Copycat Scam

A new form of wallet scam

Kunlun Yang

2023/07/25

A new form of scam has emerged in recent months, tricking users into using scammers’ addresses when sending tokens. The most recent incident occurred on June 7, 2023, in block 17426333 on the Ethereum network.

In this article, we hope to shed some light on how this happens and provide insights to help other web3 participants so they can protect themselves against such attacks.

How it starts

The attacker employs a systematic approach to carry out this scam. First, they scan recent ERC-20 token transfers, specifically looking for large ETH, USDT, or USDC transfers. Once the attacker identifies a suitable transaction, they create a fraudulent transfer that closely resembles it. This fake transfer appears legitimate in the owner’s wallet. The address it uses appears identical to the address in the legitimate transaction, although it isn’t. If a user copies the last-used recipient address to send a token without double-checking it, the scammer will receive the token instead of the intended recipient.

The fraudulent transfer mimics the original transfer in two ways.

  • An attacker-owned recipient address designed to resemble the address the sender used, with the same starting and ending characters. That is what most wallets show in the shortened version of an address. Even Etherscan showed only the start of the address until an update around Q1 2023. The attacker exploits this common UI design to make the owner believe that the legitimate and illegitimate addresses are the same.
  • A fake token that mirrors the name of the same token used in the initial transaction.

As these scams become more common, it is crucial to verify the accuracy of the recipient's address before proceeding with any transfer.
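One way to automate that verification is to compare a copied recipient against a trusted address book and flag any address that matches a trusted entry only at its start and end. The following is an added example, not code from Credmark; the addresses are constructed, and the 4+4 character truncation and the function names are assumptions.

```python
import re

ADDR_RE = re.compile(r"0x[0-9a-fA-F]{40}")

def normalize(addr):
    """Lower-case a 20-byte hex address; reject malformed input.
    EIP-55 checksum casing is not verified here."""
    addr = addr.strip()
    if not ADDR_RE.fullmatch(addr):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return addr.lower()

def shortened(addr, head=4, tail=4):
    """Abbreviated form as a wallet UI might show it (4+4 is an assumption)."""
    body = normalize(addr)[2:]
    return f"0x{body[:head]}...{body[-tail:]}"

def shared_ends(a, b):
    """Count matching leading and trailing hex characters of two addresses."""
    a, b = normalize(a)[2:], normalize(b)[2:]
    prefix = next((i for i in range(40) if a[i] != b[i]), 40)
    suffix = next((i for i in range(40) if a[-1 - i] != b[-1 - i]), 40)
    return prefix, suffix

def classify(candidate, address_book, head=4, tail=4):
    """Return ('trusted' | 'lookalike' | 'unknown', label or None)."""
    cand = normalize(candidate)
    # An exact match on all 40 hex characters is the only trusted case.
    for label, known in address_book.items():
        if normalize(known) == cand:
            return "trusted", label
    # Same visible ends as a trusted entry, different middle: treat as poisoning.
    for label, known in address_book.items():
        prefix, suffix = shared_ends(cand, known)
        if prefix >= head and suffix >= tail:
            return "lookalike", label
    return "unknown", None

# Constructed sample data, not taken from the incident.
ADDRESS_BOOK = {"exchange deposit": "0xA1B2C3D4E5F60718293A4B5C6D7E8F9012345678"}
LOOKALIKE = "0xa1b29f8e7d6c5b4a39281706f5e4d3c2b1a05678"
UNRELATED = "0x1111111111111111111111111111111111111111"

if __name__ == "__main__":
    for addr in (ADDRESS_BOOK["exchange deposit"], LOOKALIKE, UNRELATED):
        print(shortened(addr), classify(addr, ADDRESS_BOOK))
```

The trusted entry and the lookalike both render as `0xa1b2...5678`, which is why the comparison has to run on the full address and not on what the UI displays.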

How the scam works

The attacker likely used an address calculator tool, which allows them to quickly compute similar addresses with matching starting and ending sequences, along with their corresponding private keys.

To gain a deeper understanding of the attack, one on-chain record of the incident can be seen here:

https://etherscan.io/address/0x80de381c38f96a97813a08a2c841168d472bf65f#tokentxns

Identifying the Scammers

We’ve gathered information regarding some fake token addresses associated with this attack. These addresses include:

Fake ETH: 0x2e60f55e05320f16a06198eb7e27ad31ab57cf5e

Fake USDT: 0x599826f808af6c44cc65820c413aa32210246e21

These should be blacklisted.

We’ve also obtained details regarding the individual behind these attacks, known as the "phisher," and their associated smart contract:

Phisher: 0x7B321d35F7D8732DEA643Bc2d727BE53c9912050

Phisher’s smart contract: 0x38e74D71Bce2e3eb50B22D74dC2D6E308e657d6D

Final words

As DeFi progresses onwards, new threats will continue to emerge. This recent copycat phishing scam serves as a reminder of the importance of being cautious when making transactions. To safeguard your funds, it is crucial to verify recipient addresses as scammers will continue to find ways to game the system. By staying informed and following best practices, users can more safely navigate the industry.

About Credmark

Credmark runs a financial modeling platform powered by reliable on-chain data. We curate and manage DeFi data, making it available via API and the Snowflake Marketplace around the globe and across industries.

Our community of quants, developers, and modelers actively build models for the DeFi community by leveraging our data API and tools. Join the growing community and together we will advance the next-generation financial system.

© 2023 Credmark Labs, Inc. All rights reserved.