From record highs to harrowing crashes, cryptocurrencies have had an interesting start to the month, to put it mildly. Whether crypto markets continue to flourish or not, now is as good a time as any to remind our readers of some basic OPSEC regarding self-custody of crypto assets.
For many people, keeping crypto assets on Coinbase, Binance or any other centralised platform is good enough. For those in this camp, the following article is of no practical use. However, for those electing self-custody, the following may serve as a crucial reminder of what to avoid.
Being in full control of one’s assets certainly has its advantages, but it comes with a much greater degree of responsibility. The burden of understanding concepts such as network congestion, the hassle of private key storage, and how to use swaps and bridges is substantial enough, but self-custody presents the additional problem of so-called “dust attacks”.
Those who have been in the crypto game long enough may have noticed a few odd tokens sitting in their wallets of which they have absolutely no recollection. Tokens with strange names, or indeed tokens with eerily similar names to legitimate cryptocurrencies. Typically, these tokens are present in extremely small quantities and are worth next to nothing – hence the “dust” description. How did it get there? How strange.
Dust attacks are the new email spam, and they present some very similar characteristics. Firstly, just as with email spam, most dust attacks are a numbers game. They are very cheap to carry out. The scammer has nothing to lose by casting a wide net and trying to ensnare as many victims as possible. It does not matter if 99.99% of their targets escape unscathed; the 0.01% makes the attack worth it.
Dust attacks can be broadly grouped into three different categories: wallet de-anonymising, phishing scams and address poisoning.
1. Wallet de-anonymising
This type of attack only works on Bitcoin, Cardano, Dogecoin and other UTXO-based blockchains. UTXO (unspent transaction output) chains differ from account-based chains such as Ethereum in that transactions can combine inputs from different sources, grouping them together into a single operation. This means a user can sweep up a bunch of small sums from different addresses and collectively send them to a new wallet. This is where the danger of a dust attack comes in. If a user accidentally combines the balance from a dusted address with the balance from another address under their control, the user is essentially proving that they own both, thereby linking the addresses together and potentially de-anonymising them. In extreme cases, addresses may be linked to someone’s real-world identity, opening the door to coercion, extortion and worse. The best cryptographic security in the world counts for very little when faced with a knife-wielding psychopath.
2. Phishing scams
Dust attacks have largely moved away from the case described above in favour of more aggressive tactics. This second type of attack works on Ethereum, Solana and other smart contract-based blockchains. As opposed to linking different addresses together to find patterns, the goal here is much more direct, aiming to drain a user’s wallet by getting them to interact with malicious smart contracts. The process typically works along the following lines:
1. The attacker airdrops a junk token or NFT that looks like a legitimate project or collectible
2. Months may go by before the user even notices the strange token in their wallet
3. Eventually the user notices the token and gets curious enough to investigate
4. A quick search points to a cool-sounding crypto project with a shiny new DEX
5. Once on the website, the user is given the chance to sell or swap their airdrop
6. The DEX prompts the user’s wallet for an approval or signature to initiate the exchange
7. If signed, the attacker gains permission to transfer and spend other tokens from that wallet
8. The user’s wallet is now compromised
The attack vector centres on getting the user to grant permissions far beyond those necessary for a simple transaction. The case above is one example, but some dust attacks do not involve other websites or DEXs at all, remaining confined to the user’s wallet. If the attacker really knows what they are doing, they may craft truly devilish contracts that exploit some of the more esoteric smart contract functions.
On the Ethereum network, a simple ERC-20 token with no privileges will typically only affect the transfer and holding of that particular token. However, even here we advise caution, particularly if the contract in question has not been thoroughly audited. The real danger lies in other token standards, such as ERC-777 and ERC-1363. These tokens have more advanced capabilities; therefore, with the right permissions, they can do far more damage. A greater arsenal of weapons to choose from, so to speak.
Depending on the complexity of the smart contract in question, merely trying to sell or swap the token from a user’s own wallet may prove problematic. The user may have to approve the token for trading and, by doing so, inadvertently grant other, unrelated permissions to the malicious smart contract. Even technical users can be caught out in this way because it is sometimes possible to disguise the true purpose of an operation. At first glance, a contract may look like it performs a certain mundane task, while in fact it does something else entirely. Wallet UIs and dApps can easily be exploited to hide the real intent behind such smart contracts, with disastrous consequences. Even people smart enough to use a hardware wallet can be caught out if they approve the transaction without thoroughly examining the required permissions beforehand.
Rather than cover every dangerous function likely to appear in a malicious smart contract, we simply advise against interacting with such contracts altogether. As complicated and technical as this topic can get, the answer is extremely simple:
Do not touch the dust in your wallet. Do not touch any token that you do not recognise. Do not interact with them under any circumstance. Do not try to get rid of them. Do not try to send them to a burn address. It is a trap. Walk away.
3. Address poisoning
Address poisoning is a very different beast from the attacks discussed above. Firstly, because such attacks work on both UTXO and account-based chains, and secondly, because address poisoning targets singular, unique wallets. Poisoning scams involve real, legitimate cryptocurrencies and require a certain level of finesse to pull off successfully. The attack works as follows:
1. The attacker identifies a high-net-worth target (a whale)
2. The whale must actively move around their assets between different wallets
3. The attacker creates new wallets with addresses similar to the whale’s
4. The attacker sends a small amount of dust from the new wallet to the whale
5. The whale, mistaking the attacker’s wallet for their own, sends a transaction to the wrong address
For example, the whale may regularly send tokens to the following address:
0x32Be343B94f860124dC4fEe278FDCBD38C102D88
Because of the way blockchain technology works, with specialised tools, it is possible to find an address that matches the beginning and end characters, for example:
0x32Be3477e6c13b6A6B25aBcAA29B393777102D88
When people check addresses, this is often how they do it. Check the start. Check the end. Looks good. Send. Wait a minute… Oh ####!
The whale is speared.
An interesting example of such an attack happened in May 2024, and unfolded exactly along the lines described above. The whale in question sent $68 million worth of wrapped Bitcoin to the wrong address. Over the next few days, the whale sent a number of messages to the scammer, embedded in smaller transactions, in an attempt to negotiate. The first message read as follows:
“You won bro. Keep 10% to yourself and get 90% back. Then we'll forget about that. We both know that 7m will definetely make your life better, but 70m won't let you sleep well.”
Swiftly followed by:
“We both know there's no way to clean this funds. You will be traced. We also both understand the "sleep well" phrase wasn't about your moral and ethical qualities.”
Astonishingly, the scammer sent everything back to the whale, even foregoing their 10%. Although the attacker did make a tidy $3 million profit from the token appreciation over the course the event.
Address poisoning is typically reserved for high-net-worth crypto holders, but for wallets great and small, the advice remains the same: double-check that address.
When dealing with matters relating to cryptocurrencies, the conclusion is usually the same. The entire point of crypto, from day one, was to offer people an alternative form of money that was not beholden to other actors. The direct result of this mind-set is that the user assumes full responsibility for their assets. Some people accept the burden; some people do not. Those who do face a far less forgiving path.
