Ethereum and the Address Poisoning Incident

    Today we'll dig deeper into Ethereum to find more data relevant to the MetaMask article about this new scam trend. In this dashboard I'll explain the methodology used to try to find these poison wallets.

    First Method to Find Poisoning Wallets


    Using ethereum.core.ez_token_transfers, I'll find the wallets with the following rules:

    • amount_usd < 0.1: poisoning transactions are transfers with zero tokens, and on Ethereum regular people don't make this kind of transaction because of transaction fees.
    • substr(from_address,0,5) = substr(to_address,0,5): to find addresses with matching initial 5 characters.
    • substr(from_address,-5,5) = substr(to_address,-5,5): to find addresses with matching final 5 characters.
    • from_address != to_address: to discard transactions wallets made to themselves.
    • from_address not in (select address from ethereum.core.dim_labels): to discard labeled (known) addresses.

    Main Problems of the First Method


    • Every account shares the same initial 2 characters (0x), so I'm actually looking at addresses that share the initial 3 characters.
    • I'm not considering poisoning transactions with $ETH transfers.
    • I'm only looking at poisoning transactions involving one party, that is, addresses sharing similar characters. Other wallets (third parties) interacting with the affected wallet may also receive this type of poisoning from an address disguised as the affected wallet.

    Because this is the first experiment, I decided to run it anyway for investigative reasons.

    The wallets found by the first method may be poison wallets, or unlucky wallets that made a transfer to a similar account.


    🔎First Method #1 Analysis🔍


    We can see that the poisoning trend really started not too long ago, on November 27, 2022. There seem to be some isolated cases in 2020 and October 2022, which I'll ignore, and I'll adjust my date range to start at the beginning of the trend.


    🔎First Method #2 Analysis🔍


    • We can already see that all the transactions found by this method are transfers with ZERO tokens.
    • There are at least 19 tokens involved.
    • On most days the ratio of affected wallets is the same as that of poison wallets.
    • December 10 was the day with the most poisoning transactions, with 112 transactions and 95 wallets affected.
    • After the spike, poisoning activity moves between 10 and 20 transactions, but at Christmas the activity dropped below 10 transactions.
    • Since New Year the poisoning trend has become more active again, reaching a significant spike on January 8.

    🔎First Method #3 Analysis🔍


    It seems that stablecoin transfers are the ones most used by scammers to poison wallets; MATIC is the main altcoin used.

    • In the beginning USDT was the most used token, but since December 8 USDC started being used too, and more tokens were used regularly.
    • USDT is present in more than 60% of transactions, affecting 60% of the wallets involved.
    • It seems that a lot of tokens are used only a single time, so they may or may not be involved in poisoning.

    🔎First Method Conclusion🔍


    In the table above we can see all the token and Ethereum transfers received by the poison wallets (ALL transactions) since the beginning of the poisoning trend (November 27, 2022). The table is ordered by total $USD winnings, so let's look at the top wallets.

    • 🥇0x6dfc34609a05bc22319fa4cce1d1e2929548c0d7 This wallet has the most $USD volume since the poisoning trend began. At the time of writing, the stats from Etherscan are:
      • 2,479,778 Transactions.
      • 262,835 ERC-20 Token Transactions.
      • Activity from this wallet is really high and it has some ERC-721 tokens from 2021; it also has 2 ENS names (vinilens7.eth & jackie012.eth).
      • From the information I got from Etherscan, it's possible that this isn't a poison wallet and is one of the unlucky wallets that made a zero-token transfer to a similar address.
    • 🥈0x292f04a44506c2fd49bac032e1ca148c35a478c8 This wallet has a volume similar to the first wallet. Its stats are:
      • 871,569 Transactions, 188,135 ERC-20 Token Transactions.
      • Activity from this wallet is also high, and it has some ERC-1155 tokens from July 2022.
      • From the information I got from Etherscan, it's possible that this isn't a poison wallet and is one of the unlucky wallets that made a zero-token transfer to a similar address.

    So far I hadn't found anything suspicious, so I started looking for fresh accounts without a long transaction history, and the first wallets I found were:

    • 0xfc4dc095a01c00a3c6404c4d3424aa4c360cecd2 This wallet is in #6 place at the time of writing and it has:
      • 297 Transactions and 586 ERC-20 Token Transactions.
      • A lot of ERC-20 zero-token transfers made to different accounts with similar addresses.
      • Because of the small number of transactions in comparison to the ERC-20 token transactions, and the high number of zero-token transactions, this is a Poison Account.
    • 0x588bb4f4ea34b6b7db9b4bb572982e2aae901dd1 This wallet is in #8 place at the time of writing and it has:
      • 9 Transactions and less than 25 ERC-20 Token Transactions.
      • Its transaction history starts during the poisoning trend, and it has a significant number of zero-token transfers.
      • This is a Poison Account.

    First Method Results


    My first filter for finding poison accounts gives me 3 different types of wallets:

    • High Trading Wallet: The first 2 accounts by $USD winnings have a lot of transactions, and it is most likely that they're trading wallets, so in the best-case scenario they made a zero-token transfer by accident to a similar wallet.
    • Poison Wallet: These wallets have few transactions, were created recently (or not), and have a high number of ERC-20 zero-token transactions.
    • Other Wallet: Other wallets can be caught here by accident too.

    Second Method to Find Poisoning Wallets


    Using ethereum.core.ez_token_transfers, I'll refine my first method, keeping the same rules and this time changing:

    • substr(from_address,0,6) = substr(to_address,0,6): to find addresses with matching initial 6 characters.

    How This Second Method Will Solve the Main Problems of the First Method


    • Every account shares the same initial 2 characters (0x), so now I'm looking at the initial 6 characters and the final 5 characters.
    • I'm not considering poisoning transactions with $ETH transfers; it seems that the poisoning trend uses ERC-20 zero-token transfers of stablecoins (USDT).
    • I'm only looking at poisoning transactions involving one party, but after finding the main poison wallets I can track all of their zero-token transfers to show the real number of wallets affected.

    So my best shot is to try to find wallets making zero-token transfers again, but this time changing my rules, and then looking at how much the number of wallets changes after this.

    Third Method is the Charm


    So now I'll use the same rules as the first method, that is, the initial 5 characters and not 6. Then, after getting all the wallets involved in zero-value token transfers to similar addresses, I'll record every zero-value token transfer they made from the start of the poisoning trend.

    I tried to get all the $USD winnings made from affected wallets, but in the end I didn't get useful information, so to avoid more misleading $USD values I'll focus only on the number of zero-value transfers, adding a new metric called:

    • Poison Wallet Affected Ratio = wallets affected by that poison wallet / all zero-value transfers made by that poison wallet.
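
    The first-method rules and the Poison Wallet Affected Ratio, as an added Python example that is not part of the original dashboard or its queries. The addresses and rows are constructed, the field names are assumptions, and "affected wallets" is read here as the distinct recipients of a flagged wallet's zero-value transfers.

```python
from collections import defaultdict

PREFIX, SUFFIX = 5, 5  # the page's rule: first 5 chars (including "0x") and last 5

def addr(head, tail, fill):  # builds a constructed 42-character sample address
    return "0x" + head + fill * (40 - len(head) - len(tail)) + tail

def looks_alike(a, b):
    a, b = a.lower(), b.lower()
    return a != b and a[:PREFIX] == b[:PREFIX] and a[-SUFFIX:] == b[-SUFFIX:]

def suspect_senders(transfers, labeled=frozenset()):
    """First-method rules: amount_usd < 0.1, look-alike pair, unlabeled sender."""
    return {t["from"] for t in transfers
            if t["amount_usd"] is not None and t["amount_usd"] < 0.1
            and looks_alike(t["from"], t["to"])
            and t["from"] not in labeled}

def affected_ratio(transfers, suspects):
    """Third-method metric (assumed reading): distinct recipients / zero-value transfers."""
    sent, hit = defaultdict(int), defaultdict(set)
    for t in transfers:
        if t["from"] in suspects and t["amount"] == 0:
            sent[t["from"]] += 1
            hit[t["from"]].add(t["to"])
    return {w: len(hit[w]) / sent[w] for w in sent}

# Constructed sample rows (not real chain data).
VICTIM = addr("abc", "12345", "1")
POISON = addr("abc", "12345", "f")    # same first 5 / last 5 characters as VICTIM
OTHER = addr("def", "99999", "2")
EXCHANGE = addr("def", "99999", "e")  # look-alike of OTHER, but a labeled address
TRADER = addr("777", "00000", "3")
UNPRICED = addr("abc", "12345", "9")  # look-alike sending a token with no USD price

def row(frm, to, amount, usd):
    return {"from": frm, "to": to, "amount": amount, "amount_usd": usd}

TRANSFERS = [
    row(POISON, VICTIM, 0, 0.0),
    row(POISON, VICTIM, 0, 0.0),
    row(POISON, OTHER, 0, 0.0),       # zero-value, but not a look-alike pair
    row(EXCHANGE, OTHER, 0, 0.0),     # dropped: sender is labeled
    row(TRADER, VICTIM, 250, 250.0),  # dropped: real value, not a look-alike
    row(UNPRICED, VICTIM, 0, None),   # dropped: amount_usd is NULL
]

SUSPECTS = suspect_senders(TRANSFERS, labeled={EXCHANGE})
RATIOS = affected_ratio(TRANSFERS, SUSPECTS)
```

    The UNPRICED row is missed because a NULL amount_usd never satisfies amount_usd < 0.1, and a victim who copied a poisoned address and sent a zero-token test transfer would be flagged by the same rules.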

    🔎Third Method Conclusion🔍


    So again we see similar wallets at the top. Are they poisoners, or unlucky traders whose activity was captured by my methodology? The main problem is that these wallets with a high number of zero-value token transactions started their activity at the same moment the poisoning scam became a thing, so it may not be a coincidence.

    • Again, USDT is the favorite token in this kind of transaction.
    • There isn't a single poison wallet with an affected ratio of 50% or less.

    There still isn't enough evidence to claim that all these wallets are poison wallets, but the fact remains that they made a significant number of poison transactions.


    🔎Second Method Analysis and Conclusion🔍


    The number of potential poison wallets drops significantly, from 596 wallets to 77, after the single change of comparing one extra initial character.

    • Now the poisoning trend spikes in January.
    • USDT is still the favorite token to poison with.
    • On every day the number of poison and affected wallets is the same.
      • The reason for 77 vs 78 wallets is that the numeric metrics included the isolated cases before the poisoning trend began on November 27.
    • Looking at the first accounts, I still get some traders or important accounts such as:

    It seems that the second method only reduced the range of wallets involved, losing potential poison wallets.

    What is an Address Poisoning Scam?


    On January 12, MetaMask published an article about the new scam trend called Address Poisoning, warning users to avoid copying addresses from their transaction history and to always double-check addresses before sending a transaction.

    How It Works - from the MetaMask Article


    • Address poisoning involves scammers sending transactions of no value to your account from an address that's very similar to your own.
    • Their hope is that you will then absent-mindedly copy this address from your transaction history in future. You or whoever you're passing your address onto will then send tokens directly to them, and not to the correct address.

    This Is Going to Be the Topic of Today's Analysis


    I'll show relevant data from this new scam trend, trying different methods and explaining my results at the end. Keep in mind that this is a new trend, so most of the charts will refresh daily.

    > Metamask Image from news.coincu.com


    🔎Third Method #1 Analysis🔍


    After including all zero-value token transactions made by wallets that tried to poison a similar wallet, the number of transactions increases significantly. Some key insights:

    • These kinds of transactions really started to appear recently; prior to November 27, 2022, zero-value token transactions weren't something you would see daily.
    • In the first method, December 10 was the spike in poisoning transactions, but this time it was December 11, with 478 transactions.
    • During Christmas the number of transactions takes a rest, with a downtrend on that weekend, but after that the daily activity starts to increase.

    Summary


    First, the $USD winnings from the first and second methods are from all received transfers since the poisoning trend began, and not from affected wallets.

    In the third method I tried to get a $USD volume coming exclusively from affected wallets, but most of the wallets showed a value of 0, so I decided to focus more on the poisoning trend.

    The Poisoning Trend Started on November 27, 2022

    There is a lot of activity involving this type of transaction, and it is really strange that prior to that date these transactions didn't occur every day, at least for the wallets tagged as potential poisoners.

    Zero-Value Token Transactions Involving USDT Are the Most Common

    The stablecoins USDC/USDT are at the top in this kind of transaction, MATIC comes in third place, and then BUSD/DAI.

    Are the Wallet Owners Traders or Scammers?

    It is difficult to know exactly whether the wallets with a high number of poison transactions are traders or not, because they may show only one poisoning transfer among 100 or more consecutive regular transfers. At first I was hoping that I had messed up the methodology and that they're only traders who unfortunately made a poison transaction to one or more similar addresses. But is it really only a coincidence?

    How to Improve the Search for Poison Wallets?

    In fact my search could have involved more things, and some new ideas to expand this investigation could be:

    • Include token transfers with amount_usd = NULL: This can be difficult considering the number of new tokens created and airdropped every day, but it is possible that scammers are poisoning with these kinds of tokens too.
    • Include Ethereum transfers with amount_usd < 0.1: It is really hard to think that scammers would send money to their victims when they're exploiting these zero-value token transfers with stablecoins, but it is still possible to find data of interest.
    • Look for poisoning transactions involving addresses that are not exactly equal but similar in the initial/final characters: This means addresses having at least the same letters but different numbers, or the other way around, for example:
      • 0xAf2d1 = 0xAf3d7 or 0xA2b4 = 0xA2d4

    It seems that the poisoning trend is affecting more wallets every day, and it is only a matter of time before the affected wallets mistype and fall for this scam.

    Methodology


    Using Flipside Crypto tables:

    • ethereum.core.ez_token_transfers: To get the Zero Value token transfers.
      • (from/to)_address: To get the Wallets.
      • count(*): To get the Poison Transactions.
      • Symbol: To get the Token Used.
      • amount: To get the token amount.
      • amount_usd: To get the $USD amount
    • ethereum.core.ez_eth_transfers: To get $USD transfers with $ETH.
      • eth_(from/to)_address: To get the Wallets.
      • amount_usd: To get the $USD amount

    Made by Popex404, twitter link here
