Address poisoning attacker agrees to negotiate by sending $153K ETH to victim



The address poisoning attacker who tricked a user into sending them $68 million in Wrapped Bitcoin (WBTC) pretended to return $153,000 worth of Ether (ETH) to the victim. In the same transaction, the attacker agreed to negotiate and asked for a Telegram username where the victim could be contacted. The money sent back represents only 0.225 percent of the money that was allegedly stolen.

Blockchain data shows that on May 5, the victim of the attack, whose account ends in 8fD5, sent three messages to an account ending in dA6D. The recipient of the messages had received funds from an attacker account labeled “FakePhishing327990” on Etherscan via multiple intermediate accounts. This suggests that dA6D may be controlled by the attacker.

The messages suggest that the victim is willing to give the attacker 10% of the funds as a reward and to forgo prosecution if the attacker returns the other 90%. The victim said:

“We both know there's no way we're going to clear this money. You are wanted. We also both understand that the phrase ‘sleep well’ is not about your moral and ethical qualities. However, we will officially manage your 10% entitlement. Send 90% back. Either way, you have 24 hours before 10am UTC, 6 May 2024 to make a life-changing decision.”

On May 9 at 11:37 AM UTC, another account ending in 72F1 responded by sending 51 Ether (ETH) (worth $153,000 at today's prices) to the victim. 72F1 had received funds from FakePhishing327990 through multiple intermediate accounts, indicating that it was under the attacker's control.


In the transaction that sent 51 ETH, the attacker posted a message saying “Please send your telegram and I will contact you”. Then at 11:43 AM they tried to correct their earlier message by posting a further one saying “Please leave your telegram and I will contact you”.

In response, the victim posted a Telegram username where they could be contacted.

Address poisoning victim negotiates with the attacker. Source: Etherscan

The negotiation follows an “address poisoning” transaction in which the attacker tricked the victim into mistakenly sending 1,155 Wrapped Bitcoin (WBTC) (worth $68 million at the time) to their account.

Blockchain data shows that on May 3 at 9:17 PM, the attacker used a smart contract to transfer 0.05 tokens from the victim's account to the attacker's account. The transferred token did not have a name listed on Etherscan and was simply called “ERC-20”. Under normal circumstances, an attacker cannot transfer a token from another user without their permission. But in this case, the token had a custom design that allowed it to be transferred from an account without the user's permission.

On the same day at 10:31 AM, the victim mistakenly sent 1,155 WBTC to this address. The address may have appeared to be the same as the one the victim used to deposit funds into a centralized exchange or for some other purpose.

The victim may also have thought that they had sent 0.05 tokens to this address before and that it was therefore safe. However, the 0.05 tokens were sent by the attacker and only appeared to come from the victim.

Security experts call it an “address poisoning attack” when an attacker tries to confuse victims by sending them transactions that appear to come from them but actually come from the attacker. To avoid costly mistakes from such attacks, experts recommend that users carefully check the addresses in transactions before confirming them.
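The address check recommended above can be automated before a transfer is signed. The following is an added example, not code from the article: it compares a destination against a saved address book using the full address, and flags one that shares only its leading or trailing characters with a saved entry. It assumes addresses are often displayed truncated to their first and last few characters; the function name, the labels and all sample addresses are constructed for illustration.

```python
from __future__ import annotations

HEX = set("0123456789abcdef")

def _norm(addr: str) -> str:
    """Lower-case a 0x-prefixed 20-byte hex address; reject malformed input."""
    a = addr.strip().lower()
    if len(a) != 42 or not a.startswith("0x") or not set(a[2:]) <= HEX:
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return a

def check_destination(dest: str, trusted: dict[str, str], k: int = 4):
    """Classify dest against an address book (hypothetical helper).

    ("trusted", label)   -> all 40 hex characters equal a saved address
    ("lookalike", label) -> first or last k hex characters equal a saved
                            address, but the full address differs
    ("unknown", None)    -> no resemblance to any saved address
    """
    d = _norm(dest)
    book = {_norm(a): label for a, label in trusted.items()}
    if d in book:
        return "trusted", book[d]
    for addr, label in book.items():
        same_head = d[2:2 + k] == addr[2:2 + k]
        same_tail = d[-k:] == addr[-k:]
        if same_head or same_tail:
            return "lookalike", label
    return "unknown", None

# Constructed sample data: none of these are real accounts.
DEPOSIT = "0xd9a1" + "b0" * 16 + "53a6"    # address the user saved
POISONED = "0xd9a1" + "c7" * 16 + "53a6"   # same ends, different middle
STRANGER = "0x" + "11" * 20
BOOK = {DEPOSIT: "exchange deposit"}

if __name__ == "__main__":
    for candidate in (DEPOSIT, POISONED, STRANGER):
        verdict, label = check_destination(candidate, BOOK)
        print(candidate, verdict, label)
```

A "lookalike" verdict is the case to block: the destination resembles a saved address when truncated but is a different account.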
