Blockchain security firm SlowMist has flagged a new means of stealing user funds through a unique type of airdrop scam.
SlowMist found a new type of airdrop scam. Victims' addresses were constantly airdropped with tiny amounts of tokens (0.01 USDT, etc.), the last few digits of attacker's address are nearly identical to the user's address to deceive them into copying the wrong address.— Wu Blockchain (@WuBlockchain) November 19, 2022
According to a blog post, multiple users had reported their assets stolen but were unsure at first of how they disappeared. This was because this type of scam is not glaringly visible. Upon closer inspection, it was found that the assets had vanished as a result of this new kind of airdrop fraud.
The way it works goes thus: several victims had their addresses repeatedly airdropped with insignificant token amounts (0.01 USDT, 0.001 USDT, etc.), and they were most likely targeted because their addresses were frequently involved in high-value transactions and trade volume.
In this case, the last few digits of the attacker's address and those of the user's address are almost identical. This is done to trick the user into mistakenly copying the incorrect address from the transaction history, and the funds would be sent instead to the wrong address and, in this case, the scammer.
Need to double-check addresses arises
In the wake of this, crypto users are urged to double-check the address before proceeding. Users are also encouraged to use the address book feature in their wallets to avoid copying addresses each time.
Numerous wrong transfers resulting from copy-paste errors have been reported in recent times. Three million JUNO tokens were revoked months ago because they were sent to an incorrect address to which no one had access.
Developers had mistakenly copied the transaction hash — which was similar to the wallet address — rather than the address itself. Ethereum scaling tool Optimism also reported a theft of $15 million in OP governance tokens in June, as funds fell into the wrong hands when Wintermute provided Optimism's team with the wrong blockchain address.
Due to the immutability of blockchain technology and the irreversibility of on-chain operations, transactions cannot be canceled or reversed once initiated, so users should take precautions about sending funds to the wrong address.