Address Poisoning
Address poisoning is a scam where attackers send tiny transactions from look-alike addresses to trick victims into copying the wrong one.
Key Takeaways
- Address poisoning exploits wallet UI shortcuts: attackers generate addresses that match the first and last several characters of an address the victim regularly uses, then send a small or zero-value transaction to plant it in the victim's transaction history.
- The attack has caused tens of millions in losses: a single incident in December 2025 cost one victim nearly $50 million in USDT, and a USENIX Security study documented over $83 million in confirmed losses across 270 million poisoning attempts on Ethereum and BNB Chain between 2022 and 2024.
- Prevention relies on verifying full addresses: always confirm every character before sending, use wallet address books or clipboard protection, and consider enabling address whitelisting rather than copying from transaction history.
What Is Address Poisoning?
Address poisoning is a social engineering scam that targets how people copy and paste cryptocurrency addresses. An attacker generates a wallet address that visually resembles one the victim frequently transacts with, matching the first and last several characters. The attacker then sends a small or zero-value transaction from this look-alike address to the victim, planting it in their transaction history.
The next time the victim needs to send funds to their usual recipient, they open their transaction history and copy what appears to be the correct address. Because most wallets truncate addresses in list views (showing only the first four to six and last four characters), the attacker's address looks identical to the legitimate one. The victim pastes the poisoned address and unknowingly sends funds directly to the attacker.
Unlike clipboard hijacking, which requires malware on the victim's device, address poisoning works entirely on-chain. The attacker never needs access to the victim's system. The only "exploit" is human behavior: the tendency to verify addresses by glancing at the first and last few characters rather than checking the full string.
How It Works
An address poisoning attack follows a predictable sequence that relies on low cost and high volume:
- The attacker monitors the blockchain for active wallets that regularly send to the same destination addresses, identifying high-value targets through chain analysis tools
- The attacker uses a GPU-accelerated vanity address generator to brute-force a new address that matches the first four to six and last four characters of the target's frequently used destination address
- The attacker sends a zero-value token transfer or a tiny dust transaction from the look-alike address to the victim's wallet
- This transaction appears in the victim's wallet history, looking nearly identical to their legitimate transaction partner
- When the victim later copies an address from their history, they grab the poisoned address instead of the real one
Generating Look-Alike Addresses
The computational cost of generating a matching address depends on how many characters the attacker needs to match. Cryptocurrency addresses use hexadecimal (Ethereum) or Base58/Bech32 (Bitcoin) encoding, so each additional matching character multiplies the required brute-force attempts.
For Ethereum's 40-character hex addresses, matching four characters at the start and four at the end requires roughly 4.3 billion attempts: feasible in minutes on modern GPUs. Matching six characters at each end pushes the difficulty to trillions of iterations but remains practical with GPU clusters. Attackers typically match enough characters to fool the truncation window of popular wallets.
# Simplified example: how address matching works
# Legitimate address: 0x1a2B...9f4E
# Poisoned address: 0x1a2B...9f4E (middle characters differ)
# What the wallet shows (truncated):
# Legitimate: 0x1a2B...9f4E ✓
# Poisoned: 0x1a2B...9f4E ✓ (looks identical)
# Full comparison reveals the difference:
# 0x1a2B3c4D5e6F7a8B9c0D1e2F3a4B5c6D7e8f9f4E (legitimate)
# 0x1a2Bxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx9f4E (poisoned)Zero-Value Transfers
On account-model chains like Ethereum, attackers commonly use zero-value ERC-20 token transfers to poison transaction histories. Some token contracts allow anyone to call the transferFrom function with zero value without needing approval, which means the attacker can create transactions that appear to originate from the victim's own wallet. This makes the poisoned entry look even more convincing in wallet interfaces because it mimics a legitimate outgoing transfer.
On chains with low transaction fees, attackers can send thousands of poisoning transactions per day for minimal cost. After Ethereum's fee reductions in 2025, the cost of a poisoning transaction dropped to tens of cents, enabling mass-scale campaigns previously limited to cheaper chains like Tron and BNB Chain.
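One way a wallet can keep these entries out of its history-derived suggestions, as an added example (not code from any wallet named on this page): it labels each token transfer by whether the owner actually signed it and builds the "recent recipients" list only from owner-signed, non-zero sends. The record fields, the function names and every sample address except the page's illustrative legitimate one are assumptions constructed for the example.

```python
from typing import NamedTuple

class Transfer(NamedTuple):
    tx_signer: str  # account that signed the transaction (assumed field name)
    sender: str     # "from" of the token Transfer event
    recipient: str  # "to" of the token Transfer event
    value: int      # token amount in base units

def classify(t, owner):
    """Label one history entry from the point of view of wallet `owner`."""
    owner = owner.lower()
    if t.sender.lower() == owner:
        if t.tx_signer.lower() == owner:
            return "outgoing" if t.value > 0 else "zero-value-outgoing"
        # Shown as outgoing, but someone else signed it: a third party called
        # transferFrom. With value 0 this needs no approval from the owner.
        return "delegated-spend" if t.value > 0 else "spoofed-outgoing"
    if t.recipient.lower() == owner:
        return "incoming" if t.value > 0 else "zero-value-incoming"
    return "unrelated"

def recent_recipients(history, owner):
    """Addresses safe to suggest as recipients: owner-signed, non-zero sends."""
    out = []
    for t in history:
        dest = t.recipient.lower()
        if classify(t, owner) == "outgoing" and dest not in out:
            out.append(dest)
    return out

# Constructed sample data. LEGIT is the page's illustrative address; the rest
# are made up for this example.
OWNER = "0x" + "aa" * 20
ATTACKER = "0x" + "bb" * 20
LEGIT = "0x1a2B3c4D5e6F7a8B9c0D1e2F3a4B5c6D7e8f9f4E"
LOOKALIKE = "0x1a2B" + "0" * 32 + "9f4E"
HISTORY = [
    Transfer(OWNER, OWNER, LEGIT, 5_000_000),   # real payment
    Transfer(ATTACKER, OWNER, LOOKALIKE, 0),    # zero-value transferFrom
    Transfer(LOOKALIKE, LOOKALIKE, OWNER, 1),   # dust from the look-alike
]

if __name__ == "__main__":
    for t in HISTORY:
        print(classify(t, OWNER), t.recipient)
    print("suggest:", recent_recipients(HISTORY, OWNER))
```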
UTXO Model vs. Account Model
The blockchain's data model significantly affects susceptibility to address poisoning. Account-model chains like Ethereum are the primary target, while UTXO-based chains like Bitcoin have structural resistance to this attack.
| Factor | Account Model (Ethereum) | UTXO Model (Bitcoin) |
|---|---|---|
| Address reuse | Users typically reuse a single address | Best practice generates new addresses per transaction |
| Transaction history | Shows all activity for one persistent address | Transactions spread across many addresses |
| Copy-from-history habit | Common, since address stays the same | Less common due to address rotation |
| Zero-value transfers | Possible via token contract calls | Require minimum dust threshold |
| Attack prevalence | High: the dominant target chain | Low: structural design discourages the pattern |
Bitcoin's address reuse best practices naturally defend against poisoning. When a wallet generates a fresh receiving address for each transaction, there is no single "usual" address for an attacker to impersonate. However, users who reuse Bitcoin addresses (particularly for exchange deposits) remain vulnerable to a similar pattern. The UTXO model also enforces a dust threshold that makes zero-value transactions impossible, adding a small cost barrier for attackers.
Real-World Incidents
Address poisoning has caused some of the largest individual losses in cryptocurrency history, with several high-profile incidents demonstrating the scale of the threat:
- In May 2024, a victim nearly lost $68 million in wrapped Bitcoin after copying a poisoned address. The attacker later returned the funds (minus approximately $3 million from token price changes) following public pressure and on-chain negotiation.
- In December 2025, a trader lost $50 million in USDT: the attacker detected a $50 test transaction and planted a spoofed address, and the victim transferred 49,999,950 USDT to the poisoned address just 26 minutes later.
- In January 2026, a cryptocurrency holder lost 4,556 ETH (approximately $12.4 million) in what appeared to be a routine transfer to their OTC deposit address.
A comprehensive USENIX Security study scanning Ethereum and BNB Smart Chain from July 2022 through June 2024 detected roughly 270 million poisoning attempts targeting approximately 17 million wallets, with at least 6,633 confirmed successful attacks totaling over $83.8 million in losses. The true figure is likely higher since many victims do not report incidents.
Why It Matters
Address poisoning is uniquely dangerous because it circumvents every technical security measure a user might have in place. Hardware wallets, multisignature setups, and encrypted key storage all protect against unauthorized access, but none of them can prevent a user from voluntarily sending funds to the wrong address. The attack exploits the gap between cryptographic security and user interface design.
For anyone managing cryptocurrency, understanding address poisoning is essential to maintaining self-custody safely. As stablecoins and on-chain payments grow, particularly through platforms like Spark, users need to develop verification habits that match the irreversibility of blockchain transactions. Unlike traditional payment systems, there is no chargeback mechanism to recover funds sent to the wrong address.
How to Protect Yourself
Preventing address poisoning requires changing how you handle addresses rather than relying on any single tool or feature:
Verify the Full Address
Never rely on matching just the first and last characters. Before confirming any transaction, compare the entire address character by character against your known-good source. This is the single most effective defense.
Use Address Books and Contacts
Most wallets support saving addresses as named contacts. Once you verify an address the first time, save it in your wallet's address book and send exclusively from the saved entry. This eliminates the need to copy from transaction history entirely.
Enable Address Whitelisting
Some wallets and exchanges offer whitelisting features that restrict outgoing transactions to pre-approved addresses only. Adding a new address typically requires an additional confirmation step (such as email or two-factor authentication), which creates a natural checkpoint for verification.
Send Test Transactions
For large transfers, send a small test amount first and verify receipt with the intended recipient through a separate communication channel. Note that attackers specifically monitor for test transactions: the $50 million USDT loss in December 2025 began with a $50 test transaction that the attacker detected and responded to within minutes.
Use QR Codes and Payment Protocols
QR codes encode the full address without relying on visual comparison. Payment protocols like BOLT12 offers on Lightning and ENS names on Ethereum replace raw addresses with human-readable identifiers, reducing the surface area for poisoning entirely.
Wallet-Level Protections
As of 2026, major wallet providers are implementing automatic detection. Trust Wallet offers address poisoning protection across 32 EVM chains. Binance introduced automatic checks in late 2025. Ledger Live provides clear signing to display full transaction details. However, a 2025 study found that the majority of wallets (42 out of 53 tested) still do not warn users when sending to a known poisoned address.
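A send-time check that combines the address-book and full-address advice above with the kind of automatic warning described here, as an added example (not any wallet vendor's code): a pasted destination is trusted only on an exact match with a saved contact, and one that merely shares a contact's leading and trailing characters is flagged. The contact name, the look-alike address and the function names are assumptions constructed for the example.

```python
def shared_ends(a, b):
    """Count matching hex characters at the start and at the end of a and b."""
    a, b = a.lower()[2:], b.lower()[2:]   # drop "0x"; hex case is not significant
    n = min(len(a), len(b))
    head = 0
    while head < n and a[head] == b[head]:
        head += 1
    tail = 0
    while tail < n - head and a[-1 - tail] == b[-1 - tail]:
        tail += 1
    return head, tail

def check_destination(dest, address_book, head_window=4, tail_window=4):
    """Compare a pasted destination with saved contacts before sending.

    The windows default to the shortest truncation the page mentions (four
    characters at each end), so any address that could share a truncated
    label with a contact is caught.
    """
    for name, saved in address_book.items():
        if dest.lower() == saved.lower():
            return {"verdict": "trusted", "contact": name}
    for name, saved in address_book.items():
        head, tail = shared_ends(dest, saved)
        if head >= head_window and tail >= tail_window:
            return {
                "verdict": "lookalike",
                "contact": name,
                "first_difference": head + 1,   # 1-based hex position
                "matched": (head, tail),
                # A random address matches this many characters by chance
                # once in 16**(head+tail) tries, so this is not an accident.
                "one_in": 16 ** (head + tail),
            }
    return {"verdict": "unknown", "contact": None}

# Constructed sample data. The contact is the page's illustrative address; the
# look-alike and the contact name are made up for this example.
BOOK = {"OTC desk": "0x1a2B3c4D5e6F7a8B9c0D1e2F3a4B5c6D7e8f9f4E"}
LOOKALIKE = "0x1a2B" + "0" * 32 + "9f4E"

if __name__ == "__main__":
    print(check_destination(BOOK["OTC desk"].lower(), BOOK))
    print(check_destination(LOOKALIKE, BOOK))
    print(check_destination("0x" + "cd" * 20, BOOK))
```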
Related Attack Vectors
Address poisoning belongs to a family of attacks that exploit how users handle cryptocurrency addresses:
- Clipboard hijacking uses malware to replace copied addresses with the attacker's address at the operating system level, while address poisoning works entirely on-chain
- Phishing attacks trick users into entering credentials or approving malicious transactions through fake websites, whereas address poisoning does not require any interaction beyond copying an address
- Dust attacks send tiny amounts to wallets for tracking and deanonymization purposes, and address poisoning often uses dust transactions as the delivery mechanism for planting look-alike addresses
For a broader view of cryptocurrency security threats and privacy techniques, see the research article on the Bitcoin privacy landscape.