Address Poisoning Attacks on ICP ledger

Hi everyone,

I’m writing on behalf of the DFINITY Product Security team to clarify a pattern of transactions observed on the ICP ledger.

These transactions try to trick users into sending their ICP to attacker addresses in what is called an address poisoning attack.

The attackers specifically target accounts that frequently exchange ICP with other accounts. The attack is carried out by sending harmless transactions of a very small ICP amount to your account. These transactions come from addresses that have the same first and last characters of the expected destination address for your next transaction. The goal is to confuse you into copying and pasting the attacker’s address instead of your own one when making a transaction.

To protect yourself, always validate the entire destination address when sending transactions, not just the first and last few characters which are shown in the UI. One could also avoid copy pasting addresses from the transaction log entirely.

For more details on this type of attack, please refer to the following resources:

Stay vigilant

13 Likes
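A check for the pattern described in the post above, as an added example that is not part of the original thread and is not DFINITY's code: it flags incoming senders that are not a known counterparty but match one at both ends, and shows why only a full-string comparison tells them apart. The addresses are constructed 64-character hex strings, and the 6-character truncated view, the `min_match` threshold and all function names are assumptions.

```python
from typing import NamedTuple

class Transfer(NamedTuple):
    sender: str
    amount_e8s: int  # 1 ICP = 100_000_000 e8s

def truncated(addr, shown=6):
    """Shortened form as a UI might display it (shown=6 is an assumption)."""
    return addr[:shown] + "..." + addr[-shown:]

def shared_affix(a, b):
    """Count matching characters at the start and at the end of two addresses."""
    def run(pairs):
        n = 0
        for x, y in pairs:
            if x != y:
                break
            n += 1
        return n
    return run(zip(a, b)), run(zip(reversed(a), reversed(b)))

def find_lookalikes(known, incoming, min_match=4):
    """Return (sender, mimicked_address, amount_e8s) for senders that are not a
    known counterparty but match one at both ends by >= min_match characters."""
    known_set = {k.strip().lower() for k in known}
    hits = []
    for tx in incoming:
        sender = tx.sender.strip().lower()
        if sender in known_set:
            continue  # exact match: a genuine counterparty
        for k in sorted(known_set):
            pre, suf = shared_affix(sender, k)
            if pre >= min_match and suf >= min_match:
                hits.append((sender, k, tx.amount_e8s))
                break
    return hits

def is_exact_destination(candidate, intended):
    """Compare the entire address, not just the characters the UI shows."""
    return candidate.strip().lower() == intended.strip().lower()

# Constructed sample data, not real ledger accounts.
KNOWN = "4f1c9a" + "3b" * 26 + "d07e52"
LOOKALIKE = "4f1c9a" + "e8" * 26 + "d07e52"
UNRELATED = "77" * 32
HISTORY = [Transfer(KNOWN, 250_000_000), Transfer(LOOKALIKE, 10_000),
           Transfer(UNRELATED, 10_000)]

if __name__ == "__main__":
    for sender, mimicked, amount in find_lookalikes([KNOWN], HISTORY):
        print(f"lookalike {truncated(sender)} mimics {truncated(mimicked)} ({amount} e8s)")
```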

Take a Look at the Proposed Solution

2 Likes

Great advice, please take this thing seriously @vsekar. Many people never thought that an address could be made this way, that the first and the last few characters could be made the same. Why??? That’s ridiculous. I have been in the crypto world for 8 years and never saw this before.

Thank you for the report, we are looking into it!

1 Like

Thank you for this update