Bitcoin address poisoning attacks

[albon]

It is known that this type of attack is not new, but it’s clear that it has had a significant impact after scammers started using address poisoning with Bitcoin. Perhaps the victims believed that such attacks only happen with altcoins, , so in their haste to copy wallet addresses without verifying, they became victims of this attack which relies on human error.

If people were aware of this mistake that many have fallen into, they would certainly be more responsible and cautious in avoiding being scammed through address poisoning.

[moneystery]

the hacker is really patient to wait for the target to make a mistake ... but sometimes a bad thing happens when a person is too careless and does not pay attention to his destination address and just send it without doing a thorough check on his destination address. and therefore, it is always important to check the destination address, and avoid copying the address in the history transaction. author recommendations to use the label/contact feature on the wallet can also be used to help sender store their important addresses and avoid them to copy the address from the same place repeatedly.

[Rustam Meraj]

It is known that this type of attack is not new, but it’s clear that it has had a significant impact after scammers started using address poisoning with Bitcoin. Perhaps the victims believed that such attacks only happen with altcoins, , so in their haste to copy wallet addresses without verifying, they became victims of this attack which relies on human error.

If people were aware of this mistake that many have fallen into, they would certainly be more responsible and cautious in avoiding being scammed through address poisoning.

I think recent increase in address poisoning attacks on Bitcoin users is warning sign for cryptocurrency community. Some people might have stopped being careful because they thought these attacks only happened with other types of cryptocurrency. This shows big mistake in being careful. People making mistakes is big reason for these attacks. It is very important for users to check wallet addresses carefully before sending money. If people knew more about risks of address poisoning they would probably be more careful and take steps to protect themselves. In the end teaching people and making them aware is best way to stop these scams and make cryptocurrency world safer.

[Outhue]

Am I dumb or something? Since attackers needs to exploit the BTC wallet interface why are we not asking ourselves how this will be carried out? Isn't the access needs to be granted somehow by the wallet owner? How can someone or a hacker have the ability to mimic your wallet interface?

Let's say I am using trust wallet now and I had to copy the last address I sent BTC to, the only way this can be possible is if.....

Clipboard malware is active, maybe while copy pasting the clipboard hijack malware switch the copied address to another.

Or some form of permission is been asked by the attacker, after you as the wallet owner clicked on a link, can someone please explain this to me or something.

[Agbamoni]

After i noticed a change in my bitcoin address one time i don't make the mistake of not looking at the address before sending any coin. If there was a way for Bitcoin address to not have similar ones it will be better.

It is not that difficult to cultivate security practices every time we want to make a transactions. Highest 2 minutes to check if our address is the same. People who often fall for these scams is because they do things reluctantly not minding what will happen.

[sokani]

Am I dumb or something? Since attackers needs to exploit the BTC wallet interface why are we not asking ourselves how this will be carried out? Isn't the access needs to be granted somehow by the wallet owner? How can someone or a hacker have the ability to mimic your wallet interface?

It can be done with the help of a Bitcoin vanity generator. You can read about it here: https://bitcointalk.org/index.php?topic=25804.0

What scammers normally do is that, they will pick out an address from the blockchain with frequent wallet activities. Generate a similar looking address and send dust to it with hope that in attempt to copy the address, the potential victim would mistakenly copy the fake address and send Bitcoin.

Let's say I am using trust wallet now and I had to copy the last address I sent BTC to, the only way this can be possible is if.....

Clipboard malware is active, maybe while copy pasting the clipboard hijack malware switch the copied address to another.

Address poisoning can be avoided by copying the address directly from the wallet and not from transaction history.

Clipboard malware is different. It's mostly spread through malicious file downloads but in both cases it good to crosscheck the receiving address.

[Catenaccio]

You are getting it wrong but good that you know about the attacks. Address poisoning attack is different from dust attack. In Dust attack, the attacker will send minute or small amount of bitcoin to the victims and it is used for tracing the persons coins. In address poisoning, similar address that looks like the victim's address is generated. Can you see that both are very different.

I didn't say Bitcoin dust attack is address poisoning but there are many Bitcoin wallets that support change addresses and people need to use change addresses more.

Change addresses can enhance privacy and possibly reduce many types of attack. If you have a solution to prevent attacks or reduce risk, why don't use it especially it's free. With a good Bitcoin wallet, you can use change addresses very easy and also free.

[promise444c5]

If there was a way for Bitcoin address to not have similar ones it will be better.

Bitcoin  addresses are actually  unique to each other, only the prefix could be  same across some addresses and that's actually  based on their Locking Script  ..
We have :
P2PK ( 1 )
P2SH ( 3 )
P2WPKH (bc1q)
P2TR (bc1p)
...in bracket is the address prefix
Thus, address are not similar in anyway  but the common address  prefix just tells the Locking Script used

[HONDACD125]

Without being part of a social attack, it's difficult for such attacks to generate returns. Such anonymous attacks are a waste of time. But what's difficult about address verification? It only takes a minute and can save you from many of these attacks.

That's what I do. We often see threads and news about scammers finding new ways of attacking us either through malware, address poisoning, clipboard malware, and whatnot, so it's important for every person making a cryptocurrency transaction to always double-check the address that they copy and paste somewhere to make a transaction, looking at the address for 5 seconds from where it was copied and to where it is copied would allow you to evaluate and understand whether the address is correct or not.

If someone is in a hurry and never double-checks the address they are making a transaction to, they will be more vulnerable to such attacks, and newbies often become victims of such things only because of this reason. They never check the addresses they copy and make transactions to, since crypto transactions are non-reversible, there is no point in checking the address once the transaction is broadcasted.

[DYING_S0UL]

Let's say I am using trust wallet now and I had to copy the last address I sent BTC to, the only way this can be possible is if.....

Clipboard malware is active, maybe while copy pasting the clipboard hijack malware switch the copied address to another.

Or some form of permission is been asked by the attacker, after you as the wallet owner clicked on a link, can someone please explain this to me or something.

If I understood correctly, I believe there is another way to achieve this where the scammer uses the dusting attack! He just needs to generate a vanity address matching the victims address and send a tiny amount of cryptocurrency (a dusting transaction) from this vanity address. And later if the user isn't careful enough and copies address from previous transactions history, then there is a good chance that he might end up copying the scammers address and send the funds to the wrong address without even realizing it.

[GreatArkansas]

(....)

If I understood correctly, I believe there is another way to achieve this where the scammer uses the dusting attack! He just needs to generate a vanity address matching the victims address and send a tiny amount of cryptocurrency (a dusting transaction) from this vanity address. And later if the user isn't careful enough and copies address from previous transactions history, then there is a good chance that he might end up copying the scammers address and send the funds to the wrong address without even realizing it.

This is pure effort if generating a vanity address for your target, I am curious how much time it needed to copy an address with identical characters on the first and last few characters of every Bitcoin address, like it's worth it for these attackers to do it?

I also heard last time in Ethereum network where the victim lost millions when he was able to sent the funds to the identical address that did address poisoning attack.

[Outhue]

Am I dumb or something? Since attackers needs to exploit the BTC wallet interface why are we not asking ourselves how this will be carried out? Isn't the access needs to be granted somehow by the wallet owner? How can someone or a hacker have the ability to mimic your wallet interface?

It can be done with the help of a Bitcoin vanity generator. You can read about it here: https://bitcointalk.org/index.php?topic=25804.0

What scammers normally do is that, they will pick out an address from the blockchain with frequent wallet activities. Generate a similar looking address and send dust to it with hope that in attempt to copy the address, the potential victim would mistakenly copy the fake address and send Bitcoin.

Let's say I am using trust wallet now and I had to copy the last address I sent BTC to, the only way this can be possible is if.....

Clipboard malware is active, maybe while copy pasting the clipboard hijack malware switch the copied address to another.

Address poisoning can be avoided by copying the address directly from the wallet and not from transaction history.

Clipboard malware is different. It's mostly spread through malicious file downloads but in both cases it good to crosscheck the receiving address.

Ohhh thanks for explaining this better, I was confused to be honest because I've never fall for such scam before but I guess that's because I don't copy address from transaction history, to think of this is even scary, because transaction history is available on explorers which can easily be tampred. I am used to copying inside my bitcoin wallet rather.

As for the clipboard malware it is not always about downloading malicious file alone, someone close to be was a victim years back, all he did was downloaded a third party keyboard on his smartphone and he is also using a rooted Android phone, the keyboard was the problem but the script was activated because he is running a rooted phone.

This attack will hijack any sensitive words or passwords and send them into the cloud without you knowing and when you copy paste address it changes like it always happen on a malware infected computer.

[yamin_galib]

Actually, this whole Bitcoin address poisoning thing is incredibly sneaky.It's honestly messed out that someone could just give you a small amount of BTC from an address that seems like one you have used previously assuming you would replicate it by error. And that truly works as most of us just glance at the first and final few characters of an address before transmitting crypto.
The insane aspect is the low effort the scam artist makes.They merely depend on you being a bit negligent; they have no need for hacking anything. And clearly many are falling for it millions lost in just a couple of months?
Most reasonable technique to be secure is Always carefully check the complete address before sending.cease copying addresses from your transaction history. If anything appears unusual it probably is. Also, those weird tiny transactions showing up?Usually best to ignore them; they are merely bait.

[|MINER|]

(....)

If I understood correctly, I believe there is another way to achieve this where the scammer uses the dusting attack! He just needs to generate a vanity address matching the victims address and send a tiny amount of cryptocurrency (a dusting transaction) from this vanity address. And later if the user isn't careful enough and copies address from previous transactions history, then there is a good chance that he might end up copying the scammers address and send the funds to the wrong address without even realizing it.

This is pure effort if generating a vanity address for your target, I am curious how much time it needed to copy an address with identical characters on the first and last few characters of every Bitcoin address, like it's worth it for these attackers to do it?

To know this answer, we need to know a little more in depth.First, we need to know through which process hackers perform this task.
Hackers basically generate addresses by brute-force using tools like vanitygen by matching the couple of first and last characters of an address.

Now it is a general knowledge that the better the configuration of the computer, the faster it can bruteforce.

For example, it may take some seconds to generate an address by matching the 1st 4 characters and the last 4 characters by using a GPU, or if hackers use ASIC miners, it may they will be generated immediately.
For example I am giving an image here-

here you will find more details

[DYING_S0UL]

(....)

If I understood correctly, I believe there is another way to achieve this where the scammer uses the dusting attack! He just needs to generate a vanity address matching the victims address and send a tiny amount of cryptocurrency (a dusting transaction) from this vanity address. And later if the user isn't careful enough and copies address from previous transactions history, then there is a good chance that he might end up copying the scammers address and send the funds to the wrong address without even realizing it.

This is pure effort if generating a vanity address for your target, I am curious how much time it needed to copy an address with identical characters on the first and last few characters of every Bitcoin address, like it's worth it for these attackers to do it?

I also heard last time in Ethereum network where the victim lost millions when he was able to sent the funds to the identical address that did address poisoning attack.

It depends on what tools are you using for brute forcing, how much computational power you have and what/which/how many character are you trying to match! The more the characters the harder it is to get a matching hit! To get an extensive idea on this you should check this topic by 1miau about [Guide] How to create your customized Bitcoin-Address (vanitygen) – step by step

The longer your prefix, the less likely a quick hit. Upper case letters are more likely to find than lower case letters. For example, the prefix 1Bitmover would take 2 months for 50% chance. The lower case 1bitmover is 58 times less likely. ⁽²⁾

[d5000]

An idea to get rid of this attack, or to make it harder, would be to create an alternative address representation format. i.e. alternatives to the normal Base58 and bech32 representations. Wallet software could show both, or offer the opportunity to show them as alternatives.

I wonder if this has already been discussed somewhere?

The challenge is that the new format needs to make it difficult to create addresses which look similar in both formats. The simplest way to do this would be something like splitting the address or the public key hash into parts and recombine it.

On the other hand this could give people a false sense of security if the attacker achieves that both representations look similar ...

-snip-

Could become a sort of simple rule of thumb: for valious transfers, use legacy (base58) addresses with many uppercase characters at the start so they become more difficult to poison.

[notocactus]

Could become a sort of simple rule of thumb: for valious transfers, use legacy (base58) addresses with many uppercase characters at the start so they become more difficult to poison.

Your idea sounds great for OPSEC to proactively avoid Address poisoning attacks, but if I am only a normal Bitcoin user, not a programmer, I just think it's hard for me to intentionally create such addresses.

If I completely depend on the wallet software for address creation, I will have chance of getting such addresses, or not, or I will have to trigger the wallet software giving me many different addresses until one that is usable for me.

Legacy addresses, Nested Segwit addresses are case-sensitve.
Native Segwit addresses (bech32) are not case-sensitive.

[RockBell]

the hacker is really patient to wait for the target to make a mistake ... but sometimes a bad thing happens when a person is too careless and does not pay attention to his destination address and just send it without doing a thorough check on his destination address. and therefore, it is always important to check the destination address, and avoid copying the address in the history transaction. author recommendations to use the label/contact feature on the wallet can also be used to help sender store their important addresses and avoid them to copy the address from the same place repeatedly.

The hackers always are on search and they are always very observant of who there target is and they don't want to shot a short and it does not meet there target and a lot of have been happening in the crypto world. That they have sabotage the asset of people especially clicking on random links, because the moment you click on those link they will automatically have access to your wallet.

And when they have access and before anything should happen once there is a incoming transaction before the wallet does final confirmation the bot would have gotten a signal and the next thing might be to snip it, even before touch the walletbit will still take it. So this why a lot of things have to be avoided, and there are people that willing give out there seed phrase, because of there own greed. People need to follow every news so as to know things that can be easily avoided.

[OcTradism]

So this why a lot of things have to be avoided, and there are people that willing give out there seed phrase, because of there own greed. People need to follow every news so as to know things that can be easily avoided.

The Bitcoin address poisoning attacks are not related to seed phrase, but Bitcoin addresses that are posted publicly somewhere. Or attackers can find those addresses through block explorers.

Your post is about wallet mnemonic seed shared publicly that is a more stupid and dangerous action. If they shared their wallet seed like this, they lost that wallet and those bitcoins.

It's your private key (or wallet mnemonic seed), it's your bitcoin. By sharing your wallet mnemonic seed, you lose your bitcoin.

[joniboini]

People need to follow every news so as to know things that can be easily avoided.

I believe people who care about security will do that even if we don't tell them. There's little we can do to influence how seriously people take security unless we can spend a lot of money to do something like a mass marketing campaign. On top of that, people like to rely on something instead of verifying everything on their own because people generally want simplicity and dislike anything tedious. Even if you only make a transaction once a week, it can be tiresome to some people. CMIIW.

Anyway, one of my addresses still got attacked by a poisoning attack every now and then, even though I no longer have anything valuable on it. Either the scammers don't update their list, or they're betting on me reusing the address and making a mistake. Luckily, it isn't that difficult to notice them.