Dissecting Payload-based Transaction Phishing on Ethereum

TL;DR

This paper provides the first comprehensive analysis of payload-based transaction phishing on Ethereum, including dataset creation, categorization, detection methods, large-scale detection, and real-world impact mitigation.

Contribution

It introduces the first ground-truth dataset for PTXPHISH, proposes a high-accuracy detection approach, and reports large-scale phishing incidents with mitigation efforts.

Findings

Over 130,000 phishing transactions detected

Losses exceeding $341.9 million from PTXPHISH

Detection accuracy over 99% on the dataset

Abstract

In recent years, a more advanced form of phishing has arisen on Ethereum, surpassing early-stage, simple transaction phishing. This new form, which we refer to as payload-based transaction phishing (PTXPHISH), manipulates smart contract interactions through the execution of malicious payloads to deceive users. PTXPHISH has rapidly emerged as a significant threat, leading to incidents that caused losses exceeding \$70 million in 2023 reports. Despite its substantial impact, no previous studies have systematically explored PTXPHISH In this paper, we present the first comprehensive study of the PTXPHISH on Ethereum. Firstly, we conduct a long-term data collection and put considerable effort into establishing the first ground-truth PTXPHISH dataset, consisting of 5,000 phishing transactions. Based on the dataset, we dissect PTXPHISH, categorizing phishing tactics into four primary categories and eleven sub-categories. Secondly, we propose a rule-based multi-dimensional detection approach to identify PTXPHISH, achieving over 99% accuracy in the ground-truth dataset. Finally, we conducted a large-scale detection spanning 300 days and discovered a total of 130,637 phishing transactions on Ethereum, resulting in losses exceeding $341.9 million. Our in-depth analysis of these phishing transactions yielded valuable and insightful findings. Furthermore, our work has made significant contributions to mitigating real-world threats. We have reported 1,726 phishing addresses to the community, accounting for 42.7% of total community contributions during the same period. Additionally, we have sent 2,539 on-chain alert messages, assisting 1,980 victims. This research serves as a valuable reference in combating the emerging PTXPHISH and safeguarding users' assets.