New Tactics and Trends about Transfer Phising Attacks, $8 Million has been stolen

This article is jointly published by X-explore and WuBlockchain.

Ⅰ. Introduction

The zero-value transfer phishing attack, which has been ongoing for nearly half a year, has recently undergone a technological upgrade. On-chain monitoring has revealed that it has now evolved into small-value transfer phishing and fake token transfer phishing. The new attack methods have already generated profits of up to $8 million, and combined with our previous report on zero-value transfer phishing (Address Poisoning Attack, A continuing Threat), the total loss on the chain has reached $32 million.

We urge users to triple-check the correctness of the address when making transactions. Wallet APP and blockchain browser teams should promptly improve product security features.

In addition, X-explore can provide real-time address labels for this attack.

Ⅱ. (Old) Overview of Zero-Value Transfer Fishing Attacks

Since November 2022, a new phishing method has emerged on the chain. Attackers construct addresses that are similar to the intended recipients of normal transactions, and then send large amounts of false token transfer data with a value of zero to on-chain users. This allows them to profit from mistaken transactions.

Zero Value Token Transfer Phishing with same characters as victim's
Zero Value Token Transfer Phishing with same characters as victim's

This type of attack has the following characteristics:

  • The attack is covert and pervasive. Attackers construct addresses that have only one character difference or no difference at all from legitimate addresses. Blockchain browsers automatically omit the middle characters of an address. Therefore, attackers only need to focus on creating addresses that appear identical to the original ones. Additionally, as mainstream token logic does not verify zero-value transfers, anyone can initiate such transfers, which means any transactions can be inserted into anyone's transaction list.
Phishing address
Phishing address
  • The cost is low, and the return is high. The gas cost of Zero Value Phishing on the ETH chain alone is around 2,000 ETH (about $4M), and the accumulated funds obtained through this scam amount up to $21M.
Costs and Stolen Funds of Zero Value Phishing Attacks on the Ethereum Blockchain
Costs and Stolen Funds of Zero Value Phishing Attacks on the Ethereum Blockchain

Ⅲ. (Latest) Small-Amount Transfer Fishing Attacks

1. Introduction to the Principle

After monitoring normal token transfers, the attacker narrows the original token amount by tens or hundreds of thousands of times, and then forwards it to the victim through the phishing wallet in order to skip the monitoring of traditional zero value token phishing, including bypassing Etherscan's zero-value transfer phishing attack warning. By increasing the credibility of the address through actual transfers, more victims are deceived.

Small value token phishing attack
Small value token phishing attack

2. Attack Situation

The small-value transfer phishing attack first occurred on February 19, 2023 and lasted until March 26, with a total of 250,000 phishing attacks inserted into users' transaction lists. Currently, there is only one small-value transfer phishing attacker on the Ethereum network.

The attacker launched 30,000 contract calls for the attacks, with a total gas fee cost of 404 ETH (about $727k), and the cost for the small-value tokens was approximately $40k. Among them, the cost of phishing tokens for USDT accounted for 71% of all phishing tokens.

There were a total of 73,000 victims of the poisoning attacks, and a total of 23 unfortunate users transferred to the wrong address, totaling $1.2 million. Among the stolen funds, USDC and USDT accounted for 51% and 49%, respectively.

3. Attack Tracing

The attacker's direct source of funds comes from other phishing addresses. Tracing back to the earliest address, the source of funds is FixedFloat. The attacker's real address is User1:0xe153605BA5bDAa492246603982AbfCcb297c72e9, and two other commonly used addresses are also associated with this address: User2:0x0a153cd1b0f36447e4d541e08fabd45f7a302817 and User3:0x5b8544e1e7958715ededa0e843561ebbf0c728a8. The attacker's address is also associated with deposit addresses from Binance, Coinbase, Kucoin, and Kraken exchanges, which can be further investigated through the exchange's KYC information.

fund flow tool: MetaSleuth.io
fund flow tool: MetaSleuth.io

The attacker's fund flow mainly consists of three parts:

Ⅰ. Transferring funds is the cost of other attacks, such as gas fees for zero-value transfer phishing.

Ⅱ. Keeping the funds in the current address, or participating in staking to earn profits.

Ⅲ. Laundering the funds. For example, the attacker transferred 130 ETH to Avalanche, then through multiple hops, transferred them back to ETH, and finally converted them into USDT, which was laundered into MEXC for withdrawal. The MEXC user deposit address is 0xDa818c1174105a49C8B3Fe43a96039024244df6B.

Ⅳ. (Latest) Fake Token Transfer Fishing Attacks

1. Introduction to the Principle

After monitoring token transfers, the attacker creates fake tokens with the same name and constructs transfer records of the same quantity to the user. The phishing wallet and the original address have exactly the same number of digits in the visualization on the browser, with only one or two letters' case differences in the checksum result.

Fake token phishing attack
Fake token phishing attack

2. Attack Situation

The fake token transfer attack has been ongoing since March 18, 2023, and is expected to continue as a long-term phishing attack, similar to zero-value token transfer phishing.

Since March 18th, within 19 days, the gas cost for the fake token poisoning phishing attack has spent 158 ETH, completing 423,000 address poisonings and accumulating 102,000 addresses that have been subjected to fake token poisoning phishing attacks.

In the past 19 days, a total of 27 victims suffered losses, with a stolen amount of $6.75 million, of which 60% was USDT and 40% was USDC.

The worst victim mistakenly transferred a total of $4 million worth of USDC in two consecutive transactions (0x02f35f520e12c9383f8e014fbe03ad73524be95d).

3. Attack Tracing

The source and flow of funds for the attacker are both related to Tornado.cash. Just from the address 0x6AA7BA04DD9F3a09a02941901af10d12C8D1C245, there has been an inflow of 1500 ETH into Tornado.cash.

V. Conclusion

  • This article provides data visualization and continuous tracking of the two upgraded methods of Transfer Phising Attacks, revealing the latest trends and techniques of on-chain phishing attacks by hackers.

  • Due to these malicious attacks, the user experience on Etherscan browser has dramatically decreased. It takes several seconds to distinguish whether a transaction is real or fake, and a large amount of fake data occupies the space on the blockchain, making it difficult to distinguish between real and fake.

  • We propose all on-chain users stop copying addresses from the blockchain for transactions and not trust the identification and prevention methods of blockchain browsers and wallets. Hackers always stay ahead of any defense techniques, and the addresses they construct are always hard to defend against. We recommend that all on-chain users obtain addresses offline and confirm them again before conducting transactions and building their own address books.

Dune Dashboard: https://dune.com/opang/zero-value-token-transfer-phishing-scam

The x-explore platform is capable of providing real-time monitoring of phishing attacks on the blockchain. We welcome all blockchain browsers and wallet teams to consult with us.

For more, please follow x-explore.

Mirror: https://mirror.xyz/x-explore.eth

Twitter: https://twitter.com/x_explore_eth

Subscribe to X-explore
Receive the latest updates directly to your inbox.
Mint this entry as an NFT to add it to your collection.
Verification
This entry has been permanently stored onchain and signed by its creator.