A cryptocurrency trader lost $50 million in Tether’s USDT after falling victim to a sophisticated “address poisoning” attack.
On December 20, blockchain security firm Scam Sniffer reported that the attack began after the victim sent a small $50 test transaction to his own address.
How The Address Poisoning Scheme Unfolded
Notably, traders use this standard precaution to confirm that they are sending funds to the correct address.
However, that activity alerted an automated script controlled by the attacker, which immediately generated a “spoofed” wallet address.
The fake address is designed to match the intended recipient’s address at the beginning and end of the alphanumeric string. The differences appear only in the middle characters, making the fraud difficult to detect at a glance.
The attacker then sent a negligible amount of cryptocurrency from the spoofed address to the victim’s wallet.
That transaction effectively placed the fraudulent address into the victim’s recent transaction history, where many wallet interfaces display only truncated address details.
Relying on that visual shorthand, the victim copied the address from their transaction history without checking the full string. So, instead of transferring funds to a secure personal wallet, the trader sent 49,999,950 USDT directly to the attacker.
After receiving the funds, the attacker quickly moved to limit the risk of asset seizure, according to on-chain data. The attacker immediately swapped the stolen USDT, which its issuer can freeze, for the DAI stablecoin using MetaMask Swap.
Attacker Moves to Obscure Transaction Trail. Source: SlowMist
The attacker then converted the funds into roughly 16,680 ETH.
To further obscure the transaction trail, the attacker deposited the ETH into Tornado Cash. The decentralized mixing service is designed to sever the visible link between sending and receiving addresses.
Victim Offers $1 Million Bounty
In an attempt to recover the assets, the victim sent an on-chain message offering a $1 million white-hat bounty in return for 98% of the stolen funds.
“We have officially filed a criminal case. With the assistance of law enforcement, cybersecurity agencies, and multiple blockchain protocols, we have already gathered substantial and actionable intelligence regarding your activities,” the message said.
The message warned that the victim would pursue “relentless” legal action if the attacker did not comply within 48 hours.
“If you fail to comply: We will escalate the matter through legal and international law enforcement channels. Your identity will be uncovered and shared with the appropriate authorities. We will relentlessly pursue criminal and civil action until full justice is served. This is not a request. You are being given one final chance to avoid irreversible consequences,” the victim said.
The incident underscores a persistent vulnerability in how digital wallets display transaction information and how attackers exploit user behavior rather than flaws in blockchain code.
Security analysts have repeatedly warned that wallet providers’ practice of abbreviating long address strings for usability and design reasons creates a persistent risk.
If this problem is not solved, attackers are likely to continue exploiting users’ tendency to verify only the first and last few characters of an address.
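A wallet-side check for the lookalike pattern described above, added here as an example and not taken from the article or from any wallet's code. The function names, the four-character window and both sample addresses are constructed assumptions.

```python
def _norm(addr: str) -> str:
    """Lowercase and drop the 0x prefix so checksum casing does not matter."""
    a = addr.strip().lower()
    return a[2:] if a.startswith("0x") else a

def truncated(addr: str, n: int = 4) -> str:
    """Shortened form of the kind many wallet history views display."""
    a = _norm(addr)
    return f"0x{a[:n]}...{a[-n:]}"

def shared_edges(a: str, b: str) -> tuple[int, int]:
    """Count matching leading and trailing hex characters of two addresses."""
    a, b = _norm(a), _norm(b)
    prefix = 0
    for x, y in zip(a, b):
        if x != y:
            break
        prefix += 1
    suffix = 0
    for x, y in zip(reversed(a), reversed(b)):
        if x != y:
            break
        suffix += 1
    return prefix, suffix

def find_lookalikes(candidate, trusted, min_prefix=4, min_suffix=4):
    """Return (trusted_addr, prefix, suffix) for every trusted address the
    candidate imitates at both ends without being identical to it."""
    hits = []
    for t in trusted:
        if _norm(t) == _norm(candidate):
            return []  # exact match with a known address: nothing to flag
        p, s = shared_edges(candidate, t)
        if p >= min_prefix and s >= min_suffix:
            hits.append((t, p, s))
    return hits

# Constructed sample data: same first and last four characters, different middle.
TRUSTED = "0xA1b2C3d4E5f6071829304B5c6D7e8F9012345678"
SPOOFED = "0xa1b20f9e8d7c6b5a49382716aabbccddeeff5678"

if __name__ == "__main__":
    print(truncated(TRUSTED), truncated(SPOOFED))  # identical when shortened
    for addr, p, s in find_lookalikes(SPOOFED, [TRUSTED]):
        print(f"WARNING: resembles {addr} ({p} leading, {s} trailing chars match)")
```

Running the check against the address book whenever a new counterparty appears in history, and again before signing a transfer, catches the case where the shortened display of two different addresses is identical.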
