Every time you send cryptocurrency, you trust a 42-character hexadecimal address to be correct. Most people don’t read every character — they check the first few and last few and click send. Address poisoning exploits exactly this behavior, and it has cost victims hundreds of millions of dollars.
This guide breaks down how the attack works, shows real examples, and gives you a practical defense checklist.
BLUF: Address poisoning sends fake transactions from look-alike addresses so the scammer’s address appears in your transaction history. When you copy-paste from history, you grab the fake address and send funds to the scammer. Defense: never copy-paste addresses from transaction history. Use an address book or ENS names instead.
The Attack Step by Step
Phase 1: Surveillance
The attacker watches the blockchain for your wallet’s outgoing transactions. They’re looking for addresses you frequently send to — typically:
- Exchange deposit addresses (Binance, Coinbase, Kraken)
- Other wallets you own (transfers between your own accounts)
- Payment recipients (merchants, friends)
Phase 2: Vanity Address Generation
The attacker generates a wallet address that matches the first 6 and last 4 characters of your target address:
Your real exchange address: 0xa0b1...c2d3E4f5
Attacker's vanity address:  0xa0b1...9f8aE4f5
                            ^^^^^^       ^^^^
First 6 and last 4 characters match; only the middle differs.
Using tools like profanity2, generating an address with matching prefix and suffix takes seconds on a modern computer.
Phase 3: The Poison Transaction
The attacker sends a tiny or zero-value transaction (usually USDT, since it supports 0-value transfers) from the vanity address to your wallet. This makes the vanity address appear in your transaction history alongside the legitimate address.
Phase 4: The Trap
Days or weeks later, you want to send funds to your exchange. You open your wallet, scroll through transaction history, find the address that looks right, copy it, and paste it into the send field. But you copied the poison address — the one the attacker controls.
Your funds go to the attacker. Permanently.
Real-World Examples
The $68 Million WBTC Loss (2024)
A victim intended to send WBTC to their deposit address on an exchange. They copied the recipient address from their transaction history — but it was a poisoned address. $68 million in WBTC was sent to the scammer. The funds were laundered through mixers and cross-chain bridges within hours.
Systematic Campaigns
Blockchain security firms have identified organized address poisoning campaigns targeting wallets with balances over $1 million. Attackers use automated tools to:
- Monitor all outgoing transactions from high-value wallets
- Generate matching vanity addresses automatically
- Send poison transactions in bulk
- Wait for victims to make copy-paste mistakes
Why It Works So Well
Visual Similarity
Human eyes are bad at comparing long hex strings. Take these two addresses:
0x4D3a...B6e7c89f01
0x4D3a...B6e7c89fO1
One uses the digit 0, the other uses the letter O. Even careful users miss this in a quick glance.
Transaction History Trust
Users inherently trust their own transaction history. “I sent to this address before, so it must be safe” — but the poison transaction creates a false entry that looks identical to your legitimate transactions.
Zero-Value Transfers
ERC-20 tokens like USDT support 0 value transfers. The poison transaction costs the attacker only gas (a few cents), but creates a permanent entry in your transaction history.
Defense Checklist
Rule 1: Never Copy-Paste from Transaction History
This single rule prevents 100% of address poisoning attacks. Get your destination address from:
- The exchange’s deposit page (fresh copy every time)
- Your wallet’s address book
- A trusted contact (verified through a separate channel)
Rule 2: Use an Address Book
Set up labeled entries for every address you frequently send to:
| Label | Address |
|---|---|
| Binance Deposit | 0x1234… (saved, verified) |
| My Hardware Wallet | 0x5678… (saved, verified) |
| Alice | 0xabcd… (saved, verified) |
Select from the address book instead of copy-pasting.
Rule 3: Verify with ENS
ENS names (alice.eth) are human-readable and essentially impossible to spoof in the same way. If your recipient has an ENS name, use it.
Rule 4: Test Transactions
For large transfers, send a minimal test amount first:
- Send 0.01 ETH to the address
- Confirm it arrives at the correct destination
- Then send the full amount
The extra gas cost is trivial insurance against a $68 million mistake.
Rule 5: Read the Full Address
If you must copy-paste, check at least 10-12 characters in the middle of the address — not just the first and last few. Address poisoning only matches the extremes.
How to Check if You’ve Been Targeted
- Open your wallet on Etherscan
- Check incoming transactions for zero-value or tiny token transfers
- Look for addresses that resemble your frequent contacts
- If you find any — mark them, never use them, and set up an address book to avoid copy-paste entirely
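An added example (not code from the original article) that turns the check above and Rule 5 into code: it scans a transfer history for senders that share a trusted address's first 6 and last 4 characters without being that address, and compares a pasted address in full rather than by its ends. The address-book entry, the poison address and the history records are constructed for illustration, not real.

```python
import re

# Ethereum address shape: "0x" followed by 40 hex digits. Hex letters are compared
# case-insensitively because EIP-55 mixed case is only a checksum, not a different address.
ADDRESS_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")

def normalize(addr: str) -> str:
    """Reject anything that is not a well-formed address, then lower-case it."""
    if not ADDRESS_RE.match(addr):
        raise ValueError(f"not a well-formed address: {addr!r}")
    return addr.lower()

def is_lookalike(candidate: str, trusted: str, prefix: int = 6, suffix: int = 4) -> bool:
    """The poisoning pattern: same first `prefix` and last `suffix` characters as a
    trusted address, but not actually the same address."""
    c, t = normalize(candidate), normalize(trusted)
    return c != t and c[:prefix] == t[:prefix] and c[-suffix:] == t[-suffix:]

def exact_match(pasted: str, trusted: str) -> bool:
    """Rule 5 as code: all 40 hex digits must agree, not just the extremes."""
    return normalize(pasted) == normalize(trusted)

def scan_history(transfers, trusted):
    """Flag incoming transfers whose sender is a look-alike of an address-book entry.
    `transfers`: dicts with from/token/value, as an explorer export would list them.
    `trusted`: label -> address, i.e. your address book."""
    flagged = []
    for tx in transfers:
        for label, good in trusted.items():
            if is_lookalike(tx["from"], good):
                flagged.append({"from": tx["from"], "mimics": label,
                                "token": tx["token"], "value": tx["value"]})
    return flagged

# Constructed sample data (not real addresses or transactions).
ADDRESS_BOOK = {"Binance Deposit": "0xa0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9"}
# Same first 6 and last 4 characters as the address-book entry, different middle.
POISON = "0xa0b19f8e7d6c5b4a39281706f5e4d3c2b1a0a8b9"
HISTORY = [
    {"from": ADDRESS_BOOK["Binance Deposit"], "token": "ETH", "value": 0.5},
    {"from": POISON, "token": "USDT", "value": 0},          # the poison transaction
    {"from": "0x1111111111111111111111111111111111111111", "token": "USDT", "value": 25.0},
]

if __name__ == "__main__":
    for hit in scan_history(HISTORY, ADDRESS_BOOK):
        print(f"look-alike of '{hit['mimics']}': {hit['from']} ({hit['value']} {hit['token']})")
    # Pasting the poison address fails a full comparison even though the ends match.
    print("full match:", exact_match(POISON, ADDRESS_BOOK["Binance Deposit"]))
```

Real input would be the sender, token and value columns of an explorer's transfer export for your wallet.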
Frequently Asked Questions
Q: I see a 0 USDT transfer from an unknown address. Did I lose money? A: Not yet. The poison transaction doesn’t steal anything — it just plants the address in your history. As long as you don’t copy-paste from history, you’re safe. Ignore it and use your address book.
Q: Can address poisoning affect hardware wallets? A: The attack targets behavior, not wallet type. If you copy a poisoned address into your wallet software and approve the transaction on your hardware device, the attack succeeds. Always verify the full address shown on the hardware device screen.
Q: Should I move all my funds to a new wallet if I’ve been targeted? A: Not necessary. Address poisoning doesn’t compromise your wallet — it only places look-alike addresses in your history. Changing behavior (not copy-pasting from history) is sufficient. But if you’ve already sent funds to a poison address, those funds are gone.
Q: Do exchanges warn about address poisoning? A: Some exchanges now show warnings when deposit addresses are accessed. But the responsibility ultimately falls on the sender. No exchange will reimburse funds sent to the wrong address.