As a safety measure, the blockchain explorer Etherscan will stop displaying near-zero-value token transfers by default, a step aimed at curbing a new wave of phishing attacks.
Update: Zero-value token transfers are now hidden by default
In recent times, ‘address poisoning’ attacks have phished unsuspecting users and spammed everybody else. With this update you won’t have to see these transfers anymore!
Before ➡️ After pic.twitter.com/F93pWDUJ7a
— Etherscan (@etherscan) April 10, 2023
For users who want to see such transactions, developers recommended turning off the corresponding option in the settings.
The Etherscan team urged the community to report new phishing attack types.
The reaction followed the disclosure by an expert going by the handle X-explore, together with journalist Colin Wu, of two new fraud schemes that led to total losses of $8 million.
1/? The zero-value transfer phishing attack has upgraded to small-value transfer and fake token transfer phishing, $8 million has been stolen. We give an overall analysis about these new attacks to warning all Web3 users.
Detail in our Mirror:https://t.co/eIAMrfmTl2— X-explore (@x_explore_eth) April 10, 2023
In the first scheme, the attacker reduces the initial amount by tens or hundreds of thousands of times. He then forwards the asset to the victim via a phishing wallet to bypass the traditional zero-value token phishing check on Etherscan. As a result, the actual transfers raise trust in the address.
The scammer initiated 30,000 calls to the smart contract to carry out the attacks, paying 404 ETH (~$727,000) in gas. The value of tokens across the transfers amounted to about $40,000, of which 71% was USDT.
The attack victims numbered 73,290 users. Twenty-three of them transferred a total of $1.2 million to the attackers’ wallet, roughly split between USDT and USDC.
Experts found that the attacker is linked to accounts on Binance, Coinbase, Kucoin and Kraken, which platform staff can monitor. To move funds, the attacker transferred 130 ETH to Avalanche and then back, converting to USDT and cashing out through MEXC.
In the second scheme, the attacker creates fake tokens with similar names and transfer records showing the user receiving the same amount. The phishing wallet and the origin address have exactly the same number of digits in the browser visualization, differing only in the case of one or two letters as a result of a checksum check.
Since March 18, the attacker spent 158 ETH to carry out 423,751 similar attacks on 102,553 addresses. The victims were 27 users who lost $6.75 million, roughly in a 60:40 split between USDT and USDC.
In this type of attack, the attacker used Tornado Cash as the source of funds and the conduit for withdrawal.
Along with the previous similarly themed method, the new phishing variants led to total losses of $32 million.
“Because it is hard to distinguish real transactions from counterfeit ones, we recommend not copying addresses from a blockchain explorer, but verifying them offline before making a transaction”, — advised by experts.
Experts recommended cross-checking the data on a dedicated dashboard. They also proposed creating a personal address book.
In February, the developers of the non-custodial crypto wallet MetaMask warned users about phishing attacks via a third-party email service.