Cybersecurity researchers have published fascinating new details of communication-free theft affecting bitcoin (BTC) savers.
Purposefully targeting hard-working laborers who dollar cost average (DCA) into BTC with regular purchases, a new attack steals coins without even establishing contact with the victim.
Jameson Lopp blogged notes for his MIT Bitcoin Club Expo speech about this tactic, which he calls an “address poisoning attack.” A form of spoofing, the exploit takes advantage of how wallet interfaces display addresses and of the way users copy and paste them by default.
Here’s a step-by-step guide to how the attack works.
The bitcoin address poisoning attack
First, the attacker identifies someone who is regularly sending BTC to the exact same hardware wallet address for a consistent period of time — usually weeks or months. These might be DCA BTC savers, BTC merchants, or other users who reuse addresses consistently.
Next, the attacker utilizes a vanity address creator to create a fake wallet that has identical leading and trailing characters to the victim’s frequently-used wallet.
Then, the attacker sends a tiny amount of BTC (“dust”) to the victim from the vanity address, so that the look-alike address now appears in the victim’s transaction history.
The victim later opens their own wallet software and copies what looks like their usual address from the most recent entry in their transaction history, which is now the attacker’s dust transaction.
It’s at this point that the theft occurs. If the victim pastes the spoofed vanity address and checks only a few leading and trailing characters and then sends their BTC, they have just sent money to the thief.
In summary, the attack tricks users into sending BTC to the hacker’s vanity address that shares the same leading and trailing characters as the victim’s otherwise authentic wallet.
Dusting to lure BTC victims
Lopp credited Mononaut with first flagging this attack. Mononaut described it as an “address poisoning dust attack” because the attacker sends a small amount of BTC or “dust” to an address in order to execute it.
Lopp simply removed the word “dust” from his naming convention for simplicity.
The attack is elegant in that the attacker never needs to communicate with the victim. Instead, the hacker simply researches prime targets who regularly re-use addresses, dusts their wallet with a vanity address, and then waits for the victim to copy-and-paste from their transaction history.
This tactic is especially difficult for an average user to detect because the spoofed addresses match many characters of an otherwise legitimate address.
This fools users who look at little more than the beginning and end of the address as displayed in their wallet’s transaction history, which are precisely the characters the spoof reproduces.
Sadly, vanity address generators can mass-produce cheap spoof addresses for this type of attack. Already, victims have fallen for the spoof and voluntarily sent funds to fake wallets.
Less than $1 per poisoning attack
Of course, the attack is not entirely free. The dusting process is the most expensive part because it requires an on-chain transaction and at least some amount of BTC.
Mononaut estimated that one attacker was spending about 60 cents per dust, which definitely adds up across the 1,400 remaining potential victims.
For BTC users interested in protecting themselves from this type of attack, Lopp and Mononaut recommend several practices.
First, users should verify the entire address, character-for-character.
Second, users should avoid reusing addresses. For privacy and security reasons, it’s always best practice to generate a new receiving address for every BTC transaction.
Third, they shouldn’t copy an address from their transaction history and trust it for a new transaction. Instead, they should independently check every character for each new transaction.
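The following is an added example, written for this page and not code from Protos, Lopp or Mononaut, showing the wallet-side checks that correspond to the attack steps above and to the recommended practices: a scan of the transaction history for counterparties that share leading and trailing characters with the wallet’s own addresses (the signature of a poisoning dust payment), and a character-for-character comparison of a pasted destination against the intended address. All addresses and history rows are constructed sample data that mimic the bech32 shape; they are not valid checksummed addresses. The function names, the `Payment` record and the prefix/suffix lengths are assumptions of this example.

```python
from dataclasses import dataclass

# Constructed sample addresses (bech32-shaped, not valid checksummed addresses).
# The spoof shares the first 8 and last 5 characters of the wallet's own address.
OWN_ADDRESS = "bc1qa7n3k5xw0p2zt9fcd4lgv6e8mqrhs3yjk5wlp8"
SPOOF_ADDRESS = "bc1qa7n3zzq4rlt8vy6mc2xw9hd3snpk7fgt05wlp8"
EXCHANGE_ADDRESS = "bc1qm4ktu29dx8f0sa7ycz5hqvr3ljw6e2p0gn8vtq"


@dataclass(frozen=True)
class Payment:
    """One row of a wallet's transaction history (constructed sample data)."""
    txid: str
    counterparty: str  # the other address in the transaction
    sats: int
    incoming: bool


# Constructed history: two regular DCA purchases arriving from an exchange,
# followed by a 546-sat dust payment arriving from the look-alike address.
SAMPLE_HISTORY = [
    Payment("dca-w1", EXCHANGE_ADDRESS, 250_000, True),
    Payment("dca-w2", EXCHANGE_ADDRESS, 250_000, True),
    Payment("dust01", SPOOF_ADDRESS, 546, True),
]


def shares_edges(a: str, b: str, prefix_len: int = 8, suffix_len: int = 5) -> bool:
    """True when two *different* addresses agree on their first prefix_len and
    last suffix_len characters: exactly the property a vanity generator is
    asked to produce, and exactly what a truncated display lets a user compare."""
    if a == b:
        return False
    return a[:prefix_len] == b[:prefix_len] and a[-suffix_len:] == b[-suffix_len:]


def find_poisoned_entries(history, own_addresses, prefix_len=8, suffix_len=5):
    """Return (txid, counterparty, own_address) for every history row whose
    counterparty looks like one of the wallet's own addresses but is not one.
    A wallet can use this to warn before the user copies from that row."""
    flagged = []
    for row in history:
        if row.counterparty in own_addresses:
            continue
        for own in own_addresses:
            if shares_edges(row.counterparty, own, prefix_len, suffix_len):
                flagged.append((row.txid, row.counterparty, own))
                break
    return flagged


def verify_destination(pasted: str, expected: str):
    """Character-for-character comparison of a pasted destination against the
    address the user intends to pay. Returns (ok, first_mismatch_index) so a
    UI can highlight where the strings diverge rather than only saying 'no'."""
    if pasted == expected:
        return True, -1
    for i, (x, y) in enumerate(zip(pasted, expected)):
        if x != y:
            return False, i
    return False, min(len(pasted), len(expected))


if __name__ == "__main__":
    for txid, bad, own in find_poisoned_entries(SAMPLE_HISTORY, {OWN_ADDRESS}):
        print(f"{txid}: {bad} resembles your address {own}")
    ok, idx = verify_destination(SPOOF_ADDRESS, OWN_ADDRESS)
    print("pasted address matches intended address:", ok, "first mismatch at", idx)
```

The prefix length matters: every P2WPKH address begins with `bc1q`, so a prefix check shorter than that shared prefix would flag nearly everything, which is why the example compares eight leading characters. The comparison is deliberately exact and not fuzzy, since the whole point of the recommended practice is that only a full character-for-character match counts.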
The post Your BTC can be swiped by spoofers without them even contacting you appeared first on Protos.