Safe Wallet scammer steals $2M through ‘address poisoning’ in one week

A crypto hacker specializing in “address poisoning attacks” has managed to steal over $2 million from Safe Wallet users alone in the past week, with its total victim count now reaching 21. 

On Dec. 3, Web3 scam detection platform Scam Sniffer reported that around ten Safe Wallets lost $2.05 million to address poisoning attacks since Nov. 26.

According to Dune Analytics data compiled by Scam Sniffer, the same attacker has reportedly stolen at least $5 million from around 21 victims in the past four months.

Scam Sniffer, reported that one of the victims even held $10 million in crypto in a Safe Wallet, but “luckily” only lost $400,000 of it. 

about ~10 Safe wallets have lost $2.05 million to “address poisoning” attacks in the past week.

the same attacker has stolen $5 million from ~21 victims in the past four months so far. pic.twitter.com/fu4kxaI3py

— Scam Sniffer | Web3 Anti-Scam (@realScamSniffer) December 3, 2023

Address poisoning is when an attacker creates a similar-looking address to the one a targeted victim regularly sends funds to — usually using the same beginning and ending characters.

The hacker often sends a small amount of crypto from the newly-created wallet to the target to “poison” their transaction history. An unwitting victim could then mistakingly copy the look-alike address from transaction history and send funds to the hacker’s wallet instead of the intended destination.

Cointelegraph has reached out to Safe Wallet for comment on the matter.

A recent high-profile address poisoning attack seemingly carried out by the same attacker occurred on Nov. 30 when real-world asset lending protocol Florence Finance lost $1.45 million in USDC.

At the time, blockchain security firm PeckShield, which reported the incident, showed how the attacker may have been able to trick the protocol, with both the poison and real address beginning with “0xB087” and ending with “5870.”

#PeckShieldAlert #FlorenceFinance fell victim to a #AddressPoisoning scam, resulting in a loss of ~$1.45M $USDC. Intended address: 0xB087cfa70498175a1579104a1E1240Bd947f5870Phishing address: 0xB087269DE7ba93d0Db2e12ff164D60F0b3675870 pic.twitter.com/x1BJ77lhFv

— PeckShieldAlert (@PeckShieldAlert) November 30, 2023

In November, Scam Sniffer reported that hackers have been abusing Ethereum’s ‘Create2’ Solidity function to bypass wallet security alerts. This has led to Wallet Drainers stealing around $60 million from almost 100,000 victims over six months, it noted. Address poisoning has been one of the methods they used to accumulate their ill-gotten gains.

Related: What are address poisoning attacks in crypto and how to avoid them?

Create2 pre-calculates contract addresses, enabling malicious actors to generate new similar wallet addresses which are then deployed after the victim authorizes a bogus signature or transfer request.

According to the security team at SlowMist, a group has been using Create2 since August to “continuously steal nearly $3 million in assets from 11 victims, with one victim losing up to $1.6 million.”

Magazine: Should crypto projects ever negotiate with hackers? Probably