Address Poisoning in Crypto: How Fake Addresses Steal Millions

Crypto address poisoning attacks are a growing scam where attackers inject near-identical wallet addresses into your transaction history, then wait for you to copy the wrong one. A single mistake can route your assets to a wallet you do not control.

How the Attack Gets Into Your Transaction History

Every blockchain transaction is public. Attackers write bots that monitor activity on major chains and watch for patterns in your sending history. Once they identify an address you send to regularly, such as an exchange withdrawal address or a personal wallet, they use software to generate a vanity address that matches the first four to six and last four to six characters of that real address.

The middle characters differ, but most users never check them. The attacker then sends a dust transaction, a tiny amount of cryptocurrency, from the fake address to your wallet. This plants the lookalike address in your on-chain history. Blockchain explorers and many wallet apps display transaction history without any verification of whether an address is trusted or hostile.

This attack scaled sharply in early 2026. Ethereum's Fusaka upgrade, deployed in December 2025, reduced transaction fees by roughly six times. Within two months, monthly poisoning attempts jumped from 628,000 in November 2025 to 3.4 million in January 2026, a 5.5-times increase (Blockaid, 2026). Generating and sending thousands of fake dust transactions became economically practical for attackers.

What Losses From These Attacks Look Like

The consequences are irreversible. On December 20, 2025, a trader sent 49,999,950 USDT to a poisoned address after copying from their transaction history. The attacker had detected a small test transaction and planted their lookalike address just 26 minutes earlier. The $50 million is gone (CoinDesk, 2025).

On January 30, 2026, a separate victim lost 4,556 ETH, approximately $12.4 million, after an attacker spent two months sending dust to their wallet and generating a vanity address matching both the prefix and suffix of the victim's regular counterparty address.

Since January 2025, over 65.4 million address poisoning transactions have been flagged on-chain, averaging more than 160,000 per day (Blockaid, 2026). Separate academic research documented 270 million on-chain attacks targeting 17 million wallets, with confirmed losses exceeding $83.8 million across 6,633 incidents. Roughly 1 in every 200 poisoning attempts results in a successful transfer to the attacker, which is why attackers operate at high volume.

What to Check in Your Own Setup

The core habit to change is where you copy addresses from. Transaction history is not a safe address book. Addresses in your history can be placed there by anyone who can afford a small gas fee.

Specific steps to reduce your exposure:

• Save trusted addresses in a dedicated address book. Most hardware wallets and major software wallets support a contacts or whitelist feature. Add your regular counterparty addresses once, verify them from a trusted source, and copy only from there.

• Verify the full address before confirming. Matching the first and last few characters is not enough. Check the entire string, especially before sending large amounts. Some wallets display addresses in blocks of four to six characters to make this faster.

• Use a hardware wallet with an on-device display. The screen on your hardware wallet shows the exact destination address independent of what your computer or browser displays. Any discrepancy means something is wrong. This is a separate layer of protection from the blind signing risk present in some DeFi interactions.

• Look for wallets that flag suspected dust. Some wallets blur and mark transactions that show characteristics of poisoning attempts. If your wallet does not do this, apply extra caution when you receive inbound dust transactions you did not initiate.

• Use name services for regular counterparties. Services like Ethereum Name Service (ENS) let you send to a readable name rather than a raw address, removing the risk of copying a character-for-character lookalike.

You can map your wallets on the Asset Alert canvas to see whether your current setup has many active wallets across multiple chains, which adds surface area for this kind of attack.