Phishing Scam Costs Wallet $71 Million in Bitcoin Loss
A wallet recently lost 1,155 Wrapped Bitcoin (WBTC), valued at over $71 million, in a sophisticated phishing scam called 'address poisoning'.
The victim generated a new address, “0xd9A1b0B1e1aE382DbDc898Ea68012FfcB2853a91,” and transferred 0.05 Ethereum (ETH) to it. The scammer, using a similar address with matching leading and trailing characters, sent 0 ETH to the victim, creating a transaction history that appeared legitimate.
Our system has detected a transfer of 1,155 WBTC (~$69.3m) to an address linked to address poisoning
EOA 0xd9A1 mimicked a transfer of 0.05 ETH which led the victim to send the funds to the wrong address
Stolen funds are here https://t.co/m2xpJW0QIZ pic.twitter.com/PWFhEsEN2G
— CertiK Alert (@CertiKAlert) May 3, 2024
Many wallets obfuscate the middle of an address with “…” for simplicity. When the victim attempted to transfer their WBTC to the new address, they mistakenly copied the scammer’s address, resulting in the transfer of 1,155 WBTC worth $71 million directly to the fraudster.
Address poisoning involves creating a wallet address resembling the victim’s through spoofed address services or address mining and inundating the victim with numerous transactions. If the victim copies the hacker’s fake address by mistake, their funds are transferred to the hacker’s wallet instead of their own.
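A check a wallet or monitoring tool could run against this pattern, shown as an added example that is not part of the original article: it compares full addresses and flags any sender whose elided display form matches a trusted address. The look-alike address, the transaction entries and the 4+4 character display width are constructed assumptions; only the trusted address is taken from the article.

```python
HEX = set("0123456789abcdef")
TRUSTED = "0xd9A1b0B1e1aE382DbDc898Ea68012FfcB2853a91"  # address quoted in the article
LOOKALIKE = "0xd9a1" + "00" * 16 + "3a91"                # constructed, not a real address
UNRELATED = "0x" + "11" * 20                             # constructed

def normalize(addr):
    """Lower-case and validate a 20-byte hex address (checksum casing is ignored)."""
    a = addr.strip().lower()
    if len(a) != 42 or not a.startswith("0x") or not set(a[2:]) <= HEX:
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return a

def truncated(addr, head=4, tail=4):
    """Form shown by a UI that elides the middle (4+4 width is an assumption)."""
    a = normalize(addr)
    return f"{a[:2 + head]}…{a[-tail:]}"

def lookalike_of(candidate, trusted, head=4, tail=4):
    """Return the trusted address that candidate imitates, or None."""
    c = normalize(candidate)
    for t in map(normalize, trusted):
        # Same elided form but different full address: the poisoning signature.
        if c != t and truncated(c, head, tail) == truncated(t, head, tail):
            return t
    return None

def flag_history(history, trusted):
    """List incoming transfers sent from look-alikes of trusted addresses."""
    findings = []
    for tx in history:
        hit = lookalike_of(tx["from"], trusted)
        if hit:
            findings.append({"hash": tx["hash"], "from": normalize(tx["from"]),
                             "imitates": hit, "zero_value": tx["value_wei"] == 0})
    return findings

# Constructed history: one ordinary transfer and one zero-value poisoning transfer.
HISTORY = [
    {"hash": "tx-1 (placeholder)", "from": UNRELATED, "value_wei": 10**18},
    {"hash": "tx-2 (placeholder)", "from": LOOKALIKE, "value_wei": 0},
]

if __name__ == "__main__":
    for f in flag_history(HISTORY, [TRUSTED]):
        print(f"{f['hash']}: {f['from']} imitates {f['imitates']} "
              f"(zero value: {f['zero_value']})")
```

Running the same comparison on a destination address before signing a transfer catches the mistake at the point where the victim copied the wrong entry from history.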
Changpeng Zhao, former CEO of Binance, emphasized the effectiveness of such attacks. “Scammers can craft addresses with matching starting and ending letters so convincingly that most people only verify these when sending cryptocurrency,” Zhao noted in a social media post following a similar security incident in August 2023.