Address Poisoning
What is Address Poisoning?
Address poisoning seeds a victim's transaction history with attacker-controlled lookalike addresses so they later copy-paste the wrong one and send funds to the attacker.
In an address-poisoning scam, attackers generate vanity addresses whose first and last characters match an address the victim has recently interacted with. They then send a zero-value transfer or tiny token transfer from that lookalike to the victim, so it appears in their wallet history. Later, when the victim copies an address from history rather than from a trusted source, they may paste the attacker's address and authorize a transfer. The technique was widely abused throughout 2022 to 2024 and has caused multi-million-dollar losses on Ethereum and BSC. Defences include never copying addresses from transaction history and using contact books, ENS, or hardware-wallet on-device address verification.
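A defender-side check for the pattern described above, as an added example that is not part of the original page: it flags zero-value or tiny incoming transfers whose sender matches the first and last characters of an address the wallet has actually paid, and gates a destination against a contact book before sending. The 4-character comparison window, the dust threshold, all function names and the sample addresses are assumptions constructed for illustration.

```python
from dataclasses import dataclass

PREFIX_LEN = 4           # leading hex chars compared (assumed wallet truncation)
SUFFIX_LEN = 4           # trailing hex chars compared (assumed wallet truncation)
DUST_THRESHOLD = 10_000  # base units treated as "tiny" (assumption)

@dataclass(frozen=True)
class Transfer:
    sender: str
    recipient: str
    amount: int  # token base units

def norm(addr: str) -> str:
    """Lowercase and drop the 0x prefix so checksum casing cannot hide a match."""
    return addr.lower().removeprefix("0x")

def looks_like(candidate: str, known: str) -> bool:
    """True when the visible ends match but the full addresses differ."""
    c, k = norm(candidate), norm(known)
    return c != k and c[:PREFIX_LEN] == k[:PREFIX_LEN] and c[-SUFFIX_LEN:] == k[-SUFFIX_LEN:]

def find_poisoning(wallet: str, history: list[Transfer]) -> list[tuple[Transfer, str]]:
    """Pair each zero/tiny incoming transfer with the paid counterparty it imitates."""
    w = norm(wallet)
    paid = {norm(t.recipient) for t in history
            if norm(t.sender) == w and t.amount > DUST_THRESHOLD}
    return [(t, "0x" + k) for t in history
            if norm(t.recipient) == w and t.amount <= DUST_THRESHOLD
            for k in sorted(paid) if looks_like(t.sender, k)]

def check_destination(dest: str, contacts: list[str]) -> str:
    """Pre-send gate: 'ok' for a contact, 'lookalike' for an imitation, else 'unknown'."""
    if any(norm(dest) == norm(c) for c in contacts):
        return "ok"
    if any(looks_like(dest, c) for c in contacts):
        return "lookalike"
    return "unknown"

# Constructed sample data: none of these are real addresses.
WALLET = "0x" + "77" * 20
LEGIT = "0xA1b2" + "11" * 16 + "C3d4"
LOOKALIKE = "0xa1b2" + "ee" * 16 + "c3d4"
OTHER = "0x" + "99" * 20
HISTORY = [
    Transfer(WALLET, LEGIT, 50_000_000_000),  # genuine payment
    Transfer(LOOKALIKE, WALLET, 0),           # zero-value poisoning entry
    Transfer(OTHER, WALLET, 0),               # zero-value, but no resemblance
    Transfer(OTHER, WALLET, 5_000_000),       # ordinary incoming payment
]
```

Calling `find_poisoning(WALLET, HISTORY)` returns the single zero-value entry from `LOOKALIKE`, paired with the genuine counterparty it imitates; a wallet UI could hide or label such entries instead of offering them for copy.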
● Examples
- 01: A user pastes an attacker's lookalike address copied from recent history and loses 50,000 USDT.
- 02: An attacker poisons many wallets that recently used a specific bridge contract.
● Frequently asked questions
What is Address Poisoning?
Address poisoning seeds a victim's transaction history with attacker-controlled lookalike addresses so they later copy-paste the wrong one and send funds to the attacker. It belongs to the Web3 & Blockchain category of cybersecurity.
How does Address Poisoning work?
In an address-poisoning scam, attackers generate vanity addresses whose first and last characters match an address the victim has recently interacted with. They then send a zero-value transfer or tiny token transfer from that lookalike to the victim, so it appears in their wallet history. Later, when the victim copies an address from history rather than from a trusted source, they may paste the attacker's address and authorize a transfer. The technique was widely abused throughout 2022 to 2024 and has caused multi-million-dollar losses on Ethereum and BSC. Defences include never copying addresses from transaction history and using contact books, ENS, or hardware-wallet on-device address verification.
How do you defend against Address Poisoning?
Defences for Address Poisoning typically combine technical controls and operational practices: never copying addresses from transaction history, and using contact books, ENS, or hardware-wallet on-device address verification.
What are other names for Address Poisoning?
Common alternative names include wallet address poisoning and vanity-address phishing.
● Related terms
- Permit2 Phishing (web3, № 816): Permit2 phishing tricks an Ethereum user into signing a Uniswap Permit2 off-chain message that grants an attacker the right to transfer the victim's ERC-20 tokens.
- Clipboard Hijacker (web3, № 181): A clipboard hijacker (crypto clipper) is malware that watches the OS clipboard and silently substitutes a victim's copied cryptocurrency address with one controlled by the attacker.
- Dust Attack (web3, № 365): A dust attack sends tiny amounts of cryptocurrency to many wallets so that, when the recipients later spend the dust, on-chain analysts can cluster and de-anonymize the addresses.
- Phishing (attacks, № 821): A social-engineering attack in which an attacker impersonates a trusted party to trick a victim into revealing credentials, transferring money, or running malware.
- Social Engineering (attacks, № 1065): The psychological manipulation of people into performing actions or disclosing confidential information that benefits an attacker.