MetaMask Warns of ‘Address Poisoning’ Wallet Scam

MetaMask notified the crypto community of a new type of scam called “address poisoning” in a recent post.

The scam was called “quite innocuous compared to other types of scams.” However, the company warned that address poisoning still has the potential to trick unsuspecting users into losing funds.

“Address poisoning is an attack vector that, unlike other scams, which often use methods that have served many scammers so well, such as unlimited token approvals, phishing for your Secret Recovery Phrase, etc., trusts the carelessness and haste of the user above all else.”

How “address poisoning” works

Address poisoning exploits the fact that wallet addresses are long hexadecimal numbers that are hard to remember and easy to confuse with other, similar addresses.

Cryptographic addresses are often shortened to show the first few characters, a white space, and then the last few. Fraudsters exploit the tendency to rely on the familiarity of first and last characters.

When making transactions, the usual routine is to copy and paste an address. Many wallet providers, including MetaMask, have a one-click feature to copy an address.

Address poisoning takes advantage of users' inattention at this point in the transaction process. Specifically, scammers observe and track transactions of particular tokens, with stablecoins being the common target. Then, using a vanity address generator, the scammer creates an address that resembles the destination address, matching its first and last characters in particular.

The scammer sends a nominal value transaction from the newly generated address to the destination address; at this point, the latter is poisoned.

Later, when sending a transaction, the user may mistakenly copy the wrong address because its first and last characters look familiar. Once the transaction is executed, the funds end up in the hands of the scammer.

“And since on-chain transactions like this are immutable (cannot be changed once confirmed), any lost funds will be irretrievable.”

MetaMask explains how to stay safe

Unfortunately, the nature of public blockchains means that anyone, including scammers, can send transactions to any address if they choose.

MetaMask reiterated the importance of checking all address characters when sending funds, not just the first and last characters.

“Develop the habit of thoroughly reviewing each character of an address before sending a transaction. This is the only way to be completely sure that you are sending to the right place.”

Other strategies to avoid falling victim to address poisoning include not using transaction history to copy addresses, whitelisting frequently used addresses to avoid copy and paste altogether, and using test transactions, especially when transferring large sums.
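The whitelisting advice above can be enforced in software rather than by eye. The following is an added example, not code from MetaMask or from the original article: it classifies a pasted recipient against a saved address book and flags any address that differs from a saved entry yet shares the characters a shortened display would show. The function names, the `addressBook` shape, and all addresses are hypothetical and constructed for illustration.

```javascript
// Added example: flag recipients that only *look* like an address-book entry.
// All names and addresses here are constructed for illustration.
const ADDRESS_RE = /^0x[0-9a-fA-F]{40}$/;

// Hex addresses are compared case-insensitively (mixed case only encodes a checksum).
function normalize(address) {
  if (typeof address !== "string" || !ADDRESS_RE.test(address.trim())) {
    throw new Error("not a 20-byte hex address: " + address);
  }
  return address.trim().toLowerCase();
}

// True when two different addresses share the characters a shortened display shows.
function looksAlike(a, b, shownChars) {
  const x = normalize(a).slice(2);
  const y = normalize(b).slice(2);
  return x !== y &&
    x.slice(0, shownChars) === y.slice(0, shownChars) &&
    x.slice(-shownChars) === y.slice(-shownChars);
}

// Classify a pasted recipient against the user's saved addresses.
function checkRecipient(candidate, addressBook, shownChars = 4) {
  const wanted = normalize(candidate);
  const entries = Object.entries(addressBook);
  // An exact, full-length match is the only thing that counts as trusted.
  for (const [label, saved] of entries) {
    if (normalize(saved) === wanted) return { status: "trusted", label };
  }
  // Same visible prefix and suffix but a different middle: likely poisoning.
  for (const [label, saved] of entries) {
    if (looksAlike(candidate, saved, shownChars)) {
      return { status: "lookalike", label };
    }
  }
  return { status: "unknown", label: null };
}

// Constructed sample data: a saved address and a look-alike with a different middle.
const SAVED = "0xA1B2" + "1".repeat(32) + "C3D4";
const POISON = "0xa1b2" + "9".repeat(32) + "c3d4";
const addressBook = { exchange: SAVED };

console.log(checkRecipient(SAVED.toLowerCase(), addressBook)); // trusted
console.log(checkRecipient(POISON, addressBook));              // lookalike
console.log(checkRecipient("0x" + "7".repeat(40), addressBook)); // unknown
```

A wallet or payment script would refuse to proceed on `lookalike` and display both full addresses side by side, and would treat `unknown` as a prompt for a small test transaction first.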
