Blockchain intelligence firm Arkham confirmed with Decrypt that they too have identified that the address “belongs to a hacker who is sweeping funds from Arbitrum users.”
A closer look at the specific address’s transactions reveals that it received 933,365 ARB tokens from a different Arbitrum address on March 24, a day after the layer-2 network’s highly-anticipated airdrop. ARB is the native governance token behind the layer-2 scaling solution for Ethereum called Arbitrum.
Smart contract developer Brainsy signaled the malicious contract created by “Fake_Phishing18” on March 24 as well. They said that interacting with the contract creates an additional transaction request that appears as if it’s from the sender’s wallet but instead is a phishing attack.
Watch out for this fake Arbitrum contract out there.
When I make a send the fake contract also makes a “transaction” that appears like it’s from my wallet. I assume to get me to interact with the contract. Stay safe out there. pic.twitter.com/ygGOddlTGU
— Brainsy (@BrainsyEth) March 24, 2023
MetaMask has warned against this sort of attack and termed it “address poisoning.”
In this attack, attackers poison the address list of a user’s wallet by sending arbitrary transactions from addresses that closely resemble those with which the user has already interacted.
In this case, the attacker appears to have used both a phishing attack through a malicious smart contract and address poisoning, with Brainsy indicating that it makes the transaction look “like it’s from [the users’] wallet.”
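The resemblance check that address poisoning relies on can be turned into a wallet-side alert. The Python below is an added example, not code from MetaMask, Arkham or Brainsy: it flags incoming transfers whose sender shares the leading and trailing hex characters of a known counterparty without being that counterparty. The 4-character thresholds, the function names, and all addresses and transaction hashes are constructed assumptions.

```python
import re

ADDR_RE = re.compile(r"0x[0-9a-fA-F]{40}")

def normalize(addr):
    """Validate a 20-byte hex address and return its 40 hex chars, lowercased."""
    if not ADDR_RE.fullmatch(addr):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return addr[2:].lower()

def shared_affix(a, b):
    """Count matching leading and trailing hex chars of two normalized addresses."""
    def run(x, y):
        n = 0
        for cx, cy in zip(x, y):
            if cx != cy:
                break
            n += 1
        return n
    return run(a, b), run(a[::-1], b[::-1])

def find_lookalikes(known, transfers, min_prefix=4, min_suffix=4):
    """Flag transfers whose sender imitates, but is not, a known counterparty."""
    trusted = {normalize(k): k for k in known}
    alerts = []
    for tx in transfers:
        sender = normalize(tx["from"])
        if sender in trusted:          # exact match: a real counterparty
            continue
        for norm, original in trusted.items():
            pre, suf = shared_affix(sender, norm)
            if pre >= min_prefix and suf >= min_suffix:
                alerts.append({"hash": tx["hash"], "from": tx["from"],
                               "resembles": original})
                break
    return alerts

# Constructed sample data: two known counterparties and four incoming transfers.
KNOWN = ["0x1a2b" + "c3" * 16 + "9a0b", "0x77aa" + "d4" * 16 + "00ff"]
TRANSFERS = [
    {"hash": "tx1", "from": KNOWN[0]},                         # genuine sender
    {"hash": "tx2", "from": "0x1A2B" + "0e" * 16 + "9a0b"},    # same ends, new middle
    {"hash": "tx3", "from": "0x1a2b" + "11" * 16 + "beef"},    # prefix only
    {"hash": "tx4", "from": "0x5555" + "22" * 16 + "00ff"},    # suffix only
]

if __name__ == "__main__":
    for alert in find_lookalikes(KNOWN, TRANSFERS):
        print(alert)
```

Only `tx2` is reported: it matches a trusted address at both ends while differing in the middle, which is the part a truncated address display hides.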
The image below shows that the “Fake_Phishing18” tagged account created the contract for the fake ARB tokens and then transferred ownership to “Fake_Phishing47.”
The same entity may have created a fake Arbitrum claiming site that, if users interacted with it, would give the hacker control over the users’ wallets.
For instance, there was at least one identical webpage to the Arbitrum Foundation’s claim website circulating in some social media groups on the day of the airdrop.
The fake website claimed ARB tokens on the user’s behalf and transferred them to their wallets. The only subtle difference between them is that the original website has a countdown for when the claiming process will end.