In a not-so-safe turn of events, the supposedly secure Safe Wallet is feeling the heat.

Users of Safe Wallet are facing a major threat as a crypto hacker skilled in “address poisoning attacks” successfully pilfered over $2 million from 10 users between November 26 and December 3.

Safe Wallet Users Targetted in Address Poisoning Scam

The total victim count has now reached 21, with the same attacker allegedly stealing $5 million from these users in the last four months, according to Scam Sniffer’s report based on Dune Analytics data. A user with $10 million in crypto in a Safe Wallet lost $400,000 in the attack.

about ~10 Safe wallets have lost $2.05 million to “address poisoning” attacks in the past week.

the same attacker has stolen $5 million from ~21 victims in the past four months so far. pic.twitter.com/fu4kxaI3py

— Scam Sniffer | Web3 Anti-Scam (@realScamSniffer) December 3, 2023

The latest address poisoning attack is speculated to have been orchestrated by the same perpetrator that targeted Florence Finance, a real-world asset lending protocol. The incident was first flagged by blockchain security firm PeckShield, which revealed that $1.45 million in USDC was drained from the protocol while adding that the transaction was directed to a phishing address rather than the intended one.

The deception involved crafting addresses with strikingly similar beginning and ending characters, leading the victim to unknowingly send funds to the fraudulent address without scrutinizing the complete address.

What is Address Poisoning?

Unliке common scams that employ tactics like unlimited token approvals or phishing for Secret Recovery Phrases, ‘address poisoning’ exploits user carelessness and haste. While it may seem less harmful than other scam methods, it still poses a significant risk to users’ funds, as explained by MataMask.

Blockchain addresses, typically complex alphanumeric strings, range from 25 to 40 characters, making memorization challenging. To enhance user experience, some crypto platforms display only the initial and final characters, omitting the middle ones.

This practice, known as address shortening, poses a security risk. Attackers can exploit the limited possibilities (36 per character) and create addresses with the same short form as a user’s, increasing the chances of a match. Since many blockchains are not case-sensitive, the attacker’s job is further simplified.

Address poisoning attacks leverage this vulnerability. Attackers send a low-value transaction from a similar-looking address to the victim. Users, accustomed to copying addresses from transaction histories, may inadvertently paste the attacker’s address when making subsequent transactions. The funds end up being sent to the attacker instead of the intended recipient.