Wrapped Bitcoin Whale Address Poisoning Attack
Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
After receiving a 0 ETH transaction from a wallet with a very similar address, a wrapped bitcoin holder mistakenly sent their funds to that wallet instead of their own. The funds were split up and moved across several addresses, and it is not clear whether any were recoverable.
This is a global/international case not involving a specific country.[1][2][3][4][5][6][7][8][9][10][11][12]
About The Victim
Very little is known about the victim of the address poisoning attack.
Their wallet address is 0x1E227979f0b5BC691a70DEAed2e0F39a6F538FD5, which appears to be active on Ethereum[13], and not on other networks such as Binance Smart Chain[14].
The Reality
While the first 4 and last 4 characters of the Ethereum address to which the wrapped bitcoin were sent matched the intended address, the characters in between did not; the address belonged to a malicious actor.
What Happened
The victim sent their 1155 wrapped bitcoin to a malicious actor instead of transferring to their other wallet.
| Date | Event | Description |
|---|---|---|
| May 3rd, 2024 3:14:47 AM MDT | Legitimate Victim Transfer | The victim makes a legitimate transfer of 0.05 ETH from one of their other wallets (presumably to cover gas fees)[6]. |
| May 3rd, 2024 3:17:59 AM MDT | Fake Zero ETH Transaction | A very similar wallet address sends 0 ETH to the victim's wallet, so that it now shows up in the victim's history on block explorers such as Etherscan[7]. |
| May 3rd, 2024 4:31:35 AM MDT | Blockchain Transaction | The poisoned transfer occurs: 1,155.28802767 WBTC are sent from the victim to the attacker's wallet by mistake[8]. |
| May 3rd, 2024 5:53:00 AM MDT | Cyvers Alert Tweet | Cyvers Alert detects the transaction and reports it in a new tweet[9]. |
| May 3rd, 2024 6:36:00 AM MDT | Scam Sniffer Tweet | The Twitter account realScamSniffer posts a notification about a transaction "2 hours ago", where "another victim lost $68 million by copying the wrong address from a contaminated transfer history"[15]. |
| May 3rd, 2024 9:50:00 AM MDT | MistTrack Update Tweet | MistTrack shares an update noting that the funds have now been spread between 8 separate Ethereum wallet addresses[2]. |
Technical Details
"victim: 0x1E227979f0b5BC691a70DEAed2e0F39a6F538FD5
wrong address: 0xd9A1C3788D81257612E2581A6ea0aDa244853a91
correct address: 0xd9A1b0B1e1aE382DbDc898Ea68012FfcB2853a91"
Total Amount Lost
Roughly $70m from 1,155 WBTC: $62,889.84 × 1,155.28802767 WBTC = $72,655,879.21
The total amount lost has been estimated at $72,656,000 USD.
Immediate Reactions
"ALERT Are we mistaken, or has someone truly lost $68M worth of $WBTC? Our system has detected another address falling victim to address poisoning, losing 1155 $WBTC."[9]
"not even sure how do you even explain this your boss"[2]
"2 hours ago, another victim lost $68 million by copying the wrong address from a contaminated transfer history."[15]
Ultimate Outcome
Funds appear to have been spread between several different blockchain addresses[2].
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
Ongoing Developments
It is unclear whether any further investigation has been undertaken to recover the funds.
Individual Prevention Policies
Every approval on Web3 is an opportunity to lose all of the funds present in your wallet. Take the time to review the transaction in full. Fully check over the balance, permissions, and entire address which you are interacting with. Do not trust that your clipboard or any website front-end is guaranteed to provide an accurate address or transaction status. Always perform a test transaction prior to the first high-value transaction in any session.
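The two checks that would have caught this case, a full-string comparison of the destination and a scan of the wallet's history for zero-value inbound transfers from lookalikes of known counterparties, as an added example that is not part of the original page. The addresses are the ones quoted in Technical Details; the transfer history is constructed and only modelled on the timeline above.

```python
from dataclasses import dataclass

# Addresses quoted in the Technical Details section of the case study.
VICTIM = "0x1E227979f0b5BC691a70DEAed2e0F39a6F538FD5"
CORRECT = "0xd9A1b0B1e1aE382DbDc898Ea68012FfcB2853a91"
WRONG = "0xd9A1C3788D81257612E2581A6ea0aDa244853a91"

def normalize(addr: str) -> str:
    """Lower-case a 20-byte hex address; raise if it is not well-formed."""
    a = addr.lower()
    if not (a.startswith("0x") and len(a) == 42
            and all(c in "0123456789abcdef" for c in a[2:])):
        raise ValueError(f"not a 20-byte hex address: {addr}")
    return a

def is_lookalike(candidate: str, trusted: str, head: int = 4, tail: int = 4) -> bool:
    """True if candidate differs from trusted but shares its first `head` and last
    `tail` hex characters, exactly what a truncated display ("0xd9A1...3a91") hides."""
    c, t = normalize(candidate), normalize(trusted)
    if c == t:
        return False
    return c[2:2 + head] == t[2:2 + head] and c[-tail:] == t[-tail:]

def verify_destination(typed: str, intended: str) -> bool:
    """Compare the whole address; only a full comparison catches a poisoned entry."""
    return normalize(typed) == normalize(intended)

@dataclass
class Transfer:
    sender: str
    receiver: str
    value_wei: int

def poisoning_candidates(history, owner, address_book):
    """Return (transfer, mimicked_address) for every zero-value inbound transfer
    whose sender mimics an address the owner has legitimately used."""
    hits = []
    for tx in history:
        if normalize(tx.receiver) != normalize(owner) or tx.value_wei != 0:
            continue
        for known in address_book:
            if is_lookalike(tx.sender, known):
                hits.append((tx, known))
    return hits

# Constructed history: a legitimate 0.05 ETH deposit followed by the 0 ETH poison.
HISTORY = [
    Transfer(sender=CORRECT, receiver=VICTIM, value_wei=50_000_000_000_000_000),
    Transfer(sender=WRONG, receiver=VICTIM, value_wei=0),
]
```

Run `poisoning_candidates(HISTORY, VICTIM, [CORRECT])` to see the 0 ETH entry flagged, and `verify_destination(WRONG, CORRECT)` to see the full comparison reject the copied address.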
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Never underestimate how little the users of your service may know, or their tendency to skip past the information you provide. It is recommended to design a simple tutorial and quiz for new users which explains the basics of seed phrases, strong password generation, secure two-factor authentication, common fraud schemes, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space. This tutorial and quiz should confirm their understanding and be a standard part of the sign-up or download process which is difficult or impossible to skip.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
Create a standard tutorial and quiz for all new cryptocurrency participants, which is required to be completed once per participant. This tutorial and quiz should cover the basics of proper seed phrase protection, strong password generation, secure two-factor authentication, common fraud schemes, how to detect and guard against phishing attacks, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space.
Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- [1] SlowMist Hacked - SlowMist Zone (Accessed May 28, 2024)
- [2] MistTrack - "So far the scammers has moved the funds to the following addresses" - Twitter (Accessed May 28, 2024)
- [3] Historic Bitcoin Prices - CoinMarketCap (Accessed May 16, 2021)
- [4] What Are Address Poisoning Attacks? - Transak (Accessed May 28, 2024)
- [5] What are address poisoning attacks in crypto and how to avoid them? - CoinTelegraph (Accessed May 28, 2024)
- [6] Victim Sends 0.05 ETH To Their Wallet - Etherscan (Accessed May 28, 2024)
- [7] Empty 0 ETH Transaction From Attacker - Etherscan (Accessed May 28, 2024)
- [8] Transfer Of 1,155.28802767 WBTC To Attacker - Etherscan (Accessed May 28, 2024)
- [9] Cyvers Alerts - "Are we mistaken, or has someone truly lost $68M worth of $WBTC? Our system has detected another address falling victim to address poisoning, losing 1155 $WBTC." - Twitter (Accessed May 28, 2024)
- [10] https://etherscan.io/idm?addresses=0x1e227979f0b5bc691a70deaed2e0f39a6f538fd5,0xd9a1c3788d81257612e2581a6ea0ada244853a91&type=1
- [11] https://etherscan.io/idm?addresses=0x1e227979f0b5bc691a70deaed2e0f39a6f538fd5,0x20cbf5c444d4f07f4cb5c37585e59f4ac1b472f1&type=1
- [12] https://unchainedcrypto.com/68-million-stolen-in-dust-attack-returned-to-victim/#:~:text=An%20anonymous%20crypto%20whale%20lost,tokens%20that%20had%20been%20stolen.
- [13] Victim Address - Etherscan (Accessed May 30, 2024)
- [14] Victim Address On Binance Smart Chain - BSCScan (Accessed May 30, 2024)
- [15] realScamSniffer - "2 hours ago, another victim lost $68 million by copying the wrong address from a contaminated transfer history." - Twitter