Address Poisoning Scam: How It Works and How to Avoid It
Picture sending crypto the way you usually do. You open your wallet, glance at your transaction history, copy the address you have used a dozen times, paste it, and hit send. The transfer confirms in seconds. The only problem is that the money just landed with a stranger who spent real computing power to create an address that looks almost exactly like yours, and the blockchain did precisely what you told it to. That, in a sentence, is address poisoning: no stolen keys, no malware, just a fake version of you planted inside your own records. This guide explains how the scam works, the three forms it takes, how much people are actually losing, and the handful of habits that stop address poisoning scams before you send funds to the wrong place.
What address poisoning actually is
Address poisoning is a phishing attack aimed at your memory and your screen, not at the cryptography underneath. Your private keys are never touched. Nothing is drained, decrypted, or hacked. Instead, the scam leans on one lazy human habit: a blockchain address is a long, unreadable jumble of letters and numbers (something like 0x4a3f...c91d), and almost nobody reads the whole thing. We check the first four characters, check the last four, shrug, and move on.
That shrug is the entire vulnerability. Produce an address that shares those visible characters, get it in front of someone who already trusts it, and you have a decent shot at being paid by accident. The cruel part is what comes next. On-chain transfers are final, so there is no bank to call and no charge to reverse; the second you confirm, the money belongs to someone else. Insurance and chargebacks, the safety nets that bail people out in traditional finance, simply do not exist here. Address poisoning does not break the blockchain. It breaks your attention, then lets the chain do exactly what your attention missed.

How address poisoning works in crypto
Although the result feels like magic, the mechanism is mundane. A successful address poisoning attack runs in three steps that anyone studying the chain can reproduce.
Step 1: generating a lookalike address
First the attacker picks a target, usually an address that moves money often, then runs a vanity address generator. The software grinds through candidate keypairs until it finds one whose address starts and ends with the same characters as an address the victim regularly sends to. Matching a handful of characters is cheap, which is the uncomfortable part: after Ethereum's Fusaka upgrade lowered fees, one analysis found attackers deploying three million dust transfers for roughly $5,175 in total. At those prices, poisoning is run like a factory, not a heist.
Step 2: poisoning your transaction history
Next the attacker plants that lookalike address inside your records, so it shows up looking like something you have dealt with before. They might send you a tiny amount of a real token, or trigger a zero-value transfer, or push a fake token your way. However it is done, the goal is identical: get the fake address to sit in your history next to the real one, wearing the same first and last characters.
Step 3: the copy-paste trap
Then they wait. The next time you go to pay your usual recipient, you reach for convenience and copy the address straight from your recent transaction history. The visible characters match, nothing looks off, and you send. Do it on autopilot and you may accidentally send tokens to the lookalike address instead of the one you meant. The blockchain executes the transfer correctly, just to the wrong person. This is why address poisoning is sometimes called the copy-and-paste trap, and why it works on careful, experienced users as readily as on beginners. What makes it so effective is the timing — the poisoning entry is often slipped in within minutes of a real transaction, so the fake address sits exactly where your eye expects the genuine one to be. You are not being careless so much as being efficient, and efficiency is precisely what the attacker is counting on.
The three types of address poisoning
A 2025 academic study from Carnegie Mellon sorted real-world attacks into three forms. They differ in how the fake address gets planted, which changes what you should distrust in your history.
| Type | How the fake address is planted | The tell |
|---|---|---|
| Tiny (dust) transfer | A real but minuscule token amount sent from the lookalike address | A trivial, unexpected incoming amount |
| Zero-value transfer | A transfer of "0" tokens that still records a Transfer event in your history | Shows your own address as the sender, value 0 |
| Counterfeit token | A fake contract mimicking a real token (a forged USDT or USDC) | Token name looks right, contract address does not |
Of the three, the zero-value transfer is the address poisoning variant that confuses people most, because it can appear to come from your own address. That is possible because some token contracts let anyone emit a "Transfer" event for zero tokens without the owner's permission, so the attacker scripts an entry that your wallet faithfully displays. Historically, BNB Smart Chain saw far more attempts than Ethereum thanks to lower fees, but the Fusaka fee cut flipped that, pushing the bulk of activity onto Ethereum.
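To make the three tells in the table concrete, here is an added example (not code from any wallet or from the study) that scans a transaction history and flags entries that should never be used as a copy source. Every address, contract, and threshold in it is a constructed assumption.

```python
from collections import namedtuple

SHOWN = 4    # hex characters a wallet shows at each end (assumption)
DUST = 0.01  # "trivial amount" cutoff in token units (assumption)

# Constructed sample values: none of these are real addresses or contracts.
ME = "0x" + "5e" * 20
PAYEE = "0x4a3f11112222333344445555666677778888c91d"  # verified recipient
FAKE = "0x4a3f9999aaaabbbbccccddddeeeeffff0000c91d"   # same ends, different middle
USDT = "0x" + "a1" * 20    # placeholder for the contract you verified
BOGUS = "0x" + "b2" * 20   # different contract reusing the "USDT" symbol
TRUSTED = {PAYEE}          # stored lower-case
KNOWN_TOKENS = {"USDT": USDT}

Transfer = namedtuple("Transfer", "sender recipient symbol contract amount")

def is_lookalike(addr, trusted=TRUSTED, n=SHOWN):
    """True if addr matches a trusted address at both visible ends but is not it."""
    a = addr.lower()[2:]
    return any(a != t[2:] and a[:n] == t[2:2 + n] and a[-n:] == t[-n:]
               for t in trusted)

def flag_transfer(t, me=ME):
    """Return the reasons a history entry must not be used as an address source."""
    incoming = t.recipient.lower() == me.lower()
    other = (t.sender if incoming else t.recipient).lower()
    reasons = []
    if is_lookalike(other):
        reasons.append("lookalike")
    if t.amount == 0:
        reasons.append("zero-value")       # may list your own address as sender
    elif incoming and t.amount < DUST and other not in TRUSTED:
        reasons.append("dust")
    if t.symbol in KNOWN_TOKENS and t.contract.lower() != KNOWN_TOKENS[t.symbol]:
        reasons.append("counterfeit-token")  # right name, wrong contract
    return reasons

HISTORY = [
    Transfer(ME, PAYEE, "USDT", USDT, 500.0),  # genuine payment
    Transfer(ME, FAKE, "USDT", USDT, 0.0),     # zero-value entry
    Transfer(FAKE, ME, "USDT", USDT, 0.001),   # dust transfer
    Transfer(FAKE, ME, "USDT", BOGUS, 500.0),  # counterfeit token
]

def scan(history=HISTORY):
    return [flag_transfer(t) for t in history]

if __name__ == "__main__":
    for entry, reasons in zip(HISTORY, scan()):
        print(entry.recipient if entry.sender == ME else entry.sender, reasons or "ok")
```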
How much money address poisoning steals
Address poisoning sounds like a rounding error until you add it up. The figures below are dated on purpose, because in this corner of crypto the numbers move fast and last year's totals understate the problem badly.
| Case or measure | Amount | When | Outcome |
|---|---|---|---|
| Carnegie Mellon / USENIX study (ETH + BSC) | 270M attempts, $83.8M lost, 17M victims | Jul 2022 to Jun 2024 | Largest study to date |
| Wrapped Bitcoin whale | ~$68M sent to lookalike | May 2024 | Funds returned; attacker netted ~$1.49M |
| Single USDT victim | $49.9M | Dec 2025 | Laundered through Tornado Cash |
| Ethereum losses (ScamSniffer) | $62M | Dec 2025 to Jan 2026 | Two-month total |
A couple of those cases are worth pausing on. The wrapped-bitcoin victim, who nearly lost about $68 million in May 2024, actually got the funds back, because the attacker (after laundering and negotiation) returned the bulk and walked away with roughly $1.49 million; investigators later tied that single campaign to 82,031 spoofed addresses. Almost no one is that lucky. The $49.9 million USDT victim in December 2025 saw the money disappear straight into Tornado Cash, with no return and no recourse.
The trend is the genuinely worrying part. After the Fusaka upgrade cut Ethereum fees, monthly poisoning attempts on the network jumped more than fivefold, and in January 2026 Citi flagged that Ethereum's record of 2.8 million transactions a day was driven largely by poisoning spam rather than real economic use. By early 2026, industry estimates of cumulative losses had reached around half a billion dollars. What unsettles me is not the cleverness of the scam but the price of it: a few thousand dollars in fees buys millions of attempts, and the attacker only needs one of them to land.

Poisoning vs spoofing vs IP poisoning
The word "poisoning" gets stretched across very different attacks, so it helps to separate them. Address poisoning, the subject here, is the crypto scam that plants a lookalike address in your history. Address spoofing is broader and usually means faking the apparent sender of a message or transaction to impersonate someone. And "IP poisoning," which people sometimes search for by mistake, refers to network attacks like ARP or DNS cache poisoning that have nothing to do with crypto wallets. Same verb, three unrelated worlds.
How to protect yourself from address poisoning
Almost every defense against address poisoning reduces to one rule: never trust your own transaction history, and never copy addresses straight out of it. The fake address lives there precisely because that is where you look. Build a few habits around that idea and the attack mostly stops working.
Verify the whole address, never first-and-last
Check the entire string, or at least a generous chunk from the middle as well as the ends. The attacker can match the first and last few characters cheaply, but matching a long run through the middle is far harder. Most modern wallets follow the EIP-55 checksum standard, and newer display conventions highlight more of the address so mismatches are easier to spot. Keep in mind that a checksum catches a mistyped character, not a different, validly formed address, so it is no substitute for comparing the whole string.
Use an address book, never copy from history
Save each recipient's address once, after you have verified it from a trusted source, and from then on send from that saved contact instead of copying addresses from recent transactions. Wallets like MetaMask call this Contacts; the principle is the same everywhere. The saved entry cannot be poisoned by an incoming transfer, which is the entire point.
Test transactions, hardware screens, and payout allowlists
For anything large, send a small test amount first and confirm the recipient address is correct before sending the rest; the few cents in fees are cheap insurance against a seven-figure mistake. Hardware wallets help here too, because they show the real destination on a separate screen that malware on your computer cannot quietly rewrite. Businesses running frequent crypto payouts are especially exposed, since they copy and paste addresses all day and often delegate the task to staff who may never have heard of poisoning, so locking payouts to a pre-approved allowlist (a fixed set of vetted destinations the system will not deviate from) removes the moment of human error entirely. If you accept crypto payments through a gateway, check whether it already pins withdrawal addresses for exactly this reason.
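The full-address check and the payout allowlist described above can be enforced in one pre-send gate. This is an added example, not code from any wallet or gateway; the address book, label, and addresses are constructed assumptions.

```python
# Constructed address book: label -> address verified once from a trusted source.
# The addresses are made up for this example.
ADDRESS_BOOK = {"supplier": "0x4a3f11112222333344445555666677778888c91d"}
SHOWN = 4  # hex characters a truncated wallet display shows at each end (assumption)

def normalize(addr):
    """Lower-case a 20-byte hex address, rejecting anything malformed.

    Hex letter case only carries the EIP-55 checksum, so the comparison
    below is done case-insensitively on all 40 hex characters.
    """
    a = addr.strip().lower()
    if len(a) != 42 or not a.startswith("0x") or set(a[2:]) - set("0123456789abcdef"):
        raise ValueError("not a 20-byte hex address: %r" % addr)
    return a

def mismatch_mask(saved, dest):
    """Mark every position where the two addresses differ with '^'."""
    return "".join(" " if x == y else "^" for x, y in zip(saved, dest))

def check_payout(label, destination, book=ADDRESS_BOOK):
    """Return (decision, reason, mask); only an exact full-length match is allowed."""
    if label not in book:
        return ("block", "no verified contact with this label", "")
    saved, dest = normalize(book[label]), normalize(destination)
    if dest == saved:
        return ("allow", "all 40 hex characters match the saved contact", "")
    ends = dest[2:2 + SHOWN] == saved[2:2 + SHOWN] and dest[-SHOWN:] == saved[-SHOWN:]
    reason = ("lookalike: visible ends match, middle differs" if ends
              else "destination is not the saved contact")
    return ("block", reason, mismatch_mask(saved, dest))

if __name__ == "__main__":
    pasted = "0x4a3f9999aaaabbbbccccddddeeeeffff0000c91d"  # constructed lookalike
    decision, reason, mask = check_payout("supplier", pasted)
    print(decision, "-", reason)
    print(ADDRESS_BOOK["supplier"])
    print(pasted)
    print(mask)  # carets sit under the 32 middle characters that differ
```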
What wallets and exchanges are doing
The tooling is catching up, though none of it replaces the habits above. Block explorers like Etherscan now hide or flag zero-value transfers so they stop cluttering your history. Ledger Live and Trezor Suite filter suspicious entries, and in March 2026 Trust Wallet rolled out automatic address-poisoning protection across 32 chains. Centralized exchanges carry their own version of the risk, because users reuse the same deposit address repeatedly, so a poisoned entry there can be just as costly. None of this is foolproof, either — a determined attacker can still slip a fresh lookalike past a filter that has not encountered it yet — so the tooling buys you margin rather than immunity. Treat every one of these features as a safety net stretched under your own caution, never as a replacement for it.
Who gets targeted, and the takeaway
It is tempting to assume only careless newcomers fall for this, but the data says the opposite. The biggest losses hit active, experienced senders and businesses, exactly the people who move funds often and have trained themselves to paste quickly without a second look. Address poisoning is cheap to run, final when it works, and built entirely around a habit almost all of us share, which is what makes it so durable as a scam. Awareness is genuinely most of the cure here, because once you know the trap exists, the single act of verifying a full address defuses it. The real question is not whether you understand the scam. It is whether you would still catch it at two in the morning, on your phone, paying someone you have paid a hundred times before.