Wang Chun was also a victim: A $50 million USD sky-high "tuition fee". Why is address poisoning so successful?

Original Article Title: "50 Million USD Stolen Due to Failure to Double-Check Address"

Original Article Author: Eric, Foresight News

Yesterday morning Beijing time, a blockchain analyst named Specter discovered a case where nearly 50 million USDT was transferred to a hacker's address due to a lack of careful address verification.

According to the investigation conducted by the author, the address (0xcB80784ef74C98A89b6Ab8D96ebE890859600819) withdrew 50 USDT from Binance for a large withdrawal test at around 13:00 on the 19th Beijing time.

Approximately 10 hours later, the address withdrew 49,999,950 USDT in a single transaction from Binance, adding to the previous 50 USDT, totaling exactly 50 million.

Approximately 20 minutes later, the address that received the 50 million USDT first transferred 50 USDT to address 0xbaf4…95F8b5 for testing purposes.

In less than 15 minutes after the test transaction, the hacker address 0xbaff…08f8b5 transferred 0.005 USDT to the address holding the remaining 49,999,950 USDT. The hacker's address used for the transfer had a very similar beginning and ending compared to the address that received the 50 USDT, indicating a clear "address poisoning" attack.

10 minutes later, as the address starting with 0xcB80 attempted to transfer the remaining 40+ million USDT, possibly due to negligence, it mistakenly copied the previous transaction, i.e., the address used by the hacker for "poisoning," and directly sent nearly 50 million USDT to the hacker.

Upon receiving the 50 million USD, the hacker initiated money laundering activities just 30 minutes later. According to slowmist monitoring, the hacker first converted the USDT to DAI via MetaMask, then used all the DAI to purchase approximately 16,690 Ethereum, keeping 10 ETH and transferring the remaining Ethereum to Tornado Cash.

Around 16:00 (Beijing Time) yesterday, the victim called out to the hacker on-chain, stating that criminal charges had been officially filed. With the assistance of law enforcement agencies, cybersecurity organizations, and multiple blockchain protocols, a significant amount of credible intelligence regarding the hacker's activities has been collected. The victim stated that the hacker could keep $1 million and return the remaining 98% of the funds. If the hacker complies, no further action will be taken; however, if the hacker does not cooperate, they will be pursued through legal channels for criminal and civil liability, and the hacker's identity will be publicly disclosed. As of now, the hacker has not made any moves.

According to data compiled by the Arkham platform, this address has records of large transfers with Binance, Kraken, Coinhako, and Cobo addresses. While Binance, Kraken, and Cobo are well-known, Coinhako may be a relatively unfamiliar name. Coinhako is a Singaporean local cryptocurrency exchange platform established in 2014. In 2022, it obtained a Major Payment Institution license from the Monetary Authority of Singapore, making it a regulated exchange platform in Singapore.

Given that this address interacted with multiple exchanges and Cobo custody services and demonstrated the ability to swiftly contact various parties for tracking the hacker within 24 hours of the incident, the author speculates that this address likely belongs to an organization rather than an individual.

From "Oops" to a Costly Mistake

The only explanation for a successful "address poisoning" attack is "carelessness." Such attacks can be easily avoided by double-checking the address before a transaction, but evidently, the central figure in this incident skipped this crucial step.

Address poisoning attacks emerged in 2022, with the story originating from a "fancy address" generator, a tool that allows customization of the EVM address prefix. For example, the author could generate an address starting with 0xeric to make it more recognizable.

The hacker later discovered that due to a design flaw, this tool could brute force private keys, leading to several major fund theft incidents. However, the ability to generate addresses with customized prefixes and suffixes also sparked a sinister idea: by creating addresses similar to the beginning and end of a user's commonly used transfer address and transferring funds to another address used by the user, some individuals might mistakenly send their on-chain assets to the hacker's address, assuming it to be their own due to carelessness.

Historical on-chain data shows that the address starting with 0xcB80 was one of the key targets for address poisoning by the hacker before this attack, with the address poisoning attack commencing nearly 1 year ago. This attack method fundamentally relies on the hacker betting that one day you will fall for the trick due to laziness or inattention. Ironically, this blatantly obvious attack method has led to more and more "careless" individuals becoming victims.

In response to this incident, F2Pool co-founder Wang Chun expressed sympathy for the victims. He mentioned that last year, in order to test if his address had experienced a private key leak, he sent 500 Bitcoins to it, only to have 490 Bitcoins stolen by hackers. Although Wang Chun's experience is not directly related to address poisoning attacks, he likely wanted to convey that everyone has moments of oversight and shouldn't blame the victims for their carelessness, but rather should point the finger at the hackers.

A $50 million loss is not a small amount, but it is not the highest amount stolen in such attacks. In May 2024, an address fell victim to a similar attack where over $70 million worth of wrapped Bitcoin (WBTC) was sent to a hacker's address. However, the victim ultimately recovered almost all the funds through on-chain negotiation with the assistance of security firms Match Systems and the Cryptex trading platform. In this recent incident, the hacker quickly converted the stolen funds to Ethereum and transferred them to Tornado Cash, making the possibility of recovery uncertain.

Casa co-founder and Chief Security Officer Jameson Lopp warned in April that address poisoning attacks were rapidly spreading, with over 48,000 such incidents occurring on the Bitcoin network alone since 2023.

These attack methods, including fake Zoom meeting links on Telegram, are not sophisticated, but it is precisely this "simple" approach that can catch people off guard. For those of us in the dark forest, it's always better to be extra cautious.

Original Article Link