Ethereum User Loses $71M in Wrapped BTC to Address Poisoning Scam

In a bizarre turn of events, on-chain data shows that an Ethereum user lost around 1,155 WBTC (approximately $71 million) to an address poisoning scheme. While the transaction is an apparent mistake, the lesson from the incident is one that every crypto user must learn to avoid facing similar losses.

Ethereum Address Poisoning Scheme Nets $71M

The eye-catching transaction targeted an Ethereum user who had transferred 0.05 ETH ($20) to another wallet address (0xd9A1b0B1e1aE382DbDc898Ea68012FfcB2853a91), perhaps to cover transaction fees. After the original transfer, however, a scammer created a similar address to the one that made the transfer and used it to send a dust amount to the victim, a 0 ETH transaction.

As is typically the case with such schemes, the scammer’s address had the same initials and endings as the original one that the victim used to make the first transfer. Note the differences between the initials and endings of the first highlighted address above and the scammer’s address (0xd9A1C3788D81257612E2581A6ea0aDa244853a91)

Evidently, the unsuspecting victim scrolled through their transaction history and, without paying attention, copied the scammer’s ETH address as it showed as the last transaction. When making the next transfer, the victim unknowingly transferred 1,155 WBTC ($71 million) to the scammer’s address.

At the time of writing, the scammer has already transferred the funds to different wallet addresses and swapped portions on Uniswap. Meanwhile, the victim’s address still holds over $1.6 million in DAI tokens, suggesting they are a high-profile investor in the crypto space.

How to Avoid Address Poisoning Scams

Given the large amount involved, many crypto users wonder how they can avoid a similar experience. A straightforward answer would be to never copy blockchain addresses from blockchain explorers and, instead, directly from the address option on the receiving wallet. Scanning QR codes is a better way to avoid mistakenly copying the wrong address.

Another option is to use a multi-sig wallet, which requires multiple entities to sign a transaction before it is sent. Given the amount involved, the user/entity behind the transaction may have averted the loss if multiple people needed to review and sign the transaction. In the least case, a 2-of-3 multi-sig wallet, where two people must review and sign transactions before approval.

Lastly, large amounts may be best sent in small chunks, or at least a test transaction completed, before transferring the full amount.