User falls for scam and loses more than R$300 million in cryptocurrencies

A cryptocurrency investor fell for a scam known as poisoned address and lost a fortune. According to the security company CertiKthe loss was US$68 million in Wrapped Bitcoin (WBTC), or around R$350 million in current values.

The attack brought together ingenuity on the part of the hacker and a dose of carelessness on the part of the investor. The hacker simulated a transaction of 0.05 Ethereum (ETH) and managed to trick the investor into thinking it was a legitimate address.

The victim then sent 1,155 WBTC to the wallet without realizing it was a scam. After the action, Etherscan marked the scammer’s address as fake phishing and, until this article was written, the funds are still in the wallet.

What is this attack?

Address poisoning is a technique that involves tricking the victim into sending a legitimate transaction to the wrong wallet address. In the attack, the hacker creates an address very similar to a real address, but with some modified characters.

Because wallet addresses have many characters, users often only look at the beginning and end. In this way, hackers almost always modify the characters in the middle, to make it easier to carry out the scam.

In this sense, hackers create an address by imitating the first and last six characters of the real wallet address. By betting on the victim’s inattention, hackers send the fake address posing as a real one. If the scam victim sends their cryptocurrencies, they are lost forever.

In addition to Certik, Cyvers platforms and blockchain detective ZachXBT confirmed the theft of $68 million. By marking the address on Etherscan, it is hoped that the hacker can be caught and the money recovered.

Cryptocurrency investors lost US$2 billion to hackers, scams and exploits in decentralized finance (DeFi) in 2023. In addition, hackers have already managed to steal US$333 million in the first quarter alone.

To avoid falling for this address poisoning scam, check all characters before making any transactions to an external wallet. Whenever possible, ask the sender to send the address more than once and check it to avoid losses.