Users tricked into giving away $60 million of Ethereum
The cryptocurrency platform was recently hacked to steal millions from users all over the world. Almost 100,000 users around the globe have reportedly been tricked into giving away $60 million in Ethereum.
Users Tricked Into Giving Away Ethereum
Hackers have reportedly been abusing a feature of the Ethereum blockchain to trick victims into sending money.
In the last six months, the threat actors were reportedly able to trick almost 100,000 people into giving away a total of $60 million, according to a new report from Scam Sniffer.
According to the report, the hackers made use of a function known as Create2. This function is an opcode that lets users predict the address of a contract before it is deployed on the Ethereum network. In other words, hackers can effectively create temporary addresses for each individual transaction, addresses that closely resemble the ones to which the victims intended to send the funds. The scheme is dubbed “address poisoning”.
How the Threat Actors Acted
Before sending any funds, many users do two things. First, they double-check the recipient's address to make sure that they are sending the money to the right place. Second, they send a small transaction first to make sure that everything works before sending the remaining funds. However, as the addresses are long strings of seemingly random characters, many users cross-check only the first and last couple of characters instead of comparing the entire strings.
By creating an address that is different in just a couple of characters, the attackers can trick people into thinking that the address is valid before they send the funds. That, however, still leaves the second failsafe, which is the test transaction. Criminals work around this simply by forwarding the test transaction to the actual address.
The lookalike addresses don’t belong directly to a wallet controlled by the attackers. Each is instead a smart contract that then reportedly transfers the funds to the final destination. The researchers stated that they observed multiple cases of fraud leveraging Create2, with one victim losing up to $1.6 million.
What Users Are Advised To Do To Keep Safe
Users are advised to check the entire address thoroughly before sending the funds, and not just the first and last characters.
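One way to automate that full-address comparison, as an added example that is not part of the original article or the Scam Sniffer report: it compares a recipient against a trusted address book and flags any address that agrees with a trusted entry at both ends without being identical. The addresses, the address-book label, the function names and the `edge` threshold are constructed for illustration.

```python
import re

ADDRESS_RE = re.compile(r"0x[0-9a-fA-F]{40}")

# Constructed sample values, not real accounts.
TRUSTED = "0xa1b2" + "11" * 16 + "c3d4"
LOOKALIKE = "0xa1b2" + "11" * 7 + "ee" + "11" * 8 + "c3d4"  # 2 characters differ
ADDRESS_BOOK = {"exchange-deposit": TRUSTED}


def normalise(address):
    """Validate a 20-byte hex address; return its 40 hex digits in lowercase."""
    address = address.strip()
    if not ADDRESS_RE.fullmatch(address):
        raise ValueError("not a 0x-prefixed 40-hex-digit address: %r" % address)
    # Comparison is case-insensitive; mixed-case checksums are not verified here.
    return address[2:].lower()


def shared_edges(a, b):
    """Count how many leading and how many trailing characters a and b share."""
    lead = 0
    while lead < len(a) and a[lead] == b[lead]:
        lead += 1
    trail = 0
    while trail < len(a) and a[-1 - trail] == b[-1 - trail]:
        trail += 1
    return lead, trail


def check_recipient(candidate, address_book, edge=4):
    """Classify candidate against trusted addresses.

    Returns ("match", label), ("lookalike", label) or ("unknown", None).
    """
    cand = normalise(candidate)
    suspect = None
    for label, trusted in address_book.items():
        known = normalise(trusted)
        if cand == known:
            return ("match", label)  # every one of the 40 digits agrees
        lead, trail = shared_edges(cand, known)
        if lead >= edge and trail >= edge:
            suspect = label  # same ends, different middle: do not send
    return ("lookalike", suspect) if suspect else ("unknown", None)


if __name__ == "__main__":
    for addr in (TRUSTED, LOOKALIKE, "0x" + "9f" * 20):
        print(addr, check_recipient(addr, ADDRESS_BOOK))
```

A "lookalike" verdict is the case the article describes: the ends a user would glance at agree with a known recipient, but the full string does not.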