Key takeaways

  • Address poisoning is an increasingly common crypto scam. It leverages the transparency of public blockchains to “poison” addresses that interact frequently, in an attempt to trick victims into sending funds intended for a familiar address to the scammer instead.

  • The Binance security team closely monitors new threats to protect its users, and has developed a unique algorithm to detect address poisoning. It has thus managed to report more than 15 million spoofed addresses to date on the Ethereum and BSC networks. 

  • To avoid falling into the trap of this scam, you just need to adopt certain simple security principles during transfers and use common sense.

Address poisoning, or address spoofing, is a new and growing scam affecting cryptocurrencies. Criminals leverage the transparency of public blockchains to identify pairs of addresses that often exchange funds and “poison” the transaction history of one of them by sending it a small amount of crypto from an address that is similar, but not identical, to that of their usual counterparty. The perpetrator hopes that the next time the victim is about to send funds to the usual address, they will unwittingly copy the "infected" character string and send their funds to the criminal.

But who would fall for such a basic trap? In fact, many more people than you think, because bad actors are deploying this tactic on a large scale. A few days ago, a trader lost roughly $68 million worth of cryptocurrencies in a single transaction due to a poisoned address.

These scams are nevertheless perfectly avoidable by applying certain simple security principles during transfers. Additionally, Binance's security team is here to provide additional protection against address poisoning: we have developed a unique method for identifying poisoned addresses, which helps us alert users before they send money to criminals. This tool was instrumental in identifying and reporting over 13.4 million spoofed addresses on BNB Smart Chain, and 1.68 million on Ethereum. Keep reading to learn more about it.

Poison the unwary

Crypto wallet addresses can contain up to 42 alphanumeric characters, and it's tedious to examine every character of the destination address when transferring crypto to a friend or withdrawing funds from an exchange platform to add them to a personal self-custodial wallet: sometimes this step is even omitted completely. Faced with the hodgepodge of seemingly random numbers and letters that make up classic addresses, the temptation is strong to rely on sticky notes.

For example, many crypto users only check the first and last characters of the address copied from their smartphone notes or transaction history, especially if they are sending funds to a wallet with which they have already interacted.

Address poisoning, also known as address spoofing, is a deceptive tactic in which scammers send small amounts of worthless cryptocurrencies, NFTs, or tokens from a wallet whose address replicates almost perfectly that of the recipient or of a frequent counterparty. This address then ends up in the target's transaction history, and that's where the real danger lies: if the victim has a habit of copying and reusing recent transaction addresses when sending cryptocurrencies, they may end up transferring their funds to the criminal's wallet.

Malicious actors scan public blockchains to identify potential victims, paying particular attention to address pairs that interact frequently. Such scams can occur on any blockchain, but Ethereum and networks such as Polygon, Avalanche, and BNB Smart Chain are particularly vulnerable due to relatively low transaction fees that allow fraudsters to deploy their schemes cheaply and on a large scale.

Scammers use personalized address generators, services that allow users to personalize parts of their addresses to make them recognizable and “less random.” For example, a genuine Ethereum address like 0x19x30f…62657 could be spoofed using a similar-looking address: 0x19x30t…72657. The latter can be completely different from the intended address, while having the same first and last characters.

The Binance antidote

Recognizing that address poisoning was an emerging but increasingly common threat to cryptocurrency users, Binance security experts developed a process to identify and counter this danger. Our multi-step approach begins by examining network logs to distinguish typical transfers from questionable transfers, such as those with a transfer value of 0 or transfers of unrecognized tokens. 

We then match suspicious transfers to the regular transfers they appear to be targeting, based on similarities between the sending and destination addresses. Finally, we check that the timestamp of the regular transfer precedes that of the suspicious transfers: this allows us to detect the moment of the poisoning as well as the spoofed addresses on which the malicious actors expect to receive the victims' money.
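The three steps described above, sketched as an added example; it is not Binance's algorithm, which the article does not publish. The `Transfer` record, `MATCH_LEN`, the `KNOWN_TOKENS` allow-list and all addresses are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumptions of this sketch, not values from the article.
MATCH_LEN = 4                      # leading/trailing hex chars that must match
KNOWN_TOKENS = {"ETH", "USDT"}     # constructed allow-list of recognized tokens

@dataclass(frozen=True)
class Transfer:
    ts: int
    sender: str
    recipient: str
    token: str
    value: int

def looks_alike(a: str, b: str) -> bool:
    """Two different addresses sharing the same first and last hex characters."""
    a, b = a.lower()[2:], b.lower()[2:]  # drop the "0x" prefix
    return a != b and a[:MATCH_LEN] == b[:MATCH_LEN] and a[-MATCH_LEN:] == b[-MATCH_LEN:]

def is_suspicious(t: Transfer) -> bool:
    """Step 1: zero-value transfers or transfers of unrecognized tokens."""
    return t.value == 0 or t.token not in KNOWN_TOKENS

def find_poisoning(transfers):
    """Map spoofed address -> (victim, imitated address, first poisoning timestamp)."""
    regular = [t for t in transfers if not is_suspicious(t)]
    found = {}
    for s in sorted(filter(is_suspicious, transfers), key=lambda t: t.ts):
        for r in regular:
            if r.sender not in (s.sender, s.recipient):
                continue  # suspicious transfer is not in this sender's history
            other = s.recipient if s.sender == r.sender else s.sender
            # Step 2: look-alike of the usual counterparty; step 3: regular transfer came first.
            if looks_alike(other, r.recipient) and r.ts < s.ts:
                found.setdefault(other, (r.sender, r.recipient, s.ts))
    return found

# Constructed sample data: 40-hex-character placeholder addresses.
VICTIM, OTHER = "0x" + "a1" * 20, "0x" + "b2" * 20
USUAL, SPOOF, EARLY = ("0x19c3" + c * 32 + "2657" for c in "0fe")
SAMPLE = [
    Transfer(50, EARLY, VICTIM, "USDT", 0),        # look-alike, but before any regular transfer
    Transfer(100, VICTIM, USUAL, "USDT", 500),     # regular transfer
    Transfer(200, VICTIM, SPOOF, "USDT", 0),       # zero-value poisoning
    Transfer(250, SPOOF, VICTIM, "FAKEUSD", 900),  # unrecognized token from the same spoof
    Transfer(300, OTHER, VICTIM, "USDT", 0),       # zero-value, no address similarity
]
```

On the sample data, `find_poisoning(SAMPLE)` flags only `SPOOF`, with the poisoning timestamp of its first suspicious transfer.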

Once reported as spoofed, addresses are recorded in the database of HashDit, a Web3 security company and Binance security partner. Many crypto service providers use HashDit's API to strengthen their defenses against various scams, such as Trust Wallet, which leverages a database of poisoned addresses to alert users about to transfer funds to a recipient whose address has been the subject of spoofing. HashDit also offers user products such as web browser extensions and MetaMask Snaps; thus, Binance's efforts to report poisoned addresses have repercussions across the crypto ecosystem.

Thanks to Binance security experts' proactive approach to this threat, we have already reported over 15 million poisoned addresses to date across the BSC and Ethereum networks, and are adding 300,000 new intelligence entries on average each week to the database as criminals continue to attempt to trap unsuspecting cryptocurrency users.

Stay safe

As with any scam, the best way to protect yourself is to be aware of the criminals' tactics and put in place preventative measures that minimize your vulnerability. Here are some tips to help you avoid address spoofing attempts:

  • Check the address carefully: When sending cryptocurrencies, always take the time to check the recipient's full address, not just the first or last characters.

  • Save addresses you use frequently: Take advantage of wallet features that let you save trusted addresses and assign nicknames and QR codes to them to avoid copy-pasting.

  • Use name services: Use services like Ethereum Name Service (ENS), which provide shorter addresses that are more easily recognizable and harder for scammers to replicate.

  • Conduct test transactions: When transferring large amounts of digital assets, send a small amount first to ensure the recipient address is correct.

  • Beware of copying and pasting: Some malware is able to modify the contents of the clipboard to replace the address you copied with another address belonging to a scammer. Always check the address you just pasted, and remember to enter certain characters manually.

The increase in cases of address poisoning reminds us of the importance of constant vigilance in the field of digital assets. Getting into the habit of verifying the recipient's full address, using wallet features that record trusted addresses, using services like Ethereum Name Service (ENS), and making test transactions can significantly reduce your risk of being its next victim.

Proactive identification efforts such as those undertaken by the Binance security team are also of major importance, as they help flag spoofed addresses and preemptively alert users to potential scams. Protective measures and the dissemination of information about scams absolutely must be combined to raise public awareness of these constantly evolving threats.
