
Address Poisoning Attacks: How a 0.00 Transaction Drains Wallets

Address poisoning sends a $0 dust transfer from a look-alike address, then waits for you to copy-paste it. Billions of transactions later, users keep losing millions.


What address poisoning actually is

An address poisoning attack is a low-cost trick that targets a person, not a protocol. The attacker watches public blockchains, finds an address that has funds, and then sends a tiny amount of a token from a new wallet they control. The new wallet is engineered to look almost identical to the victim's real address: the first four to six characters match, and so do the last four to six. Everything in the middle is different.

That dust transaction now sits in the victim's transaction history. Most wallets display a recent list of "sent to" or "interacted with" addresses, often truncated. When the user later needs to send funds to that same counterparty, they search, glance, and copy. They copy the poisoned entry. The actual transfer goes to the attacker, not the merchant, friend, or exchange they thought they were paying.

It is worth being clear about what is and isn't happening. The blockchain is not being hacked. The wallet software is not compromised. The private key is not leaked. No signature is being phished at the moment of the dust send. The attacker is essentially leaving a visually convincing business card in your history, then waiting for a moment of inattention. The cost to the attacker is fractions of a cent. The cost to the victim, if they fall for it, can be everything they own.

The real cost of a "free" transaction

Because the on-chain fee for a simple token transfer is low (and on some networks subsidized), an attacker can blanket thousands of addresses with dust in a single afternoon. Most of those poisoned addresses will never be tapped. The attacker only needs one victim in a thousand to send a large payment to the wrong place.

The financial damage adds up. SlowMist and other on-chain investigators have tracked individual victims losing anywhere from a few thousand to over a million dollars in a single mistaken transfer. In one widely reported case in May 2024, a trader sent roughly $68 million of wrapped bitcoin to a poisoned address in a single transaction. The technique has been used to steal from individuals, from employees at crypto companies, and from treasury operations at smaller protocols. Chainalysis and similar firms have repeatedly categorized address poisoning as one of the most financially damaging non-protocol exploits in crypto, in the same general tier as phishing and approval scams.

The asymmetry is what makes it attractive to criminals. Spending $5 of gas to potentially steal $50,000 is an excellent bet. Spending $50 of gas across ten thousand addresses to potentially steal $500,000 is even better. This is not sophisticated hacking; it is direct-response marketing aimed at the part of your brain that pattern-matches on the first and last characters of a string.

How a vanity poisoning address is funded

Creating an address that begins and ends with the same characters as a target address is a brute-force problem: generate a private key, derive the address, check the ends, repeat. Addresses are far too long to match in full (an Ethereum address is 40 hexadecimal characters after the 0x prefix, 160 bits of key-derived data; a Bitcoin address runs 26 to 62 characters depending on the format), but a partial match is cheap, and each additional matched hex character only multiplies the work by 16. Four characters at the front and four at the back is 16^8, about 4.3 billion candidates on average, which a GPU clears in seconds. Six and six is 16^12, about 2.8 × 10^14: days on a single consumer GPU, hours for an operator renting a rack of them. Only the hex digits are matched; the 0x prefix and the checksum capitalization play no part in the search.

Attackers automate this. A script generates private keys, derives the public address, and checks whether the address starts with the chosen prefix and suffix. When it finds a match, the script funds the new address with a small balance of ETH (to pay gas) and a tiny balance of a popular token, often USDT or USDC. The dust transfer is then sent to the victim. From the victim's perspective, the poisoned address now shows up in their history with a legitimate-looking $0.00 token receive.

The funding step itself is worth understanding. Some attackers use mixers, some use freshly funded wallets from centralized exchanges with weak KYC, and some use stolen funds. On-chain analytics firms have traced batches of poisoning transactions to the same funding sources, suggesting a small number of organized operators rather than millions of independent scammers. That doesn't make the attacks easier to defend against; if anything, it means a handful of skilled, well-capitalized teams are running this play at scale across chains.

Why the wallet history makes the trick work

The failure point is not the technology. It's the interface. After months or years of using a wallet, almost every user has a long history of transactions. Wallets are designed to make frequent recipients easy to find: you search, you scroll, you click. Many wallets truncate addresses in the history list, showing only the first six and last four characters by default. The middle is hidden behind an ellipsis, a "show full address" toggle, or simply not displayed at all.

That truncation is sensible from a design standpoint. Hexadecimal strings are unreadable, and showing the full address for every transaction would make the history list a wall of indistinguishable noise. But the same feature that improves legibility is the feature the attacker exploits. When a user sees two addresses that both start with 0xAbCd and both end with ...1234, they assume they are the same address. They are not. A six-character prefix plus a four-character suffix is only 40 of the address's 160 bits: 2^120 different Ethereum addresses share any given ten-character pattern, and an attacker needs on average about 2^40 (roughly a trillion) random keys to land on one, which is well within reach of a GPU. These matches are not chance collisions; they are manufactured to order.

The moment of copy-paste is the moment of failure. The user is in a hurry, paying an invoice, racing a market move, or paying an over-the-counter trading counterparty. They open the wallet, find the familiar-looking address in history, click it, confirm the transaction on a small screen, and send. On a hardware wallet, they may glance at the device screen, see a string that begins and ends the way they expect, and approve. The full address never enters conscious attention. This is the entire attack: it works because humans cannot reliably read long alphanumeric strings, and wallets are not designed to force them to.

What a poisoned transaction looks like on Etherscan

On a block explorer like Etherscan or Solscan, a poisoning transaction is visually unremarkable. It is a normal ERC-20 (or SPL, on Solana) token transfer. The from address is a fresh wallet with no prior history. The to address is the victim. The token is usually USDT or USDC, or a counterfeit token that copies a popular ticker, chosen because a stablecoin-style decimal display renders the amount as "0.00". The value is typically the minimum unit, such as 0.000001 of the token, displayed as "0.00" in the wallet UI. A variant needs no token balance at all: many ERC-20 contracts accept transferFrom with an amount of zero from any caller, because zero never exceeds an allowance, so the attacker can emit a Transfer event from the victim to the look-alike address. That shows up in the victim's history as an outbound "sent" entry to the poisoned address, which is even more convincing than an inbound one; Etherscan labels such rows as zero-value token transfers.

The victim's reaction is the danger. Many users notice a $0.00 receive and think nothing of it. Some wallets label it as "airdrop" or "incoming," which sounds free and harmless. The transaction confirms, the poisoned address is now in the user's history, and the trap is set. The next time the user needs to pay the real counterparty, the poisoned entry is right there, one click away.

On Etherscan, you can also see the attacker's next step. After the dust send, the attacker's wallet sits idle, sometimes for days, weeks, or months. It is not connected to any known exchange, mixer withdrawal, or other service. It is just a holding wallet. Then, if a victim ever does send funds to it, the attacker sweeps the balance to a new address within minutes, often breaking it up across several wallets to complicate tracing. This is the same playbook used in classic address-spoofing scams, just adapted for the speed of crypto.
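
The history-side signature described in the last three sections (two entries that render identically when truncated, one backed by real outbound payments and the other by nothing but a dust receive or a zero-value "sent" row) is mechanical enough that a wallet can flag it before the signing screen. The following is an added example of that check, written for this page rather than taken from any wallet's code; the transaction history is constructed, and the six-plus-four truncation and the 0.01 dust threshold are assumptions standing in for whatever a real wallet uses.

```python
"""Flagging address-poisoning entries in a wallet's transaction history.
Added illustration, not any wallet's real code. The history is constructed
and the prefix/suffix/dust thresholds are assumptions, not a vendor's policy.
Addresses are treated as hex (Ethereum-style); for case-sensitive Base58
formats such as Solana or legacy Bitcoin, drop the lower() normalisation."""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Tx:
    direction: str      # "in" or "out", from the wallet owner's point of view
    counterparty: str   # the other party's address, 0x-prefixed hex
    token: str
    amount: Decimal


def visible_key(addr: str, prefix: int = 6, suffix: int = 4):
    """What a truncated history row shows: 0x + first `prefix` hex chars, last `suffix`."""
    a = addr.lower()
    return a[:2 + prefix], a[len(a) - suffix:]


def first_difference(a: str, b: str) -> int:
    """Index of the first differing character (case-insensitive), or -1 if equal:
    the whole-string comparison a user should make instead of prefix + suffix."""
    a, b = a.lower(), b.lower()
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return -1 if len(a) == len(b) else min(len(a), len(b))


def trusted_counterparties(history):
    """Addresses the owner has actually paid: outbound rows with a non-zero amount.
    A zero-value "sent" row earns no trust; on many ERC-20 tokens anyone can create
    one with transferFrom(victim, attacker, 0), since 0 never exceeds an allowance."""
    return {t.counterparty.lower() for t in history if t.direction == "out" and t.amount > 0}


def lookalike_groups(history, prefix=6, suffix=4):
    """Sets of distinct addresses whose truncated display is identical."""
    groups = {}
    for t in history:
        key = visible_key(t.counterparty, prefix, suffix)
        groups.setdefault(key, set()).add(t.counterparty.lower())
    return {k: v for k, v in groups.items() if len(v) > 1}


def poisoned_addresses(history, dust=Decimal("0.01"), prefix=6, suffix=4):
    """Untrusted addresses that collide on screen with another address and appear
    only as dust receives or zero-value sends: the poisoning signature."""
    trusted = trusted_counterparties(history)
    groups = lookalike_groups(history, prefix, suffix)
    flagged = set()
    for t in history:
        a = t.counterparty.lower()
        if a in trusted or visible_key(a, prefix, suffix) not in groups:
            continue
        if (t.direction == "in" and t.amount <= dust) or (t.direction == "out" and t.amount == 0):
            flagged.add(a)
    return flagged


def check_send(recipient: str, history, prefix=6, suffix=4):
    """Pre-signing warnings for a recipient picked from history; empty list means clean."""
    r, warnings = recipient.lower(), []
    if r in poisoned_addresses(history, prefix=prefix, suffix=suffix):
        warnings.append("recipient matches the poisoning pattern: dust/zero-value rows only")
    for known in trusted_counterparties(history):
        if known != r and visible_key(known, prefix, suffix) == visible_key(r, prefix, suffix):
            warnings.append(f"look-alike of trusted {known}; first difference at char {first_difference(known, r)}")
    return warnings


# Constructed history: REAL is a merchant the owner has paid, FAKE shares REAL's
# first six and last four hex characters, OTHER is an unrelated counterparty.
REAL = "0xabcd00" + "112233445566778899aabbccddeeff" + "1234"
FAKE = "0xabcd00" + "ffeeddccbbaa998877665544332211" + "1234"
OTHER = "0x9f8e7d6c5b4a39281706f5e4d3c2b1a0deadbeef"
HISTORY = [
    Tx("out", REAL, "USDT", Decimal("1500")),       # genuine payment
    Tx("in", FAKE, "USDT", Decimal("0.000001")),    # dust from the look-alike
    Tx("out", FAKE, "USDT", Decimal("0")),          # zero-value transferFrom(owner, FAKE, 0)
    Tx("out", OTHER, "USDC", Decimal("20")),
]

if __name__ == "__main__":
    print("flagged:", poisoned_addresses(HISTORY))
    for candidate in (REAL, FAKE):
        print(candidate, "->", check_send(candidate, HISTORY) or "ok")
```

check_send is the pre-signing hook: a clean recipient returns an empty list, the poisoned one returns two warnings, and first_difference tells the user exactly where to look (character 8 here, immediately after the matching prefix). The trust rule is the important design choice: only non-zero outbound payments make an address trusted, so the zero-value "sent" row the attacker can forge does not launder the look-alike into the trusted set.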

What you should do the moment you notice dust

Spotting a small token transfer you don't recognize is, ironically, a useful early warning. Treat any unexpected $0.00 receive as a potential attack in progress, not free money.

The right response, in order:

  • Do not interact with the token. Don't try to swap it, send it, or "clean it up." Some dust is a scam token whose contract or "swap" page asks you to sign an approval to the attacker's contract, layering an approval drain on top of the poisoning.
  • Find the source address on a block explorer and confirm that you have not previously sent funds to it. If you have not, treat it as malicious.
  • Hide or label the address in your wallet. Most major wallets now let you right-click or long-press a transaction and add a note. Label the poisoned entry clearly ("DO NOT SEND, ATTACKER") so the next time you search, the visual cue is unambiguous.
  • Optionally, hide the entry so it can never be selected. On account-based chains the dust is a token balance, not a UTXO: Phantom (Solana) lets you mark a token as hidden, and in MetaMask you can add the attacker's address to Contacts under a warning name so the label shows wherever the address appears. On Bitcoin the dust arrives as a UTXO: in Sparrow, Electrum, and other wallets with coin control, freeze it so it is never selected for spending. Do not sweep it to "clean up"; co-spending it with your other coins tells whoever sent the dust which of your addresses belong together, and costs fees for nothing.
  • Be alert for a follow-up. Some attackers send dust, then wait weeks before sending a second, slightly larger transaction designed to "confirm" the address in your memory. If you see two suspicious receives with similar patterns, assume the attack is active.

The single most important habit, though, is the one that is hardest to build: verify the full destination address on every transaction, every time, on a trusted screen.

How to verify the full address on a hardware wallet

Software wallets can lie to you. Not deliberately, but through malware, browser extensions, or clipboard-hijacking software that swaps the address the moment you paste it. Hardware wallets are the strongest defense precisely because they display the address on a small, dedicated screen that the computer cannot modify. That screen is your last line of defense.

The discipline is to never trust the computer's display. The process:

  • Initiate the transaction in your software wallet (browser extension, desktop app, or mobile app).
  • On the hardware wallet's screen, the device will display the destination address. Read the full string, not the first and last few characters.
  • Compare it character by character against a known-good source. For payments to a known counterparty, this means the address they sent you out-of-band (email, signed PDF, voice call) before the payment, not the address shown in the previous transaction history.
  • For Ethereum specifically, use the EIP-55 checksum casing as an extra check. In a checksummed address the hex letters are upper- or lower-cased according to a hash of the entire address, so a look-alike whose middle differs will almost always show different capitalization in the letters of the prefix and suffix too. An all-lowercase address is still valid (checksumming is optional, and some wallets display addresses that way), so the casing is a supplement to reading the whole string, never a replacement for it. If the expected address is mixed-case and the one in front of you has the same hex digits with different capitalization, stop.
  • For Bitcoin, know what the format gives you. Every native SegWit address starts with bc1q (bc1p for Taproot), and legacy and P2SH addresses start with 1 or 3, so a "matching" first few characters carries no information; compare the characters after the fixed prefix, and the whole string, not just the ends. Both Base58Check and bech32 addresses carry a checksum, which rejects typos but says nothing about a deliberately generated look-alike, which is a perfectly valid address.
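
Two steps above are easy to hand-wave: how the attacker manufactures an address with the right prefix and suffix (the section on funding a vanity poisoning address) and what the EIP-55 casing check in the list above actually buys you. The added example below shows both. It is illustration written for this page, not the page's or any tool's code: it implements Keccak-256 and secp256k1 inline so it runs with nothing but the Python standard library, grinds sequential keys with one curve addition per candidate (matching is case-insensitive on the hex digits, as the attacker's is), and then compares the checksum casing of the visible characters of the real and the look-alike address. Every key value and match length used to exercise it is constructed; production tooling does the same search on GPUs.

```python
"""Grinding a look-alike Ethereum address, plus the EIP-55 casing check. Added
illustration, not the page's code: standard-library Python only, with Keccak-256
and secp256k1 inlined because hashlib has no Keccak; real tools use GPUs."""
import os
_RC = [0x1, 0x8082, 0x800000000000808A, 0x8000000080008000, 0x808B, 0x80000001,
       0x8000000080008081, 0x8000000000008009, 0x8A, 0x88, 0x80008009, 0x8000000A,
       0x8000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
       0x8000000000008002, 0x8000000000000080, 0x800A, 0x800000008000000A,
       0x8000000080008081, 0x8000000000008080, 0x80000001, 0x8000000080008008]
_ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
        [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]  # rho rotation offsets, [x][y]

def _rol(v, n):
    return ((v << n) | (v >> (64 - n))) & 0xFFFFFFFFFFFFFFFF if n else v

def _keccak_f(a):  # Keccak-f[1600] over 25 64-bit lanes, lane index x + 5*y
    for rc in _RC:
        c = [a[x] ^ a[x + 5] ^ a[x + 10] ^ a[x + 15] ^ a[x + 20] for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        a = [a[i] ^ d[i % 5] for i in range(25)]  # theta
        b = [0] * 25
        for x in range(5):
            for y in range(5):
                b[y + 5 * ((2 * x + 3 * y) % 5)] = _rol(a[x + 5 * y], _ROT[x][y])  # rho, pi
        a = [b[i] ^ (~b[(i + 1) % 5 + 5 * (i // 5)] & b[(i + 2) % 5 + 5 * (i // 5)]) for i in range(25)]  # chi
        a[0] ^= rc  # iota
    return a

def keccak256(data: bytes) -> bytes:
    """Original Keccak-256 (0x01 padding) as Ethereum uses it, not SHA3-256."""
    rate = 136
    buf = bytearray(data) + b"\x01" + b"\x00" * (-(len(data) + 1) % rate)
    buf[-1] |= 0x80
    st = [0] * 25
    for off in range(0, len(buf), rate):
        for i in range(rate // 8):
            st[i] ^= int.from_bytes(buf[off + 8 * i:off + 8 * i + 8], "little")
        st = _keccak_f(st)
    return b"".join(st[i].to_bytes(8, "little") for i in range(4))

# secp256k1 in affine coordinates: slow, but enough to show the search loop.
_P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
_G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
      0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def _ec_add(p, q):
    if p is None or q is None: return p or q
    (x1, y1), (x2, y2) = p, q
    if x1 == x2:
        if (y1 + y2) % _P == 0: return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, _P) % _P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % _P, -1, _P) % _P
    x3 = (lam * lam - x1 - x2) % _P
    return x3, (lam * (x1 - x3) - y1) % _P

def _ec_mul(k, p):
    r = None
    while k:
        if k & 1: r = _ec_add(r, p)
        p, k = _ec_add(p, p), k >> 1
    return r

def address_from_point(pt):
    x, y = pt
    return "0x" + keccak256(x.to_bytes(32, "big") + y.to_bytes(32, "big"))[-20:].hex()

def address_from_private_key(k: int) -> str:
    return address_from_point(_ec_mul(k, _G))

def to_checksum_address(addr: str) -> str:
    """EIP-55: uppercase hex letter i when nibble i of keccak(lowercase address) >= 8."""
    body = addr[2:].lower()
    h = keccak256(body.encode()).hex()
    return "0x" + "".join(ch.upper() if int(h[i], 16) >= 8 else ch for i, ch in enumerate(body))

def grind_lookalike(target: str, prefix: int, suffix: int, start_key: int = 0):
    """Walk keys k, k+1, ... (one EC addition per step, not a full scalar multiply)
    until the hex prefix/suffix matches `target`; expected trials 16 ** (prefix + suffix)."""
    body = target[2:].lower()
    want_pre, want_suf = body[:prefix], body[len(body) - suffix:]
    k = start_key or int.from_bytes(os.urandom(32), "big") % (_N - 1) + 1
    pt, trials = _ec_mul(k, _G), 0
    while True:
        trials += 1
        a = address_from_point(pt)[2:]
        if a != body and a.startswith(want_pre) and a.endswith(want_suf):
            return k, "0x" + a, trials
        k, pt = k + 1, _ec_add(pt, _G)

def visible_casing_matches(real: str, fake: str, prefix: int, suffix: int) -> bool:
    """By-eye check: do the EIP-55 cases of the displayed prefix and suffix agree? Casing
    depends on a hash of the whole address, so a different middle usually changes it
    (unless the shown characters are all digits, or the attacker also ground for case)."""
    r, f = to_checksum_address(real)[2:], to_checksum_address(fake)[2:]
    return r[:prefix] == f[:prefix] and r[len(r) - suffix:] == f[len(f) - suffix:]
```

Calling grind_lookalike(address_from_private_key(0xC0FFEE), prefix=2, suffix=1) with a constructed victim key like that takes a few seconds in pure Python (16^3, about 4,096 candidates on average) and returns a key, its address, and the trial count; every extra matched character multiplies that by 16, which is the whole cost model of the attack. visible_casing_matches on the victim and the result usually reports False, and that is exactly what the checksum check in the list above exploits: the attacker matched hex digits, not the hash-derived capitalization.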

Yes, this is tedious. Yes, you will get bored and want to skip it for the fifth small payment of the day. That boredom is the attacker's business model. The same way a seatbelt is uncomfortable and slow but saves your life, address verification is a small tax on every transaction that prevents a catastrophic one.

What wallet and exchange teams are doing about it

The good news is that the industry is no longer ignoring the problem. The bad news is that the defenses are uneven across wallets.

Some wallet providers now detect known poisoning patterns and warn users before signing. MetaMask, for example, has shipped warnings when a user is about to send funds to an address that has sent them dust in the past, and Phantom has added similar alerts on Solana. Trezor and Ledger display the full destination address on the device, paged across screens where it does not fit, and require you to confirm it there rather than on the host computer. Etherscan and BscScan display "Phishing" or "Reported" labels on addresses that have been flagged by the community.

None of these are perfect. Attackers rotate addresses, so blocklists lag. Warnings can be ignored. Hardware verification can be skipped. The fundamental fix is cultural: the average user has to internalize that addresses are long, look-alike collisions are common, and the only way to be sure is to read the whole string. Until that becomes a default habit, address poisoning will continue to be one of the cheapest and most effective scams in crypto.

How to follow address poisoning news the smart way

Address poisoning tactics evolve quickly, and the patterns that worked in 2023 already look different in 2025. Attackers test new chains (Base, Arbitrum, and TON have all seen recent waves), new token standards, and new tricks like address-matching in ENS names and in URL-style wallet handles. Tracking the threat landscape manually is a losing game for any individual user. Zippfeed surfaces security headlines and on-chain incident reports with sentiment scoring (bullish, neutral, or bearish) and an importance rating, so you can spot the latest poisoning campaigns, freeze suspicious UTXOs, and verify the next address you actually intend to send to.

Frequently asked questions

Is address poisoning actually a real threat?
Yes, and it is one of the most financially damaging non-protocol scams in crypto. On-chain investigators have tracked individual victims losing millions from a single mistaken transfer, and the technique is actively used on Ethereum, Bitcoin, Solana, and most major L2s. The threat is not hypothetical, and it is not going away.
How does address poisoning work?
An attacker generates a fresh wallet whose address starts and ends with the same characters as a real address you have used. They send you a tiny dust transfer (often $0.00 of USDT or USDC) so the poisoned address appears in your wallet history. Later, when you copy that address in a hurry, the funds go to the attacker instead of the real recipient. No private key or signature is compromised in the dust step itself; the attack exploits visual confusion, not cryptography.
Should I send back the dust tokens I received?
No. Interacting with an unknown token can trigger hidden approvals or expose you to a second-layer scam. The safest move is to leave the token untouched, label the source address as malicious in your wallet, and hide the token from view (on Bitcoin, freeze the dust UTXO with coin control so it is never spent). Treat unexpected dust as a warning, not a gift.
Can a hardware wallet fully protect me from address poisoning?
A hardware wallet makes you much safer because it displays the full destination address on a trusted screen that your computer cannot tamper with. But it is not magic. If you skip the visual check and approve what looks like the right first and last four characters, the hardware wallet will dutifully sign the wrong destination. The protection is only as strong as your habit of reading the full string before approving.