In a startling revelation, blockchain security specialists from CertiK have reported a significant loss in the cryptocurrency realm. A crypto enthusiast was defrauded of approximately $69.3 million in wrapped Bitcoin (WBTC) due to a sophisticated address poisoning attack executed on May 3. Initially, the perpetrator mimicked a minor transaction of 0.05 Ethereum (ETH) to gain the victim’s trust, subsequently pilfering the WBTC in a subsequent transaction.
This deceptive technique involved the creation of a wallet address that closely resembles the victim’s, with only slight variations in the alpha-numeric characters at the beginning and end of the address, which often go unnoticed due to their length and complexity.
The severity of this incident was further underscored by on-chain investigator ZachXBT and crypto security firm Cyvers, with Cyvers’ CTO Meir Dolev highlighting the episode as “probably the highest value lost to an address poisoning scam on record.” Address poisoning scams exploit the difficulty users face in distinguishing between similar wallet addresses, a vulnerability exacerbated by the typically long strings of over 40 characters.
This recent exploit surpasses other recent cryptocurrency scams and hacks, which totaled approximately $25.7 million in digital assets last month. Moreover, despite April witnessing the lowest levels of decentralized finance (DeFi) scams since 2021, according to CertiK, this event underscores the persistent and evolving threats in the digital asset landscape.