Crypto Address Poisoning Attacks: How to Detect and Prevent Wallet Address Spoofing
A detailed breakdown of three common crypto address poisoning techniques — zero-value transfers, dust transfers, and fake token transfers — plus practical steps to identify spoofed lookalike addresses and protect your digital assets.
In May 2024, a crypto user was making a routine transfer. Out of habit, they opened their wallet's transaction history and copied an address that "looked completely correct." Minutes later, $710,000 worth of WBTC was sent to an address meticulously crafted by a scammer. The first 6 and last 6 characters matched the real address perfectly — but the characters in between were entirely different. By the time the user noticed something was wrong, the funds were long gone.
This is not an isolated case. According to on-chain data analysis, address poisoning attacks caused losses exceeding hundreds of millions of dollars in 2024 alone. The reason this attack method is so effective is that it requires no technical vulnerability whatsoever — it exploits human habits.
What Is an Address Poisoning Attack?
Address poisoning, also known as crypto address poisoning, is a social engineering attack that targets the transaction habits of cryptocurrency users. The attacker does not hack your wallet or steal your private key. Instead, they send specially crafted transactions to your wallet, injecting a fake address that closely resembles one you frequently use into your transaction history.
The mechanics are straightforward:
- Monitor on-chain transactions: Attackers use blockchain explorers or custom scripts to track large transfers between active wallets.
- Generate a lookalike address: Using address generation tools, they create a new address whose first and last characters closely match the target address.
- Poison the transaction history: They send zero-value or dust-amount transactions from the fake address to the target wallet, making it appear in the wallet's transaction history.
- Wait for the victim to take the bait: The next time the user makes a transfer, if they copy the address from transaction history rather than selecting it from their address book, they may inadvertently copy the attacker's address.
Key point: This attack does not compromise any assets in your wallet. Your funds, private keys, and seed phrase remain safe. The attacker is betting that you will not carefully verify every character of the full address when copying it.
How Attackers Generate Lookalike Addresses
Ethereum addresses consist of 42 characters (including the "0x" prefix), while Bitcoin addresses are typically 26–35 characters. Most users only check the first few and last few characters when verifying an address. Attackers exploit exactly this behavior.
Vanity Address Generators
Attackers use tools called vanity address generators, which brute-force private keys to find addresses matching specific prefix and suffix criteria. For example:
- Real address: 0x1a2B...3c4D (30 characters omitted in the middle)
- Fake address: 0x1a2B...3c4D (first 4 and last 4 characters match perfectly, middle differs)
The more characters that match, the longer it takes to generate — but costs remain low:
| Characters Matched | Estimated Generation Time | Risk Level |
|---|---|---|
| First 4 + Last 4 | Minutes | Extremely High |
| First 6 + Last 6 | Hours | High |
| First 8 + Last 8 | Days to Weeks | Moderate |
With ample GPU power available today, matching the first 6 and last 6 characters costs attackers almost nothing. This means that if you only check the first and last few characters of an address, it is nearly impossible to tell real from fake.
Three Common Address Poisoning Techniques
1. Zero-Value Token Transfers
This is currently the most prevalent and stealthy poisoning method. Attackers exploit a feature of the ERC-20 token contract's transferFrom function to initiate zero-value transfers without holding any tokens.
Technical explanation: In typical ERC-20 implementations, transferFrom checks the sender's balance and the caller's allowance against the transfer amount, and an amount of zero passes both checks trivially. This means anyone can initiate a zero-value transfer on behalf of any address, paying only a small gas fee.
Practical effect: A transaction suddenly appears in your wallet history showing "You sent 0 USDT to [an address]." That address has the same first and last characters as your real transfer recipient — but it actually belongs to the attacker. The next time you need to send USDT, you might mistakenly copy this fake address.
In 2023, zero-value transfer attacks accounted for nearly 10% of all transactions on the Ethereum network at their peak, severely polluting on-chain data and users' wallet interfaces.
2. Dust Transfers
Similar to zero-value transfers, but the attacker sends a tiny amount of real tokens (usually worth less than $0.01) to the target address.
Characteristics:
- The transfer amount is small but not zero, so it displays normally in all wallets
- The transaction is entirely legitimate and cannot be easily filtered out
- The attacker sends from a spoofed lookalike address, making it appear in the "recent received" list
- The victim may mistake it for a transaction from a known counterparty
Typical scenario: You receive 0.001 USDT from an address that looks like your usual exchange withdrawal address. Next time you need to deposit funds at the exchange, you copy this "seemingly identical" address from recent transactions — but the funds go to the attacker's wallet.
3. Fake Token Transfers
This technique is even more cunning. The attacker deploys their own ERC-20 contract with the same name as a well-known token, then uses this fake contract to send tokens to the target.
How it works:
- The attacker creates a fake token contract named "USDT" or "USDC"
- They send fake tokens from the spoofed lookalike address to the target
- In the wallet's transaction history, it looks just like a normal USDT/USDC transfer
- Only by carefully checking the token contract address can you discover it is a completely different, fake contract
Impact: Fake token transfers are visually more deceptive than zero-value transfers because they show an actual transfer amount, making the entire transaction look more "real."
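The three techniques leave different fingerprints in a wallet's transfer history. The following is an added example, not code from the original article or from any wallet: it tags each transfer record with the pattern it matches. The record fields, the placeholder addresses and the token table are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal

# Constructed placeholder values, not real contracts or wallets.
CANONICAL = {"USDT": "0x" + "aa" * 20, "USDC": "0x" + "bb" * 20}
ME = "0x" + "11" * 20
PEER = "0x" + "22" * 20        # a known counterparty
STRANGER = "0x" + "33" * 20    # unrelated account
DUST_USD = Decimal("0.01")     # the article's "usually worth less than $0.01"

@dataclass
class Transfer:
    tx_sender: str      # account that signed the transaction and paid gas
    contract: str       # token contract that emitted the Transfer event
    symbol: str         # symbol the contract reports for itself
    src: str
    dst: str
    amount: Decimal
    usd_value: Decimal  # market value; meaningless for a fake token

def classify(t: Transfer, me: str = ME) -> str:
    me = me.lower()
    canonical = CANONICAL.get(t.symbol.upper())
    # Fake token: familiar symbol, emitted by a contract other than the known one.
    if canonical is not None and t.contract.lower() != canonical:
        return "fake-token"
    # Zero-value: history shows "you sent 0", yet you never signed it.
    if t.amount == 0 and t.src.lower() == me and t.tx_sender.lower() != me:
        return "zero-value"
    # Dust: a tiny but non-zero incoming amount of a real token.
    if t.dst.lower() == me and 0 < t.usd_value < DUST_USD:
        return "dust"
    return "no-indicator"

def classify_samples() -> list:
    usdt, fake = CANONICAL["USDT"], "0x" + "cc" * 20
    d = Decimal
    samples = [  # constructed records, one per technique plus a normal payment
        Transfer(STRANGER, usdt, "USDT", ME, STRANGER, d("0"), d("0")),
        Transfer(STRANGER, usdt, "USDT", STRANGER, ME, d("0.001"), d("0.001")),
        Transfer(STRANGER, fake, "USDT", STRANGER, ME, d("500"), d("0")),
        Transfer(PEER, usdt, "USDT", PEER, ME, d("250"), d("250")),
    ]
    return [classify(t) for t in samples]

if __name__ == "__main__":
    print(classify_samples())
```

A tag marks a transfer as matching one of the patterns, not as confirmed poisoning; dust in particular only becomes a strong signal when the sending address also resembles one you use.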
How to Identify Address Poisoning Attacks
Identifying poisoned addresses is not difficult — the key is developing correct operational habits. Here are the core detection principles:
Always Verify the Full Address
This is the most important and most effective safeguard. Do not just look at the first and last few characters. Before confirming a transfer, verify at least the first 10 and last 10 characters — ideally, check all 42 characters.
- Wrong approach: Seeing 0x1a2B...3c4D and assuming the address is correct
- Right approach: Comparing every segment of 0x1a2B7E8f9D...5A6b3c4D character by character
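The full-address comparison can be automated against a saved address book. The following is an added example, not code from the original article or from any wallet: it reports whether a candidate recipient is an exact match for a saved entry, a lookalike that shares only its first and last characters with one, or unknown. The function names, the 4-character threshold (the table's "First 4 + Last 4" row) and all addresses are constructed assumptions.

```python
import re

ADDR_RE = re.compile(r"0x[0-9a-fA-F]{40}")

def _shared(a: str, b: str) -> int:
    """Number of leading characters a and b have in common."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n

def check_recipient(candidate: str, address_book: dict, min_edge: int = 4):
    """Return (verdict, label); verdict is invalid/trusted/lookalike/unknown."""
    if not ADDR_RE.fullmatch(candidate):
        return ("invalid", None)          # truncated or malformed address
    # Letter case only encodes the checksum (not validated here), so the
    # comparison is done on lowercased hex.
    cand = candidate[2:].lower()
    best = ("unknown", None)
    for label, saved in address_book.items():
        ref = saved[2:].lower()
        if cand == ref:
            return ("trusted", label)     # all 40 hex characters match
        prefix = _shared(cand, ref)
        suffix = _shared(cand[::-1], ref[::-1])
        if prefix >= min_edge and suffix >= min_edge:
            best = ("lookalike", label)   # edges match, middle differs
    return best

def demo() -> list:
    # Constructed addresses for illustration only.
    saved = "0x" + "1a2B7E8f9D" + "0" * 22 + "5A6b3c4D"
    book = {"Exchange deposit": saved}
    candidates = [
        "0x" + saved[2:].upper(),                  # same address, other case
        "0x" + "1a2B7E" + "f" * 28 + "6b3c4D",     # first 6 and last 6 match
        "0x" + "9" * 40,                           # unrelated address
        "0x1a2B...3c4D",                           # truncated display form
    ]
    return [check_recipient(c, book) for c in candidates]

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```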
Never Copy Addresses from Transaction History
This cannot be stressed enough. Never copy an address from your wallet's transaction history for a new transfer. Transaction history is the primary battlefield for poisoning attacks — it is exactly what the attacker wants you to use.
Correct address sources include:
- Your wallet's built-in address book or contacts feature
- The deposit address page on the exchange's official website (re-fetch it each time)
- Previously verified addresses that have been securely saved
Watch for Unusual Small Incoming Transfers
If you suddenly receive a tiny token transfer from an unfamiliar address (especially stablecoins like USDT or USDC), and that address closely resembles one of your frequently used transaction addresses — this is almost certainly a poisoning attack.
Use the ScamLens Address Checker
Before making large transfers, use the ScamLens crypto address checker to look up the safety status of the target address. ScamLens integrates security databases including GoPlus, Etherscan, and OpenSanctions, providing instant identification of known malicious and suspicious addresses.
Additionally, ScamLens offers a dedicated address poisoning detection feature that can analyze whether an address was created via a vanity address generator for poisoning purposes and provide a risk assessment report.
Comprehensive Prevention Measures
Use Your Wallet's Address Book
Virtually all major wallets offer an address book or contacts feature. The first time you transfer to a new address, after confirming it is completely correct, save it to your address book with a clear label (e.g., "Binance withdrawal address" or "Friend A's ETH address"). All subsequent transfers should be initiated from the address book, never from transaction history.
Enable Whitelisting
Most centralized exchanges (such as Binance, OKX, and Coinbase) offer a withdrawal whitelist feature:
- Once enabled, you can only withdraw to pre-approved addresses
- Adding a new whitelisted address typically requires email and 2FA verification, plus a 24-hour cooling period
- Even if your account is compromised, the attacker cannot immediately withdraw funds to an unknown address
This is one of the most effective measures against address poisoning and other address spoofing attacks.
Send a Test Transfer First
Before making a large transfer to a new address, send a tiny amount first (e.g., 1 USDT) as a test. After confirming the recipient received it and everything checks out, proceed with the full transfer. Yes, you will pay an extra gas fee — but it is negligible compared to the potential loss.
Extra Protection with Hardware Wallets
If you use a hardware wallet like Ledger or Trezor, always verify the full address character by character on the hardware wallet's screen when confirming a transaction, rather than relying solely on what your computer screen shows. The hardware wallet's physical display is not susceptible to malware, making it the most reliable source for address verification.
Use ENS and Other Domain Name Systems
The Ethereum Name Service (ENS) lets you map a complex 42-character address to a readable name (e.g., alice.eth). Sending to alice.eth is much less error-prone than sending to 0x1a2B7E8f.... However, when using ENS, always confirm that the resolved address is correct.
Wallet Security Features
In response to the rising tide of address poisoning attacks, major wallets and blockchain explorers have rolled out protective measures:
MetaMask
- Since late 2023, automatically flags suspicious zero-value transfers in transaction history
- Displays warnings for new addresses that closely resemble the user's historical transaction addresses
- Users can enable "Hide zero-value token transfers" in settings
Trust Wallet
- Built-in transaction history filtering allows users to hide suspicious small and zero-value transfers
- Flags and filters fake token transfers from known malicious contracts
Etherscan
- Adds "Warning: Address Poisoning" labels to zero-value transfers and known poisoning transactions in the transaction list
- Offers a "Hide zero-value transfers" filter option
- Highlights suspicious addresses with similar first and last characters
OKX Web3 Wallet
- Integrates an address risk detection API that automatically checks the recipient address when users fill it in
- Displays a prominent interception warning for addresses flagged as high-risk
Note: Even if your wallet already has these protective features, do not rely on them entirely. Security tools reduce risk, but building correct operational habits is your most fundamental line of defense.
What to Do If You Are a Victim
If you have fallen victim to an address poisoning attack, take these steps immediately:
1. Assess the Damage
- Check the transaction details on a blockchain explorer (Etherscan, BscScan, etc.)
- Trace the fund flow to determine whether the assets have been moved
- Record all relevant transaction hashes
2. Contact the Exchange Immediately
If the funds were sent to a centralized exchange address:
- Contact the exchange's customer support and security team immediately
- Provide complete transaction evidence and a description of what happened
- Request that the funds in the involved address be frozen
- Some exchanges can intercept funds before they are withdrawn
3. Use ScamLens Fund Tracing
The ScamLens crypto fund tracing service provides professional on-chain fund flow analysis, supporting 18 blockchains including Ethereum, BSC, and Tron. The system automatically traces every address the funds pass through, identifies exchange deposit addresses, mixers, cross-chain bridges, and other critical nodes, and generates a forensic report that can be submitted to law enforcement.
4. Report to the Community
- Report the malicious address on ScamLens to help other users avoid the same trap
- Post warnings on relevant communities (Twitter/X, Discord, Telegram groups)
- Report the address to the wallet development team
5. File a Report with Law Enforcement
- File a report with your local cybercrime or law enforcement agency
- Prepare a complete evidence chain: transaction record screenshots, blockchain explorer links, fund flow diagrams
- For significant losses, you can also report to national fraud centers (e.g., FBI IC3 in the US, Action Fraud in the UK)
Key Takeaways
Address poisoning is a low-tech, high-reward scam that exploits human habits. Defending against it does not require deep technical knowledge — just a few simple but critical operational habits:
- Never copy addresses from transaction history — this is the sole entry point for poisoning attacks
- Save verified addresses in your address book — initiate all transfers from the address book
- Send a test transfer before large transactions — an extra gas fee is far cheaper than losing everything
- Verify the full address, not just the first and last characters — check at least the first 10 and last 10
- Enable exchange whitelisting — systematically eliminate the possibility of sending to unknown addresses
- Use security tools for verification — ScamLens lets you quickly verify address safety before transferring
In the world of cryptocurrency, every transaction is irreversible. Taking 30 seconds to carefully verify an address could save you tens or even hundreds of thousands of dollars. Good security habits are not a burden — they are your most important safeguard in the decentralized world.