Address poisoning, also known as address spoofing, is an attack vector that capitalizes on user carelessness and haste. Compared with other scams, such as unlimited token approvals or phishing for secret recovery phrases, address spoofing is less harmful. However, it can still result in a loss of funds.
The scammers target users of Ethereum and EVM chains such as Binance Smart Chain or Polygon. The attack aims to trick victims into transferring their assets to a fraudulent address that is designed to look very similar to their own. The attacker creates a “vanity address”, a custom address with a specific set of characters made to look similar to the intended recipient’s address.
When the victim carelessly copies the address from a previous transaction, they may accidentally send their assets to the fraudulent address instead. It's important to carefully confirm the address before making a transfer to ensure that assets are not accidentally sent to the wrong account.
Blockchain address spoofing can occur on any type of blockchain. However, blockchains such as Polygon, Avalanche, and Binance Smart Chain are often targeted because their low transaction fees make it cheap to run the scam against a large number of users.
Blockchains are a matter of public record, so it's very easy for scammers to find and choose a large number of addresses from any block explorer and send spoofed transactions to these addresses.
Update: Address poisoning scams continue to evolve. In addition to sending fake 0-value transactions, scammers are now also sending fake tokens that appear to be USDT but are actually worthless.
Furthermore, they have taken an additional step and are now sending transactions with tokens that have no value but appear to have a value. For instance, a user sent a legitimate transaction worth 5300 USDC, and the scammer imitated it by sending a transaction with a token that has no value but shows a value of 5300.
On Ethereum and other Ethereum Virtual Machine (EVM) blockchains, anyone is allowed to send any token from any address to any other address, as long as they do not exceed their allowance.
For example, if my allowance for the scammers is 0, and they send a token that looks similar to USDT but is actually a 0-value token, they can still send that token away from my account.
It is important to always double-check the address before making a transfer, even if the transaction appears to be for a legitimate token. If you are unsure about the legitimacy of a transaction, it is best to contact us via our chatbot Hal, who will help resolve your issue.
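A check that can be run over transaction history before copying an address from it, given here as an added example that is not part of the original article: it flags look-alikes of known addresses, zero-value transfers and unrecognized token contracts. The field names, the 4-character edge threshold and every address in it are assumptions constructed for illustration.

```python
import re
# Assumption: wallet UIs abbreviate addresses to about the first and last 4 hex chars.
EDGE = 4

def normalize(addr):
    """Lower-case a 20-byte hex address, rejecting anything malformed."""
    a = addr.strip().lower()
    if not re.fullmatch(r"0x[0-9a-f]{40}", a):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return a

def edge_match(a, b):
    """Return (matching leading hex chars, matching trailing hex chars)."""
    ha, hb = normalize(a)[2:], normalize(b)[2:]
    prefix = next((i for i in range(40) if ha[i] != hb[i]), 40)
    suffix = next((i for i in range(40) if ha[-1 - i] != hb[-1 - i]), 40)
    return prefix, suffix

def review_history(known_addresses, trusted_tokens, history):
    """Flag history entries that should not be used as a copy source."""
    known = sorted({normalize(a) for a in known_addresses})
    trusted = {normalize(t) for t in trusted_tokens}
    findings = []
    for tx in history:
        party, reasons = normalize(tx["counterparty"]), []
        if party not in known:  # same edges as a known address, different middle
            reasons += [f"look-alike of {k}" for k in known
                        if min(edge_match(party, k)) >= EDGE]
        if tx["amount"] == 0:
            reasons.append("zero-value transfer")
        if normalize(tx["token"]) not in trusted:
            reasons.append("untrusted token contract")
        if reasons:
            findings.append((tx["id"], reasons))
    return findings

# Constructed sample data (not real accounts or token contracts).
KNOWN = "0x52ab" + "1" * 32 + "9c3e"
SPOOF = "0x52AB" + "7" * 32 + "9C3E"  # same first/last 4 chars as KNOWN
TOKEN, FAKE_TOKEN = "0x" + "aa" * 20, "0x" + "bb" * 20
HISTORY = [
    {"id": "tx1", "counterparty": KNOWN, "amount": 5300, "token": TOKEN},
    {"id": "tx2", "counterparty": SPOOF, "amount": 0, "token": TOKEN},
    {"id": "tx3", "counterparty": SPOOF, "amount": 5300, "token": FAKE_TOKEN},
    {"id": "tx4", "counterparty": "0x" + "ab" * 20, "amount": 10, "token": TOKEN},
]
if __name__ == "__main__":
    print(*review_history([KNOWN], [TOKEN], HISTORY), sep="\n")
```

Comparing the full address rather than its abbreviated form is what separates `tx1` from `tx2` and `tx3`; the abbreviated forms of all three counterparties are identical.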