New Attacks Hackers Are Using To Steal Your Crypto


Manuel Olumorin & Mark Kennedy
January 16, 2023
GM. Welcome to Lootbox, the newsletter that gets loot safely to you before hackers get it.
Let's get to helping you stay one step ahead of hackers.
- Hackers want your crypto and they have new moves
- The Sneakies
Hackers Are Getting Creative To Get Your Crypto
Remember the feeling when you were making your first crypto transaction?
Yeah, the one where you thought to yourself, "I might lose my funds." So you checked every single character in your wallet address 5 times to confirm it is correct.
Well, that is what MetaMask is warning wallet users to do: keep your paranoia.
Why?
There is a new attack in town. It is called address poisoning, and it is on the rise.
What is that, you may ask?
First, let's break down the behavioural mechanism (cue Mr. Robot).
After several transactions on the blockchain, you are confident in what you are doing. Slowly you get to the point where you only look at the first few characters of your wallet or the last few to verify the address. If you are somewhat paranoid, maybe the first 5 and the last 5 as you skip the middle.
At some point, you get to the stage where you copy the address from the previous transaction you made to save you some time.
This is where the attacker finds the vulnerability.
Address poisoning is a sneaky way hackers prey on complacency: after you complete a typical send transaction, they send a $0 value token to your wallet. They make sure to send it from a wallet address whose first and last few characters are similar to those of the address the funds were sent to.
The goal is to have the wallet owner copy the address from the transaction history and send funds to it without verifying the address first.
Here is an example shared by @sowzeli.
@MetaMaskSupport here's what happened after i sent a transaction on trx
— sowzeli (@sowzeli)
Jan 12, 2023
A few ways you can save yourself from this attack.
- Keep your paranoia and check every character of the wallet address you are sending to.
- If you want to copy, copy directly from your wallet, not your transaction history.
- Attach an ENS domain to your wallet address to make it human-readable.
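The "check every character" advice above can be automated over a transaction history. The sketch below is an added example, not code from this newsletter or from MetaMask; it assumes Ethereum-style hex addresses, and the names `Transfer`, `lookalike_of` and `flag_poisoned` as well as all sample addresses are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Transfer:
    counterparty: str  # address shown in the history entry
    value: int         # token amount in the smallest unit

def _norm(addr: str) -> str:
    """Lowercase and strip '0x' so checksum casing does not hide a match."""
    a = addr.lower()
    return a[2:] if a.startswith("0x") else a

def lookalike_of(candidate: str, trusted: list[str], n: int = 4) -> str | None:
    """Return the trusted address that `candidate` imitates, or None.

    Imitation means: same first and last n characters, but a different
    address overall (the middle, which people skip, does not match).
    """
    c = _norm(candidate)
    for t in trusted:
        tn = _norm(t)
        if c != tn and c[:n] == tn[:n] and c[-n:] == tn[-n:]:
            return t
    return None

def flag_poisoned(history: list[Transfer], trusted: list[str], n: int = 4):
    """Flag zero-value history entries whose address imitates a trusted one."""
    flagged = []
    for tx in history:
        target = lookalike_of(tx.counterparty, trusted, n)
        if tx.value == 0 and target is not None:
            flagged.append((tx.counterparty, target))
    return flagged

# Constructed sample data: one real recipient, one lookalike, one unrelated.
REAL = "0x1a2b" + "c3" * 16 + "9f8e"
FAKE = "0x1A2B" + "d4" * 16 + "9F8E"   # same first/last 4, different middle
OTHER = "0x77" + "00" * 18 + "aa"
HISTORY = [Transfer(REAL, 5_000_000), Transfer(FAKE, 0), Transfer(OTHER, 0)]

if __name__ == "__main__":
    for addr, imitates in flag_poisoned(HISTORY, [REAL]):
        print(f"possible poisoning: {addr} imitates {imitates}")
```

A flagged entry is an address that should never be copied from history; the full-string comparison in `lookalike_of` is the same check as reading every character.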
Malware through Google Ads
Another attack on the rise is malware through Google ads. I know, shocking 😱.
In Google's defence, this behaviour is against their terms of service, so they ban the ad accounts involved. But sometimes, the attackers are ahead.
Here is how it works.
An ad is placed on search terms for popular software which you see at the top of a search page on Google. When you click the link, you will see a site that looks legit. Sometimes, it would be a replica of the actual site but with a different domain. You download the software from the website only to learn you downloaded malware.
This is what happened to @NFT_GOD, a crypto influencer. They downloaded what appeared to be the popular streaming software OBS through a search ad, but it turned out to be malware.
Last night my entire digital livelihood was violated.
Every account connected to me both personally and professionally was hacked and used to hurt others.
Less importantly, I lost a life changing amount of my net worth
— NFT God (@NFT_GOD)
Jan 15, 2023
What can happen?
This is what happened to @NFT_GOD in their own words.
Every channel I have with my community, friends, and family was compromised over the last 24 hours
My Twitter, Substack, Gmail, Discord, and wallets were all invaded and taken over by bad actors
Significantly less important than all of that I lost all of my digital assets
— NFT God (@NFT_GOD)
Jan 15, 2023
Yes, you saw that right. Online accounts and wallets.
Not only the hot wallets, but the hardware wallet too. Apparently, they had used the hardware wallet's private keys in software, making the wallet not so cold anymore.
How can you secure yourself from this kind of attack?
- If you know what software you are looking for, skip the ads and click on the search links instead. It is more difficult to rank at the top of search than to run ads.
- Double check the website link. Sometimes it is obvious.
- Keep your hardware wallet's private keys off devices connected to the internet at any point.
The Sneakies
- Yuga Labs reveals plans for a new game, Dookey Dash, causing sales of Bored Ape Yacht Club NFTs to spike. Dookey Dash is an endless runner game (à la Temple Run) and is scheduled to be released on January 18th. To play the game, you have to get your sewer pass.
- Gameflip is allowing anyone to invest in the company. The in-game asset marketplace is opening itself to investment from the public following a $10 million round from VCs.