Topic: What are Address Poisoning Scams? (Read 671 times)

I am pretty sure that there is a large enough group of people that do it for it to be worth the time and effort for scammers to come up with schemes like address poisoning. If that wasn't the case, you wouldn't have people like this guy who lost millions. Besides, people lose hundreds of millions yearly on different crypto scams. A good amount from that isn't due to hacking, but social engineering scams they fall victims to.

I see if thats the case then its kinda dangerous. Good thing I am always copying from my own wallet either from app or something safe. Does anybody used a wallet from a transaction and copied it? Maybe he is just unlucky to use that from the explorer when checking his transaction but really too bad on his side.

It doesn't have to be fake coins and tokens. In the example of the person who lost tens of millions of dollars in wBTC, he didn't receive fake tokens. He received a 0-value ETH transaction because the Ethereum network allows it. That transaction now shows up at the top of their wallet's transaction history. If they make a mistake and copy the address from there, thinking it's a different one, they will send their coins to a scammer.

Don't take shortcuts and you should be fine. These scams are successful because people are lazy to do things right.   

I see thats why there are some few transactions sent to our address. Anyway as long as we dont interact with these fakes coins or tokens that we knew we didnt sign up or do will be safe but sometime with clutters on our wallet we likely seen some of these and thought of it as legit.

Too many same name coins I received from to my wallet and obviously they are fake cause it can be seen on our wallets as flagged scam sometimes.

Dust attacks and address poisoning scams serve different purposes. Dust attacks are a means of trying to identify the users behind certain addresses by having them spend or consolidate the dust together with other coins in addresses connected to a verified identity. It's not a scheme to steal and scam people. Poisoning attacks are exactly that, a scheme to trick people and steal from them.    

That's not very likely to happen. These altcoins are account-based, not UTXO-based. Like I said previously, it's very likely you are using the same altcoin address for all your tokens. You can't freeze 1 cent of unwanted ETH in an address that holds the rest of your ETH.

This is a good info actually, not everyone  using  a wallet is aware of this besides we have alot of visitors who might need it amd even some users. I know people see it to be so dump to copy address from history but what you think might be so dumb to you, some still do it because they are ignorant  of it.
However I feel this is like a younger sibling   to dust attack although they both have the word "dust" involve .
In my view actually, this address  poisoning can also serve as dust attack  so far the user only needs to spend the coin sent with or without additionals... extra measures could be taken on addresses poisoning transaction like placing the new coin or new token address under coin control by not spending it or freezing the address entirely if there's choice for multiple adress .

Tell your friend to not use transaction histories for information about destination addresses. He may never run into problems, but it could also happen the next time he does it. I see no reason to gamble like that.

There is no reason why poisoning scams couldn't be used in Bitcoin and against Bitcoin users. But there a few reasons why they are less effective:

1. They cost more. Compared to Ethereum, Polygon or BSC, you have to pay more in fees to transfer Bitcoin. It might be enough to pay a few cents on alternative networks, but you may need $1 or $2 for bitcoin and maybe much more.

2. Bitcoin has a dust threshold. There is a minimum amount of satoshis that you have to send, which is known as the dust limit. I think 0-value outputs were possible on the Bitcoin network in the past but not anymore. Or, if they are, they are non-standard. Many alternative chains allow 0-value transactions.

3. Bitcoin isn't account-based. With Ethereum, Tron, etc., you have one account for the native coins and you use the same account for all your tokens. With Bitcoin, you have outputs spread across multiple addresses. Address reuse isn't popular for privacy reasons. Also, it doesn't save you any money to use the same address over and over again. You can't target a Bitcoin address as easy in an attempt to fool the user like you would for those alternative chains. If you and me did some trades, I would give you a new BTC address every time. But if we used ETH, all transactions would probably go into the same address even if its tokens and not the native coin.   

4. It's harder to generate similar-looking Bitcoin addresses. I am not an expert in this topic, but I think it takes more computational power to generate a similar-looking Bitcoin address compared to an Ethereum one, for example. And it gets exponentially harder the more unique custom characters you want. It's also close to impossible to make the last characters identical (like in the example of the person who lost +$70 million) because there is a checksum.   

When you need $10 for each address you try to lure into this scam it suddenly becomes really expensive to launch such an attack, plus the lack of activity, on BTC people don't deal with the other 100 confusing tokens and airdrops.
There are cases of the same kind of attacks with BTC but it's all a matter of how profitable they are.


It's just 70 million, let me copy the address from the history, not check it once more, what could get wrong, it's not like it's such a big sum anyhow, right? Probably the spammers are just as surprised as him.

Asking on behalf of a friend, is this address poisoning possible on a Bitcoin wallet? He is still copying addresses from his wallet transaction history, I want to know but I do tell him it's a bad practice, it is always better to copy from the receiver, either exchange or receivers themselves rather than your transaction history.

I was once a victim of this scam too, I lost a lot of money but after a few days I was able to get over the pain and learn my lesson, this happened on my Ethereum wallet though and I have always heard about Tron too but not Bitcoin.

The original topic of this thread also doesn't include Bitcoin in the list, maybe thats the case? I will be waiting for someone to reply me on this, maybe this address poisoning is only possible on smart contract-based blockchain projects.

An address poisoning scam involving wrapped bitcoin (wBTC) on the Ethereum network resulted in a victim losing over 1155 wBTC, worth $74 million currently. The scam happened on 3 May.

A little earlier, the victim received a 0-value transaction that was recorded in their transaction history. This transaction came from an address that had similar characters at the beginning and the end to the address the victim wanted to send the tokens to. Both addresses begin with "0xd9A1" and end with "853a91."

The victim wasn't careful and didn't check the whole address they were sending to. They probably copied the receiving address from their transaction history and ended up sending a fortune to a scammer.
It's a good lesson for everyone reading this. Don't be in a hurry, and take your time. Check the transaction data once or twice, and when you are sure everything is correct, check it a third time.


Read more about it here:
https://cryptopotato.com/costly-mistake-victim-loses-68-million-in-address-poisoning-scam/

Yes, they are vanity addresses. You can use your computational power to create a custom address for you. Of course, you can't customize the entire address, just a few characters. That's how it is for Bitcoin and I assume for other cryptocurrencies as well. Depending on the quality of your hardware, it can take a few seconds, minutes, or hours to create a custom vanity address with a few unique characters.

But I wouldn't play around with those. You will probably be reusing them, and you shouldn't for privacy reasons. There have also been various scams with fake vanity address generators.

How are these identical addresses are created?

I am not a crypto expert, so I don't know how creation of address works. Can we actually choose numeric numbers and alphabets of a address when we create them? Not all but the starting and ending part. I was just reading a topic of this address poisoning. And there was a mention of this thing "similar vanity address" (Address poisoning scams). I knew that seed phrase could be chosen manually, but now I see address could be also. I could be wrong though. Need some clarity here.

They could easily generate addresses on an open source using the profanity address generator, but there are I think vanity address generators, I think they could generate a custom prefix and suffix. They can generate a lot of addresses when I take a lot on how profanity works. There are issues I think on profanity where it could generate an address that is already owned by other users, but it was already abandoned by the creator because of the exploits.

We are all guilty of just looking at the first four or last character, I guess it is also possible on the Bitcoin network since you could just send micro-transactions as well.

My guess is that if you clicked on the confirm button, Binance would start checking your transaction data. They would look if you have the needed amount of coins in your wallet and that you are sending the BTC to a valid address. The entered address wouldn't pass the test. 1EZJTPt5thSBE8XaMGHHrePAt53DcQxdBg is a normal BTC address, 1EZJTPt5thSBE8XaMGHHrePAt53DcQxdBh is an invalid one. You can check that on any blockchain explorer. Enter the first one, and it will show you its transaction history. But for the second one, the site will tell you that the address doesn't exist or is invalid (depending on what type of error the service was configured to show).

You can easily check that with a software or hardware wallet. The client shouldn't allow you to create the transaction using the 2nd addy. When you send BTC through Ledger Live, the first step is entering the receiving address. When you enter a correct one, the continue button gets enabled. Paste a non-existing one and you won't be able to click on continue, and an error message informs you that you made a mistake.

Don't take my word for it, but I think it was nothing at all over Tron. You would get 0 USDT, for example. Nothing else.

Isn't it micro transactions? like, for example, sending 0.000001 TRX is it possible to receive nothing in a wallet by just paying fees? I think it wouldn't register on your transaction history if it doesnt have value.


I think they are using tools like a profanity address generator, which could generate a custom prefix and suffix.

Tested this on binance and binance doesn't seem to warn the users in this case. Just used a random address.

Correct address : 1EZJTPt5thSBE8XaMGHHrePAt53DcQxdBg
Wrong address : 1EZJTPt5thSBE8XaMGHHrePAt53DcQxdBh

Replaced the last character alone and binance accepted it. I didn't proceed with the payment authentication but do you think they would have warned us after the authentication ?

Bitcoin addresses (I assume similar rules apply to the addresses of other cryptocurrencies) have a 4-byte checksum in the end. That number sequence protects against making copy/paste mistakes with addresses. Take a BTC address, paste it into your wallet software and change one of its characters, and the software will tell you that the address is invalid or non-existing. And you can't send to such an address, maybe not even with the worst type of wallet. More than only one character would have to change for the checksum to be OK: 

No it's definitely very hard to get more than 20 similar characters but there are two things to consider

1. May be the scammer can get 8 characters same i.e. the first 4 and last 4 characters.
Many people just check the first few and last few characters but tend to avoid the middle ones.

2. Just one different character is enough to send the amount to a different address.
May be we made a mistake in copy pasting or something but even if one character is wrongly entered then there are possibilities that the amount will be lost.

As for checking every character manually part it's quite easy. I have a strong short term memory and can remember 5-6 characters at once immediately.
So I verify the address 5 characters at a time and the whole address is verified by every character in not more than 30 seconds.
Would you risk your BTC for 30 seconds or lets say 1 minute ?

I don't think they can duplicate 20. But the problem is, if you check only the first 3-4 and the last 3-4, how are you going to know if the rest matches or not?

I can't remember the thread where this was discussed but it was probably in the technical Bitcoin boards. Someone created a discussion showing that scammers can match more than the usual couple of starting and ending characters in a bitcoin address from a huge pool of already generated addresses. I don't think it was used in a scheme to scam someone, but to show the current capabilities. Doublechecking only a few characters in the beginning and end is getting less and less safe. Do more for your own safety. 

The scammers didn't send anything at all. The transactions were empty, they only paid the network fees.

I'm just curious on this one.

Is it possible on the tron network that they can generate these type of wallet addresses so, this is like vanity addresses? where the first and last addresses can be modified depending on what are the characters they want to generate?

Honestly, I'm guilty on this one that I just look at the first and last characters of my addresses but this is for bitcoin and not with tron or any other altcoin.