Analysis of the "Dust Attack" or "Dandruff Attack" on the Tron Network
Risks, Damage Assessment, and Solutions
General description
At the beginning of summer 2023, many users of the Tron blockchain began to receive tiny incoming transfers from unknown addresses, and the share of such transactions in the network became noticeable. TRX and USDT were the assets most often used for these mass mailings. The attack had no name of its own and was called a "dust attack" because, judged by its external features, it resembles the "dust attack" known from the BTC network. Within our team the working name for this attack is "dandruff attack", and the tiny payments themselves are called "dandruff".
What is a "dandruff attack"?
The attacker sends many small transactions to addresses that have recently sent or received transfers. He then waits for a recipient of "dandruff" to copy the attacker's address from the transaction history by mistake, instead of the address of the intended recipient, and to send the assets to it.
We have identified 6 generations of this attack. The return of the most advanced attacking networks exceeded 3800%.
The total number of transactions sending TRX as part of such attacks exceeded 683,434,052, and the number of transactions sending USDT exceeded 85,304,707.
Fighting this kind of attack is possible! Specific methods and techniques are described in the research section.
How "dandruff attacks" are carried out
During its short period of active development (starting in summer 2023), this type of attack has come a long way from a primitive mass mailing to a well-thought-out system with quite sophisticated target analytics. To date, several generations of "dandruff attacks" can be distinguished.
The first generation
The mailing list goes chaotically to all addresses that have made transactions recently using TRX tokens.
The mailing goes chaotically to all addresses that have made transactions recently. TRX is used for the mailing because a TRX transfer can be sent without spending Energy, solely at the expense of Bandwidth (profitability is discussed in more detail in the corresponding section).
Low efficiency of the scheme.
Example of one of the attacker's addresses: TGuuuq9asKwhGR2Zq21vQ1Nk4yFiTc8G3J
Second generation
The mailing is still chaotic but uses USDT tokens.
The mailing is still carried out chaotically, but with USDT. Although the value of the transferred asset differs only slightly (it is still $0.01 or less), the cost of such a mailing rises because of the Energy consumed by a token transfer: a TRX transfer uses only the daily renewable Bandwidth, whereas a transfer of any TRC-20 token consumes both Bandwidth and Energy. Energy is obtained either by staking TRX or by burning it.
Example of one of the attacker's addresses: TEdi3CGdKewc1ZRen3SWkGf3YecoVT457j
Third generation
The mailing is still chaotic and uses USDT tokens, but filtering of attack targets has been added.
It is a development of the second generation, with some methods of filtering attack targets added.
Such filters include:
The balance on the address;
Frequency of target transactions,
Transaction time, etc.
Each developer of an attacking network sets such restrictions at his own discretion. At this stage the scheme becomes more complex through the introduction of analytics algorithms, which requires more requests to the network's nodes; this, in turn, creates technical opportunities for analyzing the attackers.
Fourth generation
Selects attacking addresses whose ending resembles that of the attacked address's counterparty.
This algorithm of the attacking network already significantly increases the effectiveness of the attack, but it requires a higher level of execution of the attacking network's modules. This generation selects attacking addresses whose ending resembles that of the counterparty of the attacked address.
Using a mechanism that matches the end of a crypto address, it generates (by trying keys until a match is found) an address with the greatest possible similarity in the last characters. This significantly increases the chance of a successful attack. This attack can be combined with the analytics methods of the third generation.
At the same time, because the attacked address is chosen and the attacker's address is generated to resemble the target's counterparty, the attacking addresses have to be promptly topped up with assets and resources to complete the transaction. This makes supplying the attacking network with Energy from staking hardly applicable. Most attacking networks of this generation pay transaction fees by burning TRX.
Fifth generation
Target selection analytics; generation of addresses similar to the counterparty; transfer of an amount similar to the one sent by the counterparty.
It is the most effective generation due to a combination of several mechanisms:
Target selection analytics;
Generation of addresses similar to the counterparty;
Transfer of an amount similar to the one sent by the counterparty as a test payment.
This generation is characterized by the most selective attacks, with an attempt to duplicate a test payment between two addresses. During the analysis we identified cases of duplicated amounts of up to 2 USDT, sent when a number of conditions were met: no previous transactions between the parties, a significant balance on the target's address, and a test payment of no more than 2 USDT.
Advantages:
Extremely high effectiveness of the attack.
Sixth generation
Adding the attacker's address to the list of addresses to which the victim "sent" assets earlier.
Since mid-November 2023 there have been attacks in which 0 USDT is "sent" from the victim's address to the attacker's address. This is possible because neither the Tron network nor the USDT (TRC-20) contract restricts zero-value transfers: the attacker calls the token contract's transferFrom with the victim's address as the sender and an amount of 0. The allowance check passes, because a spending limit of zero is never exceeded, and the contract emits an ordinary Transfer event from the victim to the attacker, which wallets and explorers then show in the victim's history, even though the attacker never had the victim's private key.
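As an added example (not the article's own code and not the USDT contract), the following Python model of the TRC-20/ERC-20 transferFrom path shows why a zero-value transfer from any address succeeds without a key or an allowance, and how a history view can filter such entries. Address strings, balances and the function names are constructed for the illustration.

```python
# Added example: a minimal model of the ERC-20/TRC-20 transfer paths.
# It is NOT the real USDT contract; only the checks relevant to the
# zero-value "transferFrom" poisoning are reproduced.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Transfer:
    caller: str   # msg.sender of the contract call (who actually signed)
    src: str      # "from" as recorded in the Transfer event
    dst: str      # "to"
    value: int    # token units (USDT on Tron has 6 decimals)


@dataclass
class Token:
    balances: dict = field(default_factory=dict)
    allowed: dict = field(default_factory=dict)   # (owner, spender) -> allowance
    events: list = field(default_factory=list)

    def _move(self, caller, src, dst, value):
        if self.balances.get(src, 0) < value:
            raise ValueError("insufficient balance")
        self.balances[src] = self.balances.get(src, 0) - value
        self.balances[dst] = self.balances.get(dst, 0) + value
        # EIP-20: a transfer of 0 is a normal transfer and MUST emit an event.
        self.events.append(Transfer(caller, src, dst, value))
        return True

    def transfer(self, caller, dst, value):
        """Owner-signed transfer: no allowance involved."""
        return self._move(caller, caller, dst, value)

    def transfer_from(self, caller, src, dst, value):
        """Third-party transfer. With value == 0 the allowance check passes
        for ANY src, even if src never approved caller at all."""
        if self.allowed.get((src, caller), 0) < value:
            raise ValueError("insufficient allowance")
        self.allowed[(src, caller)] = self.allowed.get((src, caller), 0) - value
        return self._move(caller, src, dst, value)


def naive_outgoing_counterparties(events, owner):
    """What a history view shows when it trusts the event's `from` field."""
    return [e.dst for e in events if e.src == owner]


def hardened_outgoing_counterparties(events, owner):
    """Keep only transfers the owner actually authorised: either the owner
    signed the call, or it was a non-zero transferFrom (which needed a real
    allowance). Zero-value transferFrom by a third party is dropped."""
    return [e.dst for e in events
            if e.src == owner and (e.caller == owner or e.value > 0)]


# Constructed placeholders, not real Tron addresses.
VICTIM, REAL, ATTACKER = "T_VICTIM", "T_REAL_COUNTERPARTY", "T_ATTACKER_LOOKALIKE"


def demo():
    usdt = Token(balances={VICTIM: 5_000_000_000})      # 5,000 USDT
    usdt.transfer(VICTIM, REAL, 100_000_000)            # victim's own payment
    usdt.transfer_from(ATTACKER, VICTIM, ATTACKER, 0)   # poisoning: no key, no allowance
    return (naive_outgoing_counterparties(usdt.events, VICTIM),
            hardened_outgoing_counterparties(usdt.events, VICTIM))


if __name__ == "__main__":
    print(demo())
```

Because the token standard requires zero-value transfers to succeed, the fix belongs in wallets and explorers: an entry whose `from` differs from the signer of the call and whose value is zero should not appear as an outgoing payment of the victim.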
The logic of this attack differs in that the attacker inserts his address not into the list of senders to the victim's address but into the list of addresses to which the victim sent assets earlier. This makes the attack less noticeable and more effective. It can be combined with the generation of addresses resembling the counterparties of the attacked address, which significantly increases the effectiveness of the attack.
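An added example, not part of the original article, of the check a wallet could run before signing a transfer, aimed at the fourth to sixth generations described above: the destination is compared with counterparties the user has really paid, and its own history is inspected for "dandruff" or zero-value entries. The history format, thresholds and the constructed addresses are assumptions for the illustration.

```python
# Added example: wallet-side pre-send check against address poisoning.
# Works only on the user's own transfer history, so it runs offline.
from dataclasses import dataclass

DUST_USD = 1.0   # transfers below this are "dandruff" (the article's wallet threshold)
MIN_MATCH = 4    # shared leading or trailing characters that make an address a lookalike


@dataclass(frozen=True)
class Tx:
    direction: str   # "in" or "out", relative to the wallet owner
    addr: str        # counterparty address as the wallet displays it
    usd: float       # value of the transfer in USD at the time


def common_prefix(a, b):
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def common_suffix(a, b):
    return common_prefix(a[::-1], b[::-1])


def trusted_counterparties(history):
    """Addresses the owner has really paid: an outgoing transfer above the dust
    threshold must have been signed by the owner (a 0-value entry need not be)."""
    return {t.addr for t in history if t.direction == "out" and t.usd >= DUST_USD}


def check_destination(history, dest):
    """Return a list of human-readable warnings; empty means nothing suspicious."""
    warnings = []
    trusted = trusted_counterparties(history)
    if dest in trusted:
        return warnings
    for real in trusted:
        p, s = common_prefix(real, dest), common_suffix(real, dest)
        if p >= MIN_MATCH or s >= MIN_MATCH:
            warnings.append(f"{dest} resembles known counterparty {real} "
                            f"(shares {p} leading and {s} trailing characters)")
    seen = [t for t in history if t.addr == dest]
    if seen and all(t.usd < DUST_USD for t in seen):
        warnings.append(f"{dest} has only appeared in {len(seen)} dust or zero-value "
                        f"transfer(s) and was never a paid counterparty")
    return warnings


# Constructed sample data (not real Tron addresses): a genuine counterparty and a
# lookalike sharing its first 4 and last 6 characters, as a 4th-generation
# attacker would generate.
REAL = "TKa1bc2De3Fg4Hi5Jk6Lm7Np8Qr9St0UvW"
LOOKALIKE = REAL[:4] + "z" * 24 + REAL[-6:]
SAMPLE_HISTORY = [
    Tx("out", REAL, 250.0),        # payment the owner actually signed
    Tx("in", LOOKALIKE, 0.01),     # 4th/5th-generation "dandruff"
    Tx("out", LOOKALIKE, 0.0),     # 6th-generation zero-value transferFrom entry
]


def demo():
    return check_destination(SAMPLE_HISTORY, LOOKALIKE)


if __name__ == "__main__":
    for w in demo():
        print("WARNING:", w)
```

Hiding sub-$1 entries, as the article recommends for wallets, removes the bait from the history view; this check additionally catches the case where the user has already copied a lookalike from somewhere else.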
The economy of "dandruff attacks"
The profitability of an attack is the difference between the assets received at the attacking addresses from victims and the costs of operating the network.
The costs of network operation consist of the following components:
- Development of attacking network modules;
- Activation of each address of the attacking network;
- Transaction costs for transferring assets to the attacking addresses and for sending "dandruff";
- The associated costs of obtaining data on Tron network activity (external data providers, or launching and maintaining one's own node).
Profitability using the example of one network
The effectiveness of the attack is analyzed on the attacking network whose assets were supplied from the address TTFGc88GU8LXrXNnSPZFeeivSwaBZoJGk1.
The address TTFGc88GU8LXrXNnSPZFeeivSwaBZoJGk1 sent 721,054 TRX and 1,750 USDT to more than 60,000 addresses of the attacking network, paying 90,443 TRX in fees. The total cost of the crypto assets used within this network of addresses was approximately $46,000. Together with the other costs listed above, the approximate amount spent on launching the network was $50,000-55,000.
As a result of the operation of the studied network, 153 incoming transfers to attacking addresses were identified that followed a "dandruff" transaction from that address to the attacked one. The total amount received in this way was at least 1,941,484 USDT.
The return of the studied network was over 3800%.
The most effective counteraction measures
Based on the analysis of "dandruff attacks", we consider it possible to reduce the risk of such attacks in the following ways:
- Developers of cryptocurrency wallet applications could hide transactions of less than $1 by default; this would reduce the effectiveness of attacks of the first, fourth and sixth generations almost to zero.
- In-depth analysis and de-anonymization of the operators of the staking addresses that supply Energy to attacking networks would make this type of attack (for the second and third generations) more difficult and economically unprofitable.
- Analysis of the sources of TRX received by the networks of attacking addresses would allow additional pressure to be put on the administrators of attacking networks of the first, fourth and sixth generations.
- Automatic blocking by Tether of the USDT assets at attacking addresses when amounts above a certain value are received on them after they have sent "dandruff", based on an automatic activity-analysis algorithm (our technical specialists implemented such an algorithm in a few hours), would remove the economic viability of this type of attack.
- Studying the request logs of the key services that provide information about transactions on the Tron network would allow identifying possible administrators of attacking networks of all generations (if the attacker does not use his own node).
- Authors of attacking algorithms can be identified at the debugging stage by searching for similar attacks in the test network. Many attacking networks are tested on Tron testnets for debugging and tuning. Tokens on a Tron testnet can be obtained only through the official community on Discord. An example of such an attack can be this transaction.
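The automatic activity-analysis rule mentioned in the blocking measure above, as an added example that is neither the article's nor Tether's own implementation: over a feed of transfers it first learns which addresses behave as dust sources (many tiny transfers to distinct recipients) and then raises an alert when such an address later receives a large amount from one of its own dust targets. The feed format, thresholds and sample addresses are constructed assumptions.

```python
# Added example: issuer- or analytics-side detection of "dandruff" payouts.
# Batch version: it assumes the whole feed is available; a streaming variant
# would build the dust-source table incrementally in timestamp order.
from collections import defaultdict
from dataclasses import dataclass

DUST_USD = 1.0          # a transfer below this value is "dandruff"
MIN_DUST_TARGETS = 20   # distinct dust recipients before an address counts as a dust source
ALERT_USD = 100.0       # incoming amount to a dust source that triggers an alert


@dataclass(frozen=True)
class FeedTx:
    ts: int      # block timestamp (unix seconds)
    src: str     # sender
    dst: str     # recipient
    usd: float   # value in USD at the time


def find_dust_sources(feed):
    """Map dust-source address -> {recipient: timestamp of first dust sent}."""
    targets = defaultdict(dict)
    for t in sorted(feed, key=lambda t: t.ts):
        if t.usd < DUST_USD:
            targets[t.src].setdefault(t.dst, t.ts)
    return {src: m for src, m in targets.items() if len(m) >= MIN_DUST_TARGETS}


def detect_poisoning_payouts(feed):
    """Alerts as (suspected attacker, victim, usd): a large transfer to a dust
    source from an address that this source dusted earlier."""
    sources = find_dust_sources(feed)
    alerts = []
    for t in sorted(feed, key=lambda t: t.ts):
        dusted = sources.get(t.dst)
        if dusted and t.usd >= ALERT_USD and t.src in dusted and t.ts > dusted[t.src]:
            alerts.append((t.dst, t.src, t.usd))
    return alerts


# Constructed sample feed (placeholder strings, not real Tron addresses).
ATTACKER = "T_DUST_SOURCE"
EXCHANGE = "T_EXCHANGE_HOT_WALLET"


def sample_feed():
    feed = [FeedTx(1_700_000_000 + i, ATTACKER, f"T_VICTIM_{i:02d}", 0.01)
            for i in range(25)]                                   # dust to 25 targets
    feed.append(FeedTx(1_700_000_100, "T_VICTIM_07", EXCHANGE, 5000.0))   # legitimate, no alert
    feed.append(FeedTx(1_700_000_200, "T_VICTIM_07", ATTACKER, 5000.0))   # victim paid the dust sender
    return feed


if __name__ == "__main__":
    for attacker, victim, usd in detect_poisoning_payouts(sample_feed()):
        print(f"ALERT: {attacker} received {usd} USD from dusted address {victim}")
```

The dust-source step is what keeps false positives down: exchanges and payment processors receive large transfers all the time, but they do not first send sub-$1 amounts to thousands of distinct addresses.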
Information resources used
https://tronscan.org/
https://developers.tron.network/docs/resource-model
https://tronstation.io/calculator
The study was carried out by:
CEO of Match Systems
Head of investigation department
Maxim Falaleev
Senior developer