Ethereum's Create2 abused to steal millions from users across the world

ethereum on a chipset
(Image credit: Pexels)

Hackers have been observed abusing a feature of the Ethereum blockchain to trick victims into sending funds to lookalike addresses.

In the last six months, the criminals were able to trick almost 100,000 people into giving away a total of $60 million, according to a new report from Scam Sniffer. 

As per the report, the attackers abused Create2, an EVM opcode that makes a contract's address predictable before the contract is deployed: the address is derived from the deploying account, a caller-chosen salt and the hash of the contract's creation code, so it can be computed offline. By trying many salts, the attackers can generate a fresh address for each targeted transaction whose first and last characters match the address the victim intended to send to, and nothing needs to exist at that address until funds arrive. The scheme is dubbed “address poisoning”.


Bypassing security

Most users do two things before sending any funds: 1) they double-check the recipient’s address to make sure the money is going to the right place; 2) they send a small test transaction first to make sure everything works, before sending the remaining funds. However, because an address is a long string of seemingly random hex characters, most users only cross-check the first and last few characters instead of comparing the entire string.

By generating an address that matches at exactly those few characters and differs everywhere else, the attackers can trick people into believing the address is the right one before they send the funds. That still leaves the second failsafe, the test transaction. Criminals are working around it by forwarding the test transaction to the actual address.

The lookalike addresses are not wallets controlled directly by the attackers but smart contracts that forward the funds to the final destination. The researchers said they observed multiple cases of fraud leveraging Create2, with one victim losing $1.6 million in a single incident.

Users are advised to compare the entire address, not just the first and last characters, before sending funds: a lookalike generated this way is only guaranteed to match at the ends, so any full-string comparison will catch it.

Via BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.