On Aug. 10, the Binance and Litecoin (LTC) community came to life as news of a potential “dusting attack” was announced through the official Binance Twitter account. In the tweet, the team explained that around 50 Binance Litecoin addresses received a fractional amount (0.00000546) of Litecoin, which the exchange’s security team identified as part of a large-scale dusting attack.
James Jager, project lead at Binance Academy and the person who first identified the attack, discussed the event with Cointelegraph:
“It was network-wide, which meant it affected all users of litecoin that had an active litecoin address at the time. The address of the person responsible for the dusting attack can be found here: https://blockchair.com/litecoin/address/LeEMCDHmvDb2MjhVHGphYmoGeGFvdTuk2K
“We became aware of the dusting attack on Saturday morning when one of our binance angels had received a small amount of LTC into their litecoin wallet.”
Jan Happel, co-founder of blockchain data provider Glassnode, looked into the dusting attack to confirm the extent of it. Although Binance reported that 50 users had been affected, Happel believes that the scale was much more widespread, with almost 300,000 LTC addresses showing signs of dusting. Possibly even more interesting was the extra data that came up, showing a previously unreported dusting attack that occurred earlier this year in April. Happel told Cointelegraph:
“We have done a quick query into the LTC blockchain and analyzed the number of UTXOs that carry a smaller value than the mean tx fee that day. If a UTXO contains less balance than the minimum amount required to spend it (fee) that day, it becomes stuck/unspendable — this is what we technically define as dust.”
The graph below shows the reported volume of dusting attacks that affected LTC wallets.
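The dust definition quoted above can be applied to transaction records as follows. This is an added example, not Glassnode's query or code from the article; the sample transactions, the field names and the choice to compare each output against the mean fee of the day it was created are assumptions.

```python
from collections import Counter, defaultdict
from statistics import mean

# Constructed sample, not real chain data. Values are in litoshi (1e-8 LTC).
# Each output is (address, value, spent); spent=True means it is no longer a UTXO.
TXS = [
    {"txid": "t1", "day": "day1", "fee": 2000, "outputs": [("a1", 5_000_000, False)]},
    {"txid": "t2", "day": "day1", "fee": 1000,
     "outputs": [("a2", 900, True), ("a3", 70_000, False)]},
    {"txid": "t3", "day": "day2", "fee": 1200,
     "outputs": [("a4", 546, False), ("a5", 546, False), ("a6", 546, False)]},
    {"txid": "t4", "day": "day2", "fee": 800,
     "outputs": [("a7", 250_000, False), ("a8", 999, False)]},
]

def mean_fee_by_day(txs):
    """Mean transaction fee for each day in the sample."""
    fees = defaultdict(list)
    for tx in txs:
        fees[tx["day"]].append(tx["fee"])
    return {day: mean(values) for day, values in fees.items()}

def dust_utxos(txs):
    """Unspent outputs worth less than the mean fee on the day they were created (assumption)."""
    threshold = mean_fee_by_day(txs)
    return [(tx["day"], tx["txid"], addr, value)
            for tx in txs
            for addr, value, spent in tx["outputs"]
            if not spent and value < threshold[tx["day"]]]

def dust_count_by_day(txs):
    """Number of dust UTXOs per day, including days with none."""
    counts = Counter({tx["day"]: 0 for tx in txs})
    counts.update(day for day, *_ in dust_utxos(txs))
    return dict(counts)

def dust_fanout(txs):
    """Dust outputs per funding transaction; a high count points to one sender dusting many addresses."""
    return dict(Counter(txid for _, txid, _, _ in dust_utxos(txs)))

if __name__ == "__main__":
    print(dust_count_by_day(TXS))
    print(dust_fanout(TXS))
```

The 900-litoshi output in t2 is below that day's mean fee but has already been spent, so it is not counted as a dust UTXO.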
The key to a dusting attack is the unspent transaction output (UTXO). This is like a signature assigned to any unspent value, and when a transaction is completed, many of these UTXOs are merged to make up the transaction amount. By tracking these UTXOs, someone can track different wallet addresses to one specific user. The concept of dusting attacks became prominent in 2018, when Samourai Wallet warned its users regarding a dusting attack targeting a large number of Bitcoin (BTC) wallets. The digital wallet provider tweeted:
This was the first time a large-scale attack of this kind had occurred. Dusting attacks are not limited to Bitcoin or Litecoin but can be carried out on any public blockchain. It is also important to note that dusting can be used for different motives, as explained by Jager: “The term 'dusting attack' is a fairly broad statement and the actual intent behind the attacks don't necessarily always align to be the same.” After Binance made the announcement, the attack took an interesting twist when the offender contacted Binance in response to the public warning. Jager explained:
“The person behind the dusting attack owns a mining pool based out of Russia, EMCD[dot]io. They reached out to express that their intent was to advertise their mining pool to the users of Litecoin, however, it's unclear from our perspective or anyone else's as to whether there were alternative motives. The owner of the pool was not aware that he was subjecting all these users to a dusting attack and spreading fear among the Litecoin community.
“It's interesting to note, that even if this was not the intent of the mining pool owner, he provided a base for malicious actors to analyze. You see, the person responsible for conducting the dusting attack doesn't necessarily have to be the one collecting the data, they can just merely be providing a service so that someone else can collect all the information and analyze it at a later date.”
What initially seems like a small, harmless activity can be very dangerous: it can undermine user anonymity and be used against you to steal your precious digital assets. Although the danger of this attack is apparent, it appeared to have little effect on the sentiment of the Litecoin community. Indeed, the 24 hours after the attack saw the price rise approximately 5%.
How do dusting attacks work?
To begin with, hackers send a tiny fraction of any given cryptocurrency (BTC, LTC, etc.) to a large group of addresses. These small fractions are referred to as dust, and the amount could be as small as 1 Satoshi, which most users don’t even notice or may think of as harmless. As defined by Binance Academy, a dusting attack refers to a relatively new kind of malicious activity in which hackers and scammers send tiny amounts of crypto to wallets in an attempt to deanonymize their owners. The danger comes in what this opens the victim up to, as Jager explained:
“Dusting attacks generally involve a combined analysis of the dust sent to many users, allowing people to break the privacy of bitcoin or litecoin and potentially launch phishing campaigns or cyber-extortion threats.”
The attacker then waits for the user to spend the dust along with the wallet's other UTXOs. Once a user's wallet mixes this dust with the main holdings and subsequently spends it, the attacker will be able to deanonymize the user and track all their wallet addresses, including addresses that are automatically generated in the future.
At any given time, all the crypto in a wallet is an unspent transaction output. It's in a wallet because it hasn't been spent yet — hence the name. When added up, every UTXO in existence is the same as adding up all the wallet balances in existence.
The UTXOs and the wallet balance will always be the same amount, but they aren't the same thing, because most wallets allow a user to generate an almost limitless number of new addresses for each transaction. The Bitcoin white paper suggested this as a security aspect, saying, "as an additional firewall, a new key pair should be used for each transaction to keep them from being linked to a common owner."
This is what a "hierarchical deterministic wallet" is, a wallet that generates new addresses for each transaction to better protect the privacy of its owner. Dust undermines this protection because wallets will automatically sweep together different UTXOs from different addresses when they build a transaction. Essentially, an attacker will sprinkle that dust over many different wallets and then watch that dust to see how much of it might get swept up into the same transaction. If dust sent to several addresses is spent in the same transaction, the attacker can conclude that the same person owns all of those addresses. The attacker can use this knowledge to target his victim via phishing attacks or even blackmail them if they are operating from a high-risk country.
Dusting as a tool
Sometimes, dusting can also be used as a marketing tool to advertise a service or raise awareness of a product. For example, on the blockchain social media platform Steemit, users receive small amounts of Steem in their wallets along with a message regarding the services offered.
Another instance was when BestMixer.io, a cryptocurrency mixing service that anonymizes cryptocurrencies, used dusting as a promotional tool. In October 2018, hundreds of Bitcoin users began receiving small amounts of BTC from BestMixer.io. Along with this dust, there was a promotional message that described its service. The platform used this method to effectively target potential users at a marginal cost.
Also, dusting attacks can reportedly be used to defeat Anti-Money Laundering strategies employed by law enforcement and regulators. A portion of the dirty money is used for dusting thousands of wallets. By doing this, criminals can provide a smokescreen for illegal transactions, thereby sending regulatory algorithms into a wild goose chase.
How to protect yourself?
The best way to protect against such activity is to use the strategy advised by Samourai Wallet, which provided its users with a “do not spend” feature. This allows the user to mark small, unknown deposits in their wallet so that these UTXOs are never used in further transactions.
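The effect of a "do not spend" flag on the address linking described earlier can be seen in a small wallet model. This is an added example, not Samourai Wallet's code; the wallet contents, the smallest-first coin selection, the automatic flagging by a fee threshold and all names are assumptions made for illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Utxo:
    txid: str
    address: str            # wallet address that received this output
    value: int              # litoshi (1e-8 LTC)
    do_not_spend: bool = False

# Constructed wallet: one funded output per address plus a 546-litoshi dust deposit on each.
WALLET = [
    Utxo("f1", "addrA", 50_000_000), Utxo("f2", "addrB", 20_000_000),
    Utxo("f3", "addrC", 5_000_000),
    Utxo("d1", "addrA", 546), Utxo("d2", "addrB", 546), Utxo("d3", "addrC", 546),
]

def flag_dust(utxos, fee_to_spend):
    """Mark outputs worth less than the fee needed to spend them as do-not-spend."""
    return [replace(u, do_not_spend=u.do_not_spend or u.value < fee_to_spend)
            for u in utxos]

def select_coins(utxos, target):
    """Smallest-first selection (sweeps up small outputs), skipping do-not-spend ones."""
    chosen, total = [], 0
    for u in sorted((u for u in utxos if not u.do_not_spend), key=lambda u: u.value):
        if total >= target:
            break
        chosen.append(u)
        total += u.value
    if total < target:
        raise ValueError("not enough spendable outputs")
    return chosen

def linked_addresses(inputs):
    """Addresses an observer can tie to one owner: every input address of one transaction."""
    return {u.address for u in inputs}

def compare(target=4_000_000, fee_to_spend=1_000):
    """Return (addresses linked without flagging, addresses linked with flagging)."""
    naive = linked_addresses(select_coins(WALLET, target))
    guarded = linked_addresses(select_coins(flag_dust(WALLET, fee_to_spend), target))
    return naive, guarded

if __name__ == "__main__":
    print(compare())
```

Without the flag, the payment sweeps in all three dust outputs and ties addrA, addrB and addrC together; with the flag, only addrC appears as an input.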
Dusting attacks are mainly targeted at private wallet holders. Therefore, it’s essential to keep track of incoming funds, and it’s always a good idea to use a wallet address only once, which provides further protection. Other security measures may include installing a virtual private network, or VPN, along with a trustworthy antivirus on all of the devices that are used to access crypto, as well as encrypting wallets and storing keys inside encrypted folders.