A seasoned crypto trader—someone who had made hundreds of successful transactions, lost over $68 million in a matter of seconds. It wasn’t a sophisticated hack or a breach of blockchain security. The scam was chillingly simple: the trader sent funds to an address that looked almost right. A few characters off, but enough to pass a quick visual glance. That small mistake cost them everything.
This is the story of address poisoning, a new kind of crypto scam that doesn’t break the blockchain—it exploits you.
What is address poisoning?
At its core, address poisoning is a social engineering scam that targets human error, not system vulnerabilities.
Cryptocurrency wallet addresses are long, complex alphanumeric strings—often 42 characters or more. Most people never memorise them. Instead, they rely on tools like copy-paste or transaction history logs in their wallet apps. Scammers are aware of this and take advantage of it.
By sending zero-value transactions from addresses that look similar to legitimate ones you’ve interacted with before, scammers insert (“poison”) those fake addresses into your wallet history. Then, when you want to send money later, you choose the incorrect address from your transaction history, even though it seems familiar. You’ve just sent crypto to a thief.
The anatomy of an address poisoning attack
Let’s walk through a real-world example.
On May 3rd, 2024, an Ethereum wallet belonging to a high-value user made two transactions. The first was a small “test” payment sent to address 0xd9A1b. Minutes later, the same wallet sent 1,155 Wrapped Bitcoin (WBTC)—worth $68 million—to 0xd9A1c.
Source: chainalysis
To a casual eye, those addresses appear nearly identical. But the second one belonged to a scammer. It had been carefully designed to resemble a trusted address the victim often used.
This technique, called vanity address generation, allows attackers to create thousands of addresses that mimic the prefix or suffix of a target address until they find one close enough to fool the user. These lookalike addresses are then seeded into the blockchain via small, harmless transactions. The result? The transaction history of wallets is compromised, making them ticking time bombs.
The business behind the scam
This isn’t just a handful of scammers testing their luck. Address poisoning has evolved into a structured criminal industry.
Toolkits designed specifically for address poisoning can be bought on darknet markets. These kits come with everything an attacker needs:
- Generators to create spoofed addresses.
- Scripts to send zero-value or fake-token transactions.
- Pre-built templates for phishing campaigns.
- Support channels on encrypted messaging platforms.
You don’t even need to be tech-savvy. Some kits include step-by-step video tutorials, turning complex fraud into a copy-paste affair.
One investigation found a single campaign using over 82,000 poisoned addresses on Ethereum. In total, these attacks cost victims more than $83 million, with over 270 million attempted poisoning transactions recorded in just two years.
Real-world damage: Not just the big whales
While high-profile losses like the $68M WBTC theft grab headlines, most victims are everyday users.
A study profiling address poisoning victims found that:
- The average wallet balance was $338,900.
- Victim wallets had, on average, 598 prior transactions.
- Most wallets had been active for over 500 days.
This data proves a critical point: experience is no guarantee of safety. More active users are often more at risk because they rely on transaction history, automation tools, or pre-filled fields.
And while some victims only lose small amounts in “test” transfers gone wrong, the cumulative impact is massive. Even a 0.03% success rate per address can yield millions in stolen funds.
The psychology of trust and familiarity
What makes address poisoning so dangerous is that it feels safe. There’s no shady email asking for private keys and no malware download. Just a familiar-looking address, sitting right there in your wallet’s recent history.
It exploits a powerful human trait: trust in patterns. We assume that if something worked before, it’s safe again. That’s how we operate when we drive the same road, log into the same app, or send crypto to the same contact.
Scammers are weaponising our habits—turning our convenience into their opportunity.
Why the blockchain can’t stop it
Here’s the twist: blockchains aren’t broken. They function precisely as intended.
On Ethereum or BNB Chain, anyone can send a transaction to any address. That’s how decentralisation works. But it also means there’s no way to stop someone from sending zero-value transactions to your wallet using a fake address.
Address poisoning is a manipulation of user behaviour rather than a protocol issue, which is why it is so difficult to prevent.
How to spot and prevent address poisoning
Thankfully, consumers can take the following precautions to keep themselves safe:
1. Double-check every address
Never put your trust in the first or last characters. Always verify the entire address, especially for high-value transfers.
2. Avoid copying from the transaction history
Never select addresses from recent transactions. Use verified, saved addresses or QR codes when available.
3. Use test transactions
Before sending large amounts, send a small test transfer. If it doesn’t land correctly, don’t proceed.
4. Whitelist trusted addresses
Some wallets and exchanges allow you to whitelist known addresses. Once whitelisted, you can restrict withdrawals to only those addresses.
5. Use hardware wallets
Hardware wallets like Trezor or Ledger isolate private keys from online threats and offer screen verification before transactions are signed.
6. Watch for zero-value transactions
If you receive strange 0-value transfers or odd tokens in your wallet, do not interact with them. These are often poisoning attempts.
7. Enable wallet filters
Trezor Suite and some other apps now blur or warn about suspicious transactions that could be poisoning attempts.
What happens in case of such a scam?
If you fall for an address poisoning scam:
- Contact your wallet provider immediately via official channels.
- Do not attempt to reverse the transaction. Blockchain transfers are final.
- Report the incident to platforms like Chainabuse or local cybercrime authorities.
- Warn others. Others may also be in danger if the scam was conducted using a repurposed address.
Staying safe in an ever-evolving landscape of threats
While phishing scams and rug pulls remain widespread, address poisoning is quickly becoming the scam of choice for patient attackers targeting serious money.
Its low cost, high ROI, and reliance on human error make it an appealing option for bad actors. And as crypto adoption grows, so does the pool of potential victims.
But here’s the good news: awareness is a powerful weapon. Unlike some exploits that require code fixes or protocol changes, address poisoning can be mitigated through education, better wallet design, and user vigilance.
Scams will keep evolving—but so will defences.
The key is to stay sceptical, verify everything, and remember: in crypto, what looks familiar can sometimes be fatal.
