Scammers spun up at least 7,905 blockchain wallets in May to collect crypto they steal from ordinary users, according to a blockchain security company Forta Network.
Forta, which has recently launched its own token, operates a network of bots that detect various kinds of scams on Ethereum, Binance Smart Chain, Polygon, Optimism, Avalanche, Arbitrum and Fantom blockchains.
Christian Seifert, researcher-in-residence at Forta who previously worked at Microsoft’s security research division, told CoinDesk that Forta’s algorithms can detect various kinds of anomalous behavior while scanning transactions on blockchains.
Some of those anomalies are attacks on users’ wallets.
For some of the attacks, scammers rely on social engineering – sniffing around for user's personal information or deploying tricks to get crypto users to reveal their passwords or seed phrases. Other attacks only require knowing a victim’s wallet address.
See also: Calling a Hack an Exploit Minimizes Human Error | Opinion
“A lot of attacks are social engineering attacks: users are being lured to a website, a website asks them to connect their wallet, a transaction pops-up, a user approves it and their money is gone,” Seifert said.
The most prevalent kind of attack in May was the so-called “ice phishing” technique, which accounted for 55.8% of all the attacks registered by Forta. Unlike the more obvious or well-known phishing attacks (ice phishing is a play on the more common “phishing” attacks seen across the Web), this type does not aim directly for users’ private information.
Instead, an ice phisher tricks a victim into signing a malicious blockchain transaction that opens access to the victim’s wallet so the attacker can steal all the money. In such cases, victims are often lured onto a phishing website designed to mimic real crypto services.
These scams rely on "token approval" transactions, one of the most common uses for non-custodial Web3 wallets that enable users to grant smart contracts a certain amount of access to their wallets.
On its support page, MetaMask, the makers of the most popular Ethereum crypto wallet note that when granting token approval transactions "you're firmly in control and hold ultimate responsibility for everything you do. That's why it's critical you know exactly what you're signing up for when you confirm token approvals."
In a similar scam to the one mentioned above, attackers attempt to trick users into interacting with various decentralized applications (dapps), including decentralized exchanges (DEXs). Such schemes often create an illusion of a new lucrative opportunity, like an airdrop of some new token, and exploit the common tendency to fall for FOMO, or the fear of missing out, Seifert said.
However, instead of interacting with a legitimate service, a user forfeits control over their assets to an attacker by signing a token approval transaction.
“Users click, click, click and transactions pop-up, often with a timer, and users approve them without checking,” Seifert said.
According to Seifert, there are two crucial steps to ice phishing: “luring a victim onto a [malicious] website and creating a positive narrative.
“A variation of the ice phishing attack is to trick users into sending native assets to the scammer directly. This is achieved by signing a 'security update' function of the scammer's contract,” Seifert said, adding that usually, small amounts of crypto is stolen this way.
NFTs, airdrops and address poisoning
Some attacks target traders of non-fungible tokens (NFT). For example, scammers have developed techniques that takes advantage of quirks in NFT infrastructure, like the Seaport protocol introduced by OpenSea and used across many NFT marketplaces. To sell NFTs on Seaport, users create sell orders by signing a transaction that is broadcasted locally on the platform – rather than the wider Ethereum network, to save money on transaction fees.
Attackers sniff around for users with valuable NFTs and try trick them into approving transactions that would sell their valuable holdings at a fraction of the market price.
NFT traders today are often aware of the many ways they can be exploited. Some of the highest-profile crypto heists in recent years have targeted influential NFT figures. This has led to evermore targeted and sophisticated phishing attacks.
For the “address poisoning” attack, attackers study the transaction history of their victims’ wallets and look for addresses they interact with the most. They then create a blockchain address that would look familiar to their target and send the victim a transaction with little-to-no value. This transaction is meant to “poison” an intended victim's transaction history by putting the malicious address in a place where they may mistakenly copy and paste it when they make their next transaction.
But often, the simplest exploits remain effective. For instance, Seifert said attackers often use recognizable brands when designing social engineering exploits that earn victims’ trust or attention. That was the case with the fraudulent tLINK token that Chainlink (LINK) holders received in early June, when an attacker airdropped a supposedly new token to the LINK holders.
The scammers included an offer for users to exchange tLINK for actual LINK tokens on a phishing website in the description field of the airdropped token, Seifert said. And if they took that offer, they would have gotten burned.
What makes such attacks trickier is that attackers can allocate fraudulent ERC-20 tokens to a legitimate smart contract and then execute a function that transfers those fake tokens to anyone that holds a targeted token, according to Forta. This makes it look like users got an airdrop from the legitimate contract, while it’s nothing but scam.
Attacks like that do not even require much reconnaissance work from attackers: all they need to know about victims is their wallets addresses.
With hackers and scammers getting ever more industrious, it’s important to always pay attention to the addresses your wallet interacts with, Seifert said. Ideally, wallets need to have security features built in, he said, adding that at the moment, Forta provides its database of fraudulent addresses to the ZenGo wallet.
Forta assigns blockchain wallets different risk scores referring to their involvement in potential scammy behavior, Seifert said.
“We have a set of detection bots, machine learning models that monitor transactions in real time and look for specific conditions and behavior, for example, for contracts with lines like “security update” in their code,” he said.
The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is an award-winning media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. In November 2023, CoinDesk was acquired by Bullish group, owner of Bullish, a regulated, institutional digital assets exchange. Bullish group is majority owned by Block.one; both groups have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary, and an editorial committee, chaired by a former editor-in-chief of The Wall Street Journal, is being formed to support journalistic integrity.