A new wallet address fraud that targets careless copy pasters is becoming rampant, according to MetaMask. In a series of tweets yesterday, the MetaMask team took steps to warn unsuspecting users of a growing type of scam called “address poisoning.”
Scammers take the first and last four alphanumeric characters of a wallet address and use them to create a new fake address. A $0 transaction is then sent from the newly created fake address to replace the matching stored address in your transaction history. Address poisoning targets crypto users who blindly copy and paste addresses from their transaction history without a much-needed extra cross-check.
The security update, however, was greeted with displeasure by a section of the crypto community that believes the world’s largest crypto wallet provider may have acted too slowly in bringing it to public notice. A Twitter user, Tuzun (0xTuzun), who had posted a public warning about the incident as far back as December 2nd, 2022, gave further insight into the nature of the attack and the scope of wallets affected.
According to Tuzun, over 340,000 addresses have been poisoned since December 2022, fleecing the unsuspecting owners of nearly 95 wallets of approximately $1.6 million. The analysis puts the total cost of the attacks at a little over $25,000, signalling a profit margin above 6,000%.
Exploitation of BSC and ETH addresses dates back to the 22nd and 27th of November 2022, respectively, with a broad range of attackers emanating from regions in the Asian time zone, according to Tuzun’s findings.
Tuzun used the on-chain monitoring platform Xplore to track down some suspected culprits, and further recommended that MetaMask upgrade its UI features so that users can identify wallet addresses in transaction history by colour markers. Users were also advised to double-check the alphanumeric composition of wallet addresses beyond the first four digits before transferring funds.
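The look-alike pattern and the full-address cross-check described above can be automated. The following is an added example, not code from MetaMask, Tuzun or this article; it assumes ETH/BSC-style addresses (`0x` plus 40 hex characters), and every function name, address and transaction in it is constructed for illustration.

```python
import re

ADDRESS_RE = re.compile(r"0x[0-9a-f]{40}")

def normalize(addr):
    """Lower-case an address (checksummed forms are mixed-case) and validate its shape."""
    a = addr.strip().lower()
    if not ADDRESS_RE.fullmatch(a):
        raise ValueError(f"not a 0x-prefixed 20-byte hex address: {addr!r}")
    return a

def looks_alike(candidate, trusted, n=4):
    """True when the first and last n hex characters match but the addresses differ."""
    c, t = normalize(candidate)[2:], normalize(trusted)[2:]
    return c != t and c[:n] == t[:n] and c[-n:] == t[-n:]

def find_poisoned(history, trusted_addresses, n=4):
    """Return (tx hash, look-alike sender, impersonated address) for each suspicious entry.

    Any look-alike sender is flagged, whatever the transfer value.
    """
    hits = []
    for tx in history:
        for trusted in trusted_addresses:
            if looks_alike(tx["from"], trusted, n):
                hits.append((tx["hash"], tx["from"], trusted))
    return hits

def safe_to_paste(pasted, trusted_addresses):
    """Compare the whole address, not just its ends, against the saved address book."""
    return normalize(pasted) in {normalize(t) for t in trusted_addresses}

# Constructed sample data: none of these addresses or hashes are real.
TRUSTED = "0x1a2b" + "c3d4e5f6" * 4 + "9f0e"
FAKE = "0x1a2b" + "0123abcd" * 4 + "9f0e"   # same first/last four, different middle
UNRELATED = "0x" + "7e" * 20
HISTORY = [
    {"hash": "tx-1", "from": TRUSTED, "value": 5},
    {"hash": "tx-2", "from": FAKE, "value": 0},   # the $0 poisoning transfer
    {"hash": "tx-3", "from": UNRELATED, "value": 0},
]

if __name__ == "__main__":
    for tx_hash, sender, target in find_poisoned(HISTORY, [TRUSTED]):
        print(f"{tx_hash}: {sender} imitates {target}")
    print("paste FAKE ok?", safe_to_paste(FAKE, [TRUSTED]))
```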
The poison address scam adds to the growing list of scams in the crypto industry that resulted in a collective loss of over $3.5 billion last year.
Last May, MetaMask signed a partnership with Asset Reality, a SaaS tool for crypto asset recovery, aimed at helping victims of crypto scams recover their stolen assets. Eight months later, it is unclear how much asset recovery progress both companies have made. MetaMask has yet to respond to the affected users or to any feasible compensation plans for losses incurred.