Blockchain Address Poisoning

TL;DR

This paper investigates blockchain address poisoning attacks, revealing extensive on-chain attack data, analyzing attacker strategies, and proposing detection and defense methods to mitigate this significant cryptocurrency threat.

Contribution

It introduces a detection system, extensive measurements, attacker analysis, and modeling of address generation, advancing understanding and defense against address poisoning in blockchains.

Findings

13 times more attack attempts detected than previously reported

Over 270 million attack attempts targeting 17 million victims

At least 83.8 million USD in losses from poisoning attacks

Abstract

In many blockchains, e.g., Ethereum, Binance Smart Chain (BSC), the primary representation used for wallet addresses is a hardly memorable 40-digit hexadecimal string. As a result, users often select addresses from their recent transaction history, which enables blockchain address poisoning. The adversary first generates lookalike addresses similar to one with which the victim has previously interacted, and then engages with the victim to ``poison'' their transaction history. The goal is to have the victim mistakenly send tokens to the lookalike address, as opposed to the intended recipient. Compared to contemporary studies, this paper provides four notable contributions. First, we develop a detection system and perform measurements over two years on both Ethereum and BSC. We identify 13~times more attack attempts than reported previously -- totaling 270M on-chain attacks targeting 17M victims. 6,633 incidents have caused at least 83.8M USD in losses, which makes blockchain address poisoning one of the largest cryptocurrency phishing schemes observed in the wild. Second, we analyze a few large attack entities using improved clustering techniques, and model attacker profitability and competition. Third, we reveal attack strategies -- targeted populations, success conditions (address similarity, timing), and cross-chain attacks. Fourth, we mathematically define and simulate the lookalike address generation process across various software- and hardware-based implementations, and identify a large-scale attacker group that appears to use GPUs. We also discuss defensive countermeasures.