Large-Scale Dust Attack on Blockchain: 10,000 BTC and the Role of Isomorphism Confirmation

13.05.2025

In this article, we will look at what a “dust attack” is (also known as a Dusting Attack or Crypto Dust). Many cryptocurrency users, especially those who hold significant amounts of BTC or ETH, may have noticed tiny amounts of satoshis being sent to their wallets, often disguised as “donations.” In reality, these transfers may be part of a scheme aimed at gaining access to all the funds in a wallet.

What is a Dust Attack and Why is it Used

A dust attack is a method where an attacker sends minuscule amounts of cryptocurrency to users’ addresses. The attacker then tracks the movement of these funds through the blockchain. If the user combines this “dust” with other funds and transfers them to another wallet, the attacker can link different addresses together and attempt to deanonymize the owner. This is especially relevant for centralized exchanges that require KYC procedures.
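The linking risk described above, seen from the wallet owner's side (an added example, not code from the original article): the wallet quarantines unsolicited tiny outputs and refuses to spend them alongside other funds, so the dust never joins the owner's addresses in one transaction. The 1,000-satoshi threshold, the `expected` flag, and the sample addresses and txids are assumptions constructed for illustration; 555 and 226 satoshis are the dust and fee figures used later in this article.

```python
from dataclasses import dataclass

# Assumption for this example: unsolicited outputs at or below this value are dust.
DUST_THRESHOLD_SAT = 1000

@dataclass(frozen=True)
class Utxo:
    txid: str        # funding transaction id (constructed placeholder below)
    vout: int
    address: str     # wallet address that received the output
    value_sat: int
    expected: bool   # True if the owner recognises this deposit

def flag_dust(utxos, threshold=DUST_THRESHOLD_SAT):
    """Unsolicited outputs at or below the threshold: candidates for quarantine."""
    return [u for u in utxos if not u.expected and u.value_sat <= threshold]

def select_coins(utxos, target_sat, fee_sat, threshold=DUST_THRESHOLD_SAT):
    """Largest-first selection that never spends quarantined dust.
    Returns (chosen inputs, change in satoshis)."""
    quarantined = set(flag_dust(utxos, threshold))
    spendable = sorted((u for u in utxos if u not in quarantined),
                       key=lambda u: u.value_sat, reverse=True)
    chosen, total, need = [], 0, target_sat + fee_sat
    for u in spendable:
        if total >= need:
            break
        chosen.append(u)
        total += u.value_sat
    if total < need:
        # Refuse rather than dip into dust and link addresses.
        raise ValueError("insufficient non-dust funds")
    return chosen, total - need

def linked_addresses(inputs):
    """Addresses an observer would cluster if these inputs were spent together."""
    return {u.address for u in inputs}

# Constructed sample wallet (placeholder txids and addresses, not real data).
WALLET = [
    Utxo("aa" * 32, 0, "addr-A-constructed", 555, expected=False),   # dust
    Utxo("bb" * 32, 1, "addr-B-constructed", 50_000, expected=True),
    Utxo("cc" * 32, 0, "addr-C-constructed", 120_000, expected=True),
]

if __name__ == "__main__":
    inputs, change = select_coins(WALLET, 150_000, 226)
    print("quarantined:", [(u.address, u.value_sat) for u in flag_dust(WALLET)])
    print("spent from:", sorted(linked_addresses(inputs)), "change:", change)
```

Sweeping the whole wallet in one transaction would place all three addresses in a single input set; with the dust quarantined, only the two funded addresses appear together.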

Example of a Major Dust Attack

In January 2024, CoinDesk published an article about a large-scale dust attack in which a significant amount of BTC was stolen using isomorphism confirmation in the blockchain. For example, in July-August 2022, two Bitcoin addresses successfully carried out attacks totaling 10,000 BTC.

How to Create a Dust Transaction Yourself

Recently, creating dust transactions on one’s own cold wallet has become popular. For instance, you can use Python and the appropriate libraries. First, install Python and the required packages, then generate a cold wallet and fund its balance. After that, create a transaction in which part of the funds (for example, 555 satoshis) is sent to a selected attack address, and the remaining amount is returned to the cold wallet. It is important to account for the miner fee.

Step-by-Step Guide to Creating a Dust Transaction (Example 1)

  • Install Python and the necessary libraries.
  • Generate a cold wallet and fund its balance.
  • Save the transaction hash of the deposit to build the Merkle tree.
  • In the script’s source code, specify the required values: transaction hash, private key, balance amount, attack address, and dust amount (555 satoshis).
  • Take into account the miner fee (for example, 226 satoshis) and calculate the remainder that will return to your wallet.
  • Run the script and obtain the raw transaction (RawTX), which can be checked and broadcast to the network.

Transforming the Transaction into an Isomorphism

To maximize profit, a so-called ScriptSig isomorphism is used: the first transaction sends the dust, and the second returns the funds from the victim’s balance. The resulting data can be published in a repository, and for correct operation, all txid values need to be updated and the public key in the transaction file must be replaced.

Example 2

Similarly to the first example, a new dust transaction is created, but with a different attack address and a different balance amount. The process fully repeats the previous one: funding the balance, creating and sending the transaction, calculating the fee and return, forming the isomorphism, and publishing the result.

Conclusion

A dust attack is not just the sending of tiny amounts; it is a complex scheme aimed at analyzing and linking addresses, and potentially at stealing funds. Protecting against such attacks requires vigilance, an understanding of how the blockchain works, and the use of modern security methods.