Main Takeaways

  • A rising crypto scam dubbed address poisoning exploits the transparency of public blockchains, allowing scammers to "poison" frequently interacting addresses to trick victims into misplacing funds meant for a familiar address.

  • Binance’s security team stays on top of the latest threats to protect our users. The team has developed a unique algorithm for detecting address poisoning, which has helped to flag over 15 million spoofed addresses to date on the Ethereum and BSC networks. 

  • Falling victim to this scam is entirely avoidable through simple transfer hygiene principles and common-sense security measures.

A new crypto scam called address poisoning, or address spoofing, is on the rise. Perpetrators use the transparency of public blockchains to identify pairs of addresses that transact with each other often and “poison” the transaction history of one of them by sending it a small amount of crypto from an address that is similar but not identical to its usual counterpart. The scammers hope that the next time the victim is about to send funds to the familiar address, they will unwittingly copy the “poisoned” string of characters and send the funds to the criminals instead.

One might think, who would fall for such a basic trick? In fact, more people than you think, especially when criminals deploy this technique at scale. Just a few days ago, a trader lost some $68 million worth of crypto in a single transaction to an address-poisoning scammer.

The good news is that falling victim to this scam is totally avoidable if you follow some simple principles of transfer hygiene. Moreover, the Binance security team is there to further protect you from address poisoning scams. We have developed a unique method of identifying poisoned addresses, which helps us to alert users before they send money to criminals and was instrumental in identifying and flagging more than 13.4 million spoofed addresses on BNB Smart Chain and 1.68 million on Ethereum. Here’s what you need to know.

Poison for the Unwary

Crypto wallet addresses can consist of as many as 42 alphanumeric characters. We have all been there: when transferring some crypto to a friend or withdrawing funds from an exchange to our own self-custodial wallet, we don’t always scrutinize each character of the destination address. Faced with the hodgepodge of seemingly random digits and letters that makes up an average address, we are strongly tempted to rely on cognitive shortcuts.

For example, it is common for crypto users to only glance at the first and last several characters of the address copied from one’s smartphone notes or transaction history, especially if this is a wallet with which one has previously interacted.

Address poisoning, also known as address spoofing, is a deceptive tactic where scammers send small amounts of cryptocurrency, NFTs, or worthless tokens from a wallet that closely mimics the recipient's or a frequently used partner's address, so that the lookalike address makes its way into the victim's transaction history. If the victim is in the habit of copying and reusing addresses from recent transactions when sending crypto, they can end up sending their funds to the scammer’s wallet.

Criminals scan public blockchains to identify potential victims, often looking for pairs of addresses that interact frequently. Such scams can occur on any blockchain, but Ethereum and networks like Polygon, Avalanche, and BNB Smart Chain are particularly vulnerable – the latter three due to relatively low transaction fees, which enable bad actors to deploy their schemes cheaply and at scale.

Scammers rely on vanity address generators – services that allow users to customize parts of addresses to make them appear recognizable and “less random.” For example, an authentic Ethereum address like 0x19x30f…62657 could be spoofed using a similar-looking 0x19x30t…72657, which can be totally different in the middle while maintaining the first and last few characters.

The Binance Antidote

Having recognized address poisoning as an emerging and increasingly common threat to crypto users, Binance’s security experts developed a process to identify and counteract this scheme. We implement a multi-step approach that begins with examining the network logs to separate regular transfer events from those that seem suspicious, such as those with a transfer value of 0 or unrecognized token transfers.

We then connect the suspicious transfers to the regular transfers that they seem to be preying on, pairing them based on similarities between sender and recipient addresses. Finally, we ensure that the timestamp of the regular transfer precedes that of the suspicious transfers, which allows us to detect the point of poisoning, along with the spoofed addresses at which the bad actors expect to receive victims’ money.
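The three steps described above can be sketched as follows. This is an added illustration, not Binance's or HashDit's algorithm: the `Transfer` record shape, the `KNOWN_TOKENS` allowlist and the "same first and last four hex characters" similarity rule are assumptions, and all addresses are constructed sample data.

```python
from typing import NamedTuple

KNOWN_TOKENS = {"USDT", "USDC"}  # assumption: allowlist of recognized tokens

class Transfer(NamedTuple):  # hypothetical shape of a decoded transfer log
    ts: int
    sender: str
    recipient: str
    token: str
    value: int

def lookalike(a: str, b: str, n: int = 4) -> bool:
    """Assumed similarity rule: distinct addresses sharing first and last n hex chars."""
    a, b = a.lower(), b.lower()
    return a != b and a[2:2 + n] == b[2:2 + n] and a[-n:] == b[-n:]

def is_suspicious(t: Transfer) -> bool:
    # Step 1: zero-value transfers and unrecognized tokens are set aside.
    return t.value == 0 or t.token not in KNOWN_TOKENS

def find_poisoning(transfers):  # -> sorted (spoofed, imitated, victim, poison_ts)
    regular = [t for t in transfers if not is_suspicious(t)]
    found = set()
    for s in filter(is_suspicious, transfers):
        for r in regular:
            if r.ts >= s.ts:  # Step 3: the regular transfer must come first
                continue
            # Step 2: one party is shared, the other imitates the usual partner.
            for victim, partner in ((r.sender, r.recipient), (r.recipient, r.sender)):
                for mine, other in ((s.sender, s.recipient), (s.recipient, s.sender)):
                    if mine.lower() == victim.lower() and lookalike(other, partner):
                        found.add((other, partner, victim, s.ts))
    return sorted(found, key=lambda f: f[3])

# Constructed sample data (not real addresses or transactions).
VICTIM = "0x" + "a1" * 20
PARTNER = "0x19c3" + "0" * 32 + "2657"
SPOOF = "0x19c3" + "f" * 32 + "2657"
EARLY = "0x19c3" + "e" * 32 + "2657"
OTHER = "0x" + "b2" * 20
SAMPLE = [
    Transfer(900, EARLY, VICTIM, "USDT", 0),       # precedes any regular transfer
    Transfer(1000, VICTIM, PARTNER, "USDT", 500),  # regular transfer
    Transfer(1100, VICTIM, SPOOF, "USDT", 0),      # zero-value lookalike
    Transfer(1200, OTHER, VICTIM, "FAKEUSDT", 1),  # unknown token, no lookalike
]

if __name__ == "__main__":
    print(find_poisoning(SAMPLE))
```

Only the zero-value transfer at timestamp 1100 is reported: the lookalike at 900 has no earlier regular transfer to imitate, and the unknown-token transfer at 1200 does not resemble the usual counterparty.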

Once flagged as spoofed, the addresses are recorded in the database of Web3 security firm HashDit, Binance’s security partner. Many cryptocurrency service providers use HashDit’s API to boost their defenses against a variety of scams. One of them, for example, is Trust Wallet, which uses a database of poisoned addresses to alert users when they are about to transfer funds to a spoofed recipient. HashDit also offers user-facing products such as web browser extensions and MetaMask Snaps, meaning that Binance’s efforts to flag poisoned addresses have an impact at the level of the whole crypto ecosystem.

Thanks to Binance security experts’ proactive approach to this threat, we have already flagged more than 15 million poisoned addresses to date on BSC and Ethereum networks, adding an average of 300,000 new records every week as criminals continue to lay traps for unsuspecting crypto users.

Staying Safe

As with any other scam, you are the safest when you are aware of criminals’ tactics and practice preventive behaviors that help minimize the risk of falling prey to them. Below are some tips that will help you steer clear of address spoofing scams.

Double-check the Address: When sending crypto, always take the time to verify the recipient’s entire address, not just the beginning or end.

Save Frequently Used Addresses: Utilize wallet features to save trusted addresses and assign nicknames and QR codes to them to avoid the need for frequent copying and pasting.

Use Name Services: Employ services like Ethereum Name Service (ENS), which provide shorter, more recognizable addresses that are difficult for scammers to replicate.

Conduct Test Transactions: When transferring significant amounts of digital assets, send a small amount first to make sure that the recipient address is correct.

Be Vigilant with Copying and Pasting: Malware can alter clipboard content to replace your copied address with one owned by a scammer. Always recheck the address after pasting and consider typing out some characters manually.

The rise of address poisoning scams emphasizes the importance of constant vigilance in the digital asset space. Routine checking of the entire recipient address, utilizing wallet features that save trusted addresses, employing services like Ethereum Name Service (ENS), as well as conducting test transactions can substantially reduce the likelihood of being scammed. 

Proactive identification efforts, like those of Binance’s security team, also play an important role in flagging spoofed addresses and alerting users to potential scams preemptively. It is vital to combine safeguarding measures and scam-awareness educational efforts in the face of continually evolving threats.
