Address Poisoning

Security Updated Jun 2026

What is Address Poisoning?

Address poisoning is a social engineering attack where a scammer creates a wallet address that looks almost identical to one you’ve previously sent funds to. They send a tiny transaction (usually 0 USDT or a negligible amount) from this fake address to your wallet. When you later copy the recipient address from your transaction history, you paste the scammer’s address instead of the real one.

The attack exploits a simple human limitation: most people don’t read every character of a 42-character hexadecimal address. They recognize the first few and last few characters and assume it’s correct.

How Address Poisoning Works

1. Scammer monitors the blockchain for your transactions
2. They identify an address you frequently send to (e.g., your exchange deposit address)
3. They generate a vanity address matching the first 6 and last 4 characters
4. They send a 0-value transaction FROM the fake address TO your wallet
5. The fake address now appears in your transaction history
6. Next time you copy-paste the address from history, you grab the fake one
7. Your funds go to the scammer

The Vanity Address Trick

Ethereum addresses are 42 characters (including 0x). Generating an address with matching first 6 and last 4 characters takes only seconds using tools like profanity2. The full address is completely different in the middle, but quick visual inspection misses this.

Red Flags

| Red Flag | Why It Matters |
| --- | --- |
| Tiny or zero-value transactions from unknown addresses | Classic poisoning setup — the sender wants to appear in your history |
| Two addresses in your history with similar prefixes/suffixes | One is real, one is fake — verify carefully |
| An address you don’t recognize sending you tokens | Never interact with unsolicited token transfers |

How to Protect Yourself

1. Never Copy-Paste from Transaction History

This is the single most important rule. Always copy the destination address from your trusted source — your exchange’s deposit page, your address book, or a verified contact.

2. Use an Address Book

Most modern wallets (MetaMask, Rabby, Frame) support address books. Save frequently used addresses with labels. Select from the address book instead of copy-pasting.

3. Check the Full Address

Don’t just check the first and last few characters. Use a checksum verification tool or compare at least 10-12 characters in the middle.

4. Send a Test Transaction First

For large transfers, send a small test amount first and confirm it arrives at the correct destination before sending the full amount.

5. Use ENS or Other Name Services

vitalik.eth is easier to verify than 0xd8dA6BF26964aF9D7eEd9e03E53415D37aA96045. Use ENS names where possible — they’re human-readable and much harder to spoof.
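The red flags above and protection steps 1 to 3 combined into one check, as an added example that is not code from the original page: it compares a wallet's incoming history against an address book, flags senders that copy the first 6 and last 4 hex characters of a trusted address, flags zero-value transfers from unknown senders, and reports the first position where a full character-by-character comparison diverges. Every address and history entry below is constructed.

```python
import re

HEX_ADDR = re.compile(r"^0x[0-9a-fA-F]{40}$")

# Constructed sample values (not real addresses): the trusted deposit address
# and a lookalike that copies its first 6 and last 4 hex characters.
TRUSTED = "0x1234567890abcdef1234567890abcdef12345678"
FAKE = "0x123456deadbeefdeadbeefdeadbeefdeadbe5678"

ADDRESS_BOOK = {"exchange deposit": TRUSTED}  # label -> trusted address

# Constructed sample of incoming transfers as a wallet history might list them.
HISTORY = [
    {"from": TRUSTED, "value": 1.5, "token": "ETH"},
    {"from": FAKE, "value": 0.0, "token": "USDT"},  # the poisoning transaction
    {"from": "0x1111111111111111111111111111111111111111", "value": 0.2, "token": "ETH"},
]


def normalize(addr):
    """Validate shape and lower-case so mixed-case (EIP-55) addresses compare equal."""
    if not HEX_ADDR.match(addr):
        raise ValueError(f"not a 20-byte hex address: {addr}")
    return addr.lower()


def first_mismatch(a, b):
    """Index of the first differing character, or -1 if the full addresses match."""
    a, b = normalize(a), normalize(b)
    return next((i for i, (x, y) in enumerate(zip(a, b)) if x != y), -1)


def is_lookalike(candidate, trusted, prefix=6, suffix=4):
    """True if candidate shows the same visible ends as trusted but is a different address."""
    c, t = normalize(candidate), normalize(trusted)
    # prefix is counted after "0x", matching how people eyeball addresses
    return c != t and c[2:2 + prefix] == t[2:2 + prefix] and c[-suffix:] == t[-suffix:]


def flag_history(history, address_book):
    """Return (sender, reason) pairs for history entries that match the red flags."""
    trusted = {normalize(a): label for label, a in address_book.items()}
    flags = []
    for tx in history:
        sender = normalize(tx["from"])
        if sender in trusted:
            continue  # a known, full-address match is not suspicious
        for t_addr, label in trusted.items():
            if is_lookalike(sender, t_addr):
                pos = first_mismatch(sender, t_addr)
                flags.append((tx["from"], f"lookalike of '{label}', differs from char {pos}"))
        if tx["value"] == 0:
            flags.append((tx["from"], "zero-value transfer from unknown sender"))
    return flags
```

Running `flag_history(HISTORY, ADDRESS_BOOK)` reports the lookalike twice, once for copying the visible ends of the deposit address and once for the zero-value transfer, while the unrelated 0.2 ETH sender is left alone.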

Address Poisoning vs Dusting Attack

| Aspect | Address Poisoning | Dusting Attack |
| --- | --- | --- |
| Goal | Trick you into sending funds to wrong address | De-anonymize you by linking wallets |
| Method | Fake address mimicking your contacts | Tiny amounts sent to many wallets |
| Danger | Direct financial loss | Privacy violation |
| Prevention | Address book + full verification | Use mixer or new wallet |

Frequently Asked Questions

Q: I received a 0 USDT transfer from an unknown address. Am I hacked?
A: Not necessarily hacked, but you’ve been targeted. The scammer is trying to poison your transaction history. Do not interact with the address, and never copy-paste addresses from your transaction history.

Q: Can address poisoning work on hardware wallets?
A: Yes, if you copy-paste the address from transaction history into the send field. The hardware wallet will display the address on its screen — always verify the full address shown on the device before confirming.

Q: How much can address poisoning attacks steal?
A: Victims have lost millions. In one notable case in 2024, a user lost $68 million in WBTC after copying a poisoned address from their transaction history.

Q: Does using a fresh wallet prevent address poisoning?
A: A new wallet has no transaction history, so there’s nothing to poison. But once you start transacting, you become a potential target. The best defense is behavioral — never copy-paste from history.