Address Poisoning Attacks on ICP ledger

Hi everyone,

I’m writing on behalf of the DFINITY Product Security team to clarify a pattern of transactions observed on the ICP ledger.

These transactions try to trick users into sending their ICP to attacker addresses in what is called an address poisoning attack.

The attackers specifically target accounts that frequently exchange ICP with other accounts. The attack is carried out by sending harmless transactions of a very small ICP amount to your account. These transactions come from addresses that have the same first and last characters as the expected destination address for your next transaction. The goal is to confuse you into copying and pasting the attacker’s address instead of your own one when making a transaction.

To protect yourself, always validate the entire destination address when sending transactions, not just the first and last few characters which are shown in the UI. One could also avoid copy pasting addresses from the transaction log entirely.

For more details on this type of attack, please refer to the following resources:

Stay vigilant

16 Likes

Take a Look at the Proposed Solution

2 Likes

Great advice, please take this thing seriously @vsekar. Many people never thought that an address could be made this way, that the first and the last few characters could be made the same. Why??? That’s ridiculous. I have been in the crypto world for 8 years and never saw this before.

1 Like

Thank you for the report, we are looking into it!

2 Likes

Thank you for this update

A possible solution could be adding a toggle to filter out small transaction amounts on the frontends for both the NNS and the ICP Dashboard

1 Like

I like this idea of a toggle!

When manually sending ICP to addresses that I do not own (i.e. payments), I commonly send a small amount to the address first as a test, and then use the ICP dashboard to verify before sending the rest, so being able to toggle that on-off would be great.

2 Likes
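
The check discussed in this thread, as an added example (not code from any poster, the NNS dapp or the ICP Dashboard): it flags small incoming transfers whose sender matches an address the account has already paid once both are truncated the way a UI shows them. The record fields, the 5-character truncation, the 0.01 ICP threshold and all sample addresses are assumptions constructed for illustration.

```javascript
// Added example: flag incoming "dust" transfers whose sender imitates an address
// the account has already paid. Field names, thresholds and sample data are
// constructed for illustration.

const E8S_PER_ICP = 100000000n; // the ICP ledger counts amounts in e8s

// True when two different addresses look identical once a UI truncates them
// to the first and last `shown` characters.
function looksAlike(a, b, shown) {
  return a !== b &&
    a.slice(0, shown) === b.slice(0, shown) &&
    a.slice(-shown) === b.slice(-shown);
}

// Returns incoming transfers at or below `dustE8s` whose sender mimics a
// destination this account has used before. Small transfers from senders
// that imitate nobody (e.g. someone's test payment) are not flagged.
function flagPoisoning(history, myAccount, { shown = 5, dustE8s = E8S_PER_ICP / 100n } = {}) {
  const paidBefore = new Set(
    history.filter((tx) => tx.from === myAccount).map((tx) => tx.to));
  const flagged = [];
  for (const tx of history) {
    if (tx.to !== myAccount || tx.amountE8s > dustE8s || paidBefore.has(tx.from)) continue;
    const imitated = [...paidBefore].find((known) => looksAlike(tx.from, known, shown));
    if (imitated) flagged.push({ sender: tx.from, imitates: imitated, amountE8s: tx.amountE8s });
  }
  return flagged;
}

// Constructed 64-hex-character account identifiers (not real accounts).
const ME = "a1b2c" + "0".repeat(54) + "9f8e7";
const EXCHANGE = "4d3c2" + "1".repeat(54) + "0bead";
const LOOKALIKE = "4d3c2" + "7".repeat(54) + "0bead"; // same ends, different middle
const FRIEND = "77aa1" + "2".repeat(54) + "c0ffe";

const SAMPLE_HISTORY = [
  { from: ME, to: EXCHANGE, amountE8s: 25n * E8S_PER_ICP },
  { from: LOOKALIKE, to: ME, amountE8s: 10000n },           // dust from a look-alike
  { from: FRIEND, to: ME, amountE8s: 10000n },              // small but unrelated sender
  { from: EXCHANGE, to: ME, amountE8s: 3n * E8S_PER_ICP },  // genuine counterparty
];

console.log(flagPoisoning(SAMPLE_HISTORY, ME));
```

A frontend could use the flagged list to label or hide those rows instead of hiding every small transfer, which keeps deliberate test payments visible.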