Address Poisoning Attack — How to Detect & Prevent It in 2026
Address poisoning has been one of the most successful attack vectors against active crypto wallets in 2024 and 2025, with publicly traceable losses running into the tens of millions of USD across Ethereum, Tron and BSC. The attack requires no smart-contract exploit and no private-key leak. It exploits one mundane behaviour: users copy addresses from their wallet's transaction history instead of from a verified source. This guide explains how the attack works, the most-cited real losses, and a prevention workflow that combines wallet hygiene with pre-sign AML screening.
How address poisoning actually works
The attacker watches the mempool or recent block history for active wallets making frequent transfers. They identify a legitimate counterparty address: your CEX deposit address, your business partner's wallet, or your own treasury address. Then they grind fresh keypairs with a vanity-address generator until one yields an address that visually matches the legitimate one: same first 4 to 6 characters, same last 4 to 6 characters. The middle characters differ, but the middle is exactly the part wallet UIs hide when they truncate addresses in transaction history. Because the attacker generated the keypair, they hold the private key for the lookalike and can spend whatever lands there.
The attacker then sends a dust transaction, often a zero-value or fraction-of-a-cent USDT transfer, between the lookalike address and your wallet. Some token contracts, USDT among them, accept a transferFrom of zero tokens from any account because an allowance of zero satisfies the check, so the attacker can even make the dust appear as an outgoing transfer from you to the lookalike. Either way, the lookalike now appears in your transaction history, and to the eye it looks identical to the real counterparty, because both display as 0x7a25...488D in the wallet UI.
Later, when you need to send funds to the legitimate counterparty, you open your wallet, look at recent transaction history, and copy the address from there. The address you copy is the attacker's lookalike. The legitimate counterparty's address and the attacker's lookalike both display the same truncated form. You paste, you sign, you send. The funds go to the attacker.
The visual deception in detail
Wallets display addresses in truncated form for usability. A typical Ethereum address is 42 characters; showing it in full would be unreadable. The standard truncation is first 4 to 6 characters + ellipsis + last 4 to 6 characters. For example:
- Legitimate counterparty: 0x7a250d5630B4cF539739dF2C5dAcb4c659F2488D, displayed as 0x7a25...488D
- Attacker lookalike: 0x7a25e8b4F31A19Df8c4d2BfA5Bc9A2C6f4F4488D, displayed as 0x7a25...488D
The displayed form is identical; the full addresses differ in most of the 32 hidden characters. Matching a given prefix and suffix is a brute-force search over random keypairs, and every hex character fixed multiplies the work by 16: a 4+4 match needs about 16^8 (4.3 billion) candidates on average, a 6+6 match about 16^12 (2.8 × 10^14). Vanity-address generators on commodity GPUs test on the order of a billion candidates per second, so the first takes seconds and the second a few days on a single card or hours on a small farm. Against a target that moves millions, that is fast and cheap.
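The collision and the search cost described above, as an added example that is not part of the original article. It reuses the page's two sample addresses, mimics a wallet's truncated display, and runs a simulated vanity search on a short 2+2 pattern so the statistics can be seen in seconds; the helper names are the example's own, and candidates are random bytes rather than real keypairs (the search statistics are the same, but only real keypairs give the attacker a spendable match).

```python
"""Added example (not from the original article): how a truncated wallet
display hides the difference between a real address and an attacker's
lookalike, and what a vanity search for such a lookalike costs."""
import os

# Constructed sample pair taken from the article's text: the legitimate
# address and the attacker's lookalike, which share head '7a25' and tail '488D'.
LEGIT = "0x7a250d5630B4cF539739dF2C5dAcb4c659F2488D"
LOOKALIKE = "0x7a25e8b4F31A19Df8c4d2BfA5Bc9A2C6f4F4488D"


def truncate(addr: str, head_hex: int = 4, tail_hex: int = 4) -> str:
    """Mimic a wallet UI: keep '0x' plus head_hex characters, an ellipsis,
    and the last tail_hex characters."""
    return f"{addr[:2 + head_hex]}...{addr[-tail_hex:]}"


def same_display_different_address(a: str, b: str, head_hex: int = 4, tail_hex: int = 4) -> bool:
    """True when two distinct addresses collapse to the same truncated display.
    Hex addresses are compared case-insensitively: EIP-55 casing is a checksum,
    not part of the address."""
    if a.lower() == b.lower():
        return False
    return truncate(a, head_hex, tail_hex).lower() == truncate(b, head_hex, tail_hex).lower()


def expected_candidates(head_hex: int, tail_hex: int) -> int:
    """Expected number of random addresses the attacker must generate to fix
    head_hex leading and tail_hex trailing hex characters (factor of 16 each)."""
    return 16 ** (head_hex + tail_hex)


def grind_lookalike(target: str, head_hex: int, tail_hex: int, max_candidates: int):
    """Simulated vanity search. A real attacker derives each candidate from a
    fresh keypair so the match is spendable; here each candidate is 20 random
    bytes, which has identical search statistics.
    Returns (address, attempts) on success or (None, max_candidates)."""
    t = target.lower()
    want_head, want_tail = t[2:2 + head_hex], t[-tail_hex:]
    for attempt in range(1, max_candidates + 1):
        cand = "0x" + os.urandom(20).hex()
        if cand[2:2 + head_hex] == want_head and cand[-tail_hex:] == want_tail:
            return cand, attempt
    return None, max_candidates


if __name__ == "__main__":
    print(truncate(LEGIT), truncate(LOOKALIKE))  # both display as 0x7a25...488D
    print("same display, different address:", same_display_different_address(LEGIT, LOOKALIKE))
    for h, t in ((4, 4), (6, 6)):
        print(f"{h}+{t} match: about {expected_candidates(h, t):.2e} candidates expected")
    # A 2+2 match (about 65,536 candidates on average) is instant even in pure Python.
    addr, n = grind_lookalike(LEGIT, 2, 2, 2_000_000)
    print(f"found {addr} after {n} candidates; displayed as {truncate(addr, 2, 2)}")
```

The comparison lowercases both addresses on purpose: an attacker's lookalike carries its own valid EIP-55 checksum casing, so mixed case is no signal either way, and a defender's comparison must never be fooled by it.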
Real losses — documented cases
Address-poisoning losses are publicly traceable on-chain. Notable cases include:
- May 2024 — A single victim lost roughly USD 71 million in WBTC after pasting an address-poisoned destination from their transaction history. The attacker later returned most of the funds after on-chain negotiation.
- July 2024 — A USDT-on-Tron address-poisoning campaign accumulated over USD 4 million from multiple OTC desk victims.
- 2025 sustained campaigns — Attackers run continuous dust-poisoning at scale against high-value wallets visible on Etherscan, with monthly aggregate losses estimated in the single-digit millions of USD.
The victims are not naive users. Many are sophisticated OTC operators, family-office traders, and active DeFi participants. The attack works because it exploits a UI assumption, not because the victim was uninformed.
Why standard wallet UIs are vulnerable
Wallet UIs were designed when address-poisoning was rare. The truncated-address display optimised for screen space and quick recognition. As address-poisoning emerged, wallets began adding mitigations — warning banners on incoming dust, address-book functionality, ENS or .sol name preference. But the underlying behaviour — copying from history — remains the default user pattern in most wallets.
MetaMask added an "address poisoning" warning in 2024 for transactions where the sender address differs subtly from a previously-used recipient. Rabby and Phantom have similar mitigations. None of these are bulletproof. The user must still verify the full address before signing.
Pre-sign AML screening as a second-line defence
Address poisoning is a security attack, not a sanctions issue. But the attacker addresses are often surfaced in AML databases anyway, because attackers reuse address infrastructure across multiple victims. By the time you are the next victim, the attacker's lookalike may already be tagged in mixer-cluster, drainer-kit or scam-deployer databases.
A pre-sign AML check catches this. The workflow:
- You compose a transaction in MetaMask, Rabby, Phantom or your hardware-wallet UI.
- Before clicking sign, copy the destination address from the transaction confirmation screen.
- Paste it into AegisAML running locally on Windows.
- Review the AML report. Clean addresses pass. Addresses flagged as drainer-linked, mixer-adjacent, or scam-cluster-tagged should not be signed.
- Sign only after the address passes the AML check.
This adds 10 seconds to a transfer. It catches attacks that wallet UI mitigations miss, because AML databases aggregate attacker infrastructure across hundreds of campaigns.
Wallet hygiene to prevent address poisoning
1. Never copy addresses from transaction history
Treat your wallet's transaction history as untrusted user-generated content. Anyone can put data there by sending you a dust transaction. The only addresses you can trust are those you have personally verified — either from a saved address book or from a verifiable source (the counterparty's website, a signed message, a verified contract).
2. Use an address book
MetaMask, Rabby, Phantom and most modern wallets support an address book. Add legitimate counterparties once, verifying the full address character-by-character with the counterparty over a secondary channel (signed message, voice call, in-person). Never edit address-book entries based on incoming history.
3. Verify the full address character-by-character
For high-value transactions, verify every character of the address: all 42 for Ethereum and other EVM chains, 26 to 62 for Bitcoin depending on the address type (legacy base58 versus bech32), and 32 to 44 base58 characters for Solana. Read it back to the counterparty over a separate channel. Do not rely on the truncated display.
4. Prefer ENS / SNS / .sol names where available
For counterparties who have registered ENS (Ethereum), SNS (Solana) or similar human-readable names, send to the name instead of the hex address. The resolution is verifiable on-chain. The name itself still needs the same out-of-band verification as an address: lookalike names with swapped or homoglyph characters are as easy to register as lookalike addresses, the name owner can change what it resolves to, and an expired name can be re-registered by someone else. Save the name in your address book together with the address it resolved to on the day you verified it, and check that the resolution still matches before a large transfer.
5. Hardware-wallet display verification
If you sign on a Ledger or Trezor, verify the destination address on the device screen, not on the host machine. The host can be compromised; the hardware-wallet display cannot be poisoned by host-side malware. Read more in our Ledger and Trezor AML scan guide.
6. Test transactions for new counterparties
For any first transfer to a new counterparty, send a small test amount first (USD 1 to 10 equivalent). Wait for confirmation. Have the counterparty acknowledge receipt before sending the main amount. This catches both address poisoning and counterparty error.
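The pre-sign workflow and the hygiene rules above, as an added example that is not code from the original article or from AegisAML. It is a local pre-sign gate: the destination is compared in full against a verified address book, refused when it is a lookalike of a book entry, and, when it is unknown, allowed only for a test-sized first transfer; the same lookalike test also flags poisoned entries in the transaction history. The address book, the history entries and the 10 USD first-transfer limit are constructed for the example.

```python
"""Added example (not from the article or from AegisAML): a local pre-sign
gate that applies the wallet-hygiene rules to a destination address before
the transaction is signed."""
from dataclasses import dataclass
from typing import Optional

# Constructed address book: every entry was verified in full, out of band.
ADDRESS_BOOK = {
    "exchange-deposit": "0x7a250d5630B4cF539739dF2C5dAcb4c659F2488D",
    "otc-desk": "0x3f5CE5FBFe3E9af3971dD833D26bA9b5C936f0bE",
}

# Constructed transaction history as a wallet would show it. Entry 0x02 is the
# attacker's zero-value dust from a lookalike of 'exchange-deposit'.
HISTORY = [
    {"hash": "0x01", "direction": "out", "counterparty": "0x7a250d5630B4cF539739dF2C5dAcb4c659F2488D", "value_usd": 25000.0},
    {"hash": "0x02", "direction": "in", "counterparty": "0x7a25e8b4F31A19Df8c4d2BfA5Bc9A2C6f4F4488D", "value_usd": 0.0},
    {"hash": "0x03", "direction": "in", "counterparty": "0x3f5CE5FBFe3E9af3971dD833D26bA9b5C936f0bE", "value_usd": 1200.0},
]

FIRST_TRANSFER_LIMIT_USD = 10.0  # assumed policy: a new counterparty gets a test amount first


@dataclass
class Verdict:
    allowed: bool
    reason: str


def normalize(addr: str) -> str:
    """Hex addresses are case-insensitive; EIP-55 casing is only a checksum."""
    return addr.strip().lower()


def is_evm_address(addr: str) -> bool:
    a = normalize(addr)
    return a.startswith("0x") and len(a) == 42 and all(c in "0123456789abcdef" for c in a[2:])


def lookalike_of(addr: str, head_hex: int = 4, tail_hex: int = 4) -> Optional[str]:
    """Label of the address-book entry that addr imitates (same visible head and
    tail, different full address), or None. head/tail cover what a wallet shows."""
    a = normalize(addr)
    for label, known in ADDRESS_BOOK.items():
        k = normalize(known)
        if a != k and a[2:2 + head_hex] == k[2:2 + head_hex] and a[-tail_hex:] == k[-tail_hex:]:
            return label
    return None


def poisoned_history(history):
    """History entries whose counterparty is a lookalike of a verified entry,
    i.e. the rows a user must never copy from."""
    return [tx for tx in history if lookalike_of(tx["counterparty"]) is not None]


def pre_sign_check(dest: str, amount_usd: float, history) -> Verdict:
    """Decide whether dest may be signed for amount_usd, in priority order:
    malformed -> exact book match -> lookalike of a book entry -> unknown."""
    if not is_evm_address(dest):
        return Verdict(False, "not a well-formed EVM address (did a truncated display get pasted?)")
    d = normalize(dest)
    for label, known in ADDRESS_BOOK.items():
        if d == normalize(known):
            return Verdict(True, f"exact match with verified address-book entry '{label}'")
    imitated = lookalike_of(dest)
    if imitated is not None:
        return Verdict(False, f"lookalike of '{imitated}': same visible head and tail, different hidden middle")
    # Unknown counterparty: allow only a test amount until an outgoing transfer exists.
    prior_out = [tx for tx in history if tx["direction"] == "out" and normalize(tx["counterparty"]) == d]
    if not prior_out and amount_usd > FIRST_TRANSFER_LIMIT_USD:
        return Verdict(False, f"first transfer to an unknown address must be a test amount (<= {FIRST_TRANSFER_LIMIT_USD:.0f} USD)")
    return Verdict(True, "unknown address, within test-transfer policy; confirm receipt before sending more")


if __name__ == "__main__":
    print("poisoned history rows:", [tx["hash"] for tx in poisoned_history(HISTORY)])
    for dest, amount in (
        ("0x7a250d5630B4cF539739dF2C5dAcb4c659F2488D", 25000.0),  # real counterparty
        ("0x7a25e8b4F31A19Df8c4d2BfA5Bc9A2C6f4F4488D", 25000.0),  # copied from poisoned history
        ("0x" + "ab" * 20, 500.0),                                  # unknown, too large for a first send
        ("0x7a25...488D", 5.0),                                     # truncated display pasted by mistake
    ):
        print(dest, amount, pre_sign_check(dest, amount, HISTORY))
```

The gate deliberately compares the full normalized string and never the truncated form, and it checks for an exact book match before the lookalike test, so a verified entry is never rejected for resembling itself. The head/tail width should be set to at least what your wallet actually displays; a wider window only makes the lookalike test stricter.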
What to do if you have been a victim
If you have already sent funds to an attacker's lookalike address:
- Document the transaction immediately — transaction hash, both addresses, timestamp.
- Report to law enforcement in your jurisdiction if the amount is significant: the FBI's IC3 in the US, Action Fraud in the UK.
- Tag the attacker address publicly — report to Etherscan, post to ScamSniffer, contact Chainalysis or similar firms for cluster labelling.
- If you have CEX accounts, document the loss now, so that you can explain it if a future deposit is held for AML review because of its link to the attacker's address.
- Run a full AML audit on remaining wallet balances. The dust transfers came from attacker-controlled addresses, and some screening heuristics count inbound transfers from tagged addresses as exposure, so your remaining wallets may carry flags beyond the immediate loss. Read the cold wallet portfolio AML audit guide.
Add pre-sign AML screening to your wallet hygiene — free, on Windows
AegisAML screens destination addresses against drainer-kit, mixer-cluster and scam-deployer databases before you sign in MetaMask, Rabby, Phantom or your hardware wallet. Locally, in 10 seconds, free.
Install AegisAML for Windows
Related security and pre-sign guides
For the broader category of pre-sign safety, read MetaMask pre-sign AML screening and wallet drainer kits detection and prevention. For scam-deployer specific patterns, see scam and phishing address checker.
Frequently asked questions
Does address poisoning work on Bitcoin?
Less commonly. Bech32 (bc1) addresses use a 32-character alphabet, so each matched character costs the attacker a factor of 32 rather than 16, Bitcoin has no zero-value token transfer with which to plant a fake outgoing entry, and Bitcoin wallets generate a fresh receive address per payment by default, so users are less accustomed to copying a reused counterparty address from history. Most documented address poisoning is on Ethereum, other EVM chains, Tron and Solana.
Can a sanctions screen catch address poisoning?
Sometimes. If the attacker has been previously identified and tagged in OSINT databases, AML tools will flag the lookalike. Brand-new attacker addresses may not yet be tagged, which is why wallet-hygiene practices remain the primary defence and AML screening is the second line.
Why do wallets allow dust transactions to appear in history?
By default, wallets display all transactions including zero-value transfers. This is a technical correctness behaviour — the chain records the event regardless of value. Some wallets now filter dust transactions below configurable thresholds, but this is opt-in and not the default.
Are hardware wallets safer against address poisoning?
Only if you verify the address on the device screen, not the host. The hardware wallet displays the actual destination address. If you read the device screen carefully before approving, you can catch host-side address swapping (including poisoning that affects copy-paste). Many users skim the device screen and approve without verification, which defeats the protection.