Simply put
- Users of Monad began reporting spoofed token transfers soon after the mainnet and MON token were launched on Monday.
- As explained by Monad’s CTO and co-founder, attackers used deceptive ERC-20 events that were mistaken for legitimate transactions.
- This incident coincided with a spike in MON trading, drawing renewed interest in the blockchain.
Just under two days after Monad’s network and MON token officially launched, malicious actors started creating fake token transfers. This was less than a day after users had access to airdropped and publicly sold tokens during the initial liquidity phase.
The first reports of this spoofing came from Monad’s CTO, James Hunsaker, who pointed out that the transactions looked like standard transfers in the Explorer, despite the absence of actual fund transfers or signatures from the supposed wallet.
“Warning – There are fake ERC-20 transfers pretending to be from my wallet,” Hunsaker noted, a message revealed by a Monad user who flagged the transaction on Tuesday night.
Hunsaker went on to explain that ERC-20 serves merely as a token interface standard, making it possible to write contracts that could create the necessary functionality while incorporating invalid addresses.
This design lets a harmful contract produce events that simulate real activity without any wallet authorization taking place.
He clarified that this malicious behavior wasn’t a flaw in Monad’s blockchain, but rather “spoofing within smart contracts to deceive people.”
Decrypt has reached out to Mr. Hunsaker and Mr. Monad for further comments.
Xiang Zhang, CISO at blockchain security firm Slomist, mentioned that during the launch of a network like Monad, users are frequently creating new wallets and connecting funds, which leaves room for fraud. “Fraudsters understand that transaction histories may be disorganized or empty,” he said.
Zhang described how these bad actors create “vanity addresses” that resemble the first and last four characters of a legitimate exchange deposit address or cold wallet. They then spam transfers from these lookalike addresses, hoping users will mistakenly copy an address from their transaction history.
To differentiate between genuine and spoofed activity, Zhang advised users to verify who initiated the transactions and to examine the contract address of each token.
“If you don’t sign the transaction, the funds can’t leave your wallet unless your private key is compromised,” he stated. He also mentioned that if someone didn’t initiate a transaction, but the explorer claims tokens were sent from them, that is likely a spoof.
Most attempts also depend on “zero value transfers,” which are acceptable under the ERC-20 standard. “If a zero USDC transaction is sent to an address that’s similar to yours, it’s an attempt to clutter your transaction history,” Zhang warned.
A specific instance of these transfers, highlighted by Hunsaker, followed a typical pattern: in this chain, attackers deploy their contract and create events that reflect genuine token movement, though no signatures or token transfers occur.
The Explorer displays these events as regular activity, misguiding users who review their wallet histories.
In this scenario, the contract also generated counterfeit swap calls and other false signatures to further simulate a real transaction within the MON ecosystem.
The goal seems to be to create the illusion of legitimate transactions as users first interact with the network and transfer tokens.
The fake transfers emerged as activity surged around Monad after the launch and distribution of the MON token.
About 76,000 wallets claimed MON tokens over the past month but only received them on Monday, the day the network and tokens went live.
Following the release, MON’s value rose 19% to $0.042. As of the latest data, the token has increased 43% for the day and boasts a market cap nearing $500 million.
Monads have been positioned as competitors to Ethereum and Solana, establishing themselves as a high-performance, EVM-compatible network designed for parallel transactions and high-throughput applications.
