Address poisoning attacker sends $153K ETH to victim and agrees to negotiate.
The address poisoning attacker, who allegedly tricked a user into sending him $68 million worth of Wrapped Bitcoin (WBTC), has sent $153,000 worth of Ether (ETH) back to the victim in an apparent show of good faith. In the same transaction, the attacker attached a message asking the victim for a Telegram username so that negotiations could begin. The amount returned represents only 0.225% of the funds believed to have been stolen.
According to blockchain data, on May 5 the victim, whose account ends in 8fD5, sent three messages to an account ending in dA6D. That account had received funds, via several intermediate accounts, from the attack address labeled “FakePhishing327990” on Etherscan, which indicates that dA6D was likely controlled by the attacker.
The messages offered the attacker 10% of the funds as a bounty and promised not to pursue prosecution if the remaining 90% was returned. The victim wrote:
“We both know there is no way we can organize these funds. You are tracked. We both understand that the phrase ‘good night’ is not about your moral and ethical qualities. Nonetheless, we officially manage your rights to 10%. Send 90% back. In any case, you have 24 hours until 10:00 AM UTC on May 6, 2024 to make a decision that will change your life.”
At 11:37 AM UTC on May 9, another account, ending in 72F1, responded by sending the victim 51 ETH (about $153,000 at the time of writing). 72F1 had also received funds from FakePhishing327990 through several intermediate accounts, indicating that it too was under the attacker’s control.
In the transaction carrying the 51 ETH, the attacker attached the message “Leave a telegram and we will contact you.” At 11:43 AM UTC he reposted it with corrected punctuation: “Please leave a telegram and we will contact you(.).”
In response, the victim posted a Telegram username where he could be contacted.
The negotiation followed the attack itself: the victim had been tricked into sending 1,155 WBTC (worth $68 million at the time) to an attacker-controlled address, by means of what is known as an “address poisoning” transaction.
According to blockchain data, on May 3 at 9:17 AM UTC the attacker used a smart contract to record a transfer of 0.05 tokens from the victim’s account to the attacker’s address. The token had no name on Etherscan and was listed simply as “ERC-20”. A standard ERC-20 token cannot be moved out of an account without the owner’s signature or a prior allowance; this token’s contract was custom-written so that its transfer logic skips those checks and emits a Transfer event naming the victim as the sender. As a result, the transfer appears in the victim’s transaction history even though the victim never signed anything.
At around 10:31 AM UTC that day, the victim mistakenly sent 1,155 WBTC to that attacker address. Such addresses are chosen to resemble one the victim already uses, for example a deposit address at a centralized exchange. Because wallets and block explorers typically display only the first and last few characters of an address, a look-alike that matches at both ends is easy to mistake for the real one.
The victim may also have seen the earlier 0.05-token transfer to this address in their history and assumed it was an address they had used before. In fact, that transfer was initiated by the attacker, not by the victim.
Transactions that are made to look as though they came from the victim, or from a counterparty the victim trusts, but actually originate from the attacker, are what security researchers call “address poisoning attacks.” Experts recommend verifying the full recipient address against a trusted record, not just its first and last characters, and never copying a destination out of the transaction history, before confirming a transfer.
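The two markers described above, a transfer that abbreviates like a trusted address but is not one, and an “outgoing” transfer in a token contract the owner never signed a transaction with, can be checked mechanically over a wallet’s token-transfer history. The following is an added example, not code from the article or from any wallet or explorer; every address, token contract and transfer in it is constructed to mirror the sequence the article describes, and the 4-character prefix/suffix abbreviation it assumes is a common wallet display convention, not a fact taken from the page.

```python
"""Address-poisoning detector over a wallet's token-transfer history.

Added example (not from the article): addresses, token contracts and
transfers below are constructed placeholders, not real on-chain data.
"""
from dataclasses import dataclass

# Wallets and explorers commonly abbreviate an address to "0x" + 4 leading hex
# digits, an ellipsis, and 4 trailing hex digits (an assumption of this example).
# A poisoned look-alike is generated to match exactly those visible characters.
SHOWN_PREFIX = 6   # "0x" plus four hex digits
SHOWN_SUFFIX = 4


@dataclass(frozen=True)
class Transfer:
    tx_hash: str
    token: str      # token contract address, or "ETH" for native ether
    symbol: str     # label an explorer would show ("ERC-20" when the token is unnamed)
    sender: str
    recipient: str
    amount: float


def normalize(addr: str) -> str:
    """Lower-case a 20-byte hex address; reject anything that is not one."""
    if not (addr.startswith("0x") and len(addr) == 42):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    int(addr[2:], 16)  # raises ValueError on non-hex characters
    return addr.lower()


def looks_alike(candidate: str, trusted: str,
                prefix: int = SHOWN_PREFIX, suffix: int = SHOWN_SUFFIX) -> bool:
    """True if candidate abbreviates the same way as trusted but is a different address."""
    c, t = normalize(candidate), normalize(trusted)
    return c != t and c[:prefix] == t[:prefix] and c[-suffix:] == t[-suffix:]


def find_poisoned_addresses(wallet, history, trusted_addresses, known_tokens):
    """Return {counterparty: [reasons]} for every suspicious counterparty in history.

    wallet:            the address whose history is being examined
    trusted_addresses: destinations the owner has verified out-of-band
    known_tokens:      token contracts the owner has actually signed transactions with.
                       A fake ERC-20 can emit a Transfer event naming the wallet as
                       sender without any signature, so an "outgoing" transfer in an
                       unknown token is a poisoning marker, not a real spend.
    """
    wallet = normalize(wallet)
    trusted = {normalize(a) for a in trusted_addresses}
    known = {t if t == "ETH" else normalize(t) for t in known_tokens}
    flagged = {}
    for tx in history:
        sender, recipient = normalize(tx.sender), normalize(tx.recipient)
        outgoing = sender == wallet
        counterparty = recipient if outgoing else sender
        if counterparty in trusted:
            continue
        reasons = [f"abbreviates like trusted {t}" for t in sorted(trusted)
                   if looks_alike(counterparty, t)]
        tok = tx.token if tx.token == "ETH" else normalize(tx.token)
        if outgoing and tok not in known:
            reasons.append(f"unsigned 'outgoing' {tx.amount} {tx.symbol} in unknown token {tok}")
        if reasons:
            flagged.setdefault(counterparty, []).extend(reasons)
    return flagged


def safe_to_send(destination, trusted_addresses, flagged):
    """Pre-signing check: exact full-address match against the trusted list, never against history."""
    d = normalize(destination)
    return d in {normalize(a) for a in trusted_addresses} and d not in flagged


# --- constructed sample data (placeholders, not real addresses) ---------------
WALLET     = "0x" + "11" * 20                                  # the victim's wallet
TRUSTED    = "0xd9a1c0ffee00c0ffee00c0ffee00c0ffee001b2c"      # exchange deposit address
LOOKALIKE  = "0xd9a1deadbeef00deadbeef00deadbeef00001b2c"      # same first/last 4 hex digits
WBTC_TOKEN = "0xb7c0" + "0" * 35 + "1"                         # stands in for the real WBTC contract
FAKE_TOKEN = "0xfa4e" + "0" * 35 + "1"                         # attacker's unnamed "ERC-20" contract
KNOWN_TOKENS = {WBTC_TOKEN, "ETH"}

SAMPLE_HISTORY = [
    Transfer("0x01", WBTC_TOKEN, "WBTC", WALLET, TRUSTED, 0.5),        # real deposit, signed by the owner
    Transfer("0x02", FAKE_TOKEN, "ERC-20", WALLET, LOOKALIKE, 0.05),   # poisoning event from the attacker's contract
    Transfer("0x03", WBTC_TOKEN, "WBTC", WALLET, LOOKALIKE, 1155.0),   # the mistaken send
]


def demo():
    return find_poisoned_addresses(WALLET, SAMPLE_HISTORY, [TRUSTED], KNOWN_TOKENS)


if __name__ == "__main__":
    flagged = demo()
    for addr, reasons in flagged.items():
        print(addr)
        for r in reasons:
            print("   -", r)
    print("send to LOOKALIKE ok?", safe_to_send(LOOKALIKE, [TRUSTED], flagged))
    print("send to TRUSTED ok?  ", safe_to_send(TRUSTED, [TRUSTED], flagged))
```

Run against the constructed history, the detector flags the look-alike twice on the abbreviation test (once for the 0.05-token poisoning event, once for the 1,155 WBTC send) and once more because the 0.05 transfer sits in a token contract the wallet never signed for; the trusted address is never flagged. The `safe_to_send` check is the operational point: the destination is compared in full against a list the owner verified out-of-band, so an address lifted from the transaction history can never pass just because it looks familiar.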