According to the Metamask team, this new cryptocurrency wallet scam is designed to affect careless users. What occurs is that the attackers ‘poison’ user’s transaction histories in their crypto wallet by sending bogus tokens worth $0 to said wallet. By using ‘vanity wallet generators’ to create wallet addresses which match the first and last characters of the victim’s wallet getting the careless user to send funds to the attacker’s ‘copycat’ address.
.png)
To be clear, the attacker uses an address with the identical first and last characters as a real transaction sent by the user. They do this to take advantage of the careless user who fails to check the full address and instead merely copies the attackers address in a future transaction.
It should be stressed that in no way does the attacker gain access to the user’s wallet. Instead they are taking advantage of those who have fallen into the routine of merely copying and pasting a wallet address for a transaction getting the user to send their funds to the attacker’s copied address.
To protect against this scam, Metamask suggests the common sense action of checking each and every character of the wallet address which is the intended recipient of the transaction. In the alternative, and if you must copy the address, copy it from the address book feature within Metamask in place of copying from the transaction history.
As well, if the option is available, users may avail themselves of utilizing an ENS domain to the user’s address. Utilization of a .eth domain renders it unnecessary to check every address hexadecimals. Metamask advises use of an ENS domain adds an excellent element of human readability to a wallet address thereby providing protection from this form of attack. Nonetheless, if the person to whom the transaction is directed does not use an ENS domain name, ENS is of no help.
Clearly, the most simple method of protection from this ‘address poisoning’ scam is for each user to self check every address funds are being sent to for insurance that the address intended is in fact being used. Basically, to be super-safe, do not computer copy crypto addresses, and check each address character to ensure funds are being sent to the proper and intended address.
