A wallet lost 1,155 Wrapped Bitcoin (WBTC), worth over $71 million, due to a sophisticated phishing attack known as 'address poisoning'.
The incident occurred approximately six hours ago when the victim created a new address as “0xd9A1b0B1e1aE382DbDc898Ea68012FfcB2853a91” and transferred 0.05 Ether (ETH) to this new address. In a cunning move, the fraudster created an address with the same initials and ending letters and transferred 0 ETH to the victim, causing the transfer to appear in the transaction history.
Many wallets hide the middle part of the address with “…” for a cleaner user interface. When the victim wanted to transfer his WBTC to his new address, he accidentally copied the scammer's address with the same starting and ending letters. As a result, they transferred 1,155 WBTC worth $71 million directly to the fraudster.
Address poisoning is a type of attack where the hacker creates a wallet address similar to the victim's through spoofed address services or address mining and spams the victim with a large number of transactions. If the victim accidentally copies the hacker's fake address, they will accidentally transfer their funds to the hacker instead of their own wallet.
Changpeng Zhao, former CEO of Binance, explained that such attacks can be deceptively effective. “Scammers are now so good at generating addresses with the same starting and ending letters that most people only check this when transferring cryptocurrency,” Zhao wrote in a social media post following a similar security incident in August 2023.
*This is not investment advice.