Scammers may commit address poisoning by sending meaningless transactions to your account from an wallet address that is very similar to the one you use.
In case you were unaware of this fact beforehand, your wallet consists of one or more accounts, each of which has its own unique address that was created cryptographically. These are lengthy hexadecimal numbers, which means that they include both numerical and (a few) alphabetical characters. This is because hexadecimal numbers employ both sets of characters. Because of this characteristic, they are incomprehensible to the vast majority of individuals and, more importantly, very difficult to recall.
Because of this, the vast majority of web3 software enables you to copy and paste addresses, rather of having to commit them to memory and type them out. As a result, you have probably grown to depend on this feature. This not only helps you save a lot of time, but it also eliminates the possibility of making any errors and guarantees that your money will be sent to the correct address at all times. You may copy your address with a single click or touch, which is one way in which it helps simplify the copy-and-paste process.
This inclination to copy-and-paste is what address poisoning speculatively takes use of as per experts.
How to do it:
You email a buddy a transaction that is completely ordinary, run-of-the-mill, and unremarkable.
The con artist takes note of the transaction because he or she is using software that tracks the transfer of certain tokens (often stablecoins). They produce an address that is quite similar to yours by using something called a “vanity” address generator, of which there are several available via a simple online search. Sometimes, it will be very similar to the address of your acquaintance.
Because they are so lengthy, addresses for cryptocurrency wallets are generally reduced. It’s possible that you’ll just see the first bunch of characters, but it’s also possible that you’ll only see the first 5–10 or so and the last 5–10 or so without seeing anything in the midst. The majority of individuals are able to identify addresses in this manner; they do not remember each individual character, but rather they are able to recall the beginning and the end of the address. This is the pattern that address poisoning capitalizes on to its advantage.
The con artist will then make a transaction with a trivial amount from another account to the fake one that they have made, which is designed to seem very similar to yours. In most cases, these transactions involve the transfer of zero tokens. They have ruined your finances by doing this to you.
Because their fake address looks so much like yours, there is a good chance that, the next time you require your address, you will mistakenly copy their address from your transaction history and paste it somewhere else. This is because their fake address looks so much like yours. It is only natural that if you inadvertently paste their address, you would transfer money to them rather than to yourself. And since on-chain transactions like as this one are irreversible, which means they cannot be changed after they have been validated, the monies that were lost will be permanently gone.
And that’s it: all they want is for you to copy the erroneous address from the transaction history in your wallet, which is the only thing they hope will happen.
What steps may I take to safeguard urself?
To begin, there is no way to prevent other individuals, even fraudsters, from making transactions to your address. You have no control over this. We are dealing with public blockchains, which means that anybody, located anywhere, is free to do anything they choose.
The one thing that we have control over, however, is whether or not we fall for the hoax by copying the URL. This is a hard one, and awareness is important: even individuals who believe themselves to be generally careful and double-check the beginning and/or finish of an address before they copy it may become victims here. This is because it is easy to make a mistake while copying an address.
The following is what we suggest you do:
Before sending anything, it is imperative that you verify and double-check the addresses. This should not need an explanation. Even though it is important for each transaction, you should double check the address especially carefully if the assets you are transferring have a significant financial or emotional impact on you. It is the only method to guarantee one’s total safety to check each and every character.
If you must copy addresses from your transaction history, do so with extreme caution and avoid doing so whenever possible. Both the transaction history stored in your wallet, such as MetaMask, and the history shown on the block explorer will be affected by this change. This piece of advice applies just as much to your own address as it does to the addresses of other people to whom you could be transferring money (for example, if you’re moving cash from a centralized exchange to your MetaMask and need to copy your MetaMask address).
Make use of a physical wallet. Before letting you to execute a transaction, most hardware wallets demand that you verify and validate the recipient address of each transaction you want to send. Even while it is possible for you to become a victim of this scam regardless of whether or not this feature is present, this alert may help you establish the habit of continuously scrutinizing each address that you use.
Include addresses that are used regularly in your address book. You can discover this in the MetaMask settings by going to the Contacts menu. If you have the address of a contact stored in this location, you can be sure that it is the correct one, and you won’t have to depend on copying and pasting each time that you need it.
Take into consideration the use of test transactions. Before proceeding with a bigger transaction, you may validate an address by first sending a small amount of money to it. This allows you to verify that the address is valid. Given that doing so necessitates the payment of gas taxes for two separate transactions, the desirability of doing so is highly dependent on the cost of gas at the time.
Information security specialist, currently working as risk infrastructure specialist & investigator.
15 years of experience in risk and control process, security audit support, business continuity design and support, workgroup management and information security standards.