icon_install_ios_web icon_install_ios_web icon_install_android_web

Sicheres Investieren beginnt hier: Ein Leitfaden zum Erkennen von Betrug mit gefälschten Adressen bei On-Chain-Transaktionen

Analysevor 2 Monatenreleased 6086cf...
25 0

Hash of this article (SHA 1): 221158eb736fa9ed3c6fb54451647bd73ca362c7

No.: PandaLY Anti-Fraud Guide No.003

With the Federal Reserves announcement of a 50 basis point rate cut in September, a massive trading boom was triggered in the crypto market, and on-chain transaction data surged instantly. Amid the intense market volatility, investors rushed to adjust their assets. portfolio, trying to seize this opportunity to obtain higher returns. However, with this wave of transactions comes not only the opportunity to increase wealth, but also the security threats lurking in the dark. The PandaLY security team found that as the trading volume With the surge in prices, hackers are also secretly active, taking advantage of investors negligence in high-frequency trading, and the forged wallet address scam has seen explosive growth.

Among the security cases we have received recently, the proportion of fraud cases involving forged wallet addresses has increased dramatically. This type of scam carefully forges a fake address that is similar to the last few digits of the users real wallet address, inducing the user to accidentally transfer the wallet address to the users wallet address when transferring funds on the chain. The funds are transferred to the wallet controlled by the hacker. Since many users rely on memorizing the last few digits of the wallet address, or are accustomed to copying the address from historical transaction records for transfer, this gives hackers an opportunity to take advantage of it, resulting in a large amount of funds being lost without their knowledge. Into the hands of scammers.

Behind this phenomenon, in addition to the intense market volatility, there are several key factors. First, investors’ operating habits when transferring money on the chain make this type of scam extremely confusing, especially when the on-chain transaction data surges. In this case, users often lack the time and energy to carefully check. Secondly, these hackers’ technical means are becoming more and more sophisticated, and they can quickly generate fake addresses, and even accurately match the first or last digits of the user’s wallet address, further increasing the scam. The concealment of.

Therefore, in order to help investors transfer money safely and avoid scams in this wave of market enthusiasm, the PandaLY security team will analyze the operation mechanism of such scams in detail and reveal the technical principles behind them. A set of practical prevention Führungs to help you protect your digital assets from being harmed in high-frequency transactions.

1. Technical principles of forged wallet address fraud

Wallet address generation mechanism

Sicheres Investieren beginnt hier: Ein Leitfaden zum Erkennen von Betrug mit gefälschten Adressen bei On-Chain-Transaktionen

In blockchain transactions, the wallet address is the users identity, and each address is unique, which ensures the security and immutability of the transaction. However, generating a wallet address with specific characters is not as complicated as imagined. Taking the Ethereum network as an example, the characters of each wallet address are hexadecimal numbers (0-9 and AF), which means that if a hacker wants to generate a wallet address with the same last N characters, the probability of success is One in 16 raised to the power of N.

Although this probability seems extremely low, for hackers, with the help of scripts and computing power, they can easily generate these fake addresses through traversal. For example:

  • The probability of generating a 4-bit identical address is 1/65536, and it can be generated within a few seconds using ordinary computing equipment and scripts.

  • The probability of a 5-digit identical address is 1/1048576. Although the difficulty has increased, it can still be generated in a shorter time with appropriate scripts and higher-performance devices.

  • The probability of a 7-bit identical address is only 1/268435456. Hackers need more powerful computing power and longer traversal time, but it is technically not impossible.

According to recent statistics, the PandaLY security team analyzed some cases of forged addresses and found that most of the fake addresses generated by hackers are the same as the last 5 to 7 digits of the target address. These fake addresses are often generated through a simple traversal method. Hackers only need to In just a few hours or even days, a sufficient library of fake addresses can be generated from which targets can be selected for fraud.

Hacker’s fake wallet generation strategy

The hackers attack strategy is very targeted. They usually choose high-net-worth users as their targets, especially those who frequently transfer large amounts on the chain and frequently interact between multiple wallets. Once these users are targeted, Hackers will begin to deploy fake wallet addresses and continue to monitor the transaction behavior of these target users.

The hackers attack steps are roughly as follows:

1 Identify the target: Hackers will use on-chain data analysis tools to screen out accounts that frequently conduct large transactions, especially those users with multiple interactive addresses.

2 Generate fake addresses: Hackers use the traversal method to generate wallet addresses with the same last few digits as the target address. Usually, hackers will generate multiple fake addresses to ensure that they can cover the wallets commonly used by the target user.

3 On-chain monitoring: Hackers monitor the transaction dynamics of the target account in real time. When the target account transfers funds, the hacker will immediately use a fake address to transfer the same amount to forge similar transaction records.

4. Confusing users: When users make their next transfer, they often copy the wallet address from the historical transaction record. If users only rely on memory or simply check the last few digits of the address, they are likely to accidentally transfer funds to the hackers forged wallet. wallet.

This attack strategy is extremely deceptive, especially in the case of high-frequency transactions, when users are usually less aware of the risks and are more likely to be confused by fake addresses. Once funds are transferred to a fake wallet, it is extremely difficult to track and recover them. , which often brings irreversible losses to users.

2. Analysis of the Scam

According to the latest data from the PandaLY security team, with the surge in on-chain transaction volume, fake wallet address scams have occurred frequently in recent times, especially on high-transaction networks such as Ethereum and TRON. The number of victims increased by 45%, and most of them were high-frequency trading users. The fraud rate of such users was 35% higher than that of ordinary users. These victims often made multiple transfers in a short period of time and mistakenly transferred funds to Enter a fake address.

In these cases, about 60% of the forged addresses were identical to the last 5 to 6 digits of the target address, and even 25% of the forged addresses matched the last 7 digits of the target address. This high degree of matching is extremely deceptive, making Users can easily misjudge and mistakenly transfer funds to wallets controlled by hackers. Once funds are transferred to a fake address, it is extremely difficult to recover them. The current fund recovery rate for such cases is only 15%, which further highlights The importance of preventive measures.

Through in-depth analysis of typical cases, the PandaLY team found that hackers usually use on-chain monitoring tools to accurately capture the transaction timing of target users and forge seemingly identical transaction records to confuse users’ judgment. Users who make transactions often only check the last few digits of the wallet address in an emergency, thus falling into scams.

Scam implementation process

The core of the fake wallet address scam is that hackers use technical means to generate fake addresses with the same characters as the target address to confuse users. When users transfer funds on the chain, they usually rely on the wallet address quick copy function in the historical transaction records. This gives hackers an opportunity.

The specific process is as follows:

1. Hackers target users: Target users are usually those who frequently conduct large-value on-chain transactions.

2. Generate a fake address: The hacker traverses the script and generates a wallet address with the same last few digits as the target address.

3. Monitor transaction behavior: Hackers monitor the on-chain transactions of the target account in real time. When the user initiates a transaction, the hacker simultaneously initiates a transaction of the same amount to confuse the records.

4. User misoperation: When the user makes the next transfer, it is very likely that he will only check the last few digits of the wallet address, resulting in copying a forged address and mistakenly transferring funds to the hackers wallet.

Sicheres Investieren beginnt hier: Ein Leitfaden zum Erkennen von Betrug mit gefälschten Adressen bei On-Chain-Transaktionen

Address poisoning attack

In addition, since the object of the encrypted asset transfer is a string of address hashes, users generally use the address copy function provided by the wallet or browser to paste and input the transfer counterparty wallet address. Instead of the full addresses of both parties to the transaction, the first address is displayed with an ellipsis in the middle. If the phishing address is the same as the real counterpartys address, the victim may easily mistake the phishing address for the address they really want to interact with for the transaction.

When conducting an address poisoning attack, the attacker will monitor the transaction information of stablecoins (such as USDT, USDC) or other high-value tokens on the chain, and use tools such as a fancy number generator (such as Profanity 2) to quickly generate a number that matches the victim. Phishing addresses with the same first and last characters.

According to the different principles of launching attack transactions, address poisoning phishing can be divided into the following three categories:

  • Zero transfer phishing

The zero transfer attack exploits the transferFrom functions authorization limit judgment condition. When the number of tokens transferred is zero, the transaction can still be successfully carried out and the token transfer event log will be issued even if the senders authorization is not obtained. Blockchain browsing When the device and wallet monitor this event, the token transfer transaction will be displayed in the users transaction history.

The transfer initiator address is the victims own address, and the recipient address is a phishing address that is identical to the real recipient address[21]. If the victim is careless and directly copies the address of the historical transaction when transferring money next time, it is easy to make mistakes. Copy it to the phishing address prepared by the hacker, thereby transferring the funds to the wrong account.

For this most basic address poisoning attack, we only need to identify transactions with zero transferred tokens.

In order to bypass wallet and blockchain browser checks on zero-value transfers, small-amount transfer phishing and fake currency phishing have emerged.

  • Small transfer phishing

Small-value attacks are a variant of zero-value transfer phishing. Unlike counterfeit currency attacks, small-value attacks use real value tokens, which can bypass counterfeit currency checks, but the amount of tokens transferred is often less than $1, which is not real. The transaction is one millionth or even less. Sometimes, in order to make the phishing transaction look more similar to the real transaction history, the phishing attacker will carefully design the transfer amount and replace the thousand separator of the real transaction amount with a decimal point.

Phishing attackers use a counterfeit address with the same beginning and end to send fake coins with the above quantity characteristics to the target victim, so that the user mistakenly believes that the phishing address is the real transfer initiator address, and copies the address in subsequent transactions to transfer money to it.

  • Counterfeit currency phishing

When displaying the token transfer history, general blockchain browsers and wallets will use the value of the Symbol variable in the token contract as the currency name. The counterfeit currency attack takes advantage of the fact that the Symbol of the ERC-20 protocol token can be defined arbitrarily. , set the Symbol string of the fraud token contract to the same string as high-value tokens or stablecoins such as USDT/WETH/USDC, and use the same high-imitation address to send the same number of transactions as the real historical transaction to the target victim. Fake currency makes users mistakenly believe that the phishing address is the real transfer initiator address, and then copy the address in subsequent transactions to transfer money to it.

In addition, in order to save gas fees (especially on chains with expensive gas fees such as Ethereum), fraudsters performing address poisoning attacks generally deploy a phishing contract to transfer tokens to multiple victims in one transaction.

Why are users easily vulnerable?

When users frequently use on-chain browsers to search for transaction records, they often rely on the last few digits of the wallet address for quick confirmation, which becomes a major vulnerability exploited by hackers. Due to the requirements of transaction speed and frequency, users often ignore the complete verification of the address, especially When performing multiple similar transactions, it is easier to mistakenly transfer funds to a fake address generated by a hacker.

This type of fraud takes advantage of the simplified habits of users, and this seemingly efficient operation method is actually very risky. In order to prevent such risks, users should fully check the wallet address every time they make a transfer. Do not rely solely on the last few digits of the address for quick confirmation.

3. Measures to prevent fake wallet address scams

1. Don’t match wallet addresses based on memory alone

In blockchain transactions, users’ operating habits often create opportunities for hackers. Many people rely on memory to check the last few digits of a wallet address when they frequently use it. The first or last few digits of the address seem to be a convenient way to simplify transactions, especially when users are used to quick operations. However, this habit is extremely dangerous. Hackers take advantage of the laziness of users and generate A forged address with some characters similar to the target address is used to deceive users.

Moreover, hackers can even use technical means to generate pseudo addresses that are identical to the target address, thereby further increasing the confusion. Just checking the first or last few digits of the address is not enough to ensure security. Activities, quickly deploy similar addresses, and take action when the target user transfers money.

Therefore, the safest approach is to carefully check the entire address every time you transfer money, especially when making large transactions, to ensure that all characters are consistent. You can also use security plug-ins or automated tools to reduce potential errors in manual operations. , regularly updating your trading process and reminding yourself to pay attention to details are important steps to avoid falling into traps due to negligence.

2. Use the whitelist function

In order to deal with the problem of address confusion in frequent transactions, many mainstream wallets and trading platforms have launched a whitelist function, which is an extremely effective security measure. Through the whitelist function, users can save frequently used payment addresses. This avoids having to manually enter the address for each transaction, thereby reducing the risk of human input errors or being deceived by fake addresses.

On trading platforms such as Binance or Coinbase, users can set the payment address to a fixed address in advance, and after enabling the whitelist function, unauthorized new addresses cannot be added. In this way, even if hackers try to tamper with the address through phishing attacks, Funds are also securely transferred to a preset address in the whitelist.

For decentralized wallets (such as MetaMask), the whitelist function is equally important. Users can save frequently used addresses to avoid having to re-enter a long string of address characters for each transfer, reducing the possibility of misoperation. At the same time, through this whitelist mechanism, users can quickly check and use verified addresses in a shorter time to ensure the security of each transaction.

The whitelist function not only effectively prevents manual errors by users, but also provides a convenient and safe operation experience for high-frequency traders. Regular maintenance and updating of the whitelist and deleting infrequently used or risky addresses are also key to improving security.

3. Purchase an ENS (Ethereum Domain Name Service) address

ENS (Ethereum Name Service) is an innovative technology that allows users to bind complex Ethereum wallet addresses to short and easy-to-remember domain names. This provides users with an extremely convenient and secure solution, especially When you need to enter addresses frequently. By mapping the wallet address to an easy-to-remember ENS domain name (such as mywallet.eth), users no longer need to enter the 42-digit Ethereum address word by word, avoiding manual input errors. Risk of loss of funds.

However, ENS domain names are not permanent. Each ENS address has an expiration date, and users need to renew it regularly to ensure long-term use of the domain name. If the domain name expires and is not renewed, others can register the ENS address, which will put the users transaction security at risk. Threat. Once an ENS address is registered by someone else, all transaction addresses bound to the ENS domain name may point to the hackers wallet, resulting in financial loss. Therefore, after purchasing an ENS domain name, users need to set a renewal reminder to ensure that it is renewed in time before the expiration date. Renew to avoid the address being preempted by others.

At the same time, although ENS greatly simplifies address management, it also brings new security risks. If hackers register well-known or commonly used ENS addresses, they may use them for phishing activities. Therefore, users should carefully choose to purchase ENS. Domain names and regularly check their validity and bound address information.

In general, ENS is not only a tool to improve user experience, but also a security measure. However, you still need to pay attention to renewal and maintenance issues when using it to prevent potential security risks. By using ENS properly, users can significantly Reduce the possibility of input errors when transferring money and improve the security of transactions.

Abschluss

In summary, as the volatility of the crypto market increases, investors are facing unprecedented security risks while chasing high returns, especially the proliferation of fake wallet address scams. Hackers take advantage of investors by generating fake addresses that are very similar to real addresses. The PandaLY security team calls on investors to avoid relying on memory matching or copying addresses in history records and always check every character carefully. At the same time, make reasonable use of whitelists. Functions, ENS addresses and other security tools are used to strengthen the protection of funds. Safe investment is not a blind pursuit of high returns, but a careful precaution of every detail. Only by raising vigilance and improving operating habits can we survive in the crypto market full of opportunities and risks. , and achieve steady appreciation of assets.

Lianyuan Technology is a company focusing on blockchain security. Our core work includes blockchain security research, on-chain data analysis, and asset and contract vulnerability rescue. We have successfully recovered many stolen digital assets for individuals and institutions. At the same time, we are committed to providing industry organizations with project security analysis reports, on-chain traceability and technical consulting/support services.

Vielen Dank fürs Lesen. Wir werden uns weiterhin auf Inhalte zur Blockchain-Sicherheit konzentrieren und diese teilen.

This article is sourced from the internet: Safe investment starts here: A guide to identifying fake address scams in on-chain transactions

Related: Anti-sniper Memes debut failed, SICK, who wanted to challenge Pump.fun, caused controversy

Original author: Joyce, Jack SICK, a meme coin that has been preheated for several days and has a novel Stake-to-meme concept and anti-opening sniping function, was launched last night. It was delayed in opening at first, and after opening, the community found that the claimed anti-sniping mechanism was completely useless, and most of the people who made money were snipers who entered the market immediately after the opening. Two minutes after SICK opened, its market value was pushed to around $5 million by snipers. After 20 minutes, SICKs trading volume was $3.3 million, and its market value peaked at $6.8 million. Then it quickly collapsed and fell, and is now 60% below its peak. Afterwards, Sicks official Twitter account Sick On Sol explained that the anti-sniping function was not triggered…

© Copyright Notice

Related articles