I would like to warn everyone about a scam method that takes advantage of users’ carelessness when checking the accuracy of the ICP recipient address.
The scammer uses an address with a similar prefix (about 4 characters) and suffix (about 4 characters) to one that the victim’s account has previously made transactions to. Then, the scammer sends a small amount of ICP to the victim’s account. When the victim, in a hurry and not paying close attention, copies the address from their most recent transaction to send ICP, they unknowingly send it to the scammer’s address instead.
Case 1: Victim account address (scam 32 ICP)
22f2eaf55971173e071bf890c963216f6feb07c97d5385794bf66a7c83b1ea13
Fake account address with a similar prefix and suffix to the victim’s transaction history: a561…3061
Case 2: Victim account address (scam 252 ICP)
f0ea205872c5fd6db50776161946d3bff32d205320b13783ea4da15fc96dbca4
Fake account address with a similar prefix and suffix to the victim’s transaction history: 376a…670d
It seems that they have developed a method to create a principal → account address, and a mechanism to analyze user transaction behavior.
Since the NNS wallet system does not yet allow users to save addresses they frequently transact with, scammers exploit this gap, taking advantage of users’ carelessness and causing them to make quick transactions for the scammer’s benefit.
Thank you for sharing.
Initially, I intended to share my own mistake so that no one else would fall into the same trap. However, after analyzing the behavior and methods of the fraudster, I realized that many others have experienced the same issue. Personally, I’ve been used to storing ICP on NNS since 2021, and I know that NNS has not yet met the UI/UX needs for this, so I still tend to copy previously used addresses (such as exchange wallet addresses and other apps in the ecosystem).
From a user/personal perspective, I believe there is a genuine need to send ICP to familiar addresses (perhaps that’s why many wallet apps and cryptocurrency exchanges offer the feature to save addresses in the contact list).
Perhaps a quick-fix solution that wallet dapps / the NNS dapp could implement is to “hide” the copy address button in transaction history for transactions whose value is under a certain threshold (maybe 1 ICP?). This could make it too expensive for a poisoner to attempt these attacks.
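A wallet-side check for the pattern discussed in this thread, as an added example that is not part of any post and is not NNS dapp code: it flags history rows whose address shares a prefix and suffix with an address the user has already sent to, and applies the threshold idea from the last post. The transaction shape, the function names, the constants and every address below are assumptions constructed for illustration.

```javascript
// Added example: flag look-alike ("poisoned") addresses in a transaction history.
// All addresses and amounts below are constructed sample data.

const MATCH_LEN = 4;        // prefix/suffix length the thread describes ("about 4 characters")
const MIN_COPY_AMOUNT = 1;  // ICP threshold suggested in the thread ("maybe 1 ICP?")

const norm = (a) => a.trim().toLowerCase();

// Known addresses that share prefix and suffix with `candidate` but differ in between.
function findLookalikes(candidate, knownAddresses, n = MATCH_LEN) {
  const c = norm(candidate);
  return knownAddresses.map(norm).filter(
    (k) => k !== c && k.length === c.length &&
           k.slice(0, n) === c.slice(0, n) && k.slice(-n) === c.slice(-n)
  );
}

// Decide whether a history row should offer a "copy address" button.
// tx: { direction: "in" | "out", counterparty, amountIcp } (hypothetical shape).
// Assumption: the threshold is applied to incoming transfers only.
function reviewHistoryRow(tx, knownAddresses) {
  const resembles = findLookalikes(tx.counterparty, knownAddresses);
  if (resembles.length > 0) {
    return { allowCopy: false, reason: "lookalike", resembles };
  }
  if (tx.direction === "in" && tx.amountIcp < MIN_COPY_AMOUNT) {
    return { allowCopy: false, reason: "below-threshold", resembles: [] };
  }
  return { allowCopy: true, reason: "ok", resembles: [] };
}

// Constructed sample data: one address the user really sent to, one look-alike.
const exchange = "ab12" + "0".repeat(56) + "cd34";
const poisoner = "ab12" + "f".repeat(56) + "cd34";
const known = [exchange];
const history = [
  { direction: "out", counterparty: exchange, amountIcp: 32 },
  { direction: "in", counterparty: poisoner, amountIcp: 0.0001 },
  { direction: "in", counterparty: "9".repeat(64), amountIcp: 0.5 },
];

for (const tx of history) {
  const r = reviewHistoryRow(tx, known);
  const short = tx.counterparty.slice(0, 4) + "…" + tx.counterparty.slice(-4);
  console.log(short, r.allowCopy, r.reason);
}
```

The truncated display form is identical for the first two rows, which is why the comparison has to run on the full address.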