New Tactics and Trends in Transfer Phishing Attacks: $8 Million Stolen
This article is jointly published by X-explore and WuBlockchain.
Ⅰ. Introduction
The zero-value transfer phishing attack, which has been running for nearly half a year, has recently been upgraded. On-chain monitoring shows that it has evolved into small-value transfer phishing and fake-token transfer phishing. The new variants alone have already netted up to $8 million; combined with the losses in our previous report on zero-value transfer phishing (Address Poisoning Attack, A Continuing Threat), total on-chain losses have reached $32 million.
We urge users to triple-check the recipient address before every transaction. Wallet app and block explorer teams should promptly improve their products' security features.
In addition, X-explore can provide real-time address labels for this attack.
Ⅱ. (Old) Overview of Zero-Value Transfer Phishing Attacks
Since November 2022, a new phishing method has been active on-chain. Attackers generate addresses that resemble the intended recipients of users' normal transactions and then push large numbers of zero-value token transfers involving those lookalike addresses into users' transaction histories, profiting whenever a user later copies the wrong address.
This type of attack has the following characteristics:
- The attack is covert and pervasive. Attackers generate vanity addresses whose leading and trailing characters match a legitimate address; because block explorers and wallets elide the middle of an address, such a lookalike differs from the real one in at most a character or two of what is displayed, or in nothing visible at all. In addition, mainstream ERC-20 implementations let transferFrom() succeed for an amount of zero even when the caller holds no allowance, so anyone can emit a Transfer event naming an arbitrary sender, which means a fake transfer can be inserted into anyone's transaction list.
- The cost is low and the return is high. Gas for zero-value phishing on Ethereum alone is around 2,000 ETH (about $4M), while the funds captured by the scam total up to $21M.
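To make the second point concrete, the following is an added example written for this edit (it is not code from the article, from X-explore, or from any real token contract). It models the transferFrom() path that mainstream ERC-20 tokens implement: the only authorisation check is the spender's allowance, and an allowance of zero satisfies a transfer of zero, so any caller can emit a Transfer(victim, lookalike, 0) log that an explorer then lists under the victim's address. All addresses below are constructed placeholders, not real accounts.

```python
# Added example: toy model of the ERC-20 transferFrom() semantics that make
# zero-value address poisoning possible. Not the code of any real token.
from collections import defaultdict


class ToyERC20:
    def __init__(self):
        self.balance = defaultdict(int)
        self.allowance = defaultdict(int)   # (owner, spender) -> remaining allowance
        self.logs = []                      # emitted Transfer(from, to, value) events

    def transfer(self, caller, dst, value):
        """Ordinary transfer signed by the token holder."""
        if self.balance[caller] < value:
            raise ValueError("insufficient balance")
        self.balance[caller] -= value
        self.balance[dst] += value
        self.logs.append({"from": caller, "to": dst, "value": value})
        return True

    def transfer_from(self, caller, src, dst, value):
        """Mirrors the order of checks in USDT/USDC/OpenZeppelin-style tokens:
        allowance first, balance second, then move funds and emit the event.
        With value == 0 both checks pass for any caller and any src."""
        if self.allowance[(src, caller)] < value:
            raise PermissionError("insufficient allowance")
        if self.balance[src] < value:
            raise ValueError("insufficient balance")
        self.allowance[(src, caller)] -= value
        self.balance[src] -= value
        self.balance[dst] += value
        self.logs.append({"from": src, "to": dst, "value": value})
        return True

    def history(self, addr):
        """What an explorer's token-transfer tab shows for `addr`: every log
        naming it as sender or receiver, regardless of who sent the transaction."""
        return [e for e in self.logs if addr in (e["from"], e["to"])]


# Constructed placeholder addresses (40 hex chars each; not real accounts).
VICTIM = "0x" + "4b1c1e8f" * 5
PARTNER = "0xe153" + "a0b1c2d3" * 4 + "72e9"            # the address the victim really pays
LOOKALIKE = "0xe153" + "deadbeef" + "0" * 24 + "72e9"   # same first/last chars, attacker-controlled
ATTACKER = "0x" + "bad0" * 10


def poison(token, attacker, victim, lookalike):
    """Insert a Transfer(victim -> lookalike, 0) log with no allowance at all."""
    return token.transfer_from(attacker, victim, lookalike, 0)


def demo():
    token = ToyERC20()
    token.balance[VICTIM] = 50_000
    token.transfer(VICTIM, PARTNER, 50_000)        # the genuine payment the attacker observed
    poison(token, ATTACKER, VICTIM, LOOKALIKE)     # succeeds: allowance 0 >= value 0
    try:
        token.transfer_from(ATTACKER, VICTIM, LOOKALIKE, 1)   # any real amount is refused
        stole = True
    except PermissionError:
        stole = False
    return token.history(VICTIM), stole
```

Run `demo()`: the victim's history now holds two entries, the real payment and the attacker-injected zero-value transfer to the lookalike, while the same call with a non-zero amount is rejected. That is the whole trick: the event log, not the balance, is what the victim later copies from.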
Ⅲ. (Latest) Small-Value Transfer Phishing Attacks
1. Introduction to the Principle
The attacker monitors a normal token transfer, divides the original amount by a factor of tens of thousands to hundreds of thousands, and sends that small but real amount to the victim from a phishing (lookalike) wallet. Because the amount is non-zero, the transfer slips past defenses built for zero-value phishing, including Etherscan's zero-value transfer warning label, and the lookalike address gains credibility as a counterparty that has actually sent funds, so more victims are deceived.
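The following is an added example of the heuristics a wallet or explorer could run over an account's token-transfer history to catch this variant. It was written for this edit and is not X-explore's monitoring code. It goes slightly beyond this section: besides zero-value and small-value mirrors from lookalike addresses, it also flags a transfer whose token contract is not the canonical one for its displayed symbol, which is the fake-token variant described later in this article. The history, the victim and the lookalike addresses are constructed; the two canonical contract addresses are the real Ethereum mainnet USDT and USDC contracts.

```python
# Added example: address-poisoning heuristics over a constructed transfer history.
# Not X-explore's code. Sample addresses other than CANONICAL are placeholders.
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    token: str      # token contract address
    symbol: str     # symbol as the explorer renders it (attacker-chosen for fake tokens)
    sender: str
    receiver: str
    amount: float   # human units, i.e. already divided by the token's decimals


# Canonical Ethereum mainnet contracts for the two stablecoins the article names.
CANONICAL = {
    "USDT": "0xdac17f958d2ee523a2206206994597c13d831ec7",
    "USDC": "0xa0b86991c6218b36c1d19d4a2e9eb0ce3606eb48",
}


def abbreviate(addr: str, head: int = 6, tail: int = 4) -> str:
    """Reproduce an explorer's truncated rendering, e.g. 0xe153...72e9."""
    a = addr.lower()
    return f"{a[:head]}...{a[-tail:]}"


def is_lookalike(a: str, b: str) -> bool:
    """Different addresses that collapse to the same truncated display."""
    return a.lower() != b.lower() and abbreviate(a) == abbreviate(b)


def find_poisoning(wallet, history, canonical=CANONICAL, ratio_floor=10_000):
    """Return (display, full_address, reason) for every suspicious counterparty."""
    wallet = wallet.lower()
    # Trusted counterparties: receivers of non-zero outbound transfers of a genuine
    # token contract. Only transactions the wallet itself signed can produce these.
    trusted = {}
    for t in history:
        if (t.sender.lower() == wallet and t.amount > 0
                and canonical.get(t.symbol) == t.token.lower()):
            rcv = t.receiver.lower()
            trusted[rcv] = max(t.amount, trusted.get(rcv, 0.0))
    findings = []
    for t in history:
        other = (t.receiver if t.sender.lower() == wallet else t.sender).lower()
        if other in trusted:
            continue
        twins = [k for k in trusted if is_lookalike(k, other)]
        if not twins:
            continue
        if t.amount == 0:
            reason = "zero-value transfer"
        elif canonical.get(t.symbol) != t.token.lower():
            reason = "fake token contract"
        elif max(trusted[k] for k in twins) / t.amount >= ratio_floor:
            reason = "small-value mirror"
        else:
            reason = "unverified lookalike"
        findings.append((abbreviate(other), other, reason))
    return findings


# Constructed sample history for one victim wallet.
VICTIM = "0x" + "4b1c1e8f" * 5
PARTNER = "0xe153" + "a0b1c2d3" * 4 + "72e9"            # genuine counterparty
LOOKALIKE = "0xe153" + "deadbeef" + "0" * 24 + "72e9"   # attacker's vanity address
FAKE_USDT = "0xfa1e" + "0" * 32 + "0bad"                # attacker-deployed token named "USDT"
SAMPLE_HISTORY = [
    Transfer(CANONICAL["USDT"], "USDT", VICTIM, PARTNER, 50_000.0),  # real payment
    Transfer(CANONICAL["USDT"], "USDT", VICTIM, LOOKALIKE, 0.0),     # zero-value poisoning
    Transfer(CANONICAL["USDT"], "USDT", LOOKALIKE, VICTIM, 0.5),     # 50,000 / 100,000, real USDT
    Transfer(FAKE_USDT, "USDT", VICTIM, LOOKALIKE, 50_000.0),        # fake token, same amount
]
```

`find_poisoning(VICTIM, SAMPLE_HISTORY)` flags the lookalike three times, once per technique, while the genuine counterparty is never reported. The ratio floor of 10,000 matches the "tens of thousands" reduction this section describes; a wallet could lower it at the cost of more noise.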
2. Attack Situation
The small-value transfer phishing attack was first observed on February 19, 2023 and continued until March 26, with a total of 250,000 phishing transfers inserted into users' transaction lists. Currently there is only one small-value transfer phishing attacker active on the Ethereum network.
The attacker made 30,000 contract calls for the attacks, spending 404 ETH (about $727k) on gas and roughly $40k on the small-value tokens themselves; USDT accounted for 71% of the phishing tokens by cost.
A total of 73,000 addresses were poisoned, and 23 unfortunate users transferred funds to a wrong address, losing $1.2 million in total. Of the stolen funds, USDC and USDT accounted for 51% and 49% respectively.
3. Attack Tracing
The attacker's direct source of funds is other phishing addresses. Tracing back to the earliest address, the funds originate from FixedFloat. The attacker's primary address is User1:0xe153605BA5bDAa492246603982AbfCcb297c72e9, and two other frequently used addresses are associated with it: User2:0x0a153cd1b0f36447e4d541e08fabd45f7a302817 and User3:0x5b8544e1e7958715ededa0e843561ebbf0c728a8. The attacker's addresses are also linked to deposit addresses at Binance, Coinbase, KuCoin, and Kraken, which could be investigated further through those exchanges' KYC records.
The attacker's funds flow in three main directions:
- Funding other attacks, for example gas for zero-value transfer phishing.
- Keeping the funds at the current address, or staking them to earn yield.
- Laundering. For example, the attacker bridged 130 ETH to Avalanche, moved it through multiple hops, bridged it back to Ethereum, converted it to USDT, and deposited it into MEXC for withdrawal. The MEXC user deposit address is 0xDa818c1174105a49C8B3Fe43a96039024244df6B.
Ⅳ. (Latest) Fake Token Transfer Phishing Attacks
1. Introduction to the Principle
After monitoring a token transfer, the attacker deploys a fake token with the same name as the real one and emits a transfer record for the same quantity involving the user. In the explorer's truncated display the phishing wallet and the original counterparty show exactly the same characters; the only difference is the letter case of one or two characters in the EIP-55 checksummed form.
2. Attack Situation
The fake-token transfer attack has been ongoing since March 18, 2023 and is expected to persist as a long-term phishing technique, much like zero-value token transfer phishing.
In the 19 days since March 18, the fake-token poisoning attack has spent 158 ETH on gas, completed 423,000 address poisonings, and hit a cumulative 102,000 distinct addresses.
In those 19 days, 27 victims suffered losses totaling $6.75 million, of which 60% was USDT and 40% USDC.
The worst-hit victim mistakenly sent a total of $4 million worth of USDC in two consecutive transactions (address: 0x02f35f520e12c9383f8e014fbe03ad73524be95d).
3. Attack Tracing
Both the source and the destination of the attacker's funds involve Tornado Cash. From the address 0x6AA7BA04DD9F3a09a02941901af10d12C8D1C245 alone, 1,500 ETH has flowed into Tornado Cash.
Ⅴ. Conclusion
- This article provides data visualization and continuous tracking of the two upgraded forms of transfer phishing, revealing the latest trends and techniques in on-chain phishing.
- These attacks have sharply degraded the user experience on Etherscan: it now takes several seconds to tell a real transaction from a fake one, and the large volume of fake records clutters on-chain data, making real and fake hard to distinguish.
- We urge all on-chain users to stop copying addresses out of on-chain transaction history and not to rely on the detection and warning features of block explorers and wallets. Attackers stay ahead of every defense, and the addresses they construct are always hard to defend against. We recommend that users obtain addresses through an offline channel, confirm them again before transacting, and maintain their own address books.
Dune Dashboard: https://dune.com/opang/zero-value-token-transfer-phishing-scam
The x-explore platform is capable of providing real-time monitoring of phishing attacks on the blockchain. We welcome all blockchain browsers and wallet teams to consult with us.
For more, please follow x-explore.
Mirror: https://mirror.xyz/x-explore.eth
Twitter: https://twitter.com/x_explore_eth
Disclaimer: All content in this article represents the author's views only and is unrelated to this platform. Users should not rely on this article for investment decisions.