red 
A new scam – or more accurately, an attempted scam – is making the rounds across a number of blockchains, leaving very visible stains on some of the most popular block explorers. Etherscan and others have attempted to black out these fraudulent transactions in an attempt to stop the victimization. In this blog, we dissect this new typology to assess its success and discuss how you can avoid this latest crime.
The scam involves trying to trick cryptocurrency users dealing with stablecoins into sending them to the scammer’s addresses unwittingly. These addresses are intentionally generated to mimic those used by legitimate users.
How it works
If you’re someone who interacts with stablecoins, you might find that your Etherscan address transactions look something like this:
These records purportedly show a wallet making several legitimate stablecoin transactions, but then several zero-value stablecoin transactions that were (helpfully) grayed out by Etherscan.
Looking further into some of these transactions, it becomes apparent that the zero-value transactions appear to have been sent to wallet addresses that are very similar to the recipients of legitimate stablecoin transactions. Addresses share the first few characters:
When analyzed in detail, these zero-value transactions show that hundreds of them are initiated by a single perpetrator and malicious contract, impersonating legitimate addresses.
The behind-the-scenes analysis of this transaction is as follows: the scammer (in this case “0x84eb…”) identifies a number of potential victims who have regularly sent stablecoins to other wallets in the past. In this particular transaction, a long list of potential victims can be seen at the bottom left (“0xb39…”, “0xdc6…”, “0xbc7…” and so on).
The attacker uses a malicious contract (“0x732…”) to fake zero-value transactions from these potential victims to a series of impersonator addresses. These addresses are generated to look very similar to typical recipients of stablecoins sent by potential victims.
There are numerous services that allow users to generate dummy addresses, which are mostly legitimately used to generate custom personal addresses.
Profanity wallet address generator tool.
The scammer’s goal is to trick potential victims into accidentally making a stablecoin transaction to an impersonator’s address rather than the recipient’s. Usually when making a transaction, users will find the recipient’s wallet address in the block browser and copy-paste. Not realizing that they’ve inadvertently copied and pasted a similar-looking address instead, victims accidentally sign the transaction to the fraudster.
Etherscan’s obfuscation of these zero-value transactions is likely to make users pay more attention when copying and pasting addresses from past transactions. However, here is an example of a victim who inadvertently lost USDC 30,000 ($30,000) by accidentally sending it to an impersonator’s address instead of the recipient they previously sent USDC 10,000 ($10,000).
Deception success
Although this scam generates a lot of “noise” given the sheer number of zero-value transactions that appear in the blockchain browser logs of potential victims, most of them do not lead to victimization.
Elliptic’s analysis found this scam to be prevalent on blockchains such as Ethereum, BSC and Tron as of late November 2022. Despite over 176,000 zero-value transactions initiated by fraudsters across Ethereum and BSC, around 150 fraudsters committed them.
Together, the wallets of these scammers have revenue of over $1.5 million. While this revenue could theoretically originate from somewhere, it is unlikely to be used to process anything other than fraud revenue.
Of course, though, running 176,000 transactions – even ones of zero value – consumes a lot of transaction fees (or “gas”). Elliptic’s internal analysis determined that these approximately 150 fraudsters collectively spent over $710,000 in gas fees to initiate these transactions. Therefore, their total profit is just under $800,000 – or $5,500 per scammer.
Elliptic takes steps to systematically identify and flag these fraud addresses in its tools. Virtual asset services and criminal investigators will be able to review and track them using our solutions.
You can get more intelligence and investigative insights here, or schedule a demo to see for yourself how our block analysis platform makes crypto crime research faster and easier.
