Cybersecurity researchers at Stony Brook University have identified a new cryptocurrency scam that exploits human error to siphon funds from the digital wallet of unsuspecting users.
Detailed in a paper posted to the arXiv preprint server, the scam—dubbed “typosquatting”—involves scammers setting up deceptive Blockchain Naming System (BNS) domain names to divert cryptocurrency payments into their own wallets. While the paper is still under peer review, the findings highlight the importance of vigilance in the rapidly growing digital currency space.
Cryptocurrency and Blockchain
The backbone of most cryptocurrencies is blockchain, a decentralized digital ledger technology that securely records transactions across a network of computers. It operates without the need for a central authority, relying on cryptographic methods to ensure transparency, security, and immutability. Each transaction is grouped into a block and linked to the previous one, forming a chain. Blockchain is the foundation of cryptocurrencies like Bitcoin and Ethereum, but its applications extend to supply chain management, healthcare, and finance.
Blockchain Name Service (BNS) is a system that simplifies interactions on blockchain networks by replacing lengthy, complex wallet addresses with easily recognizable, human-readable names. Like the Domain Name System (DNS) which translates web addresses into IP addresses, BNS maps user-friendly names to blockchain wallet addresses or other decentralized resources.
This innovation improves the accessibility and usability of blockchain technology, making it easier for users to send and receive cryptocurrency or interact with decentralized applications.
Cryptocurrency, a digital currency stored in crypto wallets and managed on secure online platforms, uses word-based addresses as an alternative to complex alphanumeric wallet codes. Platforms like Coinbase rely on these user-friendly addresses to simplify transactions.
However, this convenience creates an opportunity for exploitation. If a user misspells a recipient’s word-based address, and the misspelling corresponds to a domain created by a scammer, the funds are irretrievably redirected to the scammer’s wallet.
“Unsuspecting users may accidentally mistype or misinterpret the intended name, resulting in an irreversible transfer of funds to an attacker’s address instead of the intended recipient,” the researchers write in their paper.
How Common are Cryptocurrency Scams?
Cryptocurrency scams have become increasingly prevalent as the adoption of digital currencies grows. According to recent reports, billions of dollars are lost annually to fraudulent schemes targeting cryptocurrency users, with scams accounting for a significant percentage of overall crypto-related crime. The decentralized and pseudonymous nature of blockchain technology, while providing robust security for legitimate transactions, also creates opportunities for bad actors to exploit vulnerabilities.
Common scams include phishing attacks, Ponzi schemes, fake investment platforms, and wallet-related fraud such as typosquatting. The rapid evolution of the cryptocurrency market, combined with limited regulatory oversight in many regions, has allowed scammers to develop new techniques to deceive users, emphasizing the need for heightened vigilance and education among crypto investors.
The Devil is in the Typos in Your Digital Wallet
To see how prevalent typosquatting, one type of scam method, is, the Stony Brook researchers conducted a comprehensive analysis of more than 5 million BNS domain names.
“To understand the prevalence of typosquatting within BNSs, we study three different services (Ethereum Name Service, Unstoppable Domains, and ADAHandles) spanning three blockchains (Ethereum, Polygon, and Cardano), collecting a total of 4.9M BNS names and 200M transactions-the largest dataset for BNSs to date,” the team wrote in their paper.
They identified approximately 25,000 squatting domains targeting around 37% of legitimate names. These scams often focus on well-known figures in the cryptocurrency community, such as Ethereum co-founder Vitalik Buterin, whose name is particularly prone to typos.
One troubling scenario outlined in the study involves charitable donations. In these cases, both the donor and the intended recipient may remain unaware that a scammer has intercepted the funds, as the transaction appears legitimate on the surface.
To combat this type of fraud, the researchers emphasize the importance of double-checking addresses before sending cryptocurrency. While the decentralized nature of cryptocurrency offers unparalleled security for legitimate transactions, it also means that errors cannot be reversed once a payment is sent to the wrong wallet.
The findings underscore the need for increased user awareness and caution as cryptocurrency adoption grows.
Kenna Hughes-Castleberry is the Science Communicator at JILA (a world-leading physics research institute) and a science writer at The Debrief. Follow and connect with her on BlueSky or contact her via email at kenna@thedebrief.org