Topic: A very strange dust attack or an attempted robbery? (Read 275 times)

legendary
Activity: 3472
Merit: 10611
besides he just copied first 2 and last 4 characters.
Yeah, it's the poor man's scam for sure.
The scammer probably had a slow machine that couldn't brute force more than 2 from the start and 4 checksum characters. In fact the fourth letter was the first thing I noticed that helped me recognize the difference.
legendary
Activity: 1568
Merit: 6660
It seems that the attacker is not making any vanity bech32 addresses according to the explanation in OP, just legacy addresses.

I mean what is this guy thinking. Does he really think some random guy is going to send money to address he just got sats from? Most likely what will happen is they will just keep the sats and not send it anywhere. It's a pretty lame scam attempt that won't work at all - besides he just copied first 2 and last 4 characters.
sr. member
Activity: 966
Merit: 306
I believe what @albert0bsd means by "block" is to either "freeze" or "hide" these outputs either manually or automatically so that you don't see them when spending from your wallet to avoid such mistakes. For example Electrum has manual output/coin freezing option.
You are right.
To freeze an address, right click on that address, choose Freeze.
To freeze an UTXO, right click on that address, choose Add to Coin control. Then on Coins tab, right click on an UTXO, choose Freeze (two options, Freeze coins; Freeze address).

Dust Attack, what it is, why it is dangerous and how to prevent falling to it
Freeze an address in Electrum
Guide to freeze address in Electrum wallet
legendary
Activity: 3542
Merit: 1965
It surely is a lot of trouble for the small chance that people will actually "copy&paste" the wrong address? In any way, since the "Clipboard" attacks, I am double checking all addresses I use, before I click on the "enter" button, because I know they try things similar to this in that hack.

It is sad that people will go so far and put in so much effort to steal people's money, when they have the skills to work for that money. I guess it is easier to steal, than making an honest living these days.
hero member
Activity: 644
Merit: 661
- Jay -
I'm confused about where they get those thousands of addresses for dust attacks.

Technically, I don't know how this works further with them but I think this is a waste of time since we know most people will always double-check transactions before sending or transferring to another address.
There are ways they can do that.

Most people will most of the time double check just the first and last few words, there can still be loopholes which scammers can exploit. Scammers are after the few times where we forget to double check or after those users that do not check at all.

I believe what @albert0bsd means by "block" is to either "freeze" or "hide" these outputs either manually or automatically so that you don't see them when spending from your wallet to avoid such mistakes. For example Electrum has manual output/coin freezing option.
AFAIK some wallets allow one to do this manually after they have already received the dust transaction or any type of transaction that they will not want to be mixed with their other outputs, but I do not know of any automatic way to do this, where an incoming transaction gets automatically frozen based on some preset rules, like:
- less than a certain amount of sats or,
- from a certain address.

This will be useful, but I do not know if it is available now.

- Jay -
legendary
Activity: 3472
Merit: 10611
-Using a good wallet that lets you block incoming dust transactions is a smart move.
You cannot block incoming tx's into your wallet, in other words you can't stop someone from sending you BTC's.
I believe what @albert0bsd means by "block" is to either "freeze" or "hide" these outputs either manually or automatically so that you don't see them when spending from your wallet to avoid such mistakes. For example Electrum has manual output/coin freezing option.
sr. member
Activity: 966
Merit: 306
They move from altcoins to Bitcoin but use the same method for Address Poisoning Attacks.

Metamask: Address Poisoning scams

In recent years I have seen many exchanges upgrade their systems to remind users to check the first and last characters of the address they are sending cryptocurrency to. In addition, if possible and if you have time (I surely have time because it's my money), checking all characters or some characters in the middle of the address is useful to avoid Address Poisoning scams.

How to lose your Bitcoins with CTRL-C CTRL-V. Copying some characters from the middle of the address and finding them in the receiving address is helpful too.
legendary
Activity: 2492
Merit: 1232
I'm confused about where they get those thousands of addresses for dust attacks.

Technically, I don't know how this works further with them but I think this is a waste of time since we know most people will always double-check transactions before sending or transferring to another address.

I remember last year one of my Bitcoin addresses was part of a dust attack but I successfully withdrew it and nothing happened.

By the way OP, thanks for sharing this.
hero member
Activity: 2212
Merit: 805
People selected their address from the transaction history! Why Someone would do that when they could select their address from the receive button. Such careless people are the victims in most of the cases, I think. It is pretty annoying to cross-check every character, so I think name service is the most convenient way for a user. I am not sure if there is any for making transactions with bitcoin or not, but it is pretty popular in EVM-based blockchain.

Name services are cool but they're not well integrated into platforms that support EVM-based services and I haven't heard about any for Bitcoin. I'm not surprised that some users still fall victim to these kinds of attacks, and there's the clipboard hack as well that lets a user copy their address but, when it's time to paste, pastes a similar address like the ones posted in OP that has almost or the same first and last few characters.

Only way is for users to take full responsibility and be super careful whenever they want to spend BTC.
hero member
Activity: 862
Merit: 662
You cannot block incoming tx's into your wallet, in other words you can't stop someone from sending you BTC's.

Yes, you are right, we can't block those input TXs. What I meant was to hide it, or at least to have a way to block the UTXO, preventing it from being spent to another of our own addresses.

And yes, just like you said, we can spend it without problem to another address as payment to someone else; we can say, thanks for paying our fees.
legendary
Activity: 1064
Merit: 1228
I'm not sure how many users are fooled by these strange attacks - but I think it's true that the success rate of these attacks is very low. In fact I'm sure some of the destination addresses are addresses that were never actually used and those dust transactions were the only transactions available in history.

For example, for this address: https://blockchair.com/bitcoin/address/1GZKQVjY21SAas1tjnibAHHHNF9B8nKeR7

Quote
1GZ3EfTjHVxLqnKi7yhEGCoffdATJEKeR7 2.49BTC
1GZKQVjY21SAas1tjnibAHHHNF9B8nKeR7 dust


hero member
Activity: 994
Merit: 1089
I have my address linked on a favorite page in the browser, for example in blockchair or whatever, also in ninjastatic; if you put an address here in the forum it can work. So I only copy-paste the address from there.
These are not recommended places to copy your wallet's address if you want to avoid this kind of attack. Copy your wallet address only from your wallet's addresses tab, or select or generate new addresses from your wallet's receive tab so you wouldn't reuse addresses, which is both bad for privacy and vulnerable to this attack.
-Never be too quick to spend funds you've received, especially if it's a small and strange transaction.
You can spend dust tx's and it is not risky to do so if you know what you are doing, sometimes dust attack is an attack on your privacy and a way an attacker can link your utxo's if you spend the dust utxo with the others in your wallet, using coin control is one way of spending dust tx's without losing your privacy.
-Using a good wallet that lets you block incoming dust transactions is a smart move.
You cannot block incoming tx's into your wallet, in other words you can't stop someone from sending you BTC's.
hero member
Activity: 2464
Merit: 594
This scenario is indeed unusual and suspicious, possibly indicating an attempted scam or a variant of a 'dusting attack' with a unique approach. The attacker's precise motive is misdirection: they aim to confuse users into sending their funds to the wrong address by generating addresses that closely resemble the legitimate ones. The attacker will succeed if the user accidentally copies the attacker's address instead of their own during a transaction.

This is new information to me, and I'm thankful I came across this thread to learn about it. Now that I'm aware of this type of trick, I'll be more cautious and double-check addresses to ensure they are identical when conducting Bitcoin transactions.
hero member
Activity: 862
Merit: 662
Thank you for sharing your post, as this kind of awareness is vital for ensuring the security of our satoshis.

Yes they expect that some less experienced users fall for it.

Some recommendations for new users will be:

-Never be too quick to spend funds you've received, especially if it's a small and strange transaction.
-Always make sure the FULL destination address matches where you want your money to go.
-Using a good wallet that lets you block incoming dust transactions is a smart move.
-You've gotta be careful, and don't rush into sending money without double-checking everything.

It's kind of frustrating that those scammers always try shady tactics, but by sharing info and educating others I think that we are doing good.

Regards!
sr. member
Activity: 602
Merit: 295
People selected their address from the transaction history! Why Someone would do that when they could select their address from the receive button. Such careless people are the victims in most of the cases, I think. It is pretty annoying to cross-check every character, so I think name service is the most convenient way for a user. I am not sure if there is any for making transactions with bitcoin or not, but it is pretty popular in EVM-based blockchain.

Name service is definitely a bad idea because it requires certain extensions or plugins to save them and generate a name for these alphanumerics. This kind of service is even more dangerous or easy to attack than randomly copying the address. Just like copying and pasting an address is prone to keyboard malware, this is too. It is more dangerous again because you definitely need to expose your address to the internet; an attacker can also tamper with such sites and change the address without you knowing through malware.
legendary
Activity: 3500
Merit: 6320
This is Address poisoning attack. Not something new....

But with GPUs getting more and more powerful it's starting to show up more since what would have used to be days or weeks of trying to get an address is now seconds.

You can import one of many lists of addresses with balances and then get 6 or 7 characters in just about no time.

I'm 100% sure there is some hack of vanitysearch out there that would do it. Heck VS might actually do it, I didn't look.

-Dave

full member
Activity: 504
Merit: 212
a dust attack can put a red flag into the owner's mind that their wallet is targeted by a scammer. So they will be more cautious every time they do something with their wallet.
Because you can't stop someone from sending you BTC's, any user with a BTC address can be attacked with a dust transaction, and it doesn't mean they are exactly targeted by scammers. Nevertheless it is easy to avoid dust attacks if you know what you are doing, addresses should never be selected from your transaction history and you should fully crosscheck all the characters in your address and not only the first and last characters.

People selected their address from the transaction history! Why Someone would do that when they could select their address from the receive button. Such careless people are the victims in most of the cases, I think. It is pretty annoying to cross-check every character, so I think name service is the most convenient way for a user. I am not sure if there is any for making transactions with bitcoin or not, but it is pretty popular in EVM-based blockchain.
sr. member
Activity: 616
Merit: 314
CONTEST ORGANIZER
Hi, thank you for sharing these cases and this information, very valuable for us.

First of all, one thing: I also do the check only with the start and the end part of the address, but when I heard about this kind of attack I did something to prevent myself from falling into this trap.

I have my address linked on a favorite page in the browser, for example in blockchair or whatever, also in ninjastatic; if you put an address here in the forum it can work. So I only copy-paste the address from there.

Is it OK to do this simple trick to avoid this attack? Or am I making a shit movement?
hero member
Activity: 994
Merit: 1089
a dust attack can put a red flag into the owner's mind that their wallet is targeted by a scammer. So they will be more cautious every time they do something with their wallet.
Because you can't stop someone from sending you BTC's, any user with a BTC address can be attacked with a dust transaction, and it doesn't mean they are exactly targeted by scammers. Nevertheless it is easy to avoid dust attacks if you know what you are doing, addresses should never be selected from your transaction history and you should fully crosscheck all the characters in your address and not only the first and last characters.
This type of attack seems complex and seems to rely as posted above on a deal of luck
Just like most scams, you have to be lucky that you get victims who don't know what they are doing.
legendary
Activity: 2702
Merit: 4002
I used to see such attacks on the Ethereum blockchain, where they exploit a loophole that allows sending zero transactions from your wallet, but such attacks can be solved at the level of explorer or the wallet, either by hiding dust transactions or preventing spending from them, although I suspected that these attacks would be random to this degree due to the need for extra resources in brute force.

Moving this topic to Beginners & Help would be better.
legendary
Activity: 2436
Merit: 1362
This is what the scammers are banking on, people checking starting and ending digits to addresses. I think the majority of people verify their sending addresses like this, it's convenient.

This type of attack seems complex and seems to rely as posted above on a deal of luck, but like a lot of scams they seem to work on the law of averages: somewhere and some time someone will get tricked, unfortunately.
legendary
Activity: 2968
Merit: 3684
Never seen this, now I know what it is called, but I figure you got the intent right. I've been guilty of double-triple-checking addresses only by checking with the first and last few characters, but it's rare for me anyway when sending to myself, to not mark the receiving address first from my own wallet.

I even make sure I choose an address in my list that I can easily recognise (usually a string of characters inside in my own language).

"Nice" to see people still haven't exhausted their creativity when it comes to trying to game Bitcoin... "not nice" that some people could very easily fall for that,
full member
Activity: 504
Merit: 212
This is Address poisoning attack. Not something new.
I had completely forgotten about it, I guess seeing the dust double spent threw me off. There are so many things weird with this particular attacker. This type of attack looks to have a very low success rate as it is, which means decreasing that "window of opportunity" to scam makes no sense. For example I wouldn't have seen this transaction if I had checked my wallet a couple of hours later.

By design double-spend attacks have a low success rate due to their complexity to execute. As you have mentioned you might have missed that transaction completely if you haven't checked your wallet within that specific timeframe. So the attacker needs to rely on their luck as well and a dust attack can put a red flag into the owner's mind that their wallet is targeted by a scammer. So they will be more cautious every time they do something with their wallet.
legendary
Activity: 3472
Merit: 10611
This is Address poisoning attack. Not something new.
I had completely forgotten about it, I guess seeing the dust double spent threw me off. There are so many things weird with this particular attacker. This type of attack looks to have a very low success rate as it is, which means decreasing that "window of opportunity" to scam makes no sense. For example I wouldn't have seen this transaction if I had checked my wallet a couple of hours later.

legendary
Activity: 3668
Merit: 6382
The best practice is to compare the full address rather than just checking the initials and final words of your address

That's the best approach every time one sends money.
But in this very case an even better approach is to not reuse address. Nowadays all the modern wallets are HD. It's safer to pick a completely different address from the wallet. This way the new address will probably not be similar with the attacker address and avoiding reuse is a good practice anyway.
hero member
Activity: 1386
Merit: 513
This looks like a Dusting Attack[1] but in a slightly different and extremely weird way!
.................
Feel free to share your thoughts on why would someone do something weird like this but my guess is that they hope someone would see the incoming transaction, then try to spend that output and their own coins but copy the attacker's address that looks similar instead of their own and send all their coins there so that the attacker can steal it!
This is Address poisoning attack. Not something new. I got to know about this scam a few months back and according to many studies these types of attacks have been useful for hackers/scammers because it helped them to scam a hell of a lot of money and AFAIK, I started to see topics related to this issue a few months back but the hype of this issue started from December 2022.

Scam with USDT TRC20 token
What are Address Poisoning Scams?

And you are 100% right about it, in such scams, the victim only falls prey to these attacks once he used to copy the address from the last transaction made to his/her account. The best practice is to compare the full address rather than just checking the initials and final words of your address. When I got to know about this attack, I always compare the whole address even if I have to make a smaller transaction too.
legendary
Activity: 3472
Merit: 10611
This looks like a Dusting Attack[1] but in a slightly different and extremely weird way!
The attacker seems to be searching the chain for funded addresses like [2] then uses a "brute force tool" similar to vanity address generators to find an address that looks similar to your address like [3] but they try to be sneaky and search for an address with matching beginning and end. Examples:

1LTaZWnFTAsTqBfkSEShSXEh5VTiWUKQh8 Someone's address holding 2.56BTC
1LTKTBLDQxxf5QvgRFMzuyPMnRUULCKQh8 Attacker's address

1GZ3EfTjHVxLqnKi7yhEGCoffdATJEKeR7 2.49BTC
1GZKQVjY21SAas1tjnibAHHHNF9B8nKeR7 dust

12XqeqZRVkBDgmPLVY4ZC6Y4ruUUEug8Fx 32,321BTC
12XgkRFEdE3oSvy4tzzp8jVtsdMATwg8Fx dust

1FZy7CPFA2UqqQJYUA1cG9KvdDFbSMBJYG 15,739BTC
1FZBQjXH1RhbfpYtA3LoVrzJKqiAWSBJYG dust

Then the attacker sends two dust amounts to these similar looking addresses in the same transaction (eg. 600 sat to you, 600 sat to their own address).

Feel free to share your thoughts on why would someone do something weird like this but my guess is that they hope someone would see the incoming transaction, then try to spend that output and their own coins but copy the attacker's address that looks similar instead of their own and send all their coins there so that the attacker can steal it!

But there are two weird parts involved in this "operation":
1. Usually in this type of attack they rely on the user's greed to rush them into making the mistake and send their coins to the attacker. For example one somewhat similar attack I've seen was to use some shittokens on Omni layer in an address empty of bitcoin and send the key to the user who would then get greedy and funds the key with bitcoin so they can spend the token but before they can do anything the attacker steals their bitcoins.
But there are no tokens involved here as far as I can tell (not even the scamjunk called Ordinals) and the amount they send the user is dust!
2. They didn't even let the dust amount remain in user's wallet. As you can see now, the transaction is already double spent and none of the addresses I shared above (the ones with high balances like 2.56) have the dust any more while the scammer's address holds slightly higher than 2x the dust limit possibly wanting to repeat the attack once again but this time the sender address and the change address and your address all 3 would look similar.

The only reason why I found this is because I received one of these transactions recently and was surprised when I saw the similar addresses in the output. The attacker seems to have given up on trying to scam the big whales though as the first couple of txs in the address are sent to those.

[1] https://bitcoin.stackexchange.com/questions/81508/deanonymizing-dust-attack
[2] https://blockchair.com/bitcoin/address/1LTaZWnFTAsTqBfkSEShSXEh5VTiWUKQh8
[3] https://blockchair.com/bitcoin/address/1LTKTBLDQxxf5QvgRFMzuyPMnRUULCKQh8
[4] bc1qfyftjfs2aufq566mlwldkzgl9v6rxqqg7ta75p
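
Added example (not part of the original post and not code from any wallet): a wallet-side check that flags outputs whose address shares a prefix and suffix with one of your own addresses, and marks small incoming outputs as freeze candidates, which is the automatic rule asked for elsewhere in this thread. The thresholds, function names and the sample transaction are assumptions; the two 1GZ… addresses and the 600 sat amount are the ones quoted in the post.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Output:
    address: str
    sats: int


def shared_prefix(a: str, b: str) -> int:
    """Number of leading characters two addresses have in common."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def shared_suffix(a: str, b: str) -> int:
    """Number of trailing characters two addresses have in common."""
    return shared_prefix(a[::-1], b[::-1])


def review_transaction(own, outputs, min_prefix=3, min_suffix=4,
                       freeze_below=1000):
    """Return (lookalikes, freeze_candidates) for one transaction.

    lookalikes: (foreign_address, own_address, prefix_len, suffix_len) for
    every output that is NOT ours but resembles one of our addresses.
    freeze_candidates: outputs paid to us below `freeze_below` sats.
    min_prefix counts the leading version character ("1" for legacy), so
    3 means "1" plus two matching characters. All thresholds are assumed.
    """
    lookalikes, freeze = [], []
    for out in outputs:
        if out.address in own:
            if out.sats < freeze_below:
                freeze.append(out)  # keep it out of future coin selection
            continue
        for mine in own:
            p = shared_prefix(mine, out.address)
            s = shared_suffix(mine, out.address)
            if p >= min_prefix and s >= min_suffix:
                lookalikes.append((out.address, mine, p, s))
    return lookalikes, freeze


# Constructed sample: one of our addresses and a transaction paying 600 sat
# to it and 600 sat to the look-alike, plus an unrelated placeholder output.
OWN = {"1GZ3EfTjHVxLqnKi7yhEGCoffdATJEKeR7"}
SAMPLE_TX = [
    Output("1GZ3EfTjHVxLqnKi7yhEGCoffdATJEKeR7", 600),
    Output("1GZKQVjY21SAas1tjnibAHHHNF9B8nKeR7", 600),
    Output("1ExamplePlaceholderNotARealAddress", 50000),  # not a real address
]

if __name__ == "__main__":
    looks, freeze = review_transaction(OWN, SAMPLE_TX)
    for foreign, mine, p, s in looks:
        print(f"WARNING {foreign} resembles {mine} "
              f"(first {p}, last {s} characters match)")
    for out in freeze:
        print(f"FREEZE  {out.sats} sat received on {out.address}")
```

A wallet could run this check over each incoming transaction and hide or label flagged addresses in the history view, so they are never the source of a copy and paste.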