
Topic: A very strange dust attack or an attempted robbery? - page 2. (Read 275 times)

legendary
Activity: 2436
Merit: 1362
This is what the scammers are banking on, people checking starting and ending digits
to addresses. I think the majority of people verify their sending addresses like this, it's convenient.

This type of attack seems complex and seems to rely as posted above on a deal of luck
but like a lot of scams they seem to work on the law of averages, somewhere and some
time someone will get tricked unfortunately.
legendary
Activity: 2968
Merit: 3684
Never seen this, now I know what it is called, but I figure you got the intent right. I've been guilty of double-triple-checking addresses only by checking with the first and last few characters, but it's rare for me anyway when sending to myself, to not mark the receiving address first from my own wallet.

I even make sure I choose an address in my list that I can easily recognise (usually a string of characters inside in my own language).

"Nice" to see people still haven't exhausted their creativity when it comes to trying to game Bitcoin... "not nice" that some people could very easily fall for that,
full member
Activity: 504
Merit: 212
This is Address poisoning attack. Not something new.
I had completely forgotten about it, I guess seeing the dust double spent threw me off. There are so many things weird with this particular attacker. This type of attack looks to have a very low success rate as it is, which means decreasing that "window of opportunity" to scam makes no sense. For example I wouldn't have seen this transaction if I had checked my wallet a couple of hours later.

By design double-spend attacks have a low success rate due to their complexity to execute. As you have mentioned you might have missed that transaction completely if you haven't checked your wallet within that specific timeframe. So the attacker needs to rely on their luck as well and a dust attack can put a red flag into the owner's mind that their wallet is targeted by a scammer. So they will be more cautious every time they do something with their wallet.
legendary
Activity: 3472
Merit: 10611
This is Address poisoning attack. Not something new.
I had completely forgotten about it, I guess seeing the dust double spent threw me off. There are so many things weird with this particular attacker. This type of attack looks to have a very low success rate as it is, which means decreasing that "window of opportunity" to scam makes no sense. For example I wouldn't have seen this transaction if I had checked my wallet a couple of hours later.

legendary
Activity: 3668
Merit: 6382
The best practice is to compare the full address rather than just checking the initials and final words of your address

That's the best approach every time one sends money.
But in this very case an even better approach is to not reuse address. Nowadays all the modern wallets are HD. It's safer to pick a completely different address from the wallet. This way the new address will probably not be similar with the attacker address and avoiding reuse is a good practice anyway.
hero member
Activity: 1386
Merit: 513
This looks like a Dusting Attack[1] but in a slightly different and extremely weird way!
.................
Feel free to share your thoughts on why would someone do something weird like this but my guess is that they hope someone would see the incoming transaction, then try to spend that output and their own coins but copy the attacker's address that looks similar instead of their own and send all their coins there so that the attacker can steal it!
This is Address poisoning attack. Not something new. I got to know about this scam a few months back and according to many studies these types of attacks have been useful for hackers/scammers because it helped them to scam a hell of a lot of money and AFAIK, I started to see topics related to this issue a few months back but the hype of this issue started from December 2022.

Scam with USDT TRC20 token
What are Address Poisoning Scams?

And you are 100% right about it, in such scams, the victim only falls prey to these attacks once he is used to copying the address from the last transaction made to his/her account. The best practice is to compare the full address rather than just checking the initials and final words of your address. When I got to know about this address, I always compare the whole address even if I have to make a smaller transaction too.
legendary
Activity: 3472
Merit: 10611
This looks like a Dusting Attack[1] but in a slightly different and extremely weird way!
The attacker seems to be searching the chain for funded addresses like [2] then uses a "brute force tool" similar to vanity address generators to find an address that looks similar to your address like [3] but they try to be sneaky and search for an address with matching beginning and end. Examples:

1LTaZWnFTAsTqBfkSEShSXEh5VTiWUKQh8 Someone's address holding 2.56BTC
1LTKTBLDQxxf5QvgRFMzuyPMnRUULCKQh8 Attacker's address

1GZ3EfTjHVxLqnKi7yhEGCoffdATJEKeR7 2.49BTC
1GZKQVjY21SAas1tjnibAHHHNF9B8nKeR7 dust

12XqeqZRVkBDgmPLVY4ZC6Y4ruUUEug8Fx 32,321BTC
12XgkRFEdE3oSvy4tzzp8jVtsdMATwg8Fx dust

1FZy7CPFA2UqqQJYUA1cG9KvdDFbSMBJYG 15,739BTC
1FZBQjXH1RhbfpYtA3LoVrzJKqiAWSBJYG dust

Then the attacker sends two dust amounts to these similar looking addresses in the same transaction (eg. 600 sat to you, 600 sat to their own address).

Feel free to share your thoughts on why would someone do something weird like this but my guess is that they hope someone would see the incoming transaction, then try to spend that output and their own coins but copy the attacker's address that looks similar instead of their own and send all their coins there so that the attacker can steal it!

But there are two weird parts involved in this "operation":
1. Usually in this type of attack they rely on the user's greed to rush them into making the mistake and send their coins to the attacker. For example one somewhat similar attack I've seen was to use some shittokens on Omni layer in an address empty of bitcoin and send the key to the user who would then get greedy and fund the key with bitcoin so they can spend the token but before they can do anything the attacker steals their bitcoins.
But there are no tokens involved here as far as I can tell (not even the scamjunk called Ordinals) and the amount they send the user is dust!
2. They didn't even let the dust amount remain in user's wallet. As you can see now, the transaction is already double spent and none of the addresses I shared above (the ones with high balances like 2.56) have the dust any more while the scammer's address holds slightly higher than 2x the dust limit possibly wanting to repeat the attack once again but this time the sender address and the change address and your address all 3 would look similar.

The only reason why I found this is because I received one of these transactions recently and was surprised when I saw the similar addresses in the output. The attacker seems to have given up on trying to scam the big whales though as the first couple of txs in the address are sent to those.

[1] https://bitcoin.stackexchange.com/questions/81508/deanonymizing-dust-attack
[2] https://blockchair.com/bitcoin/address/1LTaZWnFTAsTqBfkSEShSXEh5VTiWUKQh8
[3] https://blockchair.com/bitcoin/address/1LTKTBLDQxxf5QvgRFMzuyPMnRUULCKQh8
[4] bc1qfyftjfs2aufq566mlwldkzgl9v6rxqqg7ta75p
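
Added example (not part of the original post or thread): a small Python check for the pattern described above, where one transaction pays dust to your address and to an address sharing its first and last characters. The address pairs are the ones quoted in the post; the transactions, txids, dust threshold and function names are constructed assumptions.

```python
import os.path

DUST_SATS = 1000   # assumption: outputs at or below this are treated as dust
MIN_PREFIX = 3     # leading characters that must match (includes the "1")
MIN_SUFFIX = 4     # trailing characters that must match

def shared_affixes(a, b):
    """Return (prefix_len, suffix_len) of the characters a and b share."""
    # commonprefix compares character by character, so it works on any strings
    prefix = len(os.path.commonprefix([a, b]))
    suffix = len(os.path.commonprefix([a[::-1], b[::-1]]))
    return prefix, suffix

def is_lookalike(mine, other):
    """True if other is a different address that passes a first/last check."""
    if mine == other:
        return False
    prefix, suffix = shared_affixes(mine, other)
    return prefix >= MIN_PREFIX and suffix >= MIN_SUFFIX

def find_poisoning(own_addresses, transactions):
    """Return (txid, own, lookalike) for txs paying dust to us and a lookalike."""
    findings = []
    for tx in transactions:
        for mine, sats in tx["outputs"]:          # outputs: (address, sats)
            if mine not in own_addresses or sats > DUST_SATS:
                continue
            for other, _ in tx["outputs"]:
                if is_lookalike(mine, other):
                    findings.append((tx["txid"], mine, other))
    return findings

PAIRS = [  # (funded address, similar address) exactly as listed in the post
    ("1LTaZWnFTAsTqBfkSEShSXEh5VTiWUKQh8", "1LTKTBLDQxxf5QvgRFMzuyPMnRUULCKQh8"),
    ("1GZ3EfTjHVxLqnKi7yhEGCoffdATJEKeR7", "1GZKQVjY21SAas1tjnibAHHHNF9B8nKeR7"),
    ("12XqeqZRVkBDgmPLVY4ZC6Y4ruUUEug8Fx", "12XgkRFEdE3oSvy4tzzp8jVtsdMATwg8Fx"),
    ("1FZy7CPFA2UqqQJYUA1cG9KvdDFbSMBJYG", "1FZBQjXH1RhbfpYtA3LoVrzJKqiAWSBJYG"),
]
SAMPLE_TXS = [  # constructed transactions; txids are placeholders
    {"txid": "tx-dust", "outputs": [(PAIRS[0][0], 600), (PAIRS[0][1], 600)]},
    {"txid": "tx-normal", "outputs": [(PAIRS[0][0], 250000), (PAIRS[1][0], 90000)]},
]

if __name__ == "__main__":
    for txid, mine, other in find_poisoning({PAIRS[0][0]}, SAMPLE_TXS):
        print(f"{txid}: {other} imitates {mine} {shared_affixes(mine, other)}")
```

All four pairs from the post share exactly 3 leading and 4 trailing characters, which is why a first-and-last-few check cannot tell them apart while a full comparison can.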