Hash (SHA 1): 221158eb736fa9ed3c6fb54451647bd73ca362c7
Number: Lianyuan Technology PandaLY Anti-Fraud Guide No.003
With the Federal Reserve’s announcement of a 50 basis point (50 BP) interest rate cut in September, a massive trading boom was triggered in the crypto market, and on-chain transaction data surged instantly. Amid the intense market volatility, investors rushed to adjust their asset portfolios, trying to seize this opportunity to obtain higher returns. However, with this wave of transactions comes not only the opportunity to grow wealth, but also security threats lurking in the dark. The PandaLY security team found that as trading volume soared, hackers were also active in secret, taking advantage of investors’ negligence in high-frequency trading, and the forged wallet address scam showed explosive growth.
Among the security cases we have received recently, the proportion of fraud cases involving forged wallet addresses has increased dramatically. This type of scam carefully forges a fake address that is similar to the last few digits of the user's real wallet address, inducing the user to accidentally transfer funds to a wallet controlled by the hacker when transferring on the chain. Since many users rely on memorizing the last few digits of the wallet address, or are accustomed to copying addresses from historical transaction records for transfers, this gives hackers an opportunity to take advantage of it, resulting in a large amount of funds falling into the hands of scammers unknowingly.
Behind this phenomenon, in addition to the intense market volatility, there are several key factors. First, investors' operating habits when transferring money on the chain make this type of scam extremely confusing, especially when the transaction data on the chain increases sharply, and users often lack the time and energy to carefully check. Secondly, these hacker techniques are becoming more and more sophisticated, and they can quickly generate fake addresses, and even accurately match the first or last few digits of the user's wallet, further increasing the concealment of the scam.
Therefore, in order to help investors transfer money safely and avoid scams in this wave of market enthusiasm, the PandaLY security team will analyze the operating mechanism of such scams in detail and reveal the technical principles behind them. At the same time, we will also provide you with a set of practical prevention guides to help you protect your digital assets from being infringed in high-frequency transactions.
1. Technical principles of forged wallet address fraud
Wallet address generation mechanism
In blockchain transactions, wallet addresses are the user's identity identifiers, and each address is unique, which ensures the security and immutability of transactions. However, generating wallet addresses with specific characters is not as complicated as imagined. Taking the Ethereum network as an example, the characters of each wallet address are a hexadecimal number (0-9 and A-F), which means that if a hacker wants to generate a wallet address with the same last N characters, the probability of success is 1 in 16 to the Nth power.
Although this probability seems extremely low, for hackers, with the help of scripts and computing power, they can easily generate these fake addresses through traversal. For example:
The probability of generating a 4-bit identical address is 1/65536, and it can be generated within a few seconds using ordinary computing equipment and scripts.
The probability of having 5 identical digits in an address is 1/1048576. Although the difficulty has increased, it can still be generated in a shorter time with appropriate scripts and higher-performance devices.
The probability of having 7 identical digits in an address is only 1/268435456. Hackers would need more powerful computing power and longer traversal time, but it is technically not impossible.
According to recent statistics, the PandaLY security team analyzed some cases of forged addresses and found that most of the fake addresses generated by hackers are the same as the last 5 to 7 digits of the target address. These fake addresses are often generated through a simple traversal method. Hackers only need a few hours or even days to generate enough fake address libraries and select targets for fraud.
Hacker’s fake wallet generation strategy
The hacker's attack strategy is very targeted. They usually choose high-net-worth users as their targets, especially those who frequently transfer large amounts on the chain and frequently interact between multiple wallets. Once these users are targeted, hackers will begin to deploy fake wallet addresses and continue to monitor the transaction behavior of these target users.
The hacker's attack steps are roughly as follows:
1 Identify the target: Hackers will use on-chain data analysis tools to screen out accounts that frequently conduct large transactions, especially those users with multiple interactive addresses.
2 Generate a fake address: Hackers use the traversal method to generate a wallet address with the same last few digits as the target address. Usually, hackers will generate multiple fake addresses to ensure that they can cover the wallets commonly used by the target user.
3 On-chain monitoring: Hackers monitor the transaction dynamics of the target account in real time. When the target account transfers funds, the hacker will immediately use a fake address to transfer the same amount to forge similar transaction records.
4. Confusing users: When users make their next transfer, they often copy the wallet address from the historical transaction record. If users only rely on memory or simply check the last few digits of the address, they are very likely to accidentally transfer funds to the hacker's forged wallet.
This attack strategy is extremely deceptive, especially in the case of high-frequency transactions, when users are usually less aware of the risks and are more easily confused by forged addresses. Once funds are transferred to a forged wallet, it is extremely difficult to track and recover them, often resulting in irreversible losses for users.
2. Analysis of the Scam
According to the latest data from the PandaLY security team, with the surge in on-chain transaction volume, fake wallet address scams have occurred frequently in recent days, especially on high-volume networks such as Ethereum and TRON. Fake wallet address fraud cases have increased by 45% in the past quarter, and most of the victims are high-frequency trading users. The fraud rate of such users is 35% higher than that of ordinary users, and these victims often mistakenly transfer funds to fake addresses when making multiple transfers in a short period of time.
In these cases, about 60% of the forged addresses have the same last 5 to 6 digits as the target address, and even 25% of the forged addresses match the last 7 digits of the target address. This high degree of matching is very confusing, making it easy for users to misjudge and transfer funds to wallets controlled by hackers. Once funds are transferred to a fake address, it is extremely difficult to recover them. The current fund recovery rate for such cases is only 15%, which further highlights the importance of preventive measures.
Through in-depth analysis of typical cases, the PandaLY team found that hackers usually use on-chain monitoring tools to accurately capture the transaction timing of target users and forge seemingly identical transaction records to confuse users' judgment. Especially those users who frequently conduct large transactions often only check the last few digits of the wallet address in an emergency, thus falling into the scam.
Scam implementation process
The core of the fake wallet address scam is that hackers use technical means to generate fake addresses with the same characters as the target address to confuse users. When users transfer funds on the chain, they usually rely on the wallet address quick copy function in the historical transaction records, which gives hackers an opportunity.
The specific process is as follows:
1. Hackers target users: Target users are usually those who frequently conduct large-value on-chain transactions.
2. Generate a fake address: The hacker traverses the script and generates a wallet address with the same last few digits as the target address.
3. Monitor transaction behavior: Hackers monitor the on-chain transactions of the target account in real time. When the user initiates a transaction, the hacker simultaneously initiates a transaction of the same amount to confuse the records.
4. User misoperation: When the user makes the next transfer, it is very likely that he will only check the last few digits of the wallet address, resulting in copying a forged address and mistakenly transferring funds to the hacker's wallet.
Address poisoning attack
In addition, since the object of encrypted asset transfer is a string of address hashes, users generally use the address copy function provided by the wallet or browser to paste and input the wallet address of the transfer counterparty. Since blockchain browsers and web3 wallet pages generally do not display the full addresses of both parties to the transaction, but display the first address with an ellipsis in the middle, if the phishing address is the same as the real counterparty address, the victim may easily mistake the phishing address as the address they really want to interact with for the transaction.
When conducting an address poisoning attack, the attacker will monitor the transaction information of stablecoins (such as USDT, USDC) or other high-value tokens on the chain, and use tools such as a fancy number generator (such as Profanity 2) to quickly generate a phishing address with the same first and last characters as the victim’s address.
According to the different principles of launching attack transactions, address poisoning phishing can be divided into the following three categories:
Zero transfer phishing
The zero transfer attack exploits the judgment condition of the transferFrom function on the authorization amount. When the number of tokens transferred is zero, the transaction can be successfully carried out and the event log of the token transfer will be issued even if the sender’s authorization is not obtained. When the blockchain browser and wallet monitor this event, they will display the token transfer transaction in the user’s transaction history.
The transfer initiator address is the victim’s own address, and the recipient address is a phishing address that is identical to the real recipient address[ 21 ]. If the victim is careless and directly copies the address of the historical transaction the next time he transfers money, it is easy to mistakenly copy it to the phishing address prepared by the hacker, thus transferring funds to the wrong account.
For this most basic address poisoning attack, we only need to identify transactions with zero transferred tokens.
In order to bypass the checks of wallets and blockchain browsers for zero-value transfers, small-amount transfer phishing and fake currency phishing have emerged.
Small transfer phishing
Small-amount attacks are a variation of zero-value transfer phishing. Unlike counterfeit currency attacks, small-amount attacks use real value tokens, which can bypass counterfeit currency checks, but the number of tokens transferred is often less than $1, which is one millionth or even less of the real transaction. Sometimes, in order to make the phishing transaction look more similar to the real transaction history, the phishing attacker will carefully design the transfer amount and replace the thousand separator of the real transaction amount with a decimal point.
The phishing attacker uses a counterfeit address with the same beginning and end to send fake coins with the above quantity characteristics to the target victim, so that the user mistakenly believes that the phishing address is the real transfer initiator address, and copies the address in subsequent transactions to transfer money to it.
Counterfeit currency phishing
When displaying the token transfer history, general blockchain browsers and wallets will use the value of the Symbol variable in the token contract as the currency name. The counterfeit coin attack takes advantage of the fact that the Symbol of the ERC-20 protocol token can be arbitrarily defined, and sets the Symbol string of the fraudulent token contract to the same string as high-value tokens or stablecoins such as USDT/WETH/USDC, and uses a high-imitation address with the same beginning and end to send counterfeit coins with the same number of real historical transactions to the target victim, causing the user to mistakenly believe that the phishing address is the real transfer initiator address, and copy the address in subsequent transactions to transfer money to it.
In addition, in order to save gas fees (especially on chains with expensive gas fees such as Ethereum), fraudsters performing address poisoning attacks generally deploy a phishing contract to transfer tokens to multiple victims in one transaction.
Why are users easily vulnerable?
When users frequently use on-chain browsers to search for transaction records, they often rely on the last few digits of the wallet address for quick confirmation, which becomes a major vulnerability exploited by hackers. Due to the transaction speed and frequency requirements, users often ignore the complete verification of the address, especially when conducting multiple similar transactions, which makes it easier to mistakenly transfer funds to the forged address generated by hackers.
This type of fraud takes advantage of the "simplified" habits of users, and this seemingly efficient operation method is actually very risky. In order to prevent such risks, users should fully check the wallet address every time they make a transfer, and never make a quick confirmation based on the last few digits of the address.
3. Measures to prevent fake wallet address scams
1. Don’t match wallet addresses based on memory alone
In blockchain transactions, users' operating habits often create opportunities for hackers. Many people rely on memory to check the last few digits of a wallet address when they frequently use it. On the surface, remembering the first or last few digits of the address seems to be a convenient way to simplify transactions, especially when users are used to fast operations. However, this habit is extremely dangerous. Hackers take advantage of this user's "laziness" and deceive users by generating fake addresses that are similar to some characters of the target address.
Not only that, hackers can even use technical means to generate pseudo addresses that are identical to the target address before and after, thereby further increasing the confusion. Just checking the first or last few digits of the address is not enough to ensure security. Hackers will quickly deploy similar addresses by monitoring on-chain activities and "take action" when the target user transfers money.
Therefore, the safest approach is to carefully check the entire address every time you transfer money, especially when making large transactions, to ensure that all characters are consistent. You can also use security plug-ins or automated tools to reduce potential errors in manual operations. In addition, regularly updating the transaction process and reminding yourself to pay attention to details are important steps to avoid being tricked by negligence.
2. Use the whitelist function
In order to deal with the problem of address confusion in frequent transactions, many mainstream wallets and trading platforms have launched a "whitelist" function, which is an extremely effective security measure. Through the whitelist function, users can save commonly used payment addresses to avoid manually entering addresses for each transaction, thereby reducing the risk of human input errors or being deceived by fake addresses.
On trading platforms such as Binance or Coinbase, users can set the payment address to a fixed address in advance, and after enabling the whitelist function, unauthorized new addresses cannot be added. In this way, even if hackers try to tamper with the address using phishing attacks, the funds will be safely transferred to the preset address in the whitelist.
For decentralized wallets (such as MetaMask), the whitelist function is equally important. Users can save frequently used addresses to avoid having to re-enter a long string of address characters for each transfer, reducing the possibility of misoperation. In addition, when trading on the chain, through this whitelist mechanism, users can quickly check and use verified addresses in a shorter time to ensure the security of each transaction.
The whitelist function not only effectively prevents manual errors by users, but also provides a convenient and safe operation experience for high-frequency traders. Regular maintenance and updating of the whitelist and deleting infrequently used or risky addresses are also key to improving security.
3. Purchase ENS (Ethereum Domain Name Service) address
ENS (Ethereum Name Service) is an innovative technology that allows users to bind complex Ethereum wallet addresses to short, easy-to-remember domain names. This provides users with an extremely convenient and secure solution, especially when they need to enter addresses frequently. By mapping the wallet address to an easy-to-remember ENS domain name (such as "mywallet.eth"), users no longer need to enter the 42-digit Ethereum address word by word, avoiding the risk of losing funds due to manual input errors.
However, ENS domain names are not permanently valid. Each ENS address has an expiration date, and users need to renew it regularly to ensure long-term use of the domain name. If the domain name expires and is not renewed, other people can register the ENS address, which may threaten the user's transaction security. Once an ENS address is registered by someone else, all transaction addresses bound to the ENS domain name may point to the hacker's wallet, resulting in financial loss. Therefore, after purchasing an ENS domain name, users need to set a renewal reminder to ensure timely renewal before the expiration date to avoid the address being registered by others.
At the same time, although ENS greatly simplifies address management, it also brings new security risks. If hackers register well-known or commonly used ENS addresses, they may use them for phishing activities. Therefore, users should carefully choose to purchase ENS domain names and regularly check their validity and bound address information.
In general, ENS is not only a tool to improve user experience, but also can be used as a security measure, but you still need to pay attention to renewal and maintenance issues when using it to prevent potential security risks. By using ENS appropriately, users can significantly reduce the possibility of input errors when transferring money and improve transaction security.
Conclusion
In summary, as the volatility of the crypto market intensifies, investors are facing unprecedented security risks while pursuing high returns, especially the proliferation of fake wallet address scams. Hackers use investors' operating habits and negligence to transfer large amounts of funds to their control by generating fake addresses that are very similar to real addresses. The PandaLY security team calls on investors to avoid relying on memory matching or copying addresses in historical records, and always carefully check every character. At the same time, make reasonable use of security tools such as whitelist functions and ENS addresses to strengthen the protection of funds. Safe investment is not a blind pursuit of high returns, but a strict precaution of every detail. Only by raising vigilance and improving operating habits can we achieve steady appreciation of assets in the crypto market full of opportunities and risks.
Lianyuan Technology is a company focused on blockchain security. Our core work includes blockchain security research, on-chain data analysis, and asset and contract vulnerability rescue. We have successfully recovered multiple stolen digital assets for individuals and institutions. At the same time, we are committed to providing industry organizations with project security analysis reports, on-chain traceability, and technical consulting/support services.
Thank you for reading, we will continue to focus on and share blockchain security content.
