Address Poisoning - Letter From the Chief

This ran as Letter from the Chief in the newsletter from the Department of Public Safety where I serve as a reserve investigator.

Late last year, thieves using address poisoning schemes stole more than $2 million from small investors and cryptocurrency enthusiasts. We have seen a marked increase in people falling for a clever and simple scam that targets cryptocurrency holders: address poisoning.

While the police department would never recommend any specific investment, we recognize that even with the wild fluctuations in prices of cryptocurrencies, large banks and brokerages still offer them, and people are still eager to participate and invest in them. In this newsletter, we will tell you how this scam works, and how to protect yourself.

At its heart, this attack depends on the complexity and non-human readable nature of wallet addresses - the Cryptocurrency version of an “account number”.

Where a bank account number might be six- to 12 digits, a Bitcoin address looks something like, “bf1fd2bcladdb35ad22493d83kkfdbc0a1d”. And that’s hard to read.

Certainly it is hard to remember.

Here’s something easy to remember: in the Blockchain world, if you send money to the wrong place, it is really hard to ever get it back.

Many people only send cryptocurrency to a small number of addresses, and they rather predictably fall into a habit that is unsafe: Since bf1fd2bcladdb35ad22493d83kkfdbc0a1d is so hard to remember, “let me just eyeball it.”

A common trick less experienced cryptocurrency users try, when they are preparing to send some crypto to an address, is to simply verify by eye that the first and the last four-to-five characters of the address being provided by a transaction partner match the expected address - in this case, “fd2bc” and “c0a1d”.

“If those match,”" they think, “I will just go with the flow.”

This is a very bad practice.

The way this can be exploited is actually fairly straightforward, but the effect can be the irretrievable loss of your funds.

First, it’s important to know that, contrary to common perception, all transactions on a public blockchain are, well, public. To see some examples, head to the free site and have a look.

Criminals can monitor transfer information of a certain type, and when they identify a transfer pattern (say, once a week, or of a certain type of stablecoin), they can capture the from and to addresses.

Then they construct an address that contains identical starting and ending numbers to the ones used in transfers that you often make.

Next, using methods ranging from really easy to really complex, they can trick you into initiating a transfer to the wrong address. This can be sending you a very small amount of crypto and hoping you select that address from your history, to more proactive ways to trick you into sending.

An easy way? Crafting a phishing email related to a transaction that you regularly make, and substituting their address for yours.

In this example, the address you normally send to, again, is bf1fd2bcladdb35ad22493d83kkfdbc0a1d, but the email reads:

“As usual, please transfer to bf1fd2bclbeec98df33493d83kkfdbc0a1d. Please make sure to copy and paste this address to avoid any mistakes!”

As you can see, it is really difficult to distinguish the fake address from the real one, especially since the first and last 8 characters of both are the same.

More complex methods include “on-chain address poisoning” attacks, which are too complicated to go in here (but contact us if you are interested in learning more).

Technology like blockchain and cryptocurrency can be very exciting and fun to learn about, but there are risks that must be well understood. Your wallet - whether you use a service like Coinbase or Circle, or your own hardware wallet such as Ledger or Trezor - won’t guard against this risk for you, at least not yet.

You simply have to pay close attention and verify all addresses to which you send cryptocurrency.