
MetaMask Addresses Latest Scam – Better Late Than Never

Updated by Geraint Price

In Brief

  • MetaMask has warned its users against falling prey to ‘address poisoning,’ a crypto scam growing in popularity.
  • After monitoring a transaction, scammers create an address mimicking the receiving user’s, using the same first and last four digits.
  • By sending a $0 transaction from the faux address to the original sender’s, the scammer hopes their cached address will replace the original receiver’s.

MetaMask is warning its users against a growing new crypto scam called “address poisoning.” However, the news has come a bit late for some.

Cryptocurrency wallets can include one or more accounts, each with its own cryptographically-generated address, MetaMask explains in a release. However, these long hexadecimal numbers are intentionally difficult to remember, requiring the frequent use of copy and paste. This is precisely what address poisoning attempts to take advantage of.

How Addresses Become “Poisoned”

Rather than a sophisticated hack that compromises a protocol’s infrastructure, address poisoning relies on human psychology and the mechanics of crypto transactions. The following scenario is a case in point.

In this case, User A makes regular transactions to User B. Attacker C becomes aware of this by using software that monitors transfers of certain tokens, typically stablecoins. The attacker then uses a “vanity” address generator to create hacker address C, which closely matches user address B.

Attacker C then performs a $0 transaction between user address A and hacker address C. This ‘poisons’ the address: hacker address C becomes cached over user address B for user address A. Since hacker address C shares the same first and last 4 digits as user address B, Attacker C hopes that User A will inadvertently use the hacker address when trying to transact with User B.

The scam can easily be avoided by thoroughly checking addresses before committing to transactions, however tedious.
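One way to automate the address check described above, as an added example that is not MetaMask's code: it compares every address in a transaction history against a trusted contact list and flags any that differ from a contact yet share its first and last four hex digits. The function names and the history record shape are assumptions, and all addresses are constructed sample values.

```javascript
// Added example: flag history entries that imitate a trusted address.
// All addresses below are constructed sample values, not real accounts.
const EDGE = 4; // hex digits compared at each end, as in the scam described

// Normalize to lowercase hex without the 0x prefix; reject malformed input.
function normalize(addr) {
  const m = /^0x([0-9a-fA-F]{40})$/.exec(String(addr).trim());
  if (!m) throw new Error(`not a 20-byte hex address: ${addr}`);
  return m[1].toLowerCase();
}

// True when a and b differ but share the same first and last `edge` digits.
function isLookalike(a, b, edge = EDGE) {
  const x = normalize(a), y = normalize(b);
  return x !== y &&
    x.slice(0, edge) === y.slice(0, edge) &&
    x.slice(-edge) === y.slice(-edge);
}

// trusted: { label: address }; history: [{ from, to, value }] (hypothetical shape).
// Returns one finding per history address that imitates a trusted contact.
function findPoisonedEntries(trusted, history) {
  const findings = [];
  for (const tx of history) {
    for (const party of [tx.from, tx.to]) {
      for (const [label, good] of Object.entries(trusted)) {
        if (isLookalike(party, good)) {
          findings.push({ address: party, imitates: label,
                          zeroValue: BigInt(tx.value) === 0n });
        }
      }
    }
  }
  return findings;
}

// Constructed sample data following the User A / User B / Attacker C scenario.
const USER_A = "0x" + "ab".repeat(20);
const USER_B = "0x1a2b" + "c".repeat(32) + "9f8e";
const FAKE_C = "0x1A2B" + "d".repeat(32) + "9F8E"; // same ends, different middle
const OTHER  = "0x1a2b" + "e".repeat(32) + "0000"; // same prefix only
const sampleHistory = [
  { from: USER_A, to: USER_B, value: "2500000" }, // genuine payment
  { from: USER_A, to: FAKE_C, value: "0" },       // poisoning entry
  { from: OTHER,  to: USER_A, value: "100" },     // unrelated sender
];
console.log(findPoisonedEntries({ "User B": USER_B }, sampleHistory));
```

A match on both ends with a different middle is the signal; comparing the full normalized string is what separates the genuine contact from the imitation.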

MetaMask Mistakes

Some users are disappointed by the delay in announcing the news. “MetaMask finally documents the address poisoning attack after 2+ months,” tweeted Han Tuzun. His post provided a link to an article, dated from the beginning of December, explaining the scam in thorough detail.

Tuzun further warned users about vanity address generators that could generate near-identical addresses in seconds. The Twitter user also tasked infrastructure builders with sufficiently warning users in the UI against such attacks.

This latest setback for MetaMask comes after it faced strong public backlash following an update on its data retention policies. The firm updated its privacy policy late last year, leading to reports that it would result in the collection of users’ wallets and IP addresses.

This quickly led to a heated response from the crypto community, which prompted a post from developer ConsenSys on Dec. 6 to try to reassure its users.


Nicholas Pongratz
Nick is a data scientist who teaches economics and communication in Budapest, Hungary, where he received a BA in Political Science and Economics and an MSc in Business Analytics from CEU. He has been writing about cryptocurrency and blockchain technology since 2018, and is intrigued by its potential economic and political usage.