New safety recommendation ("recent addresses" and similar address scam)

TL;DR REC’S FOR MM USERS:

NEW HACK/SCAM EXPLOITS THE “RECENT ADDRESSES” BY SENDING A SMALL DEPOSIT FROM AN ADDRESS THAT STARTS/ENDS IN THE SAME CHARACTERS AS A REAL ADDRESS THAT YOU HAVE SENT TO BEFORE

  1. WHEN SENDING, DO NOT CLICK ON A “RECENT ADDRESS” IN MetaMask. USE YOUR ADDRESS BOOK OR COPY/PASTE THE ADDRESS DIRECTLY
  2. CHECK ALL ADDRESS CHARACTERS. SCAMMERS ARE FINDING ADDRESSES THAT LOOK VERY SIMILAR TO OTHER ADDRESSES

Hi. Informing the community of a new vulnerability. There is a new scam where an imposter address gets their own address into the “recent addresses” of the user’s MetaMask wallet by sending the user a small amount of funds. The address has the same last first and last letters/digits as one of the user’s real addresses.

I got hit this morning. I was lazy and instead of copy/paste, or using my address book, I clicked on a “recent address” with the same first/last letters/digits. I send to this address every single day so I did not think anything of it. My funds never arrived. I checked more carefully and noticed that the address in my “recent addresses” was NOT any of my addresses. The first and last parts of the address were the SAME as mine, but the rest was different. I had been scammed.

So I investigated further, wondering how the heck an imposter address made it into my “recent addresses” The imposter address had made only 1 transaction in its lifetime. 66 days ago, it sent 0.1 MATIC to one of my addresses.

So strangely and inexplicably, one deposit that was sent from an imposter address 66 days ago found its way into my “recent addresses”. Even though I make 2-3 transfers every single day.
I also do not understand why this address never showed up before - I have used “recent addresses” on many occasions before. If the deposit came to me 66 days ago, why did the imposter address only show up in my recent addresses this morning?

In any case, based upon this “education” that I received and lost $2,050 USDC because of, I have multiple recommendations for MetaMask developers

  1. Only addresses that a user has SENT to should be considered “recent addresses”. Addresses from which the user RECEIVED from should NOT be considered “recent addresses”
  2. In light of this “similar address” scam, consider removing “recent addresses” altogether from the address book
  3. If not 1 or 2, then add a feature inside settings to allow the user to disable “recent addresses”

Until then, MetaMask USERS → PLEASE CONSIDER NEVER CLICKING ON A “RECENT ADDRESS”. USE YOUR ADDRESS BOOK OR COPY/PASTE DIRECTLY FROM THE TARGET ADDRESS.

Stay safe, hope my loss of $2,050 can help at least one other user stay safer!!

5 Likes

Thanks for sharing your story to help raise awareness.

If you would like to read more about address poisoning, check these out below:

Tweet:

MetaMask Knowledge Base article:

4 Likes

Yes indeed. What is ironic is that I literally read an article about address poisoning earlier this week on Twitter. What I did not realize is that such “received from” addresses would be saved into MetaMask’s recent addresses list. I was never a fan of “recent addresses” - but if a “recent addresses” feature must be present, it should only save addresses to which a user has sent funds. Why would a user want an address saved from which they have RECEIVED funds? That is just asking for trouble to have those “received from” addresses be part of a user’s address book in the form of “recent addresses”.

Of note - I just sent a deposit to my crypto dot com (CDC) wallet and soon after that, I received small deposits back from a similar address - the deposits came 30 min and 5 min after my CDC deposit (see screenshot below). Now that I think about it, I noticed that every time I sent a deposit to CDC, a short while later, I received a small deposit back from what appeared to be the address that I sent to. I thought it was odd but ignored it. Now I am putting together that the scammers may be within CDC or monitor CDC deposits closely in order to mimic those addresses.

3 Likes

And further elaboration - in these most recent 2 deposits that they made 30 minutes after my deposit to CDC, they were able to mimic the first SEVEN characters and last FIVE characters of my real CDC address. So the way MetaMask shows addresses (first 5 characters…last 4 characters), these fake addresses would look exactly the same in MetaMask’s “recent addresses”. That’s why they should consider the changes that I recommended above regarding the “recent addresses” that show up in MetaMask after clicking “send”

1 Like

It looks like you opened a Feature Request for this (great move!). You can add details there too.