Whenever a cryptocurrency is sold on an exchange, there’s a chance that a tiny amount of it will get left behind, which can be annoying. This “crypto dust” often costs more to move than it is worth, so there’s no point trying to get rid of it. Outside of an exchange, however, crypto dust can be used as a tool for wallet tracking, a technique for advertising, or as preparation for a phishing attack.

Cryptocurrencies can be subdivided into very tiny pieces. Ethereum’s ether (commonly called “ETH“) has the “wei” as its smallest unit, coming in at 18 decimal points of an ether. This is because Ethereum’s smart contract code cannot divide units into pieces smaller than 1, so developers chose to make every number 18 digits long to avoid (significant) rounding errors during math operations, with the decimal being mostly cosmetic. At the same time, blockchains are totally transparent, providing anyone with access to a block explorer the ability to spy on each other’s transactions and crypto holdings, no matter how small.

Sometimes, crypto holders will send tiny amounts of tokens to “dust” one (or thousands) of other users’ wallets in what is called a “dusting attack“, an example of which was recently reported by Blockworks. Malicious dusting attacks can include phishing tokens designed to clean out their victim’s wallet if they try to remove them, while other times they include a message attached to the transaction promising a fake “token giveaway” scam that steals their victim’s crypto if they fall for it. This technique actually started off as a form of advertising on Bitcoin and Litecoin, where mining pools would send crypto dust to thousands of wallets with a message in the transaction’s data advertising their services, but this technique was soon appropriated to create malicious phishing attack links, and now nobody trusts crypto dust advertisements.

Dusting Attacks Were Recently Used For Denial-Of-Service

Airplane crop duster spraying fields with tiny ETH symbols

Recently, the Tornado Cash crypto mixer service was sanctioned. While it probably sounded like the right idea at the time, the government intervention backfired onto innocents due to the inability to refuse incoming cryptocurrency transfers. As Blockworks expalined at the time, some anonymous trolls used Tornado Cash to perform a dusting attack on hundreds of victims, including high-profile celebrities, blockchain developers, and politicians, resulting in their wallets being automatically blacklisted by several important Decentralized Finance (DeFi) apps, such as the front-end of the Aave lending/borrowing app and the Uniswap decentralized exchange app. This was the first and only time when a dusting attack has successfully been used to offensively disrupt service for other users, and the victims accounts were soon un-banned by the DeFi developers.

Aside from the Tornado Cash incident, dusting attacks don’t have any obvious effects, but they are still sinister. They are mainly used to learn which wallets are owned by the same person for the purpose of targeting them with phishing attacks, or even blackmail. Crypto wallets are “pseudonymous“, so it is possible to use a dusting attack combined with blockchain analysis and social engineering to figure out who owns a set of crypto wallets, especially if they own an NFT domain name. Hackers, scammers, and government agents alike will dust thousands of wallets, and then observe where the dust goes in the hopes of finding out which wallets are associated with each other. Fortunately, the best way to not fall victim to a dusting attack is to simply never spend the dust, which many personal wallets have as a safety feature that should always be enabled. Of course, this precaution can be rendered moot if a user shares NFTs on their social media accounts, which outs them as the owner of the wallet(s) that owns the NFTs.

When the subject of wallet dusting or dusting attacks comes up it is usually as a surveillance technique to “de-anonymize” someone’s wallet, often to prepare to launch a phishing attack, but sometimes to discern a real-world identity and do much worse. While not directly harmless, dusting today is almost always done with sinister intent, and most users will never know they were dusted at all, so it helps to always leave cryptocurrency dust behind after every transfer.

Sources: Blockworks