Vanity Address and Address Poisoning
7/29/2024

Introduction

Vanity addresses are custom wallet addresses created using specific algorithms. These addresses can incorporate a chosen sequence of characters, making them more easily identifiable. Most often, vanity addresses are discussed in the context of the Bitcoin and Ethereum blockchains.

As we will see, vanity addresses are sometimes used in address poisoning attacks, but it is important to mention that this is not the only method, and that vanity addresses were not created for this purpose.

What is a vanity address?

When you generate a cryptocurrency wallet, it produces an address composed of a random string of characters. These default addresses lack any personal significance. However, you can create a vanity address, which is a custom address generated using specific algorithms. To create a vanity address, you choose a desired sequence of characters that the algorithm then incorporates into the wallet address. This process ensures that the resulting wallet address includes your chosen characters, giving it a personalized touch.

But creating vanity addresses can be time-consuming. The algorithm must try many candidate keys before finding one whose address includes the chosen string of characters. Additionally, creating these addresses can be expensive, as it requires significant computational resources. Therefore, the longer the chosen prefix or suffix, the more time the algorithm will take to find an address that matches the request.


Vanity addresses are often used by companies to make their wallet addresses easier to recognize. For example, 1inch is recognizable by the seven 1s at the beginning of its wallet address: 0x1111111254fb6c44bAC0beD2854e76F90643097d.

How to create a Vanity Address?

The only truly reliable method to obtain a vanity address is to generate it yourself. This ensures that no one else has access to the private and public keys that are created. Here's how to create an address using a generator like Vanitygen:

  1. Download and install Vanitygen from its GitHub repository.
  2. Open the command line and generate an address with the command 'vanitygen [options] <pattern>'.
  3. Save your key.


To go further, you can refer to BitcoinTalk.

What is address poisoning?

The attacker's aim is to create a vanity address that resembles a legitimate wallet the target often interacts with. The attacker then sends the target wallet scam tokens that mimic legitimate ones, or low- or no-value coin transfers. The hope is that these transactions will “poison” the target's transaction history with the scam address, so that the user later copies that address instead of the legitimate one when sending funds.

Most of the time, in address poisoning attacks, it is the first 4 to 6 characters and the last 4 to 6 characters that resemble the address being impersonated. For example:

  • this is a legitimate address: 0x676Aecc97bF721C3cb3329A22D49C0ea0ED375F7
  • this is an attacker address: 0x67694AF0ee15792a89573c72cDd21e4560d375f7

Address Poisoning Attempts

Fake token

In the example below, the EOA 0x01BEF99743A3b7FD9C41E9c9D737DDd97cf83Ec0 on the Ethereum network sends and receives large amounts of USDT to and from various addresses. The blockchain explorer shows that the target address sent fake USDT tokens to wallets whose addresses resemble those that received legitimate USDT tokens.


This is called transaction spoofing. In this particular example, the contract for the fake USDT transfer is unverified, but it is likely that the fake token contract lets a transfer be emitted without the sending wallet owning the token, or without any token balance being stored in the contract's storage (there is no mint transaction). Opening one of the transactions, we can see that the address initiating the transaction is a wallet labelled “fake_phishing”.


Good to know: Addresses are labeled as fake_phishing once they have been reported by multiple individuals or entities. Until then, the plain wallet address is displayed.

Zero Value Spam

With tokens such as USDT, you can transfer an amount of 0 to another address, and the transfer is still recorded on the ledger. In this technique, the scammer spoofs a transaction so that it looks as though the target is sending the zero-value transfer. We can see an example of what this looks like below.


A warning is shown next to zero-value transactions. You can see that the scammers have created vanity addresses mimicking the legitimate recipient. Below, 0x04956725a7A04Baa29Fa26ED2F572b54B5593744 shares the same first few and last few characters.
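The two signals described above (a counterparty that matches the first and last few characters of a trusted address, and a zero-value token transfer) can be checked mechanically over a wallet's history. The following is an added example, not CertiK's code; it also quantifies the brute-force cost behind the "longer pattern, more time" remark, assuming 0x-prefixed 40-hex-character Ethereum addresses and a constructed sample history built from the legitimate/attacker pair quoted in the post.

```python
import re

HEX_ADDR = re.compile(r"^0x[0-9a-fA-F]{40}$")

def expected_trials(fixed_chars: int) -> int:
    """Expected random keypairs before one address matches `fixed_chars` chosen
    hex characters (prefix plus suffix), assuming uniform hex digits: 16**n."""
    return 16 ** fixed_chars

def shared_affix(a: str, b: str) -> tuple[int, int]:
    """Leading and trailing hex characters two addresses share, case-insensitive.
    Identical addresses return (40, 40)."""
    if not (HEX_ADDR.match(a) and HEX_ADDR.match(b)):
        raise ValueError("malformed address")
    x, y = a[2:].lower(), b[2:].lower()
    head = next((i for i in range(40) if x[i] != y[i]), 40)
    tail = next((i for i in range(40) if x[39 - i] != y[39 - i]), 40)
    return head, tail

def looks_alike(candidate: str, trusted: str, min_head: int = 3, min_tail: int = 4) -> bool:
    """True when `candidate` is a *different* address sharing at least `min_head`
    leading and `min_tail` trailing characters with `trusted`. The pair quoted
    in the post shares 3 leading and 6 trailing characters."""
    head, tail = shared_affix(candidate, trusted)
    return head < 40 and head >= min_head and tail >= min_tail

def flag_poisoning(history: list[dict], trusted_book: list[str]) -> list[tuple[str, str]]:
    """Flag the two poisoning signals described in the post in a transaction
    history: a look-alike of a trusted address, and a zero-value transfer."""
    flags = []
    for tx in history:
        cp = tx["counterparty"]
        for trusted in trusted_book:
            if looks_alike(cp, trusted):
                flags.append(("lookalike_of_" + trusted, cp))
        if tx["value"] == 0:
            flags.append(("zero_value_transfer", cp))
    return flags

# Constructed sample history; the addresses are the legitimate/attacker pair from the post.
TRUSTED = ["0x676Aecc97bF721C3cb3329A22D49C0ea0ED375F7"]
HISTORY = [
    {"counterparty": "0x676Aecc97bF721C3cb3329A22D49C0ea0ED375F7", "value": 1500, "token": "USDT"},
    {"counterparty": "0x67694AF0ee15792a89573c72cDd21e4560d375f7", "value": 0, "token": "USDT"},
]

if __name__ == "__main__":
    for reason, addr in flag_poisoning(HISTORY, TRUSTED):
        print(f"{reason}: {addr}")
    print(f"~{expected_trials(9):,} keypairs to match 3 leading + 6 trailing chars")
```

Tune `min_head`/`min_tail` to how many characters your users actually compare; the thresholds only model what a human eye checks, not the checksum casing.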


Sometimes, to avoid being flagged, attackers send a small amount of USDC instead, rarely more than $10.

CertiK's Final Thoughts

Although increasingly difficult to generate and demanding a lot of computing power, vanity addresses are a great way to personalize a wallet address. They can be very useful for businesses, advertisers, and others. Unfortunately, they are also misused in address poisoning attacks.

One of the largest losses to this type of attack occurred on May 3, 2024, when the victim lost 1155 WBTC (~$72M at the time) by copying the wrong address. As it turned out, the stolen funds were later fully returned to the victim.


Address poisoning attacks are becoming more frequent and are causing increasingly significant losses. Always take the time to double-check the full address to which you are sending funds, not just its first and last characters. To go further, you can refer to this article on our website.