Beware of Address Spoofing
Never use addresses from your transaction history. Get them directly from the intended recipient and store them in your wallet's address book, ideally confirming them via two separate communication channels.
What is address spoofing?
Address spoofing is a special kind of phishing attack. An unknown address that closely resembles a known address of a vendor sends a small amount of crypto to your wallet, usually in response to a test transaction*, with the goal that you will then use this new, unknown address for the transaction originally intended for the vendor.
We have observed this** when sending test transactions: in some recent cases, we received the same amount as the test transaction from a phishing address very similar to the one we had actually sent the test transaction to. This is one instance:
- Our legitimate test transaction was to: 0x1Ded1038D899762c59D502a1fD6d6520f3704A3E
- The phishing transaction received seconds after was from: 0x1DeDfe6186860fAAE8EB1707CC82f06189744A3E
The first four characters of the phishing address match the legitimate address, so the difference could easily be missed if not checked thoroughly.
Exercise extreme caution when setting up and sending transactions on-chain. Never use addresses from your transaction history; get them directly from the intended recipient and store them in your wallet's address book.
Avoiding this and similar attacks
We at the dYdX Operations subDAO are following a strict protocol for setting up and confirming MultiSig transactions, as well as recipient address confirmation and management. But we wanted to highlight this and share our experience to make sure people are aware and stay vigilant.
General best practices to prevent falling for this or similar attacks are:
- Confirming recipient address of transaction through more than one communication channel
- Agreeing on test transaction process with the recipient
- Storing addresses in address book
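The address-book practice can also be enforced mechanically before a transfer is signed. The following is an added example, not code from the dYdX Operations subDAO: it compares a candidate recipient against address-book entries and flags addresses that share leading or trailing hex digits with a known entry without being identical. The function names, the `min_edge` threshold and the "vendor" label are assumptions; the two addresses are the ones quoted above.

```python
import re

ADDRESS_RE = re.compile(r"0x[0-9a-fA-F]{40}")

def _hex_body(address):
    """Validate a 20-byte hex address and return its 40 hex digits, lowercased.
    Lowercasing ignores checksum casing; checksum validation is not done here."""
    if not ADDRESS_RE.fullmatch(address):
        raise ValueError(f"not a 20-byte hex address: {address!r}")
    return address[2:].lower()

def _shared_run(a, b):
    """Number of leading characters a and b have in common."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n

def classify(candidate, address_book, min_edge=4):
    """Compare candidate with every address-book entry.

    Returns (verdict, label, prefix_len, suffix_len), where verdict is
    'known' (exact match), 'lookalike' (shares >= min_edge leading or
    trailing hex digits with an entry but differs) or 'unknown'.
    """
    cand = _hex_body(candidate)
    best = ("unknown", None, 0, 0)
    for label, known in address_book.items():
        ref = _hex_body(known)
        if cand == ref:
            return ("known", label, 40, 40)
        prefix = _shared_run(cand, ref)
        suffix = _shared_run(cand[::-1], ref[::-1])
        # Keep the closest lookalike seen so far.
        if max(prefix, suffix) >= min_edge and prefix + suffix > best[2] + best[3]:
            best = ("lookalike", label, prefix, suffix)
    return best

# Addresses quoted in the post; the label "vendor" is constructed.
ADDRESS_BOOK = {"vendor": "0x1Ded1038D899762c59D502a1fD6d6520f3704A3E"}
PHISHING = "0x1DeDfe6186860fAAE8EB1707CC82f06189744A3E"

if __name__ == "__main__":
    print(classify(PHISHING, ADDRESS_BOOK))
    print(classify(ADDRESS_BOOK["vendor"].lower(), ADDRESS_BOOK))
```

A 'lookalike' or 'unknown' verdict should block the transfer until the address has been re-confirmed with the recipient; only 'known' addresses proceed.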
Attackers get more sophisticated every day. We stay vigilant, double-check our actions, and adapt our security protocols on an ongoing basis.
*For any new wallet address that we need to send funds to, it is protocol that we send a small transaction first, requiring the recipient to confirm the receipt of this small amount. This makes sure that the address provided by the recipient is the correct one and they can access the sent funds.
**USDC received in response to test transactions:
- https://etherscan.io/tx/0x29919fa8a60ff1b21c4f4369d417f06f199f4295d2e93627687ee659d9e75564
- https://etherscan.io/tx/0x4a55176ae34184856af077bdebd918483e584fd65ae696df6790a5e823975455
- https://etherscan.io/tx/0xf0b4b788bdded81a822e0a9d7890d96faffff4c04d5d9c34fb5b344b5b7f42f9
- https://etherscan.io/tx/0xce188a91db3fceff2806e7fd37b0eee1338e8bc23c0b404cfe291b58de6431bc
- https://etherscan.io/tx/0x25aa4100635c46e8f9437672d20506c4c62d70b955314a5b62444a1154f38fe7
- https://etherscan.io/tx/0xe4b2a93872b84a3996f306ac226e4a75c06ef9c7148d0edef02bf52c88d4de07
- https://etherscan.io/tx/0xb878c49fa61bafa0719b4d09055f31a8b39fec67297a2409d32aaea5952720dd