• 270M phishing attempts on Ethereum and BSC, 17M victims, $83.8M lost.
• Attack exploits wallet address usability; attackers craft lookalike 40‑char hex addresses.
• Scammers send tiny or zero‑value transactions to poison victim history.
• Victims copy/paste from history, mistaking lookalike for legitimate recipient.
• CMU’s Toxin Tagger tool detected a $50M successful attack on Dec 19, 2025.
• Findings highlight need for better wallet UX and address verification mechanisms.

Article Summaries:

  • Carnegie Mellon’s CyLab team published a study at the 34th USENIX Security Symposium showing that “blockchain address poisoning” has become a major phishing vector. Analyzing Ethereum and Binance Smart Chain data from 2022‑2024, researchers identified roughly 270 million attack attempts targeting 17 million users, with confirmed losses of at least $83.8 million. The scam exploits the difficulty of distinguishing long hexadecimal wallet addresses; attackers send a small or zero‑value transaction from a lookalike address to “poison” a victim’s history, leading to accidental transfers. Though only about one in 10,000 attempts succeeds, the volume allows organized groups, some using GPU‑based address generators, to earn 10‑20× their transaction costs. The study also notes a recent $50 million successful attack detected by CyLab’s “Toxin Tagger” tool.
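
Added example (not code from the article, the CyLab study, or Toxin Tagger): a Python check that scans a wallet's chronological history for the pattern described above, a tiny or zero‑value incoming transfer from an address that resembles one the wallet has already paid. The 4‑character prefix/suffix comparison, the DUST_WEI threshold, and every address below are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumptions (not from the article): the wallet UI shows only the first and
# last 4 hex characters, and "tiny" means a value of at most DUST_WEI.
PREFIX_LEN = SUFFIX_LEN = 4
DUST_WEI = 10**13

@dataclass
class Tx:
    sender: str
    recipient: str
    value_wei: int

def normalize(addr: str) -> str:
    """Lower-case a 0x-prefixed address and check it is 40 hex characters."""
    a = addr.lower().removeprefix("0x")
    if len(a) != 40 or any(c not in "0123456789abcdef" for c in a):
        raise ValueError(f"not a 40-character hex address: {addr!r}")
    return a

def looks_alike(a: str, b: str) -> bool:
    """True when two different addresses agree on the displayed ends."""
    a, b = normalize(a), normalize(b)
    return a != b and a[:PREFIX_LEN] == b[:PREFIX_LEN] and a[-SUFFIX_LEN:] == b[-SUFFIX_LEN:]

def find_poisoning(wallet: str, history: list[Tx]) -> list[tuple[int, str, str]]:
    """Scan a chronological history; return (index, lookalike, imitated) hits."""
    wallet, paid, hits = normalize(wallet), [], []
    for i, tx in enumerate(history):
        sender, recipient = normalize(tx.sender), normalize(tx.recipient)
        if sender == wallet:
            paid.append(recipient)          # a recipient the user really paid
        elif recipient == wallet and tx.value_wei <= DUST_WEI:
            imitated = next((p for p in paid if looks_alike(sender, p)), None)
            if imitated:
                hits.append((i, sender, imitated))
    return hits

# Constructed sample data: none of these addresses come from the study.
WALLET = "0x" + "1" * 40
LEGIT = "0xA1B2" + "0" * 32 + "C3D4"
FAKE = "0xa1b2" + "f" * 32 + "c3d4"
OTHER = "0x" + "9" * 40
SAMPLE_HISTORY = [
    Tx(WALLET, LEGIT, 5 * 10**18),   # genuine payment
    Tx(OTHER, WALLET, 0),            # zero-value, but not a lookalike
    Tx(FAKE, WALLET, 0),             # zero-value from a lookalike of LEGIT
    Tx(LEGIT, WALLET, 0),            # the real address itself is not flagged
]
```

Calling find_poisoning(WALLET, SAMPLE_HISTORY) flags only the third transaction; a wallet could use the same comparison to warn when a pasted destination matches a flagged sender rather than the address actually paid before.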
