# Address Poisoning Attack

By [Officer's Blog](https://paragraph.com/@officercia) · 2022-12-10

---

I — New Scam Going On TRX/USDT/BSC/ETH/Polygon Users!
-----------------------------------------------------

The malicious contract involved:

*   **0x732e9b5f59c9a442db18f7d57dd2bbfc804281cb**
    
*   [Decompiled](https://gist.github.com/pcaversaccio/f97e0c972adb1ff3fc1596433a647dc1)
    

Basically, the attacker creates a vanity address very similar to your own and sends you very small amounts of USDT (or a similar token), hoping that you will check your balance on BlockScan and one day copy and paste their address and send funds to it by mistake!

> _The next time Victim A carelessly copies the address of the historical transaction, it is easy to copy it to the address C prepared by the hacker by mistake, thus transferring the funds to the wrong account._

### Check Out:


*   [SlowMist: Another Airdrop Scam, but with a twist](http://slowmist.medium.com/slowmist-another-airdrop-scam-but-with-a-twist-1666e01b6a6c)
    
*   [Address Poisoning Attack, A continuing Threat](http://mirror.xyz/x-explore.eth/cL3d_CyNujXq8XY7ueP4omNXx_IY1EG5Dz0FD0vJ90M)
    
*   [‘Spoof’ Tokens on Ethereum](http://medium.com/etherscan-blog/spoof-tokens-on-ethereum-c2ad882d9cf6)
    

Sleepy people sometimes do illogical things 🤷‍♂️ One of the chat users got attacked for $10k:

*   **a8ae672bb0e6afaf3cd34b4d33de82d65714682d1c64c6ea1e03313bc5ad529b**
    

While seemingly simple and similar to the [Dusting Attack](https://www.cnbctv18.com/cryptocurrency/crypto-dusting-attacks-how-to-avoid-them-explained-14445672.htm), this is a completely new thing closer to [social engineering](https://officercia.mirror.xyz/qfhQ_ocTPKnO5EqMlZ2ixIX7oBIfz5Tznid82EucbYk)/[vanity](https://medium.com/@officercia/profanity-clarifications-df3972c8c006) attacks/phishing!

**TLDR: always double-check any address letter by letter, digit by digit! Whitelist your working addresses!**
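One way to automate the letter-by-letter check against a whitelist before sending (an added example, not code from the original post). It assumes EVM-style 20-byte hex addresses; the addresses, labels and the `min_match` threshold are constructed for illustration.

```python
HEX = set("0123456789abcdef")

def normalize(addr):
    """Lower-case, strip the 0x prefix, and require exactly 40 hex characters."""
    a = addr.strip().lower()
    a = a[2:] if a.startswith("0x") else a
    if len(a) != 40 or not set(a) <= HEX:
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return a

def common_prefix_len(a, b):
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n

def check_destination(dest, whitelist, min_match=4):
    """Return (verdict, whitelist label, index of first differing hex char)."""
    d = normalize(dest)
    known = {label: normalize(a) for label, a in whitelist.items()}
    for label, w in known.items():
        if d == w:
            return ("whitelisted", label, None)
    for label, w in known.items():
        head = common_prefix_len(d, w)
        tail = common_prefix_len(d[::-1], w[::-1])
        # Wallet UIs show only the first and last characters, so a near match
        # at either end with a different middle is the poisoning pattern.
        if head >= min_match or tail >= min_match:
            return ("lookalike", label, head)
    return ("unknown", None, None)

# Constructed sample data (not real addresses).
WHITELIST = {
    "exchange deposit": "0x1234" + "a" * 32 + "9abc",
    "cold wallet": "0xabcd" + "e" * 32 + "4321",
}
LOOKALIKE = "0x1234" + "b" * 32 + "9abc"   # same ends, different middle
UNRELATED = "0x5678" + "c" * 32 + "def0"
```

A `lookalike` verdict should block the transfer outright; an `unknown` one should still require adding the address to the whitelist first.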

* * *

II — Attack Variations
----------------------

Questions began to be raised over the discovery of mysterious outgoing zero transactions with supposed approve signatures…

**Check out this example, seen on both Tron and Ethereum mainnet:**

> This address (**Attacker**): [etherscan.io/address/0xfe3c53086f256219b81a6afbf614cd839c1c5982](https://etherscan.io/address/0xfe3c53086f256219b81a6afbf614cd839c1c5982)
> 
> Is interacting with this smart contract (and other similar ones): [etherscan.io/address/0x23dd013da6d35b3271c9199e38d659e763e38463](https://etherscan.io/address/0x23dd013da6d35b3271c9199e38d659e763e38463)
> 
> Creating transactions like these:  [etherscan.io/tx/0x7da7966512de60eef5c494407782bddf569d1cfb42793f0afe77ee9e2edc16bf](https://etherscan.io/tx/0x7da7966512de60eef5c494407782bddf569d1cfb42793f0afe77ee9e2edc16bf)

**Another example (Tron):**

*   [etherscan.io/tx/0x76aca85852108175a6411331de8bcd7007a849857180c533e16b733911980a64](https://etherscan.io/tx/0x76aca85852108175a6411331de8bcd7007a849857180c533e16b733911980a64)
    

At the same time, all of the customers reported that no one had signed such approvals! In a nutshell, it’s the same spam attack as in the [previous](https://t.me/officer_cia/694) example!

*   My colleagues explained it in greater detail: [t.me/gfischannel/505](http://t.me/gfischannel/505)
    

[The **transferFrom** function was called, not **transfer**,](https://t.me/s/officer_cia/718) which means that the **From** address was supposed to have given an allowance to the address that signed the transaction. But since the sum is zero and all new contract memory cells are initialized with zeros, the check passes and everything runs smoothly (since there is a 0 for any address) ([deepl.com](http://deepl.com/)) 🤔

**TLDR: You must just ignore these transactions!**
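The zero-allowance behaviour described above and a history filter built on it, as an added example that is not from the original post or from any real token contract. The `Token` class is a toy model, and the account names and the `tx_sender` field (the address that signed the transaction) are assumptions for illustration.

```python
from collections import defaultdict

class Token:
    """Toy ERC-20 bookkeeping; a model for illustration, not any real contract."""
    def __init__(self, balances):
        self.balance = defaultdict(int, balances)
        self.allowance = defaultdict(int)  # (owner, spender) -> amount; unset reads as 0
        self.log = []                      # one record per Transfer event

    def _move(self, signer, owner, to, amount):
        if self.balance[owner] < amount:
            raise ValueError("insufficient balance")
        self.balance[owner] -= amount
        self.balance[to] += amount
        self.log.append({"tx_sender": signer, "from": owner, "to": to, "value": amount})

    def transfer(self, signer, to, amount):
        self._move(signer, signer, to, amount)

    def transfer_from(self, signer, owner, to, amount):
        # The only authorization is allowance >= amount. For amount == 0 an
        # unset allowance (0) satisfies it, so the event appears with no approval.
        if self.allowance[(owner, signer)] < amount:
            raise PermissionError("insufficient allowance")
        self.allowance[(owner, signer)] -= amount
        self._move(signer, owner, to, amount)

def is_poisoning_spam(rec):
    """Zero-value transfer that the 'from' address did not sign itself."""
    return rec["value"] == 0 and rec["tx_sender"] != rec["from"]

def clean_history(log):
    """Transfer history with the spam records dropped."""
    return [r for r in log if not is_poisoning_spam(r)]

def demo():
    t = Token({"victim": 100})
    t.transfer("victim", "friend", 10)                           # real payment
    t.transfer_from("spammer", "victim", "friend_lookalike", 0)  # not signed by victim
    try:
        t.transfer_from("spammer", "victim", "spammer", 1)       # needs an approval
        nonzero_blocked = False
    except PermissionError:
        nonzero_blocked = True
    return t, nonzero_blocked
```

No funds move and no approval exists in the spam case; the only effect is an extra line in the history, which is why filtering it out of the view is enough.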

> Here, an attacker is sending 0 transactions in the hope that someone will copy the last receiver address and send crypto by mistake - [like in a clipboard (clipper malware)](https://officercia.mirror.xyz/_nD1Rtxe1PplK-NQzIq9sl-KNtajQG0aKqYsV36RTjA) attack!

> Unlike the first attack, the attackers may also first wait for you to ask about strange transactions somewhere on Twitter and then finish the scam using social engineering in DMs!

Once again, ignore them. If you are worried about a stolen seed, migrate funds via:

*   [disperse.app](https://disperse.app)
    
*   [multisender.app](https://multisender.app)
    
*   [sweeposaurus.com](https://sweeposaurus.com)
    

…or manually.

If you still have to revoke approvals on Tron, you may use [cointool.app](http://cointool.app/) with caution!

> Ever checked your wallet or a block explorer and saw that you mysteriously sent a 0 value of a token to an address? Or received one?
>
> By now, most of us have. But what exactly are these transactions? And are they malicious? A thread 1/7
>
> ![](https://storage.googleapis.com/papyrus_images/a57b485db8ee6e119c660337f55c3193a4fb8ac806a0fe2ed0eb49b86ba1942a.jpg)
>
> [h3idi (@h3idilao)](https://twitter.com/h3idilao/status/1625609188230729728), 3:33 PM • Feb 14, 2023

*   [Profanity: Clarifications](https://officercia.medium.com/profanity-clarifications-df3972c8c006)

*   [Vladimir S. | Officer's Channel](https://t.me/officer_cia/769): TLDR: In reality it's a basic social engineering attack with a little vanity trick! More links: mobile.twitter.com/tayvano\_/status/1605801004141727745, nitter.net/blocksecteam/status/1603414336239677440. The same transfer\_from function is used in this scam.

> A third variation of the "address poisoning" attack has been spotted!
>
> In short, you receive tokens whose price is displayed in your UI. You then try to exchange them, but the transaction fails, and the gas goes to the scammer’s wallet.
>
> A thread 👇
>
> [Vladimir S. | Officer's Notes (@officer\_cia)](https://twitter.com/officer_cia/status/1609690743828013056), 5:19 PM • Jan 1, 2023


---

*Originally published on [Officer's Blog](https://paragraph.com/@officercia/address-poisoning-attack)*
