Hello dear readers and a very warm welcome back to Mega Crypto Casino, where we take pride in bringing you a range of articles on the subject of crypto casinos, crypto currencies, blockchain and everything associated. As is our wont; we hope that after your visit here, you will have gained an insight into a subject that could one day prove to be of real and practical value to you.
So onward.
It’s odd, how even the smallest of things can make us think back across the decades to lessons we learned in the distant past, and whose application and utility is every bit as relevant today as it ever was back then.
So it was, that in 1979, I found myself at The Midland Bank learning the basics of banking procedures. Of course, there were no PCs, no mobiles and no internet back then, and many things were still physically written down, using ledgers as the primary record.
Sometimes one would have to take information such as an account number from the original ledger and transcribe it onto a secondary record. A customer might subsequently request a loan or other service from the bank, and a relevant contract or agreement would then have to be drawn up.
Now the easiest thing would be for the banker completing the paperwork to take the relevant details from the secondary record, as this was invariably more easily to hand. However, the ‘proper’ method as taught by the pedantic senior staff was to go to the primary source, copy the details from there and then, just for efficiency, double-check that the customer’s data had, in fact, previously been accurately transcribed onto the secondary record. One was expected never to transcribe from the secondary record directly onto contracts or agreements ... always from the primary record.
“Oh great.” I can almost hear some of you saying.
“Your title promised me some free crypto and all I get are some recollections from nearly 50 years ago ... so how do I get my free crypto?”
Well dear readers, if you are already one of our regulars, then I have no doubt that you already guessed that there is no such thing as ‘free crypto’, ‘free money’, or free anything in this world. But having got everyone onboard thus far and having already shared a valuable lesson right from the get-go, we are now in the perfect position to look at quite a clever scam doing the rounds, at how it works and how those lessons from half a century ago can potentially help you to avoid losing everything.
Let’s take a look.
So ... you’re looking through your crypto wallet and all of a sudden you notice that you have received a small amount of crypto from out of the blue: You weren’t expecting this, you don’t know where it’s from ... it seems to be literally ‘free crypto’ ... yay!
But hold your horses; most likely, its actually part of a sophisticated scam that cannot be stopped and that no wallet is immune to, whether it’s a hot wallet, a cold wallet, an exchange wallet, or whatever; but having noticed it is already the first step to avoiding it. Alternately (and far worse), you may not even have noticed at all.
So, what exactly is this threat?
Well, the scam is commonly known as ‘crypto wallet poisoning’ (also sometimes called address poisoning) and relies entirely on the human habit of relying on shortcuts and the fact that the blockchain, although anonymous, is a public ledger accessible to anyone, thus enabling the trawling of specific groups of victims: Let’s take a look at how one can be initially identified for targeting.
There are two main modus operandi for victim selection; one is specific targeting and the other is completely random.
Lucky Dip
The first of these methods is to literally cast the net out randomly, in the hope of catching a proverbial fish.
What happens is that an attacker will send out millions of ‘dust transactions’ (the transfer of a minuscule number of coins), often just a few hundred Satoshis or mere cents; typically, too small to be practically traded or spent, which will all land in potential victims’ wallets.
The process is highly automated and without any overly complex requirements: The core tasks such as scanning public blockchain data and sending transactions are easily achieved by automation and scripting.
Specific Targets
The opposite approach is of course, the targeting of specific wallet types in order to increase a payout, should a victim fall into their trap. Again, victims are not actually selected by hand; instead, the scammers query blockchain data using their own blockchain node, public blockchain APIs, block chain indexing services and similar automatable methodologies.
Their ideal search criteria would be;
- Wallets which have received funds recently.
- Wallets which have made multiple transfers to the same recipient.
- Wallets which frequently send transactions.
- Wallets which interact with specific protocols or token contracts.
- Wallets which hold balances above a certain threshold.
The idea behind this targeting being that they might then be more likely to hook their ideal victim;
- Whales!
- DAO (Decentralised Autonomous Organisation) treasuries. Very basically, a community-controlled pool of digital assets secured by smart contracts.
- Company wallets.
- High-net-worth traders.
- DeFi users (because their on-chain activity suggests they're both active and likely to move valuable assets).
... But quite honestly, if they happen to hook an average Joe; they’ll take his money as happily as anyone else’s
SO WHAT!!!?
Well dear readers, we’ve got this far, and once again, by virtue of my perceptive powers, I intuit that some of you may be thinking:
“So What?”
“All you’ve told me is that someone anonymously sent me some money.”
“I’ve not lost anything, why should I care ... in fact I did actually make some ‘free money’ after all.”
Fool’s Gold
Well, before you hop, skip and jump down the road singing ‘We’re in the money’ from the film ‘Gold Diggers of 1933’ featuring Ginger Rogers (indulge me ... I have a long lifetime of obscure facts and references); and before you try to spend any of that ‘free money’, lets quickly take a look at what you actually got and what the nature of the game actually is.
As they say; “all that glitters is not gold”, and so it is with the ‘free’ funds that you may have received.
Now as I mentioned you will have received a small amount of coin.
How much?
Well an example might prove sobering:
You may have commonly received 100 Satoshis, which at today’s values would equate to $0.059 USD (just under 6 cents) or £0.045 GBP which is four-and-a-half pence.
Similarly, you might receive just a fraction of a cent in other coins, or if your blockchain supports it, a zero-value transaction, or a worthless token of some sort.
Whatever the case, you’ve not meaningfully gained anything by your fortuitous receipt ... but that’s not the point!
All is Revealed
The whole point of scammers sending you anything at all is solely so that they can have their sending wallet recorded in your transaction history.
You see, as alluded to in our example from 1979, it is human nature to go for the easiest and most convenient option, and many, many people when sending from their crypto wallet to another wallet that they have sent to previously, very often just copy the receiving wallet address from their transaction history tab, rather than look it up afresh.
I’m sure you can now see where we’re going with this?
Even worse, the scammers have added an additional level of cunning in order to ensure their success. You see, many of us might still be inclined to give a transaction a cursory check whilst setting up the payment, and a vast majority would be satisfied to very quickly glance at just the first few and last few characters of a wallet address; in fact, many wallets only display the first and last few characters anyway.
So to take advantage of this, the attacker creates thousands or even millions of wallet addresses until one resembles an address the victim regularly uses, for example:
Legitimate address:
0xA4B9...7F2C
Attacker's address:
0xA4B9...7F20
... not exact, but these ‘vanity’ addresses can certainly be good enough to fool people at-a-glance, and as mentioned, very many people incline towards copying an address from previous transactions via their address history.
So, perhaps days or even weeks later, when the victim wants to send cryptocurrency to someone they've paid before, instead of retrieving the address from:
- An address book.
- The recipient directly.
- A verified ENS or other naming service.
... they may simply copy an address from their transaction history.
If they accidentally select the poisoned address, they will unwittingly and irretrievably send funds to the attacker; and that is why this type of attack is so very effective; it simply exploits normal human behaviour rather than any software vulnerability.
Cheap as Chips
Now, as you have seen, the entire modus operandi is to send out ‘free crypto’ to specifically targeted wallets or, in many cases, in ‘spray and pray’ distributions, and you might be wondering as to the economics of this model.
Well, if a typical USDT disbursement came to say $0.05 USD, then just $1,000 USD ‘stake’ would deliver 20,000 potential victims.
Further costs; and depending on the blockchain, even a ‘zero value’ transaction will still incur a transaction charge, for example:
- Bitcoin; in the region of $0.20–$5 depending on network congestion; (charges are based on transaction size, not the amount sent).
- Ethereum; in the region of $0.05–$5 on the main network, dependent upon on gas prices. A simple transfer uses about 21,000 gas whether the value is 0 or 100 ETH.
- Polygon; typically less than $0.01.
- Solana; typically around $0.0001–$0.01.
- BNB Chain; typically a few cents.
But as you can see; even these fees are sometimes negligible in relation to the opportunity cost, and attackers can further reduce their cost base by concentrating on networks with low transaction fees, making large-scale campaigns relatively inexpensive. On networks where fees are higher, attackers may still retain an economic edge by targeting fewer wallets or simply waiting for periods of lower network congestion.
However, dependent upon the coin and the network, an attacker might be able to send just a fraction of an actual coin in value. Let’s take a look:
- Bitcoin; if attackers sent 1 Satoshi; $1,000 would yield 1 million potential victims.
- Tron; if attackers sent 0.00001TRX; $1,000 would yield 3.3 Trillion potential victims.
- Solana; if attackers sent 10⁻⁹ SOL; $1,000 would yield 6.6 Trillion potential victims.
In the UK, we have an idiom; ‘cheap-as-chips’ and that pretty much sums up the economics of this type of scam. For a relatively small outlay; for instance, if a campaign costs a couple of thousand dollars to run but leads to even one mistaken transfer worth tens or hundreds of thousands of dollars, it can be very profitable indeed.
And as we are all crypto gamblers here at Mega Crypto Casino, we can all recognise that those kinds of odds and that kind of incentive is the reason that wallet poisoning continues to appear unabated across public blockchain ecosystems.
"Let's Be Careful Out There."
So there we have it dear readers; you now know enough about wallet poisoning attacks to be aware of what they are, how they work and the signs to watch for indicating that you yourself, could be a potential victim. But just for the sake of efficiency, and because as always, we want the very best for you all, let us now outline the steps to take to completely avoid being scammed:
- Make like it’s 1979 again and don’t fall into slack habits.
- Verify the full destination address (or at least more than the first and last few characters) before confirming a transfer).
- Save frequently used addresses to a trusted address book if your wallet supports it.
- Be sceptical of unexpected tiny transfers or unfamiliar tokens appearing in your wallet history.
- For larger transfers, always send a small test transaction first and confirm it reaches the intended recipient before sending the full amount.
- If you're using a hardware wallet, and the wallet model supports it, review the recipient address on the hardware device's screen before approving the transaction, since that display is intended to show exactly where your funds will be sent.
Also it’s worth mentioning that although ‘wallet poisoning’ sounds hugely dramatic, in actual fact, because such an attack does not rely upon malware, private key theft, seed phrase compromise, smart contract exploits or the breaking of cryptography.
Even should you have been ‘set up’ for such an attack, your actual wallet is NOT in any way compromised. So before you go sinking it into the nearest canal or busting it up with a hammer in a fit of rage ... relax, it’s all ok.
... in fact, by implementing the countermeasures just outlined, in a very small way, you can come out a winner.
If you recall, the potential attacker will have sent you something tangible and of actual value; possibly up to the value of 5 cents and that is ‘clean and clear’ funds in your account; technically you have actually received free money.
Now, if you just took that 5 cents and invested it at a rate of 4% compound per annum, in 82 years you would have built that into $1.24 ... a whopping 2,480% of the original value (does not constitute financial advice; past performance is no guarantee of future performance)! I’d say that was a win in anyone’s book.
So, there we have it dear readers; and that’s it for another week, and as always, thank you for joining us here at MegaCrypto Casino. We hope that you have found this particular article useful and informative, and we sincerely hope that the information found herein will keep you informed and safe.
... and in this increasingly turbulent world ... ”let’s be careful out there”.