Address Poisoning
A scam where an attacker drops a fake wallet address that looks almost identical to one you use regularly into your transaction history, betting that you'll copy it later and send your crypto straight to them.
The simple version: a swapped business card
Imagine a scammer slips a card into your wallet that looks almost exactly like your friend's: same logo, almost the same phone number. Weeks later you grab "the" card without reading every digit and mail your check to a stranger. Address poisoning is the on-chain version. The attacker creates a wallet address whose first and last characters match someone you pay often, then makes sure it shows up in your transaction history. Later, if you copy it from there instead of from a trusted source, your funds go to them.
Why the trick works: we read the ends, not the middle
Wallets and block explorers don't show the full address. They shorten it, displaying only the first few and last few characters with dots in between. So we get used to recognizing an address by its ends. The scammer exploits exactly that: they generate a "vanity" lookalike whose start and end match your counterparty, while the middle is completely different, and the middle is the part nobody checks.
The zero-value transfer variant
One common technical version is the zero-value transfer. The attacker abuses an ERC-20 token function (transferFrom) to emit a transfer event without actually moving any tokens. Your wallet and block explorer read that event and display it as an ordinary incoming transfer, so the fake address looks like a real account you've already dealt with. Nothing left your wallet, but the bait now sits convincingly in your history.
How big is the problem?
| Signal | What's been observed |
|---|---|
| Attempts | Over 270M zero-value transfer attempts seen across Ethereum and BNB Chain (figure approximate) |
| Confirmed losses | Roughly $83M tied to these scams (approximate) |
| Growth | Chainalysis reported crypto sent to address-poisoning scams grew over 15,000% in 2024 |
| Targets | Scammers tend to aim at wallets holding higher-than-average balances |
A real case: in May 2024 a holder sent about $68M in wrapped bitcoin to a poisoned lookalike address. The attacker later returned the funds but still walked away with around $1.49M from the episode.
How to protect yourself
- Check every character: Verify the whole address, not just the first and last few
- Never copy from history: Don't reuse an address pulled from your transaction list; that's where the bait lives
- Keep an address book: Save the addresses you trust and send only to saved entries
- Send a test first: A small test transaction confirms the destination before you move a large amount
- Confirm on your device: A hardware wallet shows the real destination on its own screen for you to verify
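
The address-book and full-character checks above can be automated. The Python below is an added example, not code from this page: it compares every counterparty in a transfer history against a saved address book and flags any address that matches a trusted entry at the displayed ends but not in full. The 4-character head and tail, the record fields and all addresses are assumptions constructed for illustration.

```python
# Added example: flag address-poisoning bait in a wallet's transfer history.
# All addresses and transfers below are constructed sample data.

def normalize(addr):
    """Lower-case and drop the 0x prefix so checksum casing does not matter."""
    addr = addr.strip().lower()
    return addr[2:] if addr.startswith("0x") else addr

def is_lookalike(candidate, trusted, head=4, tail=4):
    """True when the ends a truncated display shows match but the address differs."""
    c, t = normalize(candidate), normalize(trusted)
    return c != t and c[:head] == t[:head] and c[-tail:] == t[-tail:]

def scan_history(transfers, address_book, head=4, tail=4):
    """Return one finding per transfer whose counterparty imitates a saved address."""
    findings = []
    for tx in transfers:
        for label, trusted in address_book.items():
            if is_lookalike(tx["counterparty"], trusted, head, tail):
                findings.append({
                    "tx": tx["id"],
                    "imitates": label,
                    "zero_value": tx["value"] == 0,  # the zero-value transfer variant
                })
    return findings

def is_saved_recipient(addr, address_book):
    """Allow a send only on a full-length match against the address book."""
    return normalize(addr) in {normalize(a) for a in address_book.values()}

# Constructed addresses: same first and last 4 hex characters, different middle.
TRUSTED = "0x52Ab" + "1" * 32 + "9f3C"
BAIT = "0x52ab" + "e" * 32 + "9f3c"
OTHER = "0x" + "7" * 40

ADDRESS_BOOK = {"exchange-deposit": TRUSTED}
HISTORY = [
    {"id": "t1", "counterparty": TRUSTED, "value": 250},
    {"id": "t2", "counterparty": BAIT, "value": 0},
    {"id": "t3", "counterparty": OTHER, "value": 12},
]

if __name__ == "__main__":
    for finding in scan_history(HISTORY, ADDRESS_BOOK):
        print(finding)
    print("bait allowed as recipient:", is_saved_recipient(BAIT, ADDRESS_BOOK))
```
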
FAQ
- I got a tiny mystery transaction I didn't make. Was my wallet hacked?
- Almost certainly not. The poisoning transaction by itself does no damage and never touches your private key. It's just bait sitting in your history. The scam only works if you later copy that fake address and send funds to it yourself.
- How do I avoid falling for address poisoning?
- Never copy an address from your transaction history. Save the addresses you trust in an address book, and check every character of an address before you send, not just the first and last few. Sending a small test amount first is a cheap safety net.
- If I send to the wrong address, can I get my money back?
- No. Blockchain transactions are irreversible. Once the funds reach the attacker's address there is no bank or support line that can claw them back. That's why checking before you send matters so much.