The zero-value token transfer attack (also called address poisoning) is a phishing technique that can occur on Ethereum and other networks. The attacker generates a look-alike address that shares the same first and last few characters as an address the victim regularly sends funds to, then plants a zero-value token transfer in the victim's transaction history so that the look-alike appears there. Because explorers and wallets often abbreviate addresses to those first and last characters, the victim can mistake the look-alike for the familiar address, copy it from their history and send funds to the attacker's wallet. The following example is specific to the Ethereum network.
How does it work?
A successful zero-value transfer phishing attack happens in five stages:
- The attacker monitors on-chain token transfers and selects a victim.
- The attacker analyzes the victim's token transfers and selects a recipient address from them.
- The attacker generates a spoofed (vanity) address whose first and last few characters match that recipient's address.
- The attacker broadcasts a specially crafted transaction that records a zero-value token transfer from the victim to the spoofed address. No approval from the victim is needed: most ERC-20 tokens accept transferFrom(victim, spoofedAddress, 0) from any caller, because the allowance check only requires allowance >= amount and the amount is zero. The resulting Transfer event shows the victim as the sender, so the spoofed address appears in the victim's own transfer history.
- The victim later picks up the spoofed recipient address from a blockchain explorer or from their wallet's transaction history, believes it is the familiar recipient, and sends real funds to it.
What should I do as a user?
- Be cautious when interacting with addresses that are involved in a zero-value token transfer.
- On Etherscan, these transfers are muted and marked with a gray warning icon.
- On wallet apps, double-check that the displayed address exactly matches the one you intend to interact with. Compare the whole address, not only the first and last few characters, since those are exactly what the spoofed address copies.
- In the Token Transfers tab, check the addresses immediately above and below the one you are interacting with, as a scam address may impersonate the genuine recipient in the entry directly before or after it.
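The following script is an added example and is not part of the Etherscan article or of any Etherscan tooling. It applies the five-stage description above and the user checks in this list to a constructed token-transfer history: it collects the counterparties the victim has genuinely sent value to, flags zero-value transfers from the victim whose recipient mimics one of those counterparties in the displayed prefix and suffix, and shows the full-address comparison a user should perform before sending. All addresses, transaction hashes and amounts are made up for illustration; the prefix and suffix widths are assumptions about how explorers and wallets abbreviate addresses.

```python
# Added example (not Etherscan code): detecting zero-value address-poisoning
# transfers in a token-transfer history. All sample data below is constructed.
from dataclasses import dataclass

PREFIX_CHARS = 4  # assumed number of hex chars shown after "0x" in abbreviated form
SUFFIX_CHARS = 4  # assumed number of trailing hex chars shown


@dataclass(frozen=True)
class Transfer:
    tx_hash: str
    token: str
    sender: str
    recipient: str
    value: int  # raw token amount; 0 for a poisoning transfer


def norm(addr: str) -> str:
    """Lower-case hex without the 0x prefix, so EIP-55 checksum case is ignored."""
    a = addr.lower()
    return a[2:] if a.startswith("0x") else a


def is_lookalike(candidate: str, genuine: str,
                 prefix: int = PREFIX_CHARS, suffix: int = SUFFIX_CHARS) -> bool:
    """True when two distinct addresses share the displayed prefix and suffix."""
    c, g = norm(candidate), norm(genuine)
    if c == g:
        return False
    return c[:prefix] == g[:prefix] and c[-suffix:] == g[-suffix:]


def find_poisoning(transfers, victim):
    """Return (spoofed_recipient, genuine_recipient, tx_hash) for every
    zero-value transfer recorded as sent by the victim whose recipient
    mimics an address the victim genuinely sent value to.

    The zero-value entry shows the victim as sender because the attacker
    called transferFrom(victim, spoof, 0), which ERC-20 allowance checks
    accept without any approval from the victim."""
    v = norm(victim)
    # Addresses the victim actually paid: the impersonation targets.
    genuine = {norm(t.recipient): t.recipient
               for t in transfers if norm(t.sender) == v and t.value > 0}
    hits = []
    for t in transfers:
        if norm(t.sender) != v or t.value != 0:
            continue
        for g_norm, g_orig in genuine.items():
            if is_lookalike(t.recipient, g_norm):
                hits.append((t.recipient, g_orig, t.tx_hash))
    return hits


def safe_to_send(candidate: str, intended: str) -> bool:
    """User-side check: the whole address must match, not just its ends."""
    return norm(candidate) == norm(intended)


# Constructed sample history (made-up addresses; 40 hex chars each).
VICTIM = "0x" + "11" * 20
GENUINE = "0x" + "abcd" + "0" * 32 + "9876"       # a real recipient of the victim
LOOKALIKE = "0x" + "abcd" + "f" * 32 + "9876"     # attacker's vanity address
OTHER = "0x" + "22" * 20

SAMPLE = [
    Transfer("0x01", "USDT", VICTIM, GENUINE, 500_000_000),  # genuine payment
    Transfer("0x02", "USDT", VICTIM, LOOKALIKE, 0),          # attacker's zero-value transferFrom
    Transfer("0x03", "USDT", OTHER, VICTIM, 100),            # unrelated inbound transfer
]

if __name__ == "__main__":
    for spoof, real, tx in find_poisoning(SAMPLE, VICTIM):
        print(f"{tx}: {spoof} mimics {real}; do not copy it from your history")
    print("lookalike passes full check:", safe_to_send(LOOKALIKE, GENUINE))
```

The abbreviated-address comparison in is_lookalike is deliberately case-insensitive, because a wallet may display the checksummed (mixed-case) form while the attacker's entry shows lower-case hex, and the two should still be recognised as the same displayed prefix and suffix. The detector only flags transfers with a value of exactly zero, as the article describes; it does not cover variants that send a tiny non-zero amount.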
Finally, always be vigilant in verifying any address that you interact with on Ethereum and other blockchains!