Hackers have been exploiting a feature in the Ethereum blockchain to deceive individuals into sending money, as indicated by a report from Scam Sniffer. Over the past six months, nearly 100,000 people have been deceived into giving a total of $60 million to these criminals.
The hackers utilized Create2, an Ethereum opcode that lets anyone compute the address a contract will have before it is deployed. This allows the hackers to generate, for each targeted transaction, a fresh address whose visible characters resemble the intended recipient’s address. This tactic has been named “address poisoning.”
Most users do double-check the recipient’s address before sending funds, and many also send a small test transaction before sending the full amount. However, because an address is a long string of seemingly random characters, most users only compare the first and last few characters. By creating an address that differs only in the middle characters, the hackers can deceive individuals into believing the address is the right one before they send funds. The criminals also bypass the test-transaction failsafe by forwarding the test amount on to the real address, so the victim sees the small payment arrive where expected.
The lookalike addresses are not wallets directly controlled by the attackers; each is a smart contract that forwards whatever it receives to the attackers’ final destination. The researchers observed multiple cases of fraud using Create2, with one victim losing as much as $1.6 million.
The advice for users is to check the entire address, character by character, before sending funds, and not just the first and last few characters. This caution can help protect against falling victim to this type of fraud. This information was reported by BleepingComputer.
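The following is an added example, not code from the original article or from Scam Sniffer or BleepingComputer. It contrasts the flawed "first and last few characters" comparison the article describes with a full-address check against a trusted address book, and flags recipients that pass the sloppy check but differ elsewhere as lookalikes. All addresses in it are constructed placeholders, and the function names, the `prefix`/`suffix` lengths and the address-book format are assumptions for illustration.

```python
"""Recipient-address check that flags the lookalike addresses used in
address-poisoning scams (added example; addresses below are constructed)."""
from __future__ import annotations

import re

# An Ethereum address is "0x" followed by exactly 40 hex digits (20 bytes).
HEX_ADDRESS = re.compile(r"^0x[0-9a-fA-F]{40}$")


def normalize(address: str) -> str:
    """Validate the shape of an address and return it lower-cased.

    Raises ValueError for anything that is not 0x plus 40 hex digits, so a
    truncated or mistyped address can never be silently accepted.
    """
    address = address.strip()
    if not HEX_ADDRESS.match(address):
        raise ValueError(f"not a 20-byte hex address: {address!r}")
    return address.lower()


def sloppy_match(candidate: str, trusted: str, prefix: int = 6, suffix: int = 4) -> bool:
    """The flawed human comparison: only the first `prefix` and the last
    `suffix` characters are compared. Included only to show why it fails."""
    c, t = normalize(candidate), normalize(trusted)
    return c[:prefix] == t[:prefix] and c[-suffix:] == t[-suffix:]


def is_lookalike(candidate: str, trusted: str, prefix: int = 6, suffix: int = 4) -> bool:
    """True when the candidate would fool the sloppy check but is a different address."""
    return normalize(candidate) != normalize(trusted) and sloppy_match(
        candidate, trusted, prefix, suffix
    )


def check_recipient(candidate: str, address_book: dict[str, str]) -> tuple[str, str | None]:
    """Classify a recipient against a book of trusted, labelled addresses.

    Returns one of:
      ("ok", label)        exact (case-insensitive) match with a trusted address
      ("lookalike", label) matches a trusted entry on prefix/suffix only
      ("unknown", None)    neither a trusted address nor a lookalike of one
    """
    cand = normalize(candidate)
    for label, trusted in address_book.items():
        if cand == normalize(trusted):
            return ("ok", label)
    for label, trusted in address_book.items():
        if is_lookalike(cand, trusted):
            return ("lookalike", label)
    return ("unknown", None)


# Constructed sample data (not real on-chain addresses): a trusted deposit
# address, a poisoned lookalike that shares its first six and last four
# characters, and an unrelated address.
TRUSTED = "0x" + "abcd12" + "00" * 15 + "89ef"
LOOKALIKE = "0x" + "abcd12" + "ff" * 15 + "89ef"
UNRELATED = "0x" + "11" * 20
ADDRESS_BOOK = {"exchange-deposit": TRUSTED}  # hypothetical label

if __name__ == "__main__":
    for name, addr in [("trusted", TRUSTED), ("lookalike", LOOKALIKE), ("unrelated", UNRELATED)]:
        print(f"{name:9} sloppy_match={sloppy_match(addr, TRUSTED)!s:5} "
              f"verdict={check_recipient(addr, ADDRESS_BOOK)}")
```

Running the block prints that the lookalike passes `sloppy_match` yet is classified as `lookalike`, which is exactly the gap the scam exploits; a wallet or payment script that only ever sends to addresses returning `("ok", label)` removes that gap, and a `lookalike` verdict is worth surfacing as a warning rather than silently dropping, since it indicates the user's address book or history may already be poisoned.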