ICP Scam Alert: Fraudsters Exploit Similar Transaction Addresses, Mimicking Prefixes and Suffixes to Deceive Users

Hi ICP community,

I would like to warn everyone about a scam method that takes advantage of users’ carelessness when checking the accuracy of the ICP recipient address.

The scammer uses an address with a similar prefix (about 4 characters) and suffix (about 4 characters) to one that the victim’s account has previously made transactions to. Then, the scammer sends a small amount of ICP to the victim’s account. When the victim, in a hurry and not paying close attention, copies the address from their most recent transaction to send ICP, they unknowingly send it to the scammer’s address instead.

The scammer’s original account (successful scam transactions from the scammer’s sub-account are redirected to this main account):
https://dashboard.internetcomputer.org/account/147cf2b29a58be7dc00e034a76f8f23117506f562865472361a2005033daf3d7

Case 1: Victim account address (scam 32 ICP)
22f2eaf55971173e071bf890c963216f6feb07c97d5385794bf66a7c83b1ea13
Fake account address with a similar prefix and suffix to the victim’s transaction history: a561…3061

Case 2: Victim account address (scam 252 ICP)
f0ea205872c5fd6db50776161946d3bff32d205320b13783ea4da15fc96dbca4
Fake account address with a similar prefix and suffix to the victim’s transaction history: 376a…670d

And there are many other cases. You can observe and analyze through the transaction flow of the scammer’s account:
https://dashboard.internetcomputer.org/account/147cf2b29a58be7dc00e034a76f8f23117506f562865472361a2005033daf3d7/transaction_flow

It seems that they have developed a method to create a principal → account address, and a mechanism to analyze user transaction behavior.

Since the NNS wallet system does not yet allow users to save addresses they frequently transact with, scammers exploit this gap, taking advantage of users’ carelessness and causing them to make quick transactions for the scammer’s benefit.

5 Likes
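The check described in the post above, as an added example that is not part of the original thread and is not NNS or ledger code: compare a pasted destination against a saved address book and flag incoming small transfers whose sender shares the first and last 4 characters with a saved address. All function names, the dust threshold and the sample addresses are constructed for illustration.

```python
HEX = set("0123456789abcdef")

def normalize(addr: str) -> str:
    """ICP account identifiers are 64 hex characters (32 bytes)."""
    a = addr.strip().lower()
    if len(a) != 64 or not set(a) <= HEX:
        raise ValueError(f"not a 64-hex account identifier: {addr!r}")
    return a

def is_lookalike(candidate: str, trusted: str, n: int = 4) -> bool:
    """Same first/last n characters, but a different address overall."""
    c, t = normalize(candidate), normalize(trusted)
    return c != t and c[:n] == t[:n] and c[-n:] == t[-n:]

def check_destination(dest: str, book: dict, n: int = 4):
    """Classify a pasted destination against a saved address book."""
    d = normalize(dest)
    for label, addr in book.items():
        if d == normalize(addr):
            return ("trusted", label)
    for label, addr in book.items():
        if is_lookalike(d, addr, n):
            return ("lookalike", label)
    return ("unknown", None)

def poisoning_candidates(history, book, dust_e8s=1_000_000, n=4):
    """Incoming dust transfers whose sender imitates a saved address.
    dust_e8s is an assumed threshold (0.01 ICP; 1 ICP = 10**8 e8s)."""
    hits = []
    for tx in history:
        if tx["direction"] != "in" or tx["amount_e8s"] > dust_e8s:
            continue
        verdict, label = check_destination(tx["counterparty"], book, n)
        if verdict == "lookalike":
            hits.append((tx["counterparty"], label))
    return hits

# Constructed sample data (not the addresses from the post).
EXCHANGE = "ab12" + "1f" * 28 + "9e0d"
FAKE = "ab12" + "7c" * 28 + "9e0d"
OTHER = "5d" * 32
BOOK = {"exchange deposit": EXCHANGE}
HISTORY = [
    {"direction": "out", "counterparty": EXCHANGE, "amount_e8s": 500_000_000},
    {"direction": "in", "counterparty": FAKE, "amount_e8s": 10_000},
    {"direction": "in", "counterparty": OTHER, "amount_e8s": 10_000},
]

if __name__ == "__main__":
    print(check_destination(FAKE, BOOK), poisoning_candidates(HISTORY, BOOK))
```

A "lookalike" verdict is the case worth blocking: the address passes a glance at its first and last characters but is not the saved one, so the full 64 characters must be compared.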

w8, there are already people that fell for this trick?! :slight_smile:

Seen Bjoern first mentioning this address poisoning a few months back, but thx for reminding everyone!!

DO NOT ever COPY/PASTE your wallet addys from the transaction history!!

2 Likes

Thanks for caring and sharing! :raised_hands:

For traceability, I like to connect dots (:wink:), here are similar posts along with the related security post:

6 Likes

Thank you for sharing.
Initially, I intended to share my own mistake so that no one else would fall into the same trap. However, after analyzing the behavior and methods of the fraudster, I realized that many others have experienced the same issue. Personally, I’ve been used to storing ICP on NNS since 2021, and I know that NNS has not yet met the UI/UX needs for this, so I still tend to copy previously used addresses (such as exchange wallet addresses and other apps in the ecosystem).
From a user/personal perspective, I believe there is a genuine need to send ICP to familiar addresses (perhaps that’s why many wallet apps and cryptocurrency exchanges offer the feature to save addresses in the contact list).

3 Likes

Absolutely agree with you! Thanks again for sharing!

2 Likes