On the evening of May 3, Beijing time, a cryptocurrency whale suffered a significant loss after mistakenly transferring 1,155 Bitcoin to a phishing wallet due to address poisoning. This resulted in a loss of approximately $71 million.
Address poisoning is a common scam tactic where scammers send a small amount of digital assets to a potential victim’s address, using a wallet address that closely resembles the potential victim’s real wallet address. As such, they make the fraudulent wallet part of the victim’s wallet’s transaction history, hoping that they will accidentally copy that address and send funds to it, effectively sending those funds directly to the scammer’s wallet. This is possible because often, cryptocurrency users only check the first and last couple of digits of a wallet address when making a transfer, as those are often some of the only digits visible on popular blockchain explorers like Etherscan.
If you’re wondering whether attacks like these are common – the answer is yes. Research by Tay Vano (Twitter) shows that this attack was done by a sophisticated group of scammers that stole about $500k - $1m/month from approx. 20 different victims since at least March 2023, before stealing the $71M as one of their biggest attacks to date.
Additional research by Dr. Martin Hiesboeck (Twitter) further confirms the group of hackers was well-prepared, used an automated script, and had access to significant computational power due to the GPUs required to do the calculations to generate the fraudulent address almost instantly.
In other words, the attacks used to steal crypto funds are getting more sophisticated, and so should your security measures.
There are simple security measures that you can put in place to make financial loss less likely, such as:
(1) Add wallet addresses you use often to an address book and give them names.
(2) Always double-check wallet addresses entirely before signing a transaction.
(3) Always perform test transfers using an insignificant amount of money.
(4) Split large transfers into multiple transactions.
But if you truly want to rule out the possibility of loss due to human error - which, when managing a large amount of assets, and especially when it’s OPM (other people’s money) is a must - you should be using security tools that automatically reject suspicious transactions.
We built DeFi Armor - used by funds like Delphi and Spartan - for exactly that purpose. DeFi Armor is a co-signer on top of your existing custody solution that performs a deep simulation on each transaction. Both co-signer and custody signatures are required for transactions to pass.
The co-signer stores an additional private key and rejects transactions automatically if they do not pass the security engine (i.e. assets to non-whitelisted addresses, addresses that have been flagged for suspicious activity). That means that you won’t even be able to sign a potentially malicious transaction - DeFi Armor rejects it before you even receive the notification to sign, taking away the possibility for human error.
In other words, using DeFi Armor solves the risk of losing assets due to wallet address poisoning.
What’s unique about DeFi Armor is that it also allows firms to separate trading keys and administrative keys, adding an additional layer of security, virtually removing the risk of fund loss due to private key compromise. We’ve explained that more in-depth in this case study on the $160M Wintermute hack.
If you want to get a free demo of DeFi Armor, schedule a call with our team here.
Stay safe.