Address Poisoning: The Silent Scam Draining Millions One Copy-Paste at a Time
A single copy-paste mistake cost one crypto trader $50 million in December 2025. No smart contract was exploited. No private key was compromised. The victim simply copied a wallet address from their transaction history — one that looked almost identical to the real thing but belonged to an attacker. Welcome to address poisoning, DeFi's most insidious and underestimated attack vector.
What Is Address Poisoning?
Address poisoning is a social engineering attack that weaponizes the way humans interact with blockchain addresses. Unlike traditional hacks that exploit code vulnerabilities, this scam exploits a far more fundamental weakness: human behavior.
Here's how it works in practice:
- Surveillance: An attacker monitors the blockchain for high-value wallets making regular transfers.
- Lookalike generation: Using GPU-accelerated vanity address tools like Profanity2 or Vanity-ETH, the attacker generates a wallet address that matches the first 4–6 and last 4–6 characters of the victim's frequently used recipient address.
- History poisoning: The attacker sends a tiny transaction — often zero-value or just fractions of a cent — from the lookalike address to the victim's wallet. This "seeds" the victim's transaction history with the fake address.
- The trap springs: When the victim later needs to send funds, they open their transaction history, spot what looks like their usual recipient address, copy it, and send. The funds go directly to the attacker.
The entire attack costs the adversary as little as a few cents in gas fees. The payout can be millions.
The Scale Is Staggering
Academic research presented at USENIX Security 2025 revealed the true magnitude of this threat. Over a two-year measurement period, researchers identified 270 million poisoning attempts across Ethereum and Binance Smart Chain, targeting over 17 million unique victim addresses using approximately 50 million lookalike addresses.
Confirmed losses exceed $83.8 million on Ethereum alone. And those are only the documented cases — the real number is almost certainly higher, as many victims never report or even realize what happened.
The Fusaka Effect
Ethereum's Fusaka upgrade on December 3, 2025 inadvertently supercharged address poisoning. By reducing transaction fees approximately 6x, the upgrade made mass-scale poisoning campaigns dramatically cheaper to execute. The results were immediate:
- Daily dust transactions jumped to 167,000, peaking at 510,000 in a single day in January 2026
- Poisoning attempts spiked from 628,000 in November 2025 to millions in January 2026 — a 5x+ increase in just two months
- 67% of newly active Ethereum addresses received less than $1 in their first transaction, a clear indicator of systematic dusting campaigns
While Ethereum's daily transactions rose ~50% and active addresses increased ~60% post-Fusaka, a significant portion of this "growth" was artificial — driven by poisoning bots rather than organic adoption.
Anatomy of a $50 Million Mistake
The most devastating address poisoning attack to date occurred on December 20, 2025. A crypto trader first sent a small test transaction to the correct address — standard best practice. But an attacker was watching.
Within minutes, the attacker generated a lookalike address matching the victim's destination, sent a dust transaction to poison the history, and waited. Just 26 minutes later, the victim copied the poisoned address from their transaction log and sent 49,999,950 USDT directly to the attacker.
The attacker moved with surgical precision:
- Within 30 minutes, swapped the entire $50M USDT to DAI via MetaMask Swap — a strategic choice since Tether can freeze USDT in flagged wallets, but decentralized DAI lacks such centralized controls
- Converted the DAI into approximately 16,690 ETH
- Deposited the ETH into Tornado Cash to obscure the trail
The victim published an on-chain message demanding return of 98% of the funds and offering a $1 million white-hat bounty. The funds were never returned.
The Sillytuna Case: When Digital Attacks Turn Physical
On March 5, 2026, crypto influencer "Sillytuna" lost $24 million in aEthUSDC through an address poisoning attack on Aave. The attacker quickly swapped the tokens to ETH, converted to approximately $20 million in DAI, and began bridging portions to Arbitrum to complicate tracing.
But this case went beyond digital theft. Sillytuna reported receiving physical threats, including weapons and kidnapping threats, following the attack. The victim announced plans to leave crypto entirely. The incident illustrated a terrifying escalation: address poisoning as the entry point for combined digital-physical attacks targeting known crypto holders.
Other notable 2026 incidents include:
- 4,556 ETH ($12.4M) stolen on January 30, 2026, from a victim making what appeared to be a routine OTC deposit
- Two victims lost a combined $62 million to address poisoning between December 2025 and January 2026, according to Scam Sniffer
Three Attack Variants
Researchers have identified three principal poisoning strategies, each exploiting different technical mechanisms:
1. Tiny Transfer Attacks
The attacker sends a small amount (typically under $10) from a lookalike address. This creates a legitimate-looking entry in the victim's transaction history. It costs the attacker real tokens but produces convincing history entries.
2. Zero-Value Transfer Attacks
Exploiting the ERC-20 transferFrom function, attackers can create token transfer events that show up in transaction logs without spending any tokens. The ERC-20 standard allows transferFrom calls with zero amounts, which block explorers and wallets display as normal transactions. This is the cheapest and most common variant.
3. Counterfeit Token Attacks
Attackers deploy fake token contracts that mimic legitimate tokens (like fake USDT or USDC). They send worthless counterfeit tokens from lookalike addresses, creating transaction history entries that appear identical to real transfers in many wallet interfaces.
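A wallet-side filter for the three variants above, written as an added example; it is not code from the research cited here or from any wallet. The record shape (`peer`, `token`, `symbol`, `value`), the addresses and the dust limit are assumptions constructed for illustration.

```javascript
// Added example. Addresses, token contracts and the dust limit are constructed.
const KNOWN = "0x1a2b" + "c".repeat(32) + "9f8e";  // real counterparty
const SPOOF = "0x1a2b" + "d".repeat(32) + "9f8e";  // same first/last 4 chars
const OTHER = "0x" + "7".repeat(40);               // unrelated address
const USDT_OK = "0x" + "a".repeat(40);             // verified token contract
const USDT_FAKE = "0x" + "b".repeat(40);           // contract reusing the symbol

const CTX = {
  contacts: [KNOWN],
  // symbol -> verified contract and dust limit in raw units (6 decimals, $10)
  tokens: new Map([["USDT", { contract: USDT_OK, dustLimit: 10_000_000n }]]),
};

// True when two different addresses agree on the characters a truncated
// display such as 0xAbCd...EfGh would show.
function isLookalike(a, b, shown = 4) {
  const x = a.slice(2).toLowerCase(), y = b.slice(2).toLowerCase();
  return x !== y && x.slice(0, shown) === y.slice(0, shown) &&
    x.slice(-shown) === y.slice(-shown);
}

// Map one history entry to a poisoning variant, or null if it looks normal.
// t.peer is the other address the wallet would display for the entry.
function classify(t, ctx) {
  const mimics = ctx.contacts.find((c) => isLookalike(t.peer, c)) ?? null;
  const verified = ctx.tokens.get(t.symbol);
  let variant = null;
  if (verified && verified.contract.toLowerCase() !== t.token.toLowerCase()) {
    variant = "counterfeit-token";   // right symbol, wrong contract
  } else if (t.value === 0n) {
    variant = "zero-value";          // zero-amount transfer event
  } else if (mimics && verified && t.value < verified.dustLimit) {
    variant = "tiny-transfer";       // dust involving a lookalike address
  }
  return { variant, mimics };
}

// History view that hides flagged entries before the user can copy from them.
const cleanHistory = (history, ctx) =>
  history.filter((t) => classify(t, ctx).variant === null);

const HISTORY = [
  { peer: KNOWN, token: USDT_OK, symbol: "USDT", value: 500_000_000n },
  { peer: SPOOF, token: USDT_OK, symbol: "USDT", value: 0n },
  { peer: SPOOF, token: USDT_OK, symbol: "USDT", value: 1_000_000n },
  { peer: SPOOF, token: USDT_FAKE, symbol: "USDT", value: 500_000_000n },
  { peer: OTHER, token: USDT_OK, symbol: "USDT", value: 2_000_000n },
];
console.log(HISTORY.map((t) => classify(t, CTX).variant));
```

Small payments from unrelated addresses stay visible: the tiny-transfer rule fires only when the counterparty also imitates a saved contact.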
Why Traditional Defenses Keep Failing
Address poisoning persists because it targets the gap between blockchain security and human usability:
- No malware required: Unlike phishing or keyloggers, address poisoning requires zero access to the victim's device
- No smart contract exploit: The blockchain itself functions exactly as designed — the victim genuinely authorizes the transfer
- Abbreviation reliance: Most wallets display addresses as 0xAbCd...EfGh, showing only the first and last few characters. Attackers specifically match these displayed portions
- Transaction history as trusted source: Users treat their own transaction history as a reliable address book, not realizing it can be manipulated by anyone on a public blockchain
- Irreversibility: Once confirmed, blockchain transactions cannot be reversed. There is no customer service to call, no chargeback to file
The Defense Playbook
Protection requires both individual discipline and ecosystem-wide improvements:
For Individual Users
- Never copy addresses from transaction history. Always retrieve addresses from your original, verified source — a saved contact, an official website, or direct communication with the recipient.
- Verify the FULL address. Check every character, not just the beginning and end. Even a single different character in the middle means a completely different wallet.
- Use address books religiously. Most wallets support contact lists or address whitelisting. Once you verify an address, save it and always send from the saved contact.
- Leverage ENS and blockchain domains. Ethereum Name Service (ENS) names like yourname.eth eliminate the need to handle raw addresses entirely, dramatically reducing copy-paste risk.
- Send test transactions — then verify carefully. Test transactions are good practice, but they don't protect you if you copy the poisoned address the second time. After a test, verify the recipient confirmed receipt through an off-chain channel.
Ecosystem-Level Solutions
The industry is beginning to respond, though progress has been uneven:
- Trust Wallet launched automatic address poisoning protection across 32 EVM chains in March 2026, scanning every outbound transaction in real time against known poisoning addresses
- Ledger Live now hides zero-value token transfers by default, filtering common poisoning attempts before they appear in transaction history
- Wallet-level warnings: Several wallets now flag transactions to addresses that closely resemble but don't match addresses in the user's history
- Clear Signing initiatives require users to review and confirm full transaction details on hardware wallet screens before signing
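A pre-send check in the spirit of the address-book and wallet-warning advice above, as an added example; it is not the logic of Trust Wallet, Ledger Live or any other product named here. The address book, labels and `MIN_SHOWN` threshold are constructed assumptions.

```javascript
// Added example. Addresses, labels and MIN_SHOWN are constructed.
const MIN_SHOWN = 4; // characters a truncated display shows at each end

const SAVED = "0x1a2b" + "c".repeat(32) + "9f8e";  // verified contact
const FAKE = "0x1a2b" + "d".repeat(32) + "9f8e";   // differs only in the middle
const BOOK = { "exchange-deposit": SAVED };

// Count matching hex characters from the start and from the end.
function sharedEnds(a, b) {
  let prefix = 0, suffix = 0;
  while (prefix < a.length && a[prefix] === b[prefix]) prefix++;
  while (suffix < a.length - prefix &&
         a[a.length - 1 - suffix] === b[b.length - 1 - suffix]) suffix++;
  return { prefix, suffix };
}

// Decide what the confirmation screen should do with a pasted recipient.
function checkRecipient(recipient, addressBook) {
  // A truncated display string is not an address; refuse it outright.
  if (!/^0x[0-9a-fA-F]{40}$/.test(recipient)) return { verdict: "invalid" };
  const r = recipient.slice(2).toLowerCase();
  let nearest = null;
  for (const [label, saved] of Object.entries(addressBook)) {
    const s = saved.slice(2).toLowerCase();
    if (s === r) return { verdict: "saved-contact", label };
    const { prefix, suffix } = sharedEnds(r, s);
    if (prefix >= MIN_SHOWN && suffix >= MIN_SHOWN) {
      nearest = { label, differing: 40 - prefix - suffix };
    }
  }
  // Same visible ends as a contact but a different address: block the send.
  if (nearest) return { verdict: "lookalike", ...nearest };
  // Not in the book at all: require out-of-band verification first.
  return { verdict: "unverified" };
}

console.log(checkRecipient(FAKE, BOOK));
```

The `differing` count tells the confirmation screen how many middle characters to highlight when it shows the full address next to the saved contact.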
What the Industry Still Needs
Despite these improvements, critical gaps remain:
- Default-on protection: Address poisoning defenses should be enabled by default in every wallet, not opt-in features buried in settings
- Full address display: Wallets should show complete addresses during the confirmation step, not abbreviated versions
- Cross-chain coordination: Attackers increasingly bridge stolen funds across chains (as seen in the Sillytuna case). Wallet protections need to be multi-chain from day one
- Protocol-level mitigations: ERC-20 contracts could be updated to reject zero-value transferFrom calls from unauthorized senders, eliminating the cheapest poisoning variant at the protocol level
The Uncomfortable Truth
Address poisoning exposes a fundamental tension in crypto's design philosophy. The same properties that make blockchain powerful — permissionless, immutable, pseudonymous — also make it a perfect environment for social engineering attacks. Anyone can send transactions to any address. Once sent, funds cannot be recovered. And addresses are designed for machines, not human memory.
The $83.8 million in confirmed losses is almost certainly a fraction of the true cost. Many victims never realize they were poisoned. Others are too embarrassed to report. And with Ethereum's post-Fusaka fee reduction making poisoning campaigns cheaper than ever, the attack surface is expanding, not shrinking.
Until wallets treat address verification as a first-class security concern — not an afterthought — address poisoning will continue to drain millions from users who did everything else right.