Hackers are always looking for new ways to exploit crypto. As custodians like ourselves secure private keys with better security and protection, hackers have been driven to look for new ways to steal funds.
You will, of course, be aware of the various social engineering scams, the URL spoofing of well-known protocols and other creative methods being utilized right now.
We have identified a new method that we want you to be aware of. There has been a recent spate of "spam" transactions sent on the Ethereum blockchain. These appear to be focused on the USDC and USDT contracts.
The on-chain contracts for USDC/USDT (which we don’t control) allow spammers to run ‘pull’ transfer requests. Should the spammer try to "pull" a non-zero amount of tokens, the transaction would (correctly) fail.
Instead, they are trying to pull zero tokens, and this creates a transaction even though nothing is actually being transferred.
The spammers doing this are using wallet addresses that look similar to ones you have sent to in the past. We believe they are hoping that you will send a real transfer of USDC/USDT to their address by mistake in the future.
How many times have you only ever checked the last four or five digits of an address before confirming a transaction? Best practices dictate you check the entire address. Sometimes a corner may be cut, and this is where an exploit like this could catch you out.
These transactions are initiated by a third party in an attempt to confuse the addresses that you send to. It’s important to note that your funds are safe, and this is not a direct security issue.
The only risk to your cryptoassets is if you were to use one of these spammers' addresses instead of the real one.
This is a valid transaction for 10,000 USDC to: 0xc0485e5d3fab6ca12ec55594cb8c0f1f9adaae0b
This is a spam transaction for 0 USDC to: 0x46443c0bb379a20767168c02954eaadc1adaae0b
In this example, the spam address has no initial characters matching the real "to" address, but the last seven are the same. This could trick someone into believing it's correct.
Both transactions appear to send tokens from address: 0x6be602bad7d5f7033b7d4a6040e5d67e458c4b4a
whereas in fact, only the first has sent tokens (10,000). The second, although it looks very similar, has sent 0 tokens.
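A check that a wallet front end or monitoring job could run over a transfer history to catch this pattern, added here as an illustration (it is not Bitpanda Custody's code): it flags zero-value transfers whose recipient shares leading or trailing characters with an address the wallet has really paid. The `Transfer` record, the function names and the four-character threshold are assumptions; the addresses and amounts are the ones from the example above.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Transfer:
    sender: str
    recipient: str
    amount: int  # token base units (USDC uses 6 decimals)

def normalise(addr: str) -> str:
    """Lower-case a 0x-prefixed 20-byte hex address; raise ValueError otherwise."""
    a = addr.strip().lower()
    if len(a) != 42 or not a.startswith("0x") or not set(a[2:]) <= set("0123456789abcdef"):
        raise ValueError(f"not an Ethereum address: {addr!r}")
    return a

def common_prefix_len(a: str, b: str) -> int:
    """Number of leading characters that a and b share."""
    return next((i for i, (x, y) in enumerate(zip(a, b)) if x != y), min(len(a), len(b)))

def find_poisoning(transfers, wallet, min_match=4):
    """Return (lookalike, real, prefix_len, suffix_len) for each suspicious
    zero-value transfer. `transfers` must be in chronological order."""
    wallet = normalise(wallet)
    paid = set()   # recipients that received a non-zero amount from the wallet
    alerts = []
    for t in transfers:
        if normalise(t.sender) != wallet:
            continue
        rcpt = normalise(t.recipient)
        if t.amount > 0:
            paid.add(rcpt)
            continue
        # Zero-value transfer: compare against every address really paid so far.
        for real in sorted(paid - {rcpt}):
            p = common_prefix_len(real[2:], rcpt[2:])
            s = common_prefix_len(real[2:][::-1], rcpt[2:][::-1])
            if max(p, s) >= min_match:
                alerts.append((rcpt, real, p, s))
    return alerts

WALLET = "0x6be602bad7d5f7033b7d4a6040e5d67e458c4b4a"
REAL = "0xc0485e5d3fab6ca12ec55594cb8c0f1f9adaae0b"
SPAM = "0x46443c0bb379a20767168c02954eaadc1adaae0b"
# The two transfers from the example above, oldest first.
HISTORY = [Transfer(WALLET, REAL, 10_000 * 10**6), Transfer(WALLET, SPAM, 0)]

if __name__ == "__main__":
    for fake, real, p, s in find_poisoning(HISTORY, WALLET):
        print(f"zero-value transfer to {fake} imitates {real}: "
              f"{p} leading / {s} trailing characters match")
```

The same comparison can be applied before sending: a destination that matches a previously paid address only at its ends, and not in full, should block the transfer until the whole address is confirmed.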
To avoid this, please:
If you would like to enhance your crypto custody security with segregated wallets, custom rules, transaction thresholds and multisig, get in touch with us to learn more.
If you are an existing customer, contact us if you'd like to discuss further options or you are concerned about any transactions from your wallet by emailing us at help@bitpandacustody.com or learn more about this attack vector on our help page here.