Recently, several users reported that their assets had been stolen. At first, they were unsure how their funds had been stolen, but upon closer inspection, we discovered that this was a new type of airdrop scam.
Many of the victims' addresses were repeatedly airdropped tiny amounts of tokens (0.01 USDT, 0.001 USDT, etc.), and they were most likely targeted because their addresses were involved in high-value transactions and trading volume. The last few characters of the attacker's address are identical to the last few characters of the user's address. The goal is to trick the user into copying the wrong address from their transaction history, where addresses are usually shown truncated, and sending funds to it.
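The two defensive checks this mechanism calls for, as an added example (not SlowMist or MistTrack code): flag inbound dust from addresses that share their suffix with somewhere you normally send, and refuse a destination at send time unless it matches the address book exactly. The addresses below are constructed placeholders in TRON address shape, not the addresses from the incident; base58check checksums are not validated, and the 5-character suffix and 1 USDT dust limit are illustrative assumptions.

```python
"""Flag address-poisoning dust in a wallet's transfer history and refuse
look-alike destinations at send time.

Added example, not SlowMist or MistTrack code. All addresses below are
constructed placeholders in TRON address shape (34 base58 characters, leading
'T'); they are NOT the addresses from the incident, and base58check checksums
are not validated here. Thresholds (5-character suffix, dust <= 1 USDT) are
illustrative assumptions.
"""
from dataclasses import dataclass
from decimal import Decimal

# Base58 alphabet used by TRON addresses (no 0, O, I, l).
BASE58 = set("123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz")


@dataclass(frozen=True)
class Transfer:
    sender: str
    receiver: str
    amount: Decimal  # token units, USDT here


def plausible_tron_address(addr: str) -> bool:
    """Shape check only: 34 chars, starts with 'T', base58 alphabet."""
    return len(addr) == 34 and addr[0] == "T" and all(c in BASE58 for c in addr)


def lookalike(a: str, b: str, suffix_len: int = 5) -> bool:
    """Two *different* addresses that share their last `suffix_len` chars."""
    return a != b and a[-suffix_len:] == b[-suffix_len:]


def find_poisoning(my_addr, history, address_book, suffix_len=5,
                   dust_limit=Decimal("1")):
    """Return (dust_sender, impersonated_address) pairs.

    A transfer is flagged when it is inbound to my_addr, dust-sized, from an
    address that is not in the address book but shares its suffix with an
    address that is (a vanity look-alike of somewhere I normally send).
    """
    alerts = []
    for t in history:
        if t.receiver != my_addr or t.amount > dust_limit or t.sender in address_book:
            continue
        for trusted in address_book:
            if lookalike(t.sender, trusted, suffix_len):
                alerts.append((t.sender, trusted))
    return alerts


def safe_destination(dest, address_book):
    """Exact match against the address book; a matching suffix is never enough.
    Returns (ok, reason)."""
    if not plausible_tron_address(dest):
        return False, "malformed address"
    if dest in address_book:
        return True, "exact address-book match"
    for trusted in address_book:
        if lookalike(dest, trusted):
            return False, f"look-alike of {trusted}: only the suffix matches"
    return False, "not in address book"


def mk(prefix, body, suffix):
    """Build a constructed 34-char placeholder address (padded with '1')."""
    return prefix + body.ljust(34 - len(prefix) - len(suffix), "1") + suffix


# Constructed sample: I send from ME to DEPOSIT; two vanity addresses copy
# DEPOSIT's last five characters and dust ME; one unrelated airdrop does not.
ME = mk("TE", "sender", "Ab12c")
DEPOSIT = mk("TW", "mydeposit", "dWfKz")
LOOKALIKE = mk("TX", "scammer", "dWfKz")
ADDRESS_BOOK = {DEPOSIT}
HISTORY = [
    Transfer(ME, DEPOSIT, Decimal("50000")),
    Transfer(LOOKALIKE, ME, Decimal("0.01")),
    Transfer(mk("TX", "scammer2", "dWfKz"), ME, Decimal("0.001")),
    Transfer(mk("TR", "randomairdrop", "Zz9Qq"), ME, Decimal("0.001")),
    Transfer(DEPOSIT, ME, Decimal("0.5")),  # inbound from a trusted address
]

if __name__ == "__main__":
    for sender, trusted in find_poisoning(ME, HISTORY, ADDRESS_BOOK):
        print(f"dust from {sender} imitates {trusted}")
    print(safe_destination(LOOKALIKE, ADDRESS_BOOK))
    print(safe_destination(DEPOSIT, ADDRESS_BOOK))
```

The point of `safe_destination` is that it never treats a shared prefix or suffix as evidence of identity: the only way to get `True` is a byte-for-byte match with an address-book entry, which is exactly what the address-book recommendation at the end of the article buys you.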
Related Information
Attacker address 1: TX…dWfKz
User address 1: TW…dWfKz
Attacker address 2: TK…Qw5oH
User address 2: TW…Qw5oH
MistTrack Analysis
Let's start with an overview of the two attacker addresses:
The attacker's address (TX…dWfKz) and the user's address (TW…dWfKz) both end in dWfKz. Even after the user mistakenly sent 115,193 USDT to the wrong address, the attacker kept airdropping 0.01 USDT and 0.001 USDT to the victim address, now from two new addresses that also end in dWfKz.
The same thing happened to the second victim. The attacker's address (TK…Qw5oH) and the user's address (TW…Qw5oH) both end in Qw5oH. The victim mistakenly sent 345,940 USDT to the wrong address, and the attacker continued to airdrop 0.01 USDT to the victim address from a new address that also ends in Qw5oH.
Next, we'll examine attacker address 1 (TX…dWfKz) using our AML platform MistTrack. As shown in the figure below, attacker address 1 airdrops 0.01 USDT and 0.02 USDT to various target addresses, all of which have interacted with the address that ends in dWfKz.
Looking back, we can see that the funds for these airdrops came from the address TF…J5Jo8, which transferred 0.5 USDT to attacker address 1 on October 10.
Preliminary analysis of TF…J5Jo8:
This address sent 0.5 USDT to nearly 3,300 addresses, indicating that each of these receiving addresses could be an address used by the attacker for airdrops. So we decided to select one address at random to verify this theory.
MistTrack was used to analyze the last address on the above chart, TX…4yBmC. As shown in the figure below, the address TX…4yBmC is used by the attacker to airdrop 0.01 USDT to multiple addresses that end in 4yBmC.
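The tracing steps just described (look back from a dusting address to the address that seeded it, enumerate the other addresses that funder seeded, and check whether they behave the same way) can be run over any transfer log. Below is an added example of that logic, not MistTrack output or SlowMist code; the log is constructed, the labels such as "hub-A" are placeholders rather than the addresses in the incident, and the seed and dust thresholds are illustrative assumptions.

```python
"""Trace a dusting campaign back to its funding hub from a transfer log.

Added example, not MistTrack output or SlowMist code. The transfer log is
constructed: one hub seeds many fresh addresses with the same small amount and
those addresses then spray dust, while an unrelated address tops up customers
who go on to make normal-sized payments. Labels such as "hub-A" are
placeholders, not the addresses from the incident; the thresholds are
illustrative assumptions.
"""
from collections import defaultdict
from decimal import Decimal

SEED_MAX = Decimal("1")     # hub-to-child funding (0.5 / 0.6 USDT in the case)
DUST_MAX = Decimal("0.05")  # airdrop size (0.001 to 0.02 USDT in the case)


def build_graph(transfers):
    """transfers: iterable of (sender, receiver, amount).
    Returns sender -> [(receiver, Decimal amount)]."""
    out = defaultdict(list)
    for sender, receiver, amount in transfers:
        out[sender].append((receiver, Decimal(str(amount))))
    return out


def seeded_by(out, hub):
    """Addresses that received a seed-sized transfer from hub."""
    return {r for r, amt in out.get(hub, []) if amt <= SEED_MAX}


def is_duster(out, addr, min_targets=3):
    """All outbound transfers are dust and reach at least min_targets addresses."""
    edges = out.get(addr, [])
    targets = {r for r, _ in edges}
    return len(targets) >= min_targets and all(amt <= DUST_MAX for _, amt in edges)


def find_funding_hubs(out, min_children=10, min_duster_ratio=0.8):
    """Return {hub: (seeded_count, duster_count)} for senders that seed many
    addresses which then mostly behave as dusters."""
    hubs = {}
    for hub in list(out):
        children = seeded_by(out, hub)
        if len(children) < min_children:
            continue
        dusters = sum(1 for c in children if is_duster(out, c))
        if dusters / len(children) >= min_duster_ratio:
            hubs[hub] = (len(children), dusters)
    return hubs


def funders_of(out, addr):
    """Reverse lookup: every sender that transferred to addr."""
    return {s for s, edges in out.items() for r, _ in edges if r == addr}


def siblings(out, duster):
    """The 'look back' step: other addresses seeded by the same funder(s),
    candidates for the same campaign (the set includes duster itself)."""
    result = set()
    for f in funders_of(out, duster):
        result |= seeded_by(out, f)
    return result


def constructed_log():
    """Constructed transfer log, not chain data."""
    log = []
    for i in range(20):
        d = f"duster-{i:03d}"
        log.append(("hub-A", d, "0.5"))
        if i < 19:  # the last seeded address has not started spraying yet
            for j in range(4):
                log.append((d, f"target-{i:03d}-{j}", "0.01"))
    for i in range(15):
        c = f"cust-{i:02d}"
        log.append(("exchange-hot", c, "0.5"))  # small top-up, then a normal payment
        log.append((c, "merchant", "1200"))
    return log


TRANSFERS = constructed_log()
GRAPH = build_graph(TRANSFERS)

if __name__ == "__main__":
    print(find_funding_hubs(GRAPH))               # expected: {'hub-A': (20, 19)}
    print(sorted(siblings(GRAPH, "duster-003")))  # the other seeded addresses
```

The ratio threshold matters: a legitimate service that sends many small identical transfers (fee top-ups, refunds) also fans out from one address, but its recipients go on to make ordinary-sized payments, so it is not reported as a hub. A seeded address that has not sprayed yet still shows up as a sibling, which is how the article's "pick one at random and verify" step generalizes.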
Let's look at attacker address 2 (TK…Qw5oH): it airdropped 0.01 USDT to multiple addresses, and its initial funding of 0.6 USDT came from TD…psxmk.
As you can see from the graph below, the attacker also sent 0.06 USDT to TD…kXbFq, and that address interacted with an FTX user's deposit address that ends in Qw5oH.
So let's reverse the process and see which other addresses have interacted with TD…kXbFq, and whether any of them were airdropped to by addresses that share their final characters.
Once again, we'll choose two addresses at random to test the theory (for example, the Kraken deposit address TU…hhcWoT and the Binance deposit address TM…QM7me).
Unfortunately, the scammer was able to deceive some unsuspecting users into sending them their funds.
Summary
This article focuses on how a scammer exploits users who copy an address from their transaction history without verifying the entire address. The scammer generates an address that ends with the same characters as the user's address and regularly airdrops small amounts of tokens to the user's address, so that the forged address appears in the user's recent history. All of this is done in the hope that the user will copy the fake address and send their funds to the scammer the next time.
SlowMist would like to remind everyone that, because blockchain records are immutable and on-chain operations are irreversible, you should double-check the full address, not just its first and last few characters, before sending. Users are also encouraged to use the address book feature in their wallet so that they do not need to copy an address each time.