Crypto spam is on the rise. As gas costs drop and new low-cost chains emerge, it's more crucial than ever to detect and combat it. So let's dive into the different types of crypto spam and how to spot them!
The most straightforward spam involves receiving a spam token. This could be any standard token like ERC-20, ERC-1155, or ERC-721.
Using this transaction as an example: if the token (highlighted in red) isn't recognized on the chain explorer, or has special warning labels when you click it, you're likely dealing with spam. However, not all examples will be this obvious!
The token names are usually something like ETH, USDC, or a well-established token that the receiver would have received for the same amount recently, or a token with the name of a legitimate company. If you’ve gotten Panasonic tokens, unfortunately you don’t get a free TV in exchange.
The goal is to trick the receiver into using the same sender address (highlighted in yellow) to send funds back in a future transaction (because maybe the receiver thinks they received funds twice by accident?). This works because the sender address is a “lookalike”. It is randomly generated but has the first 4 and last 4 characters identical to an original sender address that the receiver may have interacted with. In this case, Etherscan has begun displaying more leading/trailing characters to reduce that risk, since matching additional characters is exponentially more difficult, but not all wallets and UIs do this, so many still fall for this trick.
The other strategy is to use the token to advertise. A more overt method is to send tokens whose names have links in them. Spammers have even become more sophisticated, avoiding overt dots in order to get around simple detection methods.
The more insidious version of this uses symbols with printable characters that look just like ASCII. I’ll trade you 1 million of my U\u0404DT for one of your USDTs!
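A wallet-side check for the two naming tricks above, as an added example rather than code from any wallet or explorer: it reports non-ASCII characters in a token symbol, names the trusted ticker the symbol imitates, and flags link-like text. The trusted ticker list, the URL pattern and the sample strings are assumptions.

```python
import re
import unicodedata

KNOWN_SYMBOLS = {"ETH", "USDC", "USDT"}   # assumption: tickers this wallet trusts
# assumption: a deliberately simple pattern for "looks like a link"
URLISH = re.compile(r"(https?://|www\.|[a-z0-9-]+\.[a-z]{2,})", re.I)

SAMPLES = ["USDT", "U\u0404DT", "Claim at example.com"]   # constructed inputs

def symbol_flags(symbol: str) -> list:
    """Return the reasons a token name or symbol looks like spam (empty list if none)."""
    flags = []
    odd = [c for c in symbol if ord(c) > 127]
    for c in odd:
        # name the character so a reviewer sees which script it comes from
        flags.append("non-ascii:" + unicodedata.name(c, "U+%04X" % ord(c)))
    if odd:
        # treat every non-ASCII character as a wildcard and compare to trusted tickers
        pattern = "".join("." if ord(c) > 127 else re.escape(c) for c in symbol)
        matcher = re.compile(pattern + r"\Z", re.I | re.S)
        flags += ["impersonates:" + k for k in sorted(KNOWN_SYMBOLS) if matcher.match(k)]
    # NFKC folds compatibility forms of characters back to their plain equivalents
    if URLISH.search(unicodedata.normalize("NFKC", symbol)):
        flags.append("link-in-name")
    return flags

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), symbol_flags(s))
```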
Sometimes, it’s unclear you are being phished because the transaction looks like it's sending real tokens. In fact, in the below example, it is not even labeled as spam, largely because there’s only a handful of recipients. So it’s a real transaction?
Unfortunately, no. It is an artifact of how the EVM works. You are allowed to send 0 units of any token, on behalf of anyone. So you can even spoof an outgoing transaction from anyone to make them believe they’ve previously interacted with a recipient. In this case, the receiver (in black) would be the “lookalike” fake address.
From the sender’s perspective, they would see that they have a record of funds being sent to this address, so it must be the legitimate one.
In this case, it’s not the tokens themselves that are fake, but the contract that is generating these transactions.
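The lookalike-address and zero-value tricks described above can both be caught from transfer records alone. This added example (not taken from any explorer or wallet) runs the checks over constructed transfers; the `Transfer` fields, the addresses and the address book are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Transfer:        # one token Transfer event plus the transaction's signer
    tx_signer: str     # address that signed the transaction and paid gas
    src: str           # "from" field of the Transfer event
    dst: str           # "to" field of the Transfer event
    value: int

# Constructed addresses: FAKE shares only the first 4 and last 4 hex characters with EXCHANGE.
ME = "0x" + "11" * 20
EXCHANGE = "0x1234" + "a" * 32 + "abcd"
FAKE = "0x1234" + "b" * 32 + "abcd"
SPAMMER = "0x" + "99" * 20

def lookalike_of(addr, known, n=4):
    """Return the known address that addr imitates (same first/last n hex chars), else None."""
    a = addr.lower()[2:]
    for k in known:
        h = k.lower()[2:]
        if a != h and a[:n] == h[:n] and a[-n:] == h[-n:]:
            return k
    return None

def review(t, me, known):
    """List the reasons a transfer in my history should not be trusted."""
    flags = []
    mine = me.lower()
    # A transfer "from" me that I did not sign can only be the zero-value spoof.
    if t.value == 0 and t.src.lower() == mine and t.tx_signer.lower() != mine:
        flags.append("zero-value transfer from my address that I never signed")
    for role, addr in (("sender", t.src), ("recipient", t.dst)):
        hit = lookalike_of(addr, known)
        if hit:
            flags.append(f"{role} imitates {hit}")
    return flags

if __name__ == "__main__":
    history = [Transfer(ME, ME, EXCHANGE, 100),     # genuine payment
               Transfer(FAKE, FAKE, ME, 50),        # spam token from a lookalike
               Transfer(SPAMMER, ME, FAKE, 0)]      # spoofed outgoing transfer
    for t in history:
        print(t.dst[:6] + "..." + t.dst[-4:], review(t, ME, [EXCHANGE]))
```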
The last case is essentially taking all of the above to the next level. Since there are no limitations on creating contracts, a spammer can generate tons of such spam with new contracts every time, which will make auto detection of these transactions harder. There is some overhead to doing that instead of using the same contract, but it is slightly easier than managing multiple wallet addresses since each wallet needs to be funded to pay for gas. Etherscan is also now labeling wallets directly as spammers, which makes it more difficult for this strategy to work. The contract may be new, but the contract creator is not. Once a spammer, always a spammer?
Spammers create spam, and they aren’t subtle about it, so sometimes it's worthwhile flagging the address directly.
There are many tools out there that are able to automatically filter out most of the spam for you without much work on your part. One wallet that we like that does that is Rabby (no affiliation). It will gray out spam transactions so that you are less likely to fall prey to phishing. It also has a sophisticated engine that will simulate the transaction you are trying to run, so that you can see that the end result looks like what you would expect. If for some reason you are not able to use a web browser extension, there’s a MacGyver-type trick you can use to check your addresses.
A very subtle but extremely useful feature of web3 addresses is that they are checksummed. The letters look like they are randomly capitalized or lowercase for no reason. But in fact, the case of the letters provides a hint that makes it easy for a program to check if the address has been mistyped. So if you ever see an address that looks similar but is capitalized the wrong way, beware! 0xBA6a… and 0xba6A… are NOT the same addresses regardless of what the rest of the characters say.
Lastly, this tip is the only one that isn’t free, but given it is much more convenient to do on-chain transfers, it's often worthwhile to send a trace transaction. Need to send $100? Why not send 1 cent and see if it goes through as expected? While it may seem tedious, a minute’s delay could save your hair from turning gray.
Just as the dawn of the internet begat email spam, it is only natural that the blockchain financial superhighway will also bring about more on-chain spam. The issues that we face will not go away, as increasingly sophisticated detection tools battle increasingly financially motivated spammers in a cat-and-mouse game. But at least you now know how to detect most of these tricks and have some up your sleeve to defend against them!