Monad Hit With Spoofed Token Transfers Days After Mainnet Launch

Bad actors began spoofing token transfers on Monad less than two days after the network and its MON token officially went live on Monday, and within a day of airdropped and publicly sold tokens becoming accessible to users during the chain’s first period of liquidity and onboarding.

The spoofing was first reported by Monad CTO and co-founder James Hunsaker, who noted that the transactions appeared as standard token transfers on explorers, despite no movement of funds or signatures from the wallets being impersonated.

“Warning—there are fake ERC-20 transfers pretending to be from my wallet,” Hunsaker disclosed Tuesday evening on X, citing a Monad user who alerted him of the transactions.

Hunsaker added that ERC-20 is “just a token interface standard,” and that it is easy for someone to write a contract that meets the required functions while inserting unauthorized address entries.

Such a structure allows malicious contracts to create events to make activity appear legitimate, even when no actual wallet approval occurred.

Hunsaker added that the malicious activity is not a bug on Monad’s blockchain, and is instead “spoofing within their smart contract to try to trick people.”

Decrypt has reached out to Hunsaker and Monad for additional comment.

“During a chain’s launch, like Monad’s, users are constantly setting up new wallets, bridging funds, and adding token contracts. Scammers know your transaction history is empty or chaotic,” Shān Zhang, chief information security officer at blockchain security firm Slowmist, told Decrypt.

Those bad actors generate so-called “vanity addresses” that “match the first and last 4 characters of your real exchange deposit address or your cold wallet,” Zhang explained.

“They then spam you with a spoofed transfer from this lookalike address, hoping that when you go to bridge or transfer, you will lazily copy the ‘most recent’ address from your history.”

Asked how to tell real activity from fake, Zhang said users should check who started the transaction and confirm the token’s contract address.

“If you didn’t sign the transaction, it is impossible for funds to leave your wallet unless your private key is compromised,” he said. If the user didn’t send the transaction, but the explorer claims the tokens came from them, the transfer is “almost certainly a spoof,” he added.

Most attempts also rely on “Zero-Value Transfers,” which the ERC-20 standard allows, Zhang warned. “If you see a transaction of 0 USDC sent to an address that looks almost like yours (or your friend’s), it is an attempt to poison your history,” Zhang added.

In one sample transaction provided by Hunsaker, the set of transfers followed a pattern common among EVM-based chains in which attackers deploy their own contracts and emit events that look like real token transfers, even though no wallets signed anything and no tokens moved.

Explorers display those events as regular activity, which can mislead users who might be checking wallet history.

In this case, the contracts also generated fake swap calls and other artificial signatures to appear as actual trading around the MON ecosystem. 

The idea, ostensibly, is to create the appearance of legitimate activity on a new network as users open wallets and move tokens for the first time.

The fake transfers come amid intensified activity around Monad following the network’s launch and the release of its MON token.

Roughly 76,000 wallets claimed MON over the past month but did not receive their tokens until Monday, when the network and its token went live.

A day after its launch, MON rose 19% to $0.042. At the time of writing, the token is up 43% on the day, with its market cap reaching roughly $500 million, per CoinGecko data.

Monad has been touted as a competitor to Ethereum and Solana, positioning itself as a high-performance, EVM-compatible network designed to process transactions in parallel and support throughput-intensive applications.