According to the real-time scam analytics platform Scam Sniffer, an attacker has stolen over $2 million in cryptocurrency from ten users of Safe Wallet (formerly known as Gnosis Safe) in the past week. The attacker, employing a technique known as ‘address poisoning’, has stolen over $5 million since October using this strategy.
Dune Analytics reveals that this hacker has victimized 21 individuals, with two of the victims losing over $1.4 million each. Notably, although Safe is one of the most secure multi-signature wallets available, it offers no protection against this type of attack.
‘Address poisoning’ is a relatively straightforward yet highly effective technique. Instead of exploiting smart contracts or other technology, it preys on human inattentiveness.
The attacker analyzes a wallet’s regular transactions to specific addresses and then creates a wallet whose address has a similar starting and ending sequence of characters. They proceed to send a small transaction from this look-alike wallet to the targeted address. An inattentive victim, reviewing their transaction history, mistakenly copies the look-alike wallet’s address and ends up sending money to it.
Typically, attackers aim to work at scale, targeting the transaction history of many wallets to enhance their chances of successfully tricking a victim. This tactic is effective even against users with multi-signature wallets, where transactions require the approval of several individuals.
Even large exchanges aren’t immune to such attacks. For example, Binance nearly lost $20 million when an operator accidentally sent money to an incorrect address, copied from transaction history. Luckily, they managed to coordinate with Tether to freeze the funds in time.
To safeguard against such attacks, users must understand some basic principles.
The most important one is to be diligent and attentive when sending transactions, particularly large ones. Rushing and lack of attention can lead to significant financial losses.
Additionally, avoid copying the address for your intended transaction from the transaction history. Always double-check the full address several times before confirming the transaction.
Moreover, as a precaution, you can send a small “test transaction” to the intended wallet to protect against this and other types of attacks. This method ensures that, in the event of an issue, you only risk a minimal amount and can quickly identify if something is amiss.
For instance, in the aforementioned hack, one victim had $10 million in the wallet but, “fortunately”, incurred a loss of only $400k. While $400k is a substantial amount for a “test transaction,” the loss is considerably less severe than losing the entire $10 million.
So, the key takeaway is to never rush, always double-check, and consider sending a test transaction to ensure the safety of your money.
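The "double-check the full address" step can also be automated before signing. The sketch below is an added example, not code from Safe or Scam Sniffer: it compares a destination against a saved address book and flags any address that matches a trusted entry only at its start and end. The function names, the address book, the 4-character thresholds and the sample addresses are all constructed for illustration.

```python
import re

_ADDR_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")

def normalize(addr: str) -> str:
    """Validate a 20-byte hex address and return its 40 hex digits, lowercased."""
    addr = addr.strip()
    if not _ADDR_RE.match(addr):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return addr[2:].lower()

def shared_ends(a: str, b: str) -> tuple[int, int]:
    """Count matching hex digits at the start and at the end of two addresses."""
    head = 0
    while head < 40 and a[head] == b[head]:
        head += 1
    tail = 0
    while tail < 40 - head and a[-1 - tail] == b[-1 - tail]:
        tail += 1
    return head, tail

def classify(destination: str, address_book: dict[str, str],
             min_head: int = 4, min_tail: int = 4):
    """Return ("trusted", label), ("lookalike", label) or ("unknown", None)."""
    dest = normalize(destination)
    imitated = None
    for label, known in address_book.items():
        known_hex = normalize(known)
        if known_hex == dest:
            return ("trusted", label)       # exact match on all 40 digits
        head, tail = shared_ends(dest, known_hex)
        if head >= min_head and tail >= min_tail:
            imitated = label                # same ends, different middle
    if imitated is not None:
        return ("lookalike", imitated)
    return ("unknown", None)

# Constructed sample data (not real addresses).
TRUSTED = "0x" + "a1b2c3" + "0" * 30 + "9f8e"
POISON = "0x" + "a1b2c3" + "7" * 30 + "9f8e"    # same ends, different middle
UNRELATED = "0x" + "5" * 40
BOOK = {"treasury": TRUSTED}

if __name__ == "__main__":
    for candidate in (TRUSTED, POISON, UNRELATED):
        print(candidate, classify(candidate, BOOK))
```

A "lookalike" result should block the transfer until the full address has been confirmed through a separate channel.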