Blockchain Address Poisoning: Unveiling the Largest Cryptocurrency Phishing Scheme

Introduction: The Rise of Blockchain Address Poisoning

Blockchain technology, particularly in popular cryptocurrencies like Ethereum and Binance Smart Chain (BSC), offers decentralized and transparent transactions. However, its reliance on hexadecimal wallet addresses—long, hard-to-remember strings—introduces a unique vulnerability: blockchain address poisoning. In this attack, adversaries generate lookalike addresses similar to those that a victim frequently interacts with, and flood the victim's transaction history with these fraudulent addresses. The victim may mistakenly send tokens to the attacker’s lookalike address, believing it to be the intended recipient. This form of attack is particularly dangerous because, unlike traditional bank transactions, blockchain transfers are irreversible, making fund recovery extremely difficult. By measuring real-world attack attempts over two years, we present significant findings and propose methods to mitigate this growing threat.

The Challenge: Why Address Poisoning is So Effective

The simplicity of blockchain address generation—based on public cryptographic keys—makes it difficult for users to remember their wallet addresses. As a result, many people select addresses from their transaction history, which opens the door for address poisoning. This attack takes advantage of human error, relying on users' tendency to select familiar, yet subtly altered, wallet addresses from their past transactions.

In contrast to phishing schemes that target users' private credentials through fake websites or emails, address poisoning focuses solely on confusing the user by exploiting similar-looking addresses. The attack is not a multi-stage operation but a single, catastrophic mistake on the user’s part—sending tokens to the wrong address. This direct approach, along with the difficulty of tracing and recovering funds, makes blockchain address poisoning one of the largest and most damaging phishing schemes in the cryptocurrency world.

Methodology: Measuring the Impact of Address Poisoning

To better understand the scale and impact of blockchain address poisoning, we developed a detection system and ran measurements on Ethereum and BSC between July 2022 and June 2024. Our system captured over 270 million attack attempts, 13 times more than previous studies. These attacks targeted over 17 million victims, with 6,633 successful transfers resulting in over 83.8 million USD in losses.

We further analyzed attack groups using advanced clustering techniques, which allowed us to model attacker profitability and competition. Our measurements reveal that attackers optimize their operations by bundling transfers into single transactions, reusing addresses, and leveraging smart contracts. Notably, some attackers used GPUs to generate lookalike addresses significantly faster than those using CPUs.

Attack Strategies: Who is Targeted and How

This analysis uncovered several key patterns in attacker behavior. First, the victims of address poisoning attacks were more likely to have had larger balances at the time of the attack and to have engaged in more frequent transactions. This suggests that attackers target more active users, who might be less cautious when selecting an address from their history.

Additionally, attack success was higher when the lookalike address was very similar to the victim’s usual addresses, both in address format and in timing. Attackers tend to focus on mimicking the start and end of the address, taking advantage of the fact that users often look only at the first few and last few characters when selecting a recipient.

The research paper also found that lookalike addresses can be cross-chain: attackers can reuse the same addresses across Ethereum and BSC, capitalizing on the compatibility of wallet addresses between these chains. This cross-chain strategy highlights the need for a more comprehensive approach to address poisoning detection that spans multiple blockchain ecosystems.

Simulation and Findings: How Attackers Generate Lookalike Addresses

In simulations, we implemented address-generation scripts to better understand how attackers create lookalike addresses. We ran these scripts both with and without optimizations, using different CPUs and GPUs. Our benchmarks revealed that one sophisticated attack group was likely using GPUs for efficient lookalike address generation, while others relied on CPUs, which were significantly slower.

This discovery suggests that, while address poisoning is accessible to a wide range of attackers with varying levels of resources, there is an opportunity for even more powerful attacks if attackers were to optimize their strategies further. This finding also highlights the potential for future attacks to become even more prevalent and dangerous as adversaries adopt increasingly sophisticated methods.

Defensive Countermeasures: Mitigating Blockchain Address Poisoning

In response to the growing threat of address poisoning, we propose several defensive countermeasures at the protocol, contract, wallet, and user interface levels:

  • Protocol-Level Mitigation: Blockchain protocols could implement a checksum or additional verification step when users select an address from their transaction history. This could help prevent the accidental selection of lookalike addresses.

  • Contract-Level Mitigation: Smart contracts could introduce safeguards that flag unusually similar addresses, alerting users if they are about to send funds to a suspicious address.

  • Wallet-Level Mitigation: Wallet software could include a feature that warns users when they are sending tokens to an address that closely resembles one they have interacted with in the past.

  • User Interface Improvements: Wallet interfaces could be designed to show more of the address, reducing the likelihood of users mistaking a lookalike address for a legitimate one. Additionally, implementing more robust warnings and verifications would help reduce human error.
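As an added illustration of the wallet-level warning proposed above and of the prefix/suffix matching described under attack strategies (example code, not the paper's detection system), assume a wallet keeps a local transaction history and that users inspect roughly the first and last four hex characters of an address; the four-character window and the sample addresses are constructed.

```python
from dataclasses import dataclass

# Assumption (not from the paper): users compare about the first and last
# four hex characters of an address, so that is the "visible window".
VISIBLE_PREFIX, VISIBLE_SUFFIX = 4, 4

@dataclass
class Tx:
    direction: str     # "out" = owner sent, "in" = owner received
    counterparty: str  # the other party's address
    value: int         # amount in smallest token unit (0 = dust/poison tx)

def normalize(addr: str) -> str:
    """Lower-case 40-hex-char form without 0x; rejects malformed input."""
    a = addr.lower()
    if a.startswith("0x"):
        a = a[2:]
    if len(a) != 40 or any(c not in "0123456789abcdef" for c in a):
        raise ValueError(f"not a 40-hex-char address: {addr}")
    return a

def visible_match(a: str, b: str) -> bool:
    """True when two normalized addresses agree on the characters users see."""
    return (a[:VISIBLE_PREFIX] == b[:VISIBLE_PREFIX]
            and a[-VISIBLE_SUFFIX:] == b[-VISIBLE_SUFFIX:])

def trusted_counterparties(history) -> set:
    """Payees the owner sent value to; incoming zero-value transfers never count."""
    return {normalize(t.counterparty) for t in history
            if t.direction == "out" and t.value > 0}

def check_recipient(recipient: str, history):
    """("ok", []) for a known payee; ("warn", lookalikes) when the recipient
    merely resembles a trusted address; ("new", []) otherwise."""
    r = normalize(recipient)
    trusted = trusted_counterparties(history)
    if r in trusted:
        return "ok", []
    lookalikes = sorted(t for t in trusted if visible_match(r, t))
    return ("warn", lookalikes) if lookalikes else ("new", [])

# Constructed sample history: genuine payee, poisoned lookalike sharing its
# first/last four characters, and an unrelated sender.
LEGIT = "0x1234" + "a" * 32 + "ff99"
POISON = "0x1234" + "b" * 32 + "ff99"
OTHER = "0x" + "c" * 40
HISTORY = [
    Tx("out", LEGIT, 1_000_000),  # payment the owner actually chose
    Tx("in", POISON, 0),          # zero-value transfer injected by attacker
    Tx("in", OTHER, 500),
]
```

A wallet would call `check_recipient` before signing and block or prominently warn on a "warn" result; the poisoned address is never promoted to trusted because it only ever appears as an incoming zero-value transfer.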

Conclusion: A Growing Threat That Needs Immediate Attention

Blockchain address poisoning has emerged as one of the most significant threats to cryptocurrency users. With millions of attack attempts targeting millions of victims, the scale of the issue is enormous. Our study underscores the need for enhanced detection systems, better user interfaces, and robust security protocols to address the risks posed by address poisoning.

While attackers continue to optimize their strategies, we believe that implementing the proposed defensive measures can help mitigate the impact of these attacks. As blockchain technology continues to evolve, so too must our strategies for defending against sophisticated phishing schemes like address poisoning.

What’s Next?

How do you think blockchain protocols can evolve to address the growing threat of address poisoning? Could new wallet designs or user interfaces play a significant role in reducing this risk, or is there a need for deeper protocol-level changes? Let's explore these questions further!
