Characterizing Ethereum Address Poisoning Attack

This paper presents the first comprehensive analysis of the address poisoning attack surged on the Ethereum blockchain. This phishing attack typically exploits the address shortening feature of Ethereum explorers and digital wallets (e.g., Etherscan and MetaMask) by crafting token transfer events with a seemingly correct address to poison victims’ transfer history, waiting for them to mistakenly transfer assets to the attacker’s address. To systematically detect and characterize the address poisoning attack, we developed a detection system named Poison-Hunter, which can recognize the attacker’s crafted transfers and detect the phishing addresses controlled by the attacker. By applying Poison-Hunter to Ethereum blocks produced from Nov. 2022 to Feb. 2024, we have detected millions of phishing transfers and phishing addresses. Our analysis shows that the attacker has predominantly targeted USDC and USDT token holders and used a phishing address that looks highly similar to a benign one. We also find that the sender of legitimate transfers was the primary target of this attack. Furthermore, by tracing the transaction history of the detected phishing addresses, we reveal that over 1,800 victim addresses have lost crypto assets, with a potential financial loss of up to $144 million US dollars. Among them, about $90 million of loss are confirmed by this work. Finally, our analysis suggests that 98% of phishing addresses are controlled by four entities, which collected nearly 92% of the total profits. Overall, this paper sheds light on the tactics utilized in the address poisoning attack and its scale and impact on the Ethereum blockchain, emphasizing the urgent need for an effective detection and prevention mechanism against such a phishing activity.