A crypto hacker, specialising in “address poisoning attacks,” has intensified efforts against Safe Wallet users, resulting in the theft of over $2 million in the past week alone. The total number of victims now stands at 21, as reported by the Web3 scam detection platform Scam Sniffer on December 3.
Despite the escalating threats and losses faced by Safe Wallet users, the platform has not issued any public statements on the matter as of press time. Scam Sniffer continues to monitor the situation and provides crucial insights into the evolving tactics employed by attackers, emphasising the ongoing challenges faced by cryptocurrency users in securing their digital assets.
Dune Analytics data, as compiled by Scam Sniffer, indicates that this attacker has successfully stolen at least $5 million from around 21 victims within the last four months. Notably, one victim, who held $10 million in crypto within a Safe Wallet, suffered a loss of $400,000 due to these attacks.
Address poisoning involves the creation of a fraudulent address closely resembling the one regularly used by the victim. The attacker initiates a small cryptocurrency transfer from the fake wallet to the target, contaminating the transaction history. Subsequently, the unwitting victim may copy the imposter’s address from their transaction records, inadvertently sending funds to the hacker’s wallet instead of the intended recipient.
Address poisoning is part of a broader trend of exploiting Ethereum’s ‘Create2’ Solidity function. Hackers leverage ‘Create2’ to pre-calculate contract addresses, allowing them to generate similar wallet addresses. This method has contributed to Wallet Drainers stealing approximately $60 million from nearly 100,000 victims over six months.
In a high-profile incident on November 30, Florence Finance, a real-world asset lending protocol, lost $1.45 million in USDC due to a similar address poisoning attack. The blockchain security firm PeckShield highlighted how the attacker exploited similarities in the addresses, both starting with “0xB087” and ending with “5870.”
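The look-alike pattern described above (a different address that shares its first and last characters with one the victim regularly uses) can be checked before an address is copied out of transaction history. The following is an added example, not code from Scam Sniffer, PeckShield or Safe; the addresses, the `edge` width of four hex characters and the history record layout are constructed for illustration.

```python
"""Flag look-alike sender addresses in a wallet's inbound transfer history."""

def norm(addr):
    """Lower-case a 20-byte hex address and drop the 0x prefix."""
    a = addr.strip().lower()
    a = a[2:] if a.startswith("0x") else a
    if len(a) != 40 or any(c not in "0123456789abcdef" for c in a):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return a

def lookalike_of(candidate, trusted, edge=4):
    """Return the trusted address that `candidate` imitates, else None.

    A look-alike is NOT in the trusted set but shares the first and last
    `edge` hex characters with a trusted address, which is all a person
    usually compares when an address is shown truncated.
    """
    c = norm(candidate)
    known = {norm(t): t for t in trusted}
    if c in known:                      # exact match: the genuine address
        return None
    for k, original in known.items():
        if c[:edge] == k[:edge] and c[-edge:] == k[-edge:]:
            return original
    return None

def scan_history(history, trusted, edge=4):
    """Return (record, imitated_address) for each look-alike sender."""
    hits = []
    for rec in history:
        imitated = lookalike_of(rec["from"], trusted, edge)
        if imitated is not None:
            hits.append((rec, imitated))
    return hits

# Constructed sample data: only the 0xB087...5870 shape comes from the article.
TRUSTED = "0xB087" + "1" * 32 + "5870"
POISON = "0xb087" + "2" * 32 + "5870"
UNRELATED = "0x" + "a" * 40
HISTORY = [
    {"from": TRUSTED, "value": 2500.0},
    {"from": POISON, "value": 0.0},     # dust transfer seeding the history
    {"from": UNRELATED, "value": 10.0},
]

if __name__ == "__main__":
    for rec, imitated in scan_history(HISTORY, [TRUSTED]):
        print(f"look-alike {rec['from']} imitates {imitated}")
```

The comparison is case-insensitive, so it does not rely on the mixed-case checksum form of an address; the trusted list should come from an address book maintained outside the transaction history.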