What is an Address Poisoning Attack?
An address poisoning attack is a deceptive tactic used by malicious actors to trick users into sending cryptocurrency to an incorrect address. Unlike phishing attacks, which often involve social engineering and malicious websites, address poisoning operates within the blockchain's infrastructure. The attacker aims to "poison" a user's address book by flooding it with addresses they control, hoping the user will mistakenly send funds to one of these fraudulent addresses in the future.
Why Address Poisoning Attacks are Effective?
Address poisoning attacks are particularly effective due to several factors:
1.User Behaviour:
Many users rely on their transaction history for convenience, especially when sending funds to frequent contacts. The attack leverages this behaviour, increasing the likelihood of a mistake.
2.Low Detection Rate:
These attacks can be subtle and difficult to detect, as they don't involve overtly malicious actions like phishing. The transactions are legitimate, making it harder for users to recognize the threat.
3.Cost-Effective for Attackers:
Since the attacker only needs to send small amounts of cryptocurrency to poison the address book, the cost of conducting such an attack is relatively low, and the potential returns are high.
For more info visit:
https://www.blockaid.io/blog/a-deep-dive-into-address-poisoning
One thing I do with my wallets is to "whitelist them" on the wallet app or cex, so that I have an extra layer of security for myself before I can sent any token.
In reality that do not help as anybody can track your address. I like to use many different addresses as you send just once or withdraw to another new address. This way is more effective for higher value amounts. For example if you use Bitcoin outside cexs you get always new address. As I know only Swissborg app uses this native Bitcoin feature. But most of the time hacks happening on EVM. The wallet management is off chain and very personal thing. We all have different needs and the management we need to create for personal needs. I usually do this, if I have other token then the main gas token I leave the wallet with 0 gas token, also I have dummy main seed in any web3 wallet and import addresses because always the impact will be on the main seed not to the imported address. Once I manage to trick the attached drainer on wallet and I manage to withdraw all funds. the trainer attaches to the wallet and as soon as you send funds will transfer. My friend was hacked or phished.
