
Blockchain Address Poisoning (2501.16681v3)

Published 28 Jan 2025 in cs.CR

Abstract: In many blockchains, e.g., Ethereum, Binance Smart Chain (BSC), the primary representation used for wallet addresses is a hardly memorable 40-digit hexadecimal string. As a result, users often select addresses from their recent transaction history, which enables blockchain address poisoning. The adversary first generates lookalike addresses similar to one with which the victim has previously interacted, and then engages with the victim to "poison" their transaction history. The goal is to have the victim mistakenly send tokens to the lookalike address, as opposed to the intended recipient. Compared to contemporary studies, this paper provides four notable contributions. First, we develop a detection system and perform measurements over two years on both Ethereum and BSC. We identify 13 times more attack attempts than reported previously -- totaling 270M on-chain attacks targeting 17M victims. 6,633 incidents have caused at least 83.8M USD in losses, which makes blockchain address poisoning one of the largest cryptocurrency phishing schemes observed in the wild. Second, we analyze a few large attack entities using improved clustering techniques, and model attacker profitability and competition. Third, we reveal attack strategies -- targeted populations, success conditions (address similarity, timing), and cross-chain attacks. Fourth, we mathematically define and simulate the lookalike address generation process across various software- and hardware-based implementations, and identify a large-scale attacker group that appears to use GPUs. We also discuss defensive countermeasures.

Summary

  • The paper identifies the explosive scale of blockchain address poisoning with 270 million attack attempts impacting 17 million users and causing over $83.8 million in losses.
  • The paper characterizes key phishing techniques such as tiny transfers, zero-value transfers, and counterfeit token transfers that poison transaction histories.
  • The paper proposes multi-layered mitigation strategies, including protocol improvements and enhanced wallet interfaces, to counter these sophisticated attacks.

Overview of Blockchain Address Poisoning

The paper presents an extensive investigation into blockchain address poisoning, a form of phishing that exploits users’ tendencies to select wallet addresses from their transaction histories on account-based blockchains like Ethereum and Binance Smart Chain (BSC). The central objective of such attacks is to deceive users into sending tokens to addresses that visually resemble legitimate ones. The analysis carried out in the paper delineates the attack's scope, characterizes the attack vectors, and proposes mitigation strategies to counteract this increasingly prevalent threat.

Key Findings and Contributions

  1. Identification and Scale of Attacks: The researchers developed a detection system capable of identifying blockchain address poisoning attacks over a two-year period. Their results indicate an alarming scale, with 270 million on-chain attack attempts targeting 17 million victims, leading to substantial financial losses estimated at over $83.8 million. The sheer scale underscores the breadth of these attacks, positioning blockchain address poisoning as one of the most severe cryptocurrency phishing schemes observed.
  2. Characterization of Attack Techniques: The paper outlines the primary techniques employed in blockchain address poisoning: tiny transfers, zero-value transfers, and counterfeit token transfers. These methods are utilized to “poison” a victim’s transaction history, increasing the likelihood of a victim inadvertently sending funds to an attacker’s address. A thorough analysis reveals that attackers often target users with higher balances or those frequently engaged in transactions, indicating a preference for more lucrative targets.
  3. Attack Profitability and Group Dynamics: By clustering attack instances, the paper identifies several large attack groups that employ varied strategies to maximize their success. Despite high variability in attack outcomes, substantial profit margins are evident among large groups, suggesting well-organized operations. Notably, the computational prowess required to generate convincing lookalike addresses indicates that sophisticated groups likely employ advanced resources, such as GPUs, reflecting a professional level of operation.
  4. Simulations and Hardware Capabilities: The research explores the computational aspects of lookalike address generation, providing insights into the hardware capabilities attackers might possess. Through simulations, the paper estimates the resources needed to generate addresses with specific prefix and suffix matches, underscoring the computational effort this kind of fraud requires.
  5. Proposed Mitigations: To counter address poisoning, the authors suggest interventions at various levels. Protocol-level mitigations might include mapping human-readable names to complex addresses, while contract-level changes could enforce stricter controls on zero-value transactions. Improvements in wallet design and user interfaces could also help users discern phishing attempts by enhancing address clarity and transaction transparency.
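
A wallet-side check in the spirit of items 2 and 5, as an added example that is not code from the paper or its detection system: it walks one account's transfer history and flags zero-value, tiny and counterfeit-token entries whose counterparty imitates an address the owner has genuinely dealt with. The `Transfer` record (amounts in the token's smallest unit), the `shown` and `dust` thresholds, and all addresses are assumptions constructed for illustration.

```python
from collections import namedtuple

Transfer = namedtuple("Transfer", "sender recipient token amount")

def _norm(addr):
    return addr.lower().removeprefix("0x")

def match_lengths(a, b):
    """Count of leading and of trailing hex digits two addresses share."""
    a, b = _norm(a), _norm(b)
    def run(x, y):
        return next((i for i, (p, q) in enumerate(zip(x, y)) if p != q), len(x))
    return run(a, b), run(a[::-1], b[::-1])

def flag_poisoning(owner, history, trusted_tokens, shown=4, dust=10_000):
    """Return (index, suspect, imitated, reason) for each poisoning-style entry."""
    # Assumed: the UI shows `shown` digits per end; one `dust` limit for all tokens.
    owner, known, alerts = _norm(owner), set(), []
    trusted = {_norm(t) for t in trusted_tokens}
    for i, t in enumerate(history):
        sender, recipient = _norm(t.sender), _norm(t.recipient)
        other = recipient if sender == owner else sender
        if _norm(t.token) not in trusted:
            reason = "counterfeit-token"
        elif t.amount == 0:
            reason = "zero-value"
        elif sender != owner and t.amount <= dust:
            reason = "tiny-transfer"
        else:
            known.add(other)  # ordinary transfer: a genuine counterparty
            continue
        twin = next((k for k in known if min(match_lengths(k, other)) >= shown), None)
        if twin and other not in known:
            alerts.append((i, "0x" + other, "0x" + twin, reason))
    return alerts

# Constructed sample data (not real addresses or tokens).
OWNER, STRANGER = "0x" + "a1" * 20, "0x" + "9f" * 20
TOKEN, FAKE = "0x" + "77" * 20, "0x" + "66" * 20
FRIEND = "0x1234" + "ab" * 16 + "cdef"
LOOKALIKE = "0x1234" + "00" * 16 + "cdef"
HISTORY = [
    Transfer(OWNER, FRIEND, TOKEN, 5_000_000),     # genuine payment
    Transfer(OWNER, LOOKALIKE, TOKEN, 0),          # zero-value transfer
    Transfer(LOOKALIKE, OWNER, TOKEN, 1),          # tiny transfer
    Transfer(OWNER, LOOKALIKE, FAKE, 5_000_000),   # counterfeit token
    Transfer(STRANGER, OWNER, TOKEN, 0),           # odd, but imitates nobody
]
ALERTS = flag_poisoning(OWNER, HISTORY, {TOKEN})
print(ALERTS)
```

A wallet could hide or label the flagged entries and show the full address, rather than a truncated one, whenever the user picks a recipient from history.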

Implications and Future Directions

The findings of this paper have profound implications for both security practitioners and blockchain users. The comprehensive nature of the analysis not only highlights critical weaknesses in current blockchain systems but also provides a blueprint for addressing these vulnerabilities. Practically, the research suggests that similar detection frameworks can be extended to other blockchains displaying similar vulnerabilities.

From a theoretical perspective, this research contributes to our understanding of phishing mechanics in decentralized environments, distinguishing blockchain-specific threats from traditional phishing attacks.

Moving forward, this work paves the way for further research into refining detection algorithms and integrating robust security measures at both the user interface and protocol levels. The ongoing evolution in blockchain ecosystems necessitates that future efforts also focus on adaptive and proactive defenses against increasingly sophisticated malicious practices.
