Crypto wallet provider MetaMask has warned the crypto community of a new type of scam called “address poisoning”.
“Address poisoning is an attack vector that, in contrast to other scams — which often use methods that have served many scammers so well, such as unlimited token approvals, phishing for your Secret Recovery Phrase, etc. — relies on user carelessness and haste above all else,” MetaMask said in a recent blog post.
Each account in a crypto wallet has a cryptographically-generated address containing long, hexadecimal numbers that can be hard to remember and mistaken for similar addresses. Therefore, users tend to copy and paste addresses instead of memorising them.
A new scam called ‘Address Poisoning’ is on the rise. Here’s how it works: after you send a normal transaction, the scammer sends a $0 token txn, ‘poisoning’ the txn history. (1/3)
— MetaMask Support (@MetaMaskSupport) January 11, 2023
Crypto addresses usually display the first few characters, a blank, and then the last few. Scammers take advantage of people’s tendency to trust familiar characters at the beginning and the end of a message.
To execute the scam, hackers “poison” transaction histories by sending wallets $0 tokens. They use vanity address generators to generate wallet addresses that match the first and last characters of their victim’s wallet address.
It is unlikely that hackers will gain access to users’ wallets, but those who copy their wallet addresses from their transaction history may mistakenly send funds to copycat addresses.
We are seeing a possible exit scam of ~$2.5m
Recently created “CirculateBUSD” and “CirculateWBNB “contracts have been drained by the contract creator
Funds bridged to Ethereum and deposited into @TornadoCash pic.twitter.com/TPbkgKS0vG
— CertiK Alert (@CertiKAlert) January 12, 2023
“Address poisoning involves scammers sending transactions of no value to your account from an address that’s very similar to your own,” MetaMask explained.
“Their hope is that you will then absent-mindedly copy this address from your transaction history in future.”
How to avoid address poisoning
Metamask recommends double-checking addresses before sending money to protect wallets from address poisoning.
“Develop a habit of thoroughly checking every single character of an address before you send a transaction. This is the only way to be completely sure you’re sending to the right place,” it said.
MetaMask also suggests not copying addresses from transaction histories, whitelisting frequently used addresses, and using test transactions when transferring large sums.