TL;DR RECS FOR MM USERS:
NEW HACK/SCAM EXPLOITS THE “RECENT ADDRESSES” BY SENDING A SMALL DEPOSIT FROM AN ADDRESS THAT STARTS/ENDS IN THE SAME CHARACTERS AS A REAL ADDRESS THAT YOU HAVE SENT TO BEFORE
- WHEN SENDING, DO NOT CLICK ON A “RECENT ADDRESS” IN MetaMask. USE YOUR ADDRESS BOOK OR COPY/PASTE THE ADDRESS DIRECTLY
- CHECK ALL ADDRESS CHARACTERS. SCAMMERS ARE FINDING ADDRESSES THAT LOOK VERY SIMILAR TO OTHER ADDRESSES
Hi. Informing the community of a new vulnerability. There is a new scam where an imposter address gets their own address into the “recent addresses” of the user’s MetaMask wallet by sending the user a small amount of funds. The address has the same first and last letters/digits as one of the user’s real addresses.
I got hit this morning. I was lazy and instead of copy/paste, or using my address book, I clicked on a “recent address” with the same first/last letters/digits. I send to this address every single day so I did not think anything of it. My funds never arrived. I checked more carefully and noticed that the address in my “recent addresses” was NOT any of my addresses. The first and last parts of the address were the SAME as mine, but the rest was different. I had been scammed.
So I investigated further, wondering how the heck an imposter address made it into my “recent addresses”. The imposter address had made only 1 transaction in its lifetime. 66 days ago, it sent 0.1 MATIC to one of my addresses.
So strangely and inexplicably, one deposit that was sent from an imposter address 66 days ago found its way into my “recent addresses”, even though I make 2-3 transfers every single day.
I also do not understand why this address never showed up before - I have used “recent addresses” on many occasions before. If the deposit came to me 66 days ago, why did the imposter address only show up in my recent addresses this morning?
In any case, based upon this “education” that I received, and the $2,050 USDC I lost because of it, I have multiple recommendations for MetaMask developers
- Only addresses that a user has SENT to should be considered “recent addresses”. Addresses that the user has RECEIVED FROM should NOT be considered “recent addresses”
- In light of this “similar address” scam, consider removing “recent addresses” altogether from the address book
- If not 1 or 2, then add a feature inside settings to allow the user to disable “recent addresses”
Until then, MetaMask USERS → PLEASE CONSIDER NEVER CLICKING ON A “RECENT ADDRESS”. USE YOUR ADDRESS BOOK OR COPY/PASTE DIRECTLY FROM THE TARGET ADDRESS.
Stay safe, hope my loss of $2,050 can help at least one other user stay safer!!
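The pattern described in the post is usually called address poisoning: the attacker grinds a vanity address whose first and last visible characters match one of your real counterparties, sends dust so it shows up in your history, and waits for you to pick it from a truncated list. The following is an added example written for this page, not MetaMask code and not code from the poster: it builds a "recent addresses" list from outgoing transfers only (the post's first recommendation), and it classifies a candidate address against an address book as an exact match, a lookalike (same leading/trailing characters, different middle), or unknown. All addresses and transactions below are constructed for the example; the prefix/suffix lengths of 4 mirror the truncated display form and are an assumption, not a MetaMask constant.

```javascript
// Added example, not MetaMask code. Demonstrates a "recent addresses" list
// built only from transfers the user SENT, plus a lookalike check that
// compares the whole address rather than the truncated "0xabcd...1234" form.

// Constructed sample data (not real addresses or transactions).
const MY_ADDRESS = "0x" + "1".repeat(40);
const REAL_COUNTERPARTY = "0xAbCd" + "0".repeat(32) + "1234";   // in the address book
const POISON_ADDRESS = "0xabcd" + "f".repeat(32) + "1234";      // same ends, different middle

const ADDRESS_BOOK = {
  "Exchange deposit": REAL_COUNTERPARTY,
};

// Constructed history: one genuine outgoing transfer, then a dust deposit
// from the lookalike. Newest entries first, as a wallet would list them.
const TX_HISTORY = [
  { from: MY_ADDRESS, to: REAL_COUNTERPARTY, value: "100 USDC" },
  { from: POISON_ADDRESS, to: MY_ADDRESS, value: "0.1 MATIC" },
];

// Validate shape (0x + 40 hex chars) and fold case so EIP-55 mixed-case
// and all-lowercase forms of the same address compare equal.
function normalize(addr) {
  if (typeof addr !== "string" || !/^0x[0-9a-fA-F]{40}$/.test(addr)) {
    throw new Error(`not a 20-byte hex address: ${addr}`);
  }
  return addr.toLowerCase();
}

// Naive list: every counterparty in either direction. This is the behaviour
// the post complains about, because an attacker controls what you RECEIVE.
function recentAnyCounterparty(history, me, limit = 10) {
  const mine = normalize(me);
  const out = [];
  for (const tx of history) {
    const other = normalize(tx.from) === mine ? normalize(tx.to) : normalize(tx.from);
    if (!out.includes(other)) out.push(other);
    if (out.length === limit) break;
  }
  return out;
}

// Hardened list: only addresses the user actually SENT to. An attacker
// cannot insert an entry here by depositing to the user.
function recentSentTo(history, me, limit = 10) {
  const mine = normalize(me);
  const out = [];
  for (const tx of history) {
    if (normalize(tx.from) !== mine) continue;   // ignore incoming transfers
    const to = normalize(tx.to);
    if (!out.includes(to)) out.push(to);
    if (out.length === limit) break;
  }
  return out;
}

// True when the two addresses differ but share the leading and trailing
// hex characters a truncated display would show (lengths are assumptions).
function isLookalike(candidate, known, prefixLen = 4, suffixLen = 4) {
  const a = normalize(candidate);
  const b = normalize(known);
  if (a === b) return false;
  const ah = a.slice(2);
  const bh = b.slice(2);
  return ah.slice(0, prefixLen) === bh.slice(0, prefixLen) &&
         ah.slice(-suffixLen) === bh.slice(-suffixLen);
}

// Classify a destination before sending: exact address-book match,
// lookalike of an address-book entry, or unknown. Exact matches are checked
// first so a genuine entry is never reported as a lookalike of itself.
function classify(candidate, book) {
  const c = normalize(candidate);
  for (const [label, addr] of Object.entries(book)) {
    if (normalize(addr) === c) return { status: "exact", label };
  }
  for (const [label, addr] of Object.entries(book)) {
    if (isLookalike(c, addr)) return { status: "lookalike", label };
  }
  return { status: "unknown", label: null };
}

// Stand-alone demonstration.
console.log("naive recent list:", recentAnyCounterparty(TX_HISTORY, MY_ADDRESS));
console.log("sent-only recent list:", recentSentTo(TX_HISTORY, MY_ADDRESS));
console.log("poison address:", classify(POISON_ADDRESS, ADDRESS_BOOK));
console.log("real address:", classify(REAL_COUNTERPARTY, ADDRESS_BOOK));
```

Run with `node`. The naive list contains both the genuine counterparty and the poisoned one, which look identical once truncated to `0xabcd...1234`; the sent-only list contains just the genuine one. The `classify` result for the poisoned address is `lookalike` against the "Exchange deposit" entry, which is exactly the warning a user clicking a recent entry would want to see before signing.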