Dissecting Payload-based Transaction Phishing on Ethereum

TL;DR

This paper conducts a long-term data collection and puts considerable effort into establishing the first ground-truth PTXPHISH dataset, consisting of 5,000 phishing transactions, and proposes a rule-based multi-dimensional detection approach to identify PTXPHISH.

Abstract

In recent years, a more advanced form of phishing has arisen on Ethereum, surpassing early-stage, simple transaction phishing. This new form, which we refer to as payload-based transaction phishing (PTXPHISH), manipulates smart contract interactions through the execution of malicious payloads to deceive users. PTXPHISH has rapidly emerged as a significant threat, leading to incidents that caused losses exceeding \$70 million in 2023 reports. Despite its substantial impact, no previous studies have systematically explored PTXPHISH In this paper, we present the first comprehensive study of the PTXPHISH on Ethereum. Firstly, we conduct a long-term data collection and put considerable effort into establishing the first ground-truth PTXPHISH dataset, consisting of 5,000 phishing transactions. Based on the dataset, we dissect PTXPHISH, categorizing phishing tactics into four primary categories and eleven sub-categories. Secondly, we propose a rule-based multi-dimensional detection approach to identify PTXPHISH, achieving over 99% accuracy in the ground-truth dataset. Finally, we conducted a large-scale detection spanning 300 days and discovered a total of 130,637 phishing transactions on Ethereum, resulting in losses exceeding $341.9 million. Our in-depth analysis of these phishing transactions yielded valuable and insightful findings. Furthermore, our work has made significant contributions to mitigating real-world threats. We have reported 1,726 phishing addresses to the community, accounting for 42.7% of total community contributions during the same period. Additionally, we have sent 2,539 on-chain alert messages, assisting 1,980 victims. This research serves as a valuable reference in combating the emerging PTXPHISH and safeguarding users' assets.

Figures (11)

• Figure 1: A PTXPhish example that leverages Blur order transaction semantics. From the perspective of the NFT seller, it seems as if a regular buyer is purchasing the NFT for 5 ETH. However, the scammer cleverly sets the fees parameter to 100% and designates himself as the recipient. In reality, the seller sends the NFT to the scammer ❶, and the scammer sends 5 ETH to Blur first ❷. But due to the 100% fees, Blur redirects the 5 ETH (calculated as price * fees) back to the scammer, who is the designated fee recipient, and sends the remaining 0 ETH (calculated as price * (1-fees)) to the seller ❸. As a result, the scammers appropriate the victims’ NFT without making any payment.
• Figure 2: Anatomy of PTXPhish. According to the strategies, PTXPhish is divided into two types: (i) Abusing legitimate contracts. (ii) Exploiting phishing contracts.
• Figure 3: Simplified transferFrom function of the USDT token. Any zero value transfer between two addresses is permitted.
• Figure 4: An example of a malicious SecurityUpdate function. This fraudulent implementation has the payable modifier to receive the victim's native tokens. When victims attempt to withdraw their funds, the scammer will mock them.
• Figure 5: Variation of PTXPhish losses over time.