Crypto Trader Suffers $50 million Loss Following Address Poisoning Attack
A cryptocurrency trader lost $50 million in Tether’s USDT after falling victim to a sophisticated “address poisoning” attack.
On December 20, blockchain security firm Scam Sniffer reported that the attack started after the victim sent a small $50 test transaction to his own address.
How The Address Poisoning Scheme Unfolded
Notably, traders use this standard precaution to verify that they are sending funds to the correct address.
However, that activity alerted an automated script controlled by the attacker, which instantly generated a “spoofed” wallet address.
The fake address is designed to match the intended recipient’s address at the beginning and end of the alphanumeric string. The differences appear only in the middle characters, making the fraud difficult to detect at a glance.
The attacker then sent a negligible amount of cryptocurrency from the spoofed address to the victim’s wallet.
That transaction effectively placed the fraudulent address into the victim’s recent transaction history, where many wallet interfaces display only truncated address details.
Relying on that visual shorthand, the victim copied the address from their transaction history without checking the full string. So, instead of moving funds to a secure personal wallet, the trader sent 49,999,950 USDT directly to the attacker.
After receiving the funds, the attacker quickly moved to limit the risk of asset seizure, according to on-chain data. The attacker immediately swapped the stolen USDT, which its issuer can freeze, for the DAI stablecoin using MetaMask Swap.
The attacker then converted the funds into roughly 16,680 ETH.
To further obscure the transaction trail, the attacker deposited the ETH into Tornado Cash. The decentralized mixing service is designed to sever the visible link between sending and receiving addresses.
Victim Offers $1 Million Bounty
In an attempt to recover the assets, the victim sent an on-chain message offering a $1 million white-hat bounty in return for 98% of the stolen funds.
“We have formally filed a legal case. With the help of law enforcement, cybersecurity agencies, and a number of blockchain protocols, we have already gathered substantial and actionable intelligence concerning your actions,” the message stated.
The message warned that the victim would pursue “relentless” legal action if the attacker did not comply within 48 hours.
“If you fail to comply: We will escalate the matter through legal and international law enforcement channels. Your identity will be uncovered and shared with the appropriate authorities. We will relentlessly pursue legal and civil action until full justice is served. This is not a request. You are being given one final chance to avoid irreversible consequences,” the victim stated.
The incident underscores a persistent vulnerability in how digital wallets display transaction information and how attackers exploit user behavior rather than flaws in blockchain code.
Security analysts have repeatedly warned that wallet providers’ practice of abbreviating long address strings for usability and design reasons creates a persistent risk.
If this problem is not solved, attackers are likely to continue exploiting users’ tendency to verify only the first and last few characters of an address.
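The truncation risk described above can be checked in software before a transfer is signed. The following is an added example, not code from the article or from any wallet project: it compares a destination against the user's own trusted addresses and flags one that matches only at the start and end. The function names, the 4-character comparison window and the sample addresses are assumptions constructed for illustration.

```javascript
// Added example: flag a destination address that imitates a trusted one.
// All addresses here are constructed samples, not values from the incident.

const HEX_ADDRESS = /^0x[0-9a-fA-F]{40}$/;

// Mimics the shortened form many wallet UIs show in transaction history.
function truncateForDisplay(address, head = 6, tail = 4) {
  return `${address.slice(0, head)}...${address.slice(-tail)}`;
}

// Lowercase the hex body so mixed-case and lowercase spellings compare equal.
function normalize(address) {
  if (!HEX_ADDRESS.test(address)) {
    throw new Error(`not a 20-byte hex address: ${address}`);
  }
  return address.slice(2).toLowerCase();
}

// Classify a destination against the user's trusted address book:
//   "trusted"   - exact full-string match
//   "lookalike" - different address sharing the first and last n hex chars
//   "unknown"   - no resemblance to any trusted entry
function classifyDestination(destination, trustedAddresses, n = 4) {
  const dest = normalize(destination);
  let lookalikeOf = null;
  for (const trusted of trustedAddresses) {
    const t = normalize(trusted);
    if (t === dest) return { verdict: "trusted", matches: trusted };
    if (t.slice(0, n) === dest.slice(0, n) && t.slice(-n) === dest.slice(-n)) {
      lookalikeOf = trusted;
    }
  }
  return lookalikeOf
    ? { verdict: "lookalike", matches: lookalikeOf }
    : { verdict: "unknown", matches: null };
}

// Constructed sample data: one trusted address and a poisoned history entry
// that differs only in the middle characters.
const OWN_WALLET = "0xa1b2C3d4E5f60718293a4B5c6D7e8F9012345678";
const POISONED = "0xa1b2" + "f".repeat(32) + "5678";
const UNRELATED = "0x" + "1".repeat(40);

console.log(truncateForDisplay(OWN_WALLET), truncateForDisplay(POISONED));
console.log(classifyDestination(POISONED, [OWN_WALLET]));
```

A wallet or pre-send script would block or require full-string confirmation on a "lookalike" verdict, since the two addresses are indistinguishable in truncated form.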
The post Crypto Trader Suffers $50 million Loss Following Address Poisoning Attack appeared first on BeInCrypto.
