you do to protect yourself? 

While it is not possible to prevent individuals, including scammers, from sending transactions to your address on a public blockchain, we can prevent ourselves from becoming victims of scams by being cautious when copying addresses. This can be a tricky situation, and it is important to be aware that even those who are diligent in double-checking addresses can still fall victim.

Here are some suggestions:
  • The most important step in avoiding this type of scam is to thoroughly verify and double-check the address before confirming the transaction on your Trezor. This is crucial for all transactions, but especially when sending assets of significant value. The only way to ensure safety is to carefully check every character of the address. 
 
  • When sending transactions, avoid copying addresses from transaction history, whether it be from your Trezor Suite or a block explorer. This advice applies not only to addresses of others you may be sending funds to, but also your own address, such as when moving funds from a centralized exchange to your Trezor device.
 
  • An effective method to verify an address before sending a large amount of funds is to send a test transaction with a small amount. This approach requires paying the gas fee twice, which may not be feasible depending on the current gas price.
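
The character-by-character check recommended above can be automated for addresses you already trust. The following Python code is an added example, not Trezor Suite's own detection logic; the addresses, the history records, the function names and the 4-character threshold are constructed assumptions.

```python
HEX = set("0123456789abcdef")

def normalize(addr):
    """Lower-case an EVM address, drop the 0x prefix, require 40 hex characters."""
    a = addr.strip().lower()
    a = a[2:] if a.startswith("0x") else a
    if len(a) != 40 or not set(a) <= HEX:
        raise ValueError(f"not an EVM address: {addr!r}")
    return a

def shared_edges(a, b):
    """Count identical leading and trailing hex characters of two addresses."""
    a, b = normalize(a), normalize(b)
    prefix = next((i for i in range(40) if a[i] != b[i]), 40)
    suffix = next((i for i in range(40) if a[-1 - i] != b[-1 - i]), 40)
    return prefix, suffix

def find_lookalikes(trusted, history, min_edge=4):
    """Flag counterparties that are not trusted but imitate a trusted address."""
    known = {normalize(t) for t in trusted}
    findings = []
    for tx in history:
        if normalize(tx["counterparty"]) in known:
            continue  # the genuine address, whatever its letter case
        for good in trusted:
            prefix, suffix = shared_edges(tx["counterparty"], good)
            # Assumption: wallets show only the first and last few characters,
            # so a match of min_edge characters at either end is suspicious.
            if prefix >= min_edge or suffix >= min_edge:
                findings.append({"counterparty": tx["counterparty"], "imitates": good,
                                 "prefix": prefix, "suffix": suffix,
                                 "zero_value": tx["value"] == 0})
                break
    return findings

# Constructed sample data, made up for this example.
TRUSTED = ["0x1a2b3c4d5e6f708192a3b4c5d6e7f8091a2b9f3e"]
HISTORY = [
    {"counterparty": "0x1A2B3C4D5E6F708192A3B4C5D6E7F8091A2B9F3E", "value": 5300},
    {"counterparty": "0x1a2b3c00112233445566778899aabbccddee9f3e", "value": 0},
    {"counterparty": "0x" + "ab" * 20, "value": 25},
]

if __name__ == "__main__":
    for f in find_lookalikes(TRUSTED, HISTORY):
        print(f)
```

A flagged entry only means the address resembles a trusted one at its edges; the full address shown on the Trezor still has to be compared before confirming.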
 
If you require further assistance, please contact us via our chatbot Hal, who will help resolve your issue.