This article tells you everything you need to know about a specific type of Bitcoin threat, called a “dusting attack”.
One of our previous articles went into detail about ‘Bitcoin dust’. Basically, it refers to the microscopic amount of Bitcoin that’s lower than the minimum limit of a valid transaction. For additional context, it is the smaller amounts of bitcoin within a particular wallet or address. The monetary value here is incredibly tiny. So much so that it is even lower than the amount of the network fee of the bitcoin.
Look at it this way: let’s imagine that you have a $50 bill in your pocket. From here, let’s also imagine that instead of a $50 bill, you actually have 50 pennies in your pocket. Not only is using fiat this way inconvenient, but it also diminishes the monetary value to something small.
Its primary function is to make a transaction next to impossible to process. Like actual dust, it is a nuisance and is unfavorable in the eyes of investors.
The reason this topic is being brought up is that there is another inconvenience in the world of cryptocurrency. This one goes by the similar-sounding name of ‘dusting attack’. In simple terms, it is another – and unfortunately popular – type of Bitcoin attack. With it, attackers have the ability to crack the victim’s anonymity. On the surface, it appears to be a small, unpredictable shower of money. What it actually is is a scam that sets out to undermine your anonymity. Doing so will allow the scammers to use your identity against you.
In recent months, there has been a substantial increase in incidents of these types of. This article will go more into detail about what it is and how you can prevent them in the future.
Anonymity & Bitcoin
In the beginning, there was a common belief that the Bitcoin network ensures users with complete anonymity. As time went on, however, it became evident that this is not exactly true.
Bitcoin is a system that is open and decentralized. Because of this, anyone can set up a wallet and join the network without needing to provide any personal information. All Bitcoin transactions are visible to the public, however, it’s tricky to find the identity behind each address or transaction. This is essentially what makes Bitcoin partially anonymous. The keyword here being “partially”; it is not completely anonymous.
Peer-to-peer transactions are far more likely to remain anonymous. The reason for this being that their execution is done without the involvement of any middlemen. There are a lot of cryptocurrency exchanges that collect personal data through KYC verification, though. This means that when users transport funds between their personal wallets and exchange accounts, they are taking a risk. Specifically, the risk of losing their anonymity.
From an idealistic perspective, there should be a creation of a Bitcoin address for every new receiving transaction. Alternatively, a new payment request. This could function as a way to maintain the privacy of users.
There is something important that one should remember. Contrary to popular belief, Bitcoin is not a 100% anonymous, privacy based cryptocurrency. Aside from the dusting attacks, there are many companies, research labs, and governmental agencies that are trying to de-anonymize blockchain networks. Some make the argument that they are already making significant progress.
What is it?
A ‘dusting attack’ is a new kind of malicious activity; one that is gradually gaining traction. It allows hackers and scammers to try and dismantle the privacy of Bitcoin and cryptocurrency users. To do this, they send out tiny amounts of coins to their personal wallets. The attackers will then track the activity of these wallets. They can then perform a collective analysis of multiple addresses, which allows them to identify wallet owners.
How is this possible, you may ask? If dust is a nuisance, how could scammers send them?
Well, scammers recently came to the realization that cryptocurrency users don’t pay much attention to dust that appears in their wallets. In other words, they often ignore tiny crypto amounts. With this in mind, they would begin to “dust” a large number of addresses. They do this by sending a handful of ‘satoshis’ to them. Following the dusting of numerous addresses, the next step will typically involve a thorough analysis of these addresses. If their efforts are successful, then they might be able to identify who the owners of these wallets are. These owners could either be individuals or even entire companies.
The objective here is to ultimately be able to link addresses who were victims of dusting and wallets to their owners. If these scammers get what they want, then they could use this knowledge against their targets. They can either apply them in various phishing attacks or even in cyber-extortion threats. For context, ‘phishing’ is when a malicious actor poses as a trustworthy entity. This allows them to trick people into collecting their sensitive information. Such information includes credit card details, usernames, and passwords.
Overall, a dusting attack is just as malicious as any other cyber-attack. It can affect your privacy, as well as your finances.
Who can experience them?
As a general rule, those who are victims of dusting attacks are typically cryptocurrency holders that are unaware. Conversely, other victims are prominent market players who hold a substantial amount of weight and clout in the crypto industry.
It is not uncommon for ordinary users to be wary of the possibility of hackers disclosing their personal information. In fact, it is the norm, regardless if you are a novice or a professional in this field. By disclosing personal information, the hackers will consequently deanonymize them.
Concerning the big market players, the knowledge of countless addresses belonging to a company can quite impactful. Not only will it affect the company itself but it can also affect the entire industry as a whole. This is vital information that can be useful for market speculation, deceitful predictions, insider trading, phishing attacks, and possibly extortion.
With this attack’s continuous growth among hackers, this means that the number of incidents is on the rise. Initially, dusting attacks were performed predominantly with Bitcoin. This is gradually changing, though with most of them occurring with other cryptocurrencies. Moreso, cryptocurrencies that are operating on top of a public and traceable blockchain.
In late October of 2018, developers behind Bitcoin’s Samourai Wallet made an announcement regarding some of their users experiencing dusting attacks. The company would go on to release a tweet warning other users about the attacks. They later explain the ways in which they can protect themselves. The team would promptly implement a real-time alert for dust tracking in addition to a “Do Not Spend” feature. This will allow users to mark suspicious funds so they do not include them in future transactions.
In order for a dusting attack to be successful, they have to rely on an analysis of multiple addresses. Should dust not be moved, then the attackers are unable to make the connections they need for removing wallet anonymity. Samourai Wallet is already capable of automatically reporting suspicious transactions to their users.
Regardless of the dust limit being 546 satoshis, a lot of dusting attacks nowadays greatly surpass it. Moreover, they usually range from 1000 to 5000 satoshis.
Binance & Litecoin
There was another notable dusting attack that took place earlier this year. This particular attack was targeting Binance and Litecoin. On August 10, the Binance and Litecoin community received news concerning a potential dusting attack. This information was released to the community through a tweet on the official Binance Twitter account.
The team explains in the tweet that around 50 Binance Litecoin addresses were on the receiving end of a fractional amount (0.00000546) of Litecoin. The exchange’s security team would go on to identify this amount as part of a large-scale dusting attack.
The first person to identify the attack was James Jager, the project lead at Binance Academy. He discusses the matter of the event with the following statement:
“It was network-wide, which meant it affected all users of Litecoin that had an active Litecoin address at the time. The address of the person responsible for the dusting attack can be found here: https://blockchair.com/litecoin/address/LeEMCDHmvDb2MjhVHGphYmoGeGFvdTuk2K
“We became aware of the dusting attack on Saturday morning when one of our Binance angels had received a small amount of LTC into their Litecoin wallet.”
The co-founder of Glassnode, Jan Happel, took a closer look into the dusting attack to confirm its magnitude. According to Binance, 50 users were affected. However, Happel is of the belief that the scale was much more widespread. He claims that almost 300,000 LTC addresses were showing signs of dusting. What’s more, the additional data shows an unreported dusting attack from April of this year.
To be exact, the number of addresses that the dusting affected was a staggering 294,582.
Mitigation in the case of dusting attacks
There are ways in which users can successfully avoid spending the dust. One of the most important and popular privacy tactics is using a different address for every transaction. Whenever someone looks at their balances on a mobile wallet, they may be oblivious to their wallet’s total being the sum of inputs and UTXOs. This means that incremental amounts could be representative of your 2 BCH. Their representation could come in the form of 1, 0.5, 0.25, and 0.25 to get the total sum.
If you are a person who doesn’t care that much about privacy, then you can simply forget about the dust. You can ignore the dust and move on. Alternatively, you can make the choice to never spend the dust and only spend funds that are untainted. What this means is you will have to do the following:
- Painstakingly scan for the dust transaction
- Figure out the address that the funds are sitting in
- Decide to leave it alone
It is with great fortune that there are some wallets that allow you to see addresses containing fractions of UTXOs in them. This way, you are able to dissect the funds.
There are several wallets out there that will also let you add a description (or ‘flag’) to the satoshis that were randomly sent. By doing this, you can easily identify the attack. Unfortunately, not all wallets allow you to select UTXOs in a manual fashion. Because of this, users who have these wallets need to import them to a client that does. It is through this that they can fight against the dust attack.
Moreover, there is no possible way people can stop dust attacks. This is primarily due to a good portion of blockchain networks being permissionless.
Prevention using Changelly
There is no reason for you to worry in case you only use your addresses for putting crypto into storage. So long as you store your assets in one place and not send it to untrustworthy crypto exchanges, there is nothing to track. Nevertheless, there is a dependable way in which you can remove the dust in your wallet.
Doing this will require you to exchange all the cryptocurrency in the affected address to another crypto asset. Changelly offers a service that will allow you to do this. By using this service, you will receive the new crypto that is completely free of dust. Then, you will be able to exchange it back by sending it to the new address that is unaffected. As a bonus, this process of exchange does not cost you much. This is because Changelly charges a small fee of only 0.25% for all crypto exchanges.
Dusting attacks take the already infuriating aspects of dust and amplify them to something malicious. The effect they have on privacy is astounding and should be taken seriously by all crypto users.
In the end, though, the best protection against any form of attack is knowledge. To fight against it, you first have to understand how it works. The sad reality is that there are very few people who know about such things. The best way to remedy this is to share this knowledge, thus spreading awareness. By better understanding the topic, they can have better protection against attackers.