Ethereum hacked to steal millions from users across the world
Almost 100,000 users were tricked into giving away $60 million of Ethereum
Hackers have been observed abusing a feature in the Ethereum blockchain to trick victims into sending money.
In the last six months, the criminals were able to trick almost 100,000 people into giving away a total of $60 million, according to a new report from Scam Sniffer.
As per the report, the hackers used Create2, an Ethereum opcode whose resulting contract address is derived deterministically from the deployer, a chosen salt and the contract's code, so the address is known before the contract is ever deployed on the network. In practice, this lets attackers generate, for each targeted transaction, a fresh address that closely resembles the one the victim intended to pay. The scheme is dubbed “address poisoning”.
Bypassing security
Most users, before sending any funds, do two things: 1) they double-check the recipient’s address to make sure they’re sending the money to the right place; 2) they send a small test transaction first to make sure everything works, before sending the remaining funds. However, because addresses are long strings of seemingly random characters, most users only cross-check the first and last few characters instead of comparing the entire strings.
By creating an address whose first and last characters match those of the genuine one, the attackers can trick people into thinking the address is valid before they send the funds. That, however, still leaves the second failsafe - the test transaction. Criminals are working around this by forwarding the test transaction to the actual address.
The lookalike addresses don’t belong directly to a wallet controlled by the attackers; rather, each is a smart contract that then transfers the funds to the final destination. The researchers said they observed multiple cases of fraud leveraging Create2, with one victim losing up to $1.6 million.
Users are advised to thoroughly check the entire address before sending the funds, not just the first and last few characters.
Via BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.