As we move into the smart contract-enabled Web3 era, we’d like to believe dusting attacks are a thing of the past.
Unfortunately, the AnChain.AI investigation team has noticed a rising tide of targeted attacks in the crypto and NFT space instead. Scammers have upgraded their tactics in what we are calling a “Crypto Dusting Attack 2.0”. On a high level, attackers are draining crypto and token holders of their wallets by leveraging the irreversible nature of smart contracts in combination with traditional phishing and dusting tactics.
Dusting attacks were popularized in Blockchain 1.0 (as in the UTXO modeled Bitcoin network). They are a series of malicious activities where hackers attempt to deanonymize cryptocurrency holders by sending “dust”, or tiny amounts of cryptocurrency, to the wallets of target holders. The transactional activity of these wallets is then tracked by the attackers, who would perform a combined analysis of different addresses to deanonymize the holder behind each wallet.
If successful, the attackers used this knowledge against their targets through elaborate phishing attacks, cyber-extortion threats, blackmail, identity theft, or other attacks to make a profit.
With time and experience, the blockchain community has learned to live with such attacks. Measures such as increased due diligence, dust conversion services, and simple community education have long been considered a sufficient response to these attacks.
So what has changed? How did this “solved” attack tactic evolve into an investment-liquidating monster?
The first major evolution in methodology revolves around the type of tokens the attackers transfer to a prospective victim’s wallet. In the past, attackers would dust a large number of addresses with Bitcoin or other recognizable cryptocurrencies. With the rise of the meme coin frenzy last year (i.e. DOGE), an influx of individuals poured into the crypto space in fear of missing out on get-rich-quick opportunities. Attackers preyed on this mentality by sending an astronomical amount of seemingly legitimate smart contract-based tokens to their targets. To maximize their visibility, credibility, and ultimately, chances of success, attackers are also dusting and airdropping their tokens to smart contracts and virtual currency exchanges.
Imagine you’re the victim. At first glance, you’re surprised by the sheer amount of unknown tokens that randomly showed up in your wallet. You begin to wonder what it is and how much they’re worth. You google it, check Etherscan, and start seeing it everywhere – in virtual currency exchanges and smart contracts, and even find the project website. If the token is in legitimate exchange wallets, it must be credible, right? All of the information you see builds up the token’s credibility. But perhaps you see through its tactics and choose not to engage with the unknown token in your wallet.
So, here comes the latest and most devious approach – airdropping.
More participants in the cryptocurrency space are becoming vigilant of unknown tokens that appear in their wallets out of nowhere. But what if the victim knew it was coming? What if they had, in fact, asked for it?
Attackers have been dressing the scam tokens up as airdrops of free tokens to claim from popular NFT projects on seemingly legitimate phishing sites they created by leveraging assets from the legitimate project sites, which make it difficult for the average crypto enthusiast to tell them apart.
These phishing sites do not rely on stealing users’ traditional usernames and passwords. Rather, the hackers seek to convince users to connect their crypto wallets, typically browser-based wallets to phishing sites. Why? Increasingly more users are using browser-based crypto wallets, such as Metamask, as a gateway to connect to the decentralized applications ecosystem and Web 3 services due to their ease of use.
Once the unsuspecting users grant these phishing sites permission to access their wallets, hackers are able to then transfer out the digital currencies as well as any NFTs being held in these wallets.
Hackers have hidden dangerous lines of code within the smart contracts that enable them to access and drain the unsuspecting users’ wallets.
The creation and deployment of these seemingly legitimate tokens have become a typical strategy of modern crypto scammers. The process can be repeated ad nauseam via the creation of new websites and new tokens.
This represents not just one crypto-scam/phishing but rather a paradigm shift, a new and more sophisticated approach to exploiting newcomers to the digital asset ecosystem. While existing infrastructure does its best to clamp down on these exploits, it is impossible to wholly eradicate them.
By the time the scam token is identified and flagged, the scammer has already moved on to the next project.
The good news is that there are simple ways you can protect yourself from these types of attacks:
In the meantime, the AnChain.AI team is hard at work developing faster, smarter, deeper, and more responsive smart contract intelligence, cutting detection time for newly-deployed attacks from weeks down to mere hours and securing Web 3 infrastructure against the ever-adapting threats of blockchain bad actors. While the emergence of this new threat certainly is alarming, criminals aren’t the only ones who are constantly evolving.