ENS domains mimicking major exchanges’ wallets indicate a new type of scam

Today crypto.news has been investigating the activity involving the wallets of defunct cryptocurrency exchange FTX. While examining the blockchain data, we found an apparent attempt at nefarious activity involving the Ethereum Name Service (ENS).

What is an ENS domain?

The ENS is a decentralized domain name service built on the ethereum blockchain. It provides a more human-readable format for ethereum addresses, allowing users to send and receive funds at addresses like “myname.eth” instead of the traditional long string of numbers and letters. ENS aims to make interacting with the ethereum network more accessible and more user-friendly by providing a mapping between names and ethereum addresses.

The service is decentralized and operates on a blockchain, making it resistant to censorship and control by a single entity. ENS is an important infrastructure component of the Ethereum ecosystem, facilitating the widespread adoption of decentralized applications and services built on the Ethereum network. The service supports not only Ethereum addresses but also other blockchains and centralized services such as websites and instant messaging profiles.

How ENS addresses can impersonate wallets

A single address registered 50 different ENS domains — most of those, if not all, are the complete hexadecimal addresses of highly active addresses with the addition of “.eth” at the end. One example is FTX address 0x2FAF487A4414Fe77e2327F0bf4AE2a264a776AD2 which is present among this peculiar collection as “0x2FAF487A4414Fe77e2327F0bf4AE2a264a776AD2.eth.”

One likely reason for registering these ENS domains is the hope of intercepting payments meant for the addresses that the domains use as names. Many wallets accept ENS domains as the destination to which users send assets. This means that a user sending assets to one such address would only need to misclick once to transfer tokens to the ENS domain mimicking the wallet.
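A wallet's send form can catch this before any name is resolved. The sketch below is an added example, not code from crypto.news or from any wallet; `classifyRecipient`, the address book and the 30 to 50 character lookalike window are assumptions made for illustration.

```javascript
// Added example: classify a "send to" field before any ENS resolution happens.
const HEX_ADDRESS = /^0x[0-9a-f]{40}$/;
// Assumption: labels close to address length are treated as suspicious too.
const HEX_LIKE_LABEL = /^0x[0-9a-f]{30,50}$/;

// Constructed address book; the FTX address is the one quoted in the article.
const ADDRESS_BOOK = new Map([
  ["0x2faf487a4414fe77e2327f0bf4ae2a264a776ad2", "FTX (from the article)"],
]);

function classifyRecipient(raw, addressBook = ADDRESS_BOOK) {
  // NFKC folds full-width and other compatibility characters into ASCII forms.
  const input = String(raw).normalize("NFKC").trim().toLowerCase();
  if (HEX_ADDRESS.test(input)) {
    return { kind: "address", address: input, label: addressBook.get(input) ?? null };
  }
  const labels = input.split(".");
  if (labels.length < 2 || labels.some((l) => l.length === 0)) {
    return { kind: "invalid", reason: "not a 20-byte hex address or a dotted name" };
  }
  // A label shaped like an address means the name resolves to whatever its
  // registrant configured, not to the address it spells out.
  const lookalike = labels.find((l) => HEX_LIKE_LABEL.test(l));
  if (lookalike) {
    return {
      kind: "ens-lookalike",
      name: input,
      embedded: lookalike,
      impersonates: addressBook.get(lookalike) ?? null,
      action: "block",
    };
  }
  return { kind: "name", name: input, action: "resolve-and-confirm" };
}

// Constructed inputs covering the cases a send form sees.
const samples = [
  "0x2FAF487A4414Fe77e2327F0bf4AE2a264a776AD2",
  "0x2FAF487A4414Fe77e2327F0bf4AE2a264a776AD2.eth",
  " 0x2FAF487A4414Fe77e2327F0bf4AE2a264a776AD2.eth ",
  "myname.eth",
  "0x2FAF",
];
for (const s of samples) console.log(JSON.stringify(s), "->", classifyRecipient(s).kind);
```

The check runs on the typed string alone, so it works offline and does not depend on what the lookalike name currently resolves to.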

Alleged scammers create ENS domains mimicking crypto exchanges

A quick review of the addresses with the help of blockchain analysis service Arkham Intelligence reveals that they tend to be internal addresses of cryptocurrency exchanges. We can find a Coinbase address, an FTX address, a Binance address, and many other high-profile on-chain addresses — usually multiple per entity.

The address in question bought a total of 50 ENS domains in March 2022 for well over $3,000, all following the scheme described above. However, it failed to mislead any network participant into sending funds to the wrong recipient. It has been involved in 102 transactions in total: two for funding its ENS domain shopping and 100 for acquiring and receiving the domains in question.

A visualization of the on-chain activity: funding address (top left), compulsive ENS shopper (bottom left), ENS smart contract (top right).

There is one possible reason why no funds were mistakenly sent to the owner of those ENS domains. The addresses involved tended to be ones meant for internal use. Because of this choice, any transactions that could have been misdirected would have been sent by people working in the crypto industry. Most likely, they were using a very specific wallet infrastructure that only sent to whitelisted addresses and probably did not support ENS in the first place.

Despite this, there is still plenty of time for somebody to make a mistake considering that those ENS domains will only expire in about four years.

The findings follow a recent report that Reddit users on the r/CryptoCurrency subreddit raised alarm bells regarding a potential Shiba Inu (SHIB) airdrop scam.

