BleepingComputer reports that cryptocurrency assets worth $60 million have been stolen from 99,000 individuals in attacks leveraging Ethereum's Create2 opcode, which enables smart contract creation on the blockchain, over a six-month period.
Threat actors have exploited Create2 to establish new contract addresses meant to evade wallet security alerts and store stolen cryptocurrency assets, with one of the victims losing $927,000 worth of GMX after signing a contract that facilitated asset transfers to a pre-calculated address, according to a report from Scam Sniffer. Meanwhile, other intrusions involved the exploitation of Create2 to enable address poisoning, or the creation of malicious addresses resembling those that are owned by the recipient.
Address poisoning involving Create2 has resulted in the theft of almost $3 million from 11 victims since August, noted researchers.
The findings come after the accidental delivery of $20 million by a Binance operator to scammers using address poisoning tactics in August, which was eventually averted.
