Threat actors have introduced a new tactic known as “transaction simulation spoofing” to steal cryptocurrency. This method targets transaction simulation features in Web3 wallets, which are meant to allow users to preview blockchain transactions before executing them. In one notable case, attackers stole 143.45 Ethereum, worth around $460,000, by exploiting this flaw. The attack manipulates the transaction simulation process to deceive users into approving fraudulent transactions, leading to significant financial loss.
The attack unfolds when victims are lured to a malicious website that mimics a legitimate platform. This site triggers a simulation that appears to show a small ETH transfer to the user, convincing them that the transaction is legitimate. However, a time delay between the simulation and the actual execution of the transaction enables the attackers to alter the on-chain contract, changing the transaction’s outcome without the user’s knowledge. By the time the victim signs the transaction, their crypto has already been redirected to the attacker’s wallet.
ScamSniffer, the platform that uncovered this new form of attack, notes that it represents a significant evolution in phishing techniques. Unlike traditional phishing, where attackers rely on direct deception, this method exploits trusted wallet features that users believe are secure. The time gap between the simulation and execution complicates detection, making it a sophisticated and dangerous attack vector. As a result, this attack type presents a challenge for both users and security systems to identify and prevent.
In response to the growing threat, ScamSniffer recommends that Web3 wallets reduce simulation refresh rates to match blockchain block times and ensure that simulations are refreshed before critical operations. Additionally, they suggest adding expiration warnings to alert users about the potential risks of manipulated transactions. Cryptocurrency holders are advised to be cautious when interacting with unfamiliar websites, especially those offering “free claims,” and to only trust verified decentralized applications (dApps) to avoid falling victim to this advanced form of phishing.
