The development of blockchain technology and cryptoassets has opened up a new era of financial freedom, but at the same time has created unprecedented security challenges. Among modern attack methods, address poisoning has emerged as an extremely sophisticated form of fraud (fake address scam) that Tan Phat Digital has closely monitored. This method does not target the technical vulnerabilities of the protocol but directly exploits the most elementary errors in the user's psychology and habits.
Different from wallet hijacking or private key theft attacks, address poisoning is an automated form of social engineering, where the attacker manipulates the victim's transaction history to lure them into voluntarily transferring money to the fraudster. This report by Tan Phat Digital will analyze in detail the nature, technical mechanisms, typical cases and multi-layer defense strategies to protect assets in the digital era.
The nature and origin of Address Poisoning
Address poisoning, sometimes also called "dusting attack" in certain contexts, is a phishing tactic in which an attacker sends a very small amount of cryptocurrency tokens, typically worth less than $0.01, to the user's wallet. However, the goal of this action is not the money itself, but rather for the attacker's address to appear in the victim's recent transaction history. This address is specially designed (vanity address) to look almost identical to the address with which the victim regularly interacts or the victim's own wallet address.
As noted by Tan Phat Digital, the name "address poisoning" accurately reflects its impact: the attacker "pollutes" the user's list of clean transactions with fake addresses. In the blockchain world, wallet addresses are hexadecimal strings 40-42 characters long, which are difficult to memorize completely. Therefore, users often have the habit of copying addresses from recent transaction history instead of checking each character from the original source. The attacker takes advantage of this carelessness, hoping that in the next transaction, the victim will accidentally copy the "poisonous" address instead of the actual address.
The danger of address poisoning lies in its "hidden" nature. It does not require the victim to approve any malicious smart contract, nor does it require the disclosure of a seed phrase. The transaction that lost funds was completely a valid transaction made by the victim himself, making asset recovery extremely difficult due to the immutable nature of the blockchain.
Technical mechanism and execution process of the attack
A successful address poisoning attack requires a combination of automation scenarios and careful computational preparation. This process usually takes place through four main stages: monitoring, creating impersonated addresses, poisoning history and exploiting user errors.
Monitoring and target selection
Attackers use real-time monitoring tools to monitor activity on popular blockchains such as Ethereum, Binance Smart Chain (BSC) or Tron. Targets are often selected based on specific criteria:
Wallets with large balances (whales) or high transaction frequency.
Transactions involving popular stablecoins such as USDT, USDC, as these are assets that are often transferred between individual wallets and exchanges.
Address pairs that have just had their first interaction, where the user has not yet saved the address in the address book.
Creating an impersonated Vanity address
After identifying a target transaction between wallet A and wallet B, the attacker will use custom address generators (vanity address generators) to create a wallet C address whose first and last characters match wallet B (or wallet A). In most wallet interfaces today, because the address is too long, the middle part is often shortened with an ellipsis "...". For example, a real address 0x123...89abc will be impersonated by the address 0x123...xyzbc.
The mathematical complexity of generating an impersonation address depends on the number of characters the attacker wants to match. The probability that a generated address matches a specific number $n$ of characters in hexadecimal (base-16) is calculated by the formula:
$P = (1/16)^n$
For a typical attack that matches the first 4 characters and the last 4 characters (8 characters total), the attacker needs to perform an average of $16^8$ (equivalent to more than 4.2 billion) hashes. With the power of modern GPU clusters, this only takes a few seconds or minutes, allowing attackers to carry out a series of simultaneous poisonings on a large scale.
Classification of history poisoning techniques
For easy tracking, Tan Phat Digital classifies the two most common forms of poisoning as follows:
Dust Trading (Dusting):
Mechanism: Sends a very small amount of tokens (e.g. 0.0001 TRX or 0.01 USDT).
Identification: Appears as a normal "Received" transaction in the wallet.
Zero-Value Transfer:
Mechanism: Takes advantage of the transferFrom function in the token contract to create a transaction sending 0 tokens from the victim's wallet.
Identification: Appears as a "Sent" transaction in history, making the victim believe that they have sent money there before.
The Zero-Value Transfer technique is especially dangerous because it does not require the wallet owner's permission to make a transfer of 0 units of assets. This makes the transaction history look like the victim actively interacted with the fake address, increasing the address's credibility in the user's eyes.
Confusion Exploitation Phase
When the victim needs to make a subsequent actual transaction, they open the transaction history to find the previously used address again. Because the impersonated address is right at the top of the list and has identical identifying characters (start/end) to the real address, the victim will copy it and make a money transfer. Once the transaction is signed and broadcast to the network, the funds are transferred directly to the fraudster's wallet and cannot be recovered.
Statistical analysis and global impact scale
According to research from blockchain security organizations, address poisoning has become one of the biggest threats to personal wallet users. The scale of these campaigns is constantly expanding, targeting both common users and large organizations.
Data on attack attempts and damage (2022-2024)
Below are notable security indicators compiled by Tan Phat Digital:
Total number of attack attempts: More than 270 million times (Data on Ethereum and BSC).
Number of victims targeted: More than 17 million wallets (Demonstrating large-scale automation).
Total confirmed losses: Over 83.8 million USD (Officially reported cases only).
Success rate (ROI): 58.363% (Calculated on gas and infrastructure costs compared to the amount of appropriation).
Number of impersonated addresses: Accounts for 1% of newly created addresses (Statistics on Ethereum network during peak periods).
Although the success rate per attempt is very low (only about 0.03% of impersonated addresses receive funds), due to the extremely low implementation cost and the ability to automate, attackers can still reap millions of dollars in profits from small mistakes of a few users.
Chain Migration Trend
Initially, address poisoning focused heavily on Ethereum due to its high asset value. However, as gas fees on Ethereum have increased, criminal groups have migrated to low-transaction-cost networks such as Tron, Polygon, and Binance Smart Chain to carry out large-scale spam campaigns with minimal costs. Especially on the Tron network, sending "TRX dust" has become such a common problem that wallets have had to deploy specialized filters to hide these transactions.
Case studies of major scams
To understand the devastation of address poisoning, let's take a look at real cases involving large investors (whales) with Tan Phat Digital.
50 million USD USDT theft (December 2025)
On December 20, 2025, a cryptocurrency trader lost 49,999,950 USDT in a perfect address poisoning attack scenario.
03:06 UTC: The victim performs a test transaction worth 50 USDT from Binance to his personal wallet to ensure the address is correct.
Immediately: The attacker's script creates a vanity address whose first 5 and last 4 characters are identical to the victim's wallet address.
Poisoning: The attacker sends a small amount of USDT from the fake address to the victim's wallet, pushing the fake address to the top of the history.
03:32 UTC: Just 26 minutes later, the victim copies the top address and sends 49.9 million USDT.
Money Laundering: The attacker immediately exchanges to DAI to avoid having the wallet frozen by Tether, then transfers to the Tornado Cash mixer.
71 million USD WBTC recovery (May 2024)
An Ethereum user lost 1,155 WBTC due to address poisoning. Fortunately, after blockchain security companies intervened and negotiated, the attacker returned $68 million and kept $3 million in profits from Bitcoin price arbitrage. This is a rare case of recovering assets thanks to the professionalism of security units.
Compare Address Poisoning with other forms of Fake Address Scam
Tan Phat Digital compares the identifying characteristics of fraudulent forms so that users can easily distinguish:
Address Poisoning:
Installation requirements: Does not require malicious code on the device.
Method: Impersonation in transaction history.
Target: Human identification error.
Sign: Strange transactions worth 0 or dust.
Clipper Malware:
Installation requirements: Requires the machine to be infected with Trojan/Malware.
Method: Change data in the clipboard as soon as you press "Copy".
Goal: Directly interfere with the computer system.
Signs: Pasted address is completely different from the address you copied.
Phishing Site:
Installation requirements: No installation required, just go to the web.
Method: Lure users into signing malicious transactions.
Goal: Abuse of trust through social engineering.
Signs: Fake domain name (URL), one letter wrong from the real page.
The psychology behind the success of Address Poisoning
Attackers deeply exploit human cognitive biases and biological limitations:
Partial Pattern Matching: The brain usually only remembers the "anchor point" which is the first and last few characters of the wallet address. The attacker creates an address that perfectly matches these anchor points to fool the fast-thinking system.
Familiarity Effect: Sending many dust transactions creates the feeling that the fake address is "familiar", making the victim less suspicious when seeing it at the top.
Time pressure: The attacker takes advantage of the user's haste to transfer funds to the exchange to sell when prices fluctuate, causing them to skip detailed checks.
Multi-layer security strategy from Tan Phat Digital
To protect assets, Tan Phat Digital recommends users implement the following strict security procedures:
Personal trading discipline
Check every single character: Absolutely do not just check the head and end. Compare all 40-42 characters of the address.
Use Address Book: Always save and select addresses from contacts saved in your wallet instead of copying from history.
Enable Whitelisting: On exchanges, only allow withdrawals to verified addresses first.
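One way to automate the full-character check and the address-book rule above, together with spotting the dust and zero-value history entries described earlier. This is an added example, not code from Tan Phat Digital or from any wallet vendor; the addresses, the sample history, the dust threshold and the 4+4 character match window are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample values: every address and transfer below is invented.
REAL = "0x1234a5b6c7d8e9f00112233445566778899abcde"
FAKE_IN = "0x1234" + "0f" * 16 + "bcde"    # same first/last 4 hex chars as REAL
FAKE_OUT = "0x1234" + "9e" * 16 + "bcde"
ADDRESS_BOOK = {"exchange-deposit": REAL}  # assumed saved-contacts list
DUST_LIMIT = 0.01  # assumption: token amounts at or below this count as dust

@dataclass
class Transfer:
    direction: str     # "in" or "out", as the wallet history displays it
    counterparty: str  # the other address in the transfer
    amount: float      # token amount

def normalize(addr):
    """Lower-case and strip the 0x prefix so comparison covers every character."""
    return addr.strip().lower().removeprefix("0x")

def lookalike_of(addr, book=ADDRESS_BOOK, head=4, tail=4):
    """Label of the trusted address that addr imitates, or None.

    Imitation = same first `head` and last `tail` characters (what a
    truncated wallet display shows) but a different full address.
    """
    a = normalize(addr)
    for label, trusted in book.items():
        t = normalize(trusted)
        if a != t and a[:head] == t[:head] and a[-tail:] == t[-tail:]:
            return label
    return None

def classify_destination(addr, book=ADDRESS_BOOK):
    """Check a pasted destination before signing: trusted / lookalike / unknown."""
    if normalize(addr) in {normalize(t) for t in book.values()}:
        return "trusted"
    return "lookalike" if lookalike_of(addr, book) else "unknown"

def poisoned_entries(history, book=ADDRESS_BOOK):
    """History rows that are zero-value or dust and involve a lookalike address."""
    return [t for t in history
            if t.amount <= DUST_LIMIT and lookalike_of(t.counterparty, book)]

HISTORY = [
    Transfer("out", REAL, 50.0),      # genuine test transfer
    Transfer("in", FAKE_IN, 0.01),    # dust sent by the impersonating address
    Transfer("out", FAKE_OUT, 0.0),   # zero-value transferFrom shown as "Sent"
    Transfer("in", "0x" + "ab" * 20, 0.005),  # unrelated dust, not a lookalike
]
```

A destination classified as "lookalike" should block the send outright, while "unknown" only means the address has not been saved yet and needs verification against the original source.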
Strengthen technical security
Test Transactions: Always send a small amount first and confirm the money has actually reached the receiving wallet.
Support tools and Web3 Firewalls
2025-2026 sees an explosion of security tools that Tan Phat Digital recommends:
Kerberus Sentinel3: Browser extension that detects address impersonation and alerts in real time.
Pocket Universe & Blockaid: Simulate transactions before you sign to warn of unusual signs.
Wallet Guard: Security layer that helps hide dust transactions from the wallet's display history.
The future and professionalization of criminals
Address poisoning is evolving strongly following the "Scam-as-a-Service" model. Poisoning toolkits are widely sold on the darknet, allowing attackers without technical expertise to operate million-dollar phishing campaigns.
ROI analysis of a typical campaign:
Cost of creating 82,000 vanity addresses: ~120,000 USD.
FAQs
1. What exactly is address poisoning? This is a phishing method in which an attacker sends small or zero-value transactions to your wallet from an "impersonated" address whose first and last characters are identical to the wallet address you normally use. The goal is for you to accidentally copy this fake address from your future transaction history.
2. Is it different from a "Dusting" attack? There is a difference in purpose. Dusting attacks are often used to track behavior or break wallet privacy. Meanwhile, address poisoning uses these "dust" transactions to directly lure you into sending the wrong money to the scammer through address impersonation.
3. Why can a scammer create a "Sent" transaction from my wallet when I do nothing? The attacker exploits the transferFrom function in token smart contracts (like USDT/USDC) to perform a transfer of 0 units of assets from your wallet. Since the value is 0, it does not require approval but is still recorded in the transaction history as a "Send" command.
4. If my address is poisoned, will my private key be exposed? No. Address poisoning does not infiltrate your wallet's technology or steal your recovery phrase. It's just a form of visual deception; your assets are still safe unless you actively send funds to that fake address.
5. Why do attackers use "Vanity Address"? Vanity address allows attackers to customize specific characters in the wallet address. They create addresses whose first and last 4-6 characters exactly match your real address to fool users' quick checking habits.
6. Can cold wallets like Ledger or Trezor help prevent this? Cold wallets help you confirm addresses on an independent monitor, increasing the ability to detect errors. However, if you mistakenly copy the address from your computer and do not carefully check each character on the cold wallet screen, you could still sign off on a fraudulent transaction.
7. Which blockchains are most commonly targeted? Networks with low transaction costs such as Tron, Polygon, Solana and Binance Smart Chain (BSC) are top targets because attackers can send millions of "poisonous" transactions at extremely low costs. However, Ethereum also recorded a sharp increase after upgrades to reduce gas fees.
8. How frequent are these attacks? Research shows that more than 270 million address poisoning attempts were made on just the two networks Ethereum and BSC between 2022-2024, targeting more than 17 million victim wallets.
9. How did the loss of 71 million USD WBTC happen in May 2024? A whale accidentally copied the impostor address from history and sent 1,155 WBTC to the scammer. After on-chain negotiation efforts and pressure from security agencies, the attacker returned most of the funds after retaining a portion of the profits.
10. Can I get my money back if I accidentally transferred it? Very difficult. Blockchain transactions are immutable and irreversible. The only way is to negotiate with the attacker through on-chain messages or ask for the intervention of professional security units to trace and freeze funds at exchanges.
11. How is it different from "Clipper Malware"? Address poisoning is based on mistakenly copying from your history. Clipper Malware is malicious code that infects your computer, automatically replacing the correct address in the clipboard with the thief's address as soon as you press the "Copy" command.
12. Does MetaMask Wallet have any warnings about this type of scam? MetaMask has implemented warnings for zero value transactions and recommends users use the "Contacts" feature to save trusted wallets instead of copying from history.
13. Are "Test transactions" always safe? Test transactions are a good habit, but attackers often use bots to immediately send an impersonated address to your wallet just seconds after you successfully send the test. If you go back to get the address for a large transfer without double-checking, you'll be caught in the trap immediately.
14. Why do thieves often exchange for DAI in big scams? Since USDT is managed by the Tether company, they have the right to freeze assets in wallets reported for fraud. In contrast, DAI is a decentralized stablecoin, with no entity able to intervene or freeze it, helping thieves disperse assets more safely.
15. What is the best tool today to detect this scam? Tan Phat Digital recommends utilities such as Kerberus Sentinel3, Pocket Universe or Wallet Guard. These tools will simulate transactions and issue red alerts if they detect that you are interacting with an imposter or suspicious address.
Address poisoning is proof that safety in the blockchain world comes not only from algorithms but also from alertness. The team of experts at Tan Phat Digital hopes this report has provided a comprehensive view for you to confidently protect your assets.
Remember: Haste is a fraudster's greatest ally. Please take another 10 seconds to check the entire wallet address before pressing the "Confirm" button. Tan Phat Digital will always accompany you in updating the latest cybersecurity trends.