Phishing for Zeroes pt.2 – Evolution of the attack

Previously 

Part 1, published on December 28 2022, described the ‘zero’ attack: “phishing for zeroes”. In summary, a bad agent would execute the ‘transfer’ function to transfer ‘zero’ USDT (or also BUSD/USDC) from the victim to their vanity wallet. The vanity wallet LOOKS similar to the original transfer address, with the FIRST TWO and LAST SIX alphanumerics being the same, potentially leading a victim to send real funds to the bad agent’s vanity address if they are not careful. The token smart contracts allow this ‘zero’ transfer because, from the pure token perspective, no harm was done: no assets were moved. Unfortunately, this opens the door to tricking unsuspecting users into making operational errors. 

Example where the bad agent generated a wallet with the first two and last six alphanumeric digits matching the victim’s wallet

Most recent attack 

A more sophisticated attack has recently been observed on the Ethereum blockchain. Below are the relevant transactions from a victim’s address found on the Ethereum blockchain. 100,000 USDT was lost by the victim due to this phishing attack (transactions sorted by most recent). 

Look at the outbound addresses. Do these look the same? 

No! Victim sent 100,000 USDT to real address ‘…4288f4F9’. 

Bad agent creates vanity address of ‘…4288F4F9’, mints and transfers 100,000 FAKE USDT to ‘…4288F4F9’. 

Victim, while not 100% focused, copied and pasted the latest address (the bad agent’s) and sent 100,000 REAL USDT to the bad agent. Such phishing attacks have already stolen several millions from victims.  

The main differences are: 

  1. The vanity address looks even more like the victim’s address; now it is the FIRST EIGHT and LAST EIGHT alphanumeric digits, although the letters may differ in upper or lower case. Another set of examples: 

While in the cases presented here there were deviations in casing within these first and last eight characters, with enough computing power even getting the first and last eight characters perfect, including casing, is no real challenge. 

  2. The ‘Zero’ transfer from the official USDT smart contract is no longer used; instead a new FAKE smart contract named USDT was used, with a custom function to ‘mint and transfer’ (‘0xd3a86ca0’) to the vanity address. Tokens cannot normally be transferred without the holder’s permission; however, the bad agent hardcoded their own address into the fake contract as an approved spender of the tokens.  
  3. The fake vanity address is created much faster, in about 90 seconds. We speculate that the addresses were already pre-generated. Since our first detection of this attack in December 2022, the bad agents have had at least 6 months to continuously generate addresses, i.e. trillions of candidate addresses per second, sustained over 6 months.  

Looking ahead: 

  1. Bad agents are creating vanity addresses that look more and more like the native address. Now it is the first eight and last eight. Verifying the correct address is becoming increasingly difficult. 
  2. The fake transaction is now LABELLED as USDT (ERC-20: USDT) and is also sending the same amount. 
  3. The fake transaction is already being made within 90 seconds of the legitimate transaction, which makes it dangerous for victims who create transactions in quick succession. 
  4. The bad agent uses an unidentified function call ‘0xd3a86ca0’ and not ‘Transfer’. To make this more effective, the bad agent will need to create a byte signature that matches the ‘Transfer’ function, which is ‘0xa9059cbb’. 

Conclusion: 

Our solution from our first report on this attack remains unchanged:  

  1. Use of a ‘phonebook’ so that your address is abstracted into a human-readable address, e.g. 0xc9D69A…B65fbf59 is displayed as [Alice’s Wallet]; any vanity address created by a bad actor would then be displayed in its raw address format [0xc9d69A…B65fBF59]. 
  2. As you know, it is better never to copy and paste from Etherscan or other public forums to prevent such attacks.
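The checks described under “Looking ahead” (look-alike first/last digits, a fake contract labelled USDT, a non-standard selector, a poison entry timed within 90 seconds of a real payment) and the ‘phonebook’ mitigation in the conclusion can be turned into defender-side tooling. The following is an added example written for this post, not Crypto Finance Group code: every address, token contract and transaction record in it is constructed for illustration (only the selectors ‘0xa9059cbb’ and ‘0xd3a86ca0’ are taken from the text, and ‘0x23b872dd’ is the standard ERC-20 transferFrom selector). It generalises the prefix/suffix rule so that both the part 1 pattern (first two, last six) and the part 2 pattern (first eight, last eight) are caught, and it flags outbound entries in a wallet’s history that the wallet owner never signed, which is the tell-tale of both variants.

```python
"""Defender-side checks for the address-poisoning pattern described in this post.

Added example, not Crypto Finance Group code: every address, contract and
transaction below is CONSTRUCTED for illustration. Run as a script to print
the findings; the functions are importable for your own wallet history.
"""
from dataclasses import dataclass

# ERC-20 selectors: transfer and the custom selector are quoted in the post,
# transferFrom(address,address,uint256) is the standard one.
TRANSFER = "0xa9059cbb"
TRANSFER_FROM = "0x23b872dd"
UNKNOWN_MINT = "0xd3a86ca0"   # bad agent's custom 'mint and transfer'

# Constructed addresses (20 bytes of hex each). Replace with your own records.
VICTIM = "0xc9d69a" + "11" * 13 + "b65fbf59"
REAL_PAYEE = "0x12345678" + "ab" * 12 + "4288f4F9"    # genuine counterparty
VANITY_8_8 = "0x12345678" + "cd" * 12 + "4288F4F9"    # part 2: first 8 / last 8 match
VANITY_2_6 = "0x12" + "ef" * 16 + "88F4F9"            # part 1: first 2 / last 6 match
ATTACKER = "0x" + "de" * 20                            # EOA that signs the poison txs
OFFICIAL_USDT = "0x" + "01" * 20                       # placeholder for the real contract
FAKE_USDT = "0x" + "02" * 20                           # bad agent's contract, also labelled USDT

OFFICIAL_TOKENS = {"USDT": OFFICIAL_USDT}              # your allow-list of token contracts


@dataclass
class TokenTransfer:
    timestamp: int    # unix seconds
    tx_sender: str    # account that signed the transaction containing this event
    selector: str     # 4-byte selector of the called function
    symbol: str       # symbol as the explorer labels it (attacker-chosen for fake tokens)
    contract: str     # token contract that emitted the Transfer event
    frm: str
    to: str
    value: int        # token units


def norm(addr: str) -> str:
    """Lower-case a 0x address; reject anything that is not 20 bytes of hex."""
    a = addr.lower()
    if not (a.startswith("0x") and len(a) == 42 and all(c in "0123456789abcdef" for c in a[2:])):
        raise ValueError(f"not an address: {addr}")
    return a


def common_ends(a: str, b: str) -> tuple:
    """Count of leading and trailing hex digits the two addresses share, ignoring case."""
    a, b = norm(a)[2:], norm(b)[2:]
    prefix = next((i for i in range(40) if a[i] != b[i]), 40)
    suffix = next((i for i in range(40) if a[-1 - i] != b[-1 - i]), 40)
    return prefix, suffix


def looks_alike(a: str, b: str, min_prefix: int = 2, min_suffix: int = 6) -> bool:
    """True for two DIFFERENT addresses that an abbreviated explorer view
    ('0x12…F4F9') would not distinguish. The defaults catch the part 1 pattern;
    the part 2 pattern (8/8) is a superset and is caught as well."""
    if norm(a) == norm(b):
        return False
    prefix, suffix = common_ends(a, b)
    return prefix >= min_prefix and suffix >= min_suffix


def flag_transfers(wallet: str, history: list, trusted: set, window: int = 600) -> dict:
    """Return {index: [reasons]} for history entries matching the poisoning pattern.
    `trusted` holds addresses the owner has genuinely paid; `window` is how many
    seconds from a genuine payment a look-alike entry is reported as timed with it."""
    wallet = norm(wallet)
    trusted = {norm(t) for t in trusted}
    official = {norm(c) for c in OFFICIAL_TOKENS.values()}
    genuine = [t for t in history if norm(t.tx_sender) == wallet and norm(t.contract) in official]
    findings = {}
    for i, t in enumerate(history):
        reasons = []
        if norm(t.frm) == wallet and norm(t.tx_sender) != wallet:
            reasons.append("outbound entry not signed by this wallet")
        if t.symbol in OFFICIAL_TOKENS and norm(t.contract) != norm(OFFICIAL_TOKENS[t.symbol]):
            reasons.append(f"labelled {t.symbol} but emitted by a non-official contract")
        if t.value == 0:
            reasons.append("zero-value transfer")
        if t.selector not in (TRANSFER, TRANSFER_FROM):
            reasons.append(f"non-standard selector {t.selector}")
        for known in sorted(trusted):
            if looks_alike(t.to, known):
                p, s = common_ends(t.to, known)
                reasons.append(f"recipient shares first {p}/last {s} hex digits with trusted {known}")
                for g in genuine:
                    gap = abs(g.timestamp - t.timestamp)
                    if norm(g.to) == known and gap <= window:
                        reasons.append(f"appears {gap} s from a genuine payment to that address")
        if reasons:
            findings[i] = reasons
    return findings


def display(addr: str, phonebook: dict) -> str:
    """Render a counterparty the way the 'phonebook' mitigation suggests: an exact
    match shows its label, anything else shows the FULL raw address, so a
    look-alike can never borrow a trusted name."""
    book = {norm(k): v for k, v in phonebook.items()}
    a = norm(addr)
    return f"[{book[a]}]" if a in book else f"[{a}]"


# Constructed history: genuine payment, part 2 poison 90 s later, part 1 zero transfer.
HISTORY = [
    TokenTransfer(1_000, VICTIM, TRANSFER, "USDT", OFFICIAL_USDT, VICTIM, REAL_PAYEE, 100_000),
    TokenTransfer(1_090, ATTACKER, UNKNOWN_MINT, "USDT", FAKE_USDT, VICTIM, VANITY_8_8, 100_000),
    TokenTransfer(5_000, ATTACKER, TRANSFER_FROM, "USDT", OFFICIAL_USDT, VICTIM, VANITY_2_6, 0),
]

if __name__ == "__main__":
    book = {REAL_PAYEE: "Alice's Wallet"}
    for i, reasons in flag_transfers(VICTIM, HISTORY, {REAL_PAYEE}).items():
        print(f"entry {i} -> {display(HISTORY[i].to, book)}")
        for r in reasons:
            print("   -", r)
```

Run against a real history, the only entries a wallet should ever see as “outbound” are those it signed itself; anything else is a Transfer event some other contract emitted in the wallet’s name and should never be copied as a destination. The phonebook deliberately prints the full raw address for unknown counterparties rather than an abbreviated form, because the abbreviation is exactly what the vanity address is built to imitate.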

About Crypto Finance Group 

Crypto Finance Group – a prudentially FINMA-supervised financial institution and part of Deutsche Börse Group – offers professional digital asset solutions. This includes one of the first FINMA-approved securities firms with 24/7 brokerage services, custody, infrastructure, and tokenisation solutions for financial institutions. It also comprises the first FINMA-approved manager of collective assets for crypto assets, with a selection of crypto investment solutions, including the first FINMA-regulated crypto fund. With a team of over 120 employees, Crypto Finance Group is headquartered in Switzerland.

www.crypto-finance.com

Copyright © 2023 | Crypto Finance AG  | All rights reserved.

All information in this communication is provided for general information purposes. No information provided in this communication constitutes or is intended as investment advice. This communication is not, and is not intended as, an offer, recommendation, or solicitation to invest in financial instruments including crypto assets. Investments in crypto assets are high-risk investments with the risk of total loss of the investment. You should not invest in crypto assets unless you understand and can bear the risks involved.
Crypto Finance is a financial group supervised by the Swiss Financial Market Supervisory Authority FINMA on a consolidated basis with Crypto Finance AG as securities firm and Crypto Finance (Asset Management) AG as asset manager for collective investments with the corresponding FINMA licences.
This communication and its content including any brand names, logos, designs, and trademarks and all related rights are the property of the Crypto Finance Group with Crypto Finance AG and its subsidiaries or third parties. They may not be reproduced or reused without their prior consent.
