
Address poisoning: what it is and how to defend against it

October 15, 2025


The core philosophy of the Web3 world, practically embodied by the concepts of decentralisation and disintermediation, dictates that the user is solely responsible for the custody and management of their funds. For this very reason, security has always been one of the most critical and sensitive topics.

In this deep dive, we’ll explain what address poisoning is, how its attack mechanism works, and what concrete strategies you can adopt to defend yourself against one of the most subtle and widespread threats to cryptocurrency users.

What is address poisoning, and how does it work

Address poisoning is a sophisticated social engineering scam that aims to intercept cryptocurrency transactions between two or more users. The goal is to trick the user into sending their funds to an incorrect address, which is, of course, controlled by the attacker.

To achieve this, the attacker exploits our common habit of copying and pasting addresses from the transaction history and only checking the initial and final characters to verify their authenticity. Due to its ease of execution, the aggressor’s complete anonymity, and the difficulty of recognition by users, address poisoning is currently one of the most prevalent attacks within the Web3 ecosystem.

Data and spread: the scope of the threat

Address poisoning, despite being a low-cost attack for the aggressor (who only spends the gas fees for the malicious transaction), can have a devastating financial impact on the victim.

Recent research conducted on major blockchains has revealed the vast scope of these attacks:

  • Volume of attacks: Over 270 million address poisoning attempts were identified over a period of about two years, targeting millions of victim wallets.
  • Most affected Blockchains: The prevalence of attacks is particularly high on chains with lower transaction fees. This makes the attack cheap to execute on a massive scale, amplifying the phenomenon.
  • Financial Losses: Confirmed global losses due to this scam exceed $83 million, with some analyses estimating a potential overall damage of up to $144 million, making address poisoning one of the most profitable attacks in the crypto landscape.
  • Target: Aggressors primarily focus on users with high balances or those who make frequent transactions, thereby increasing the statistical probability of the attack’s success.

These alarming figures make it necessary for users to study and adopt adequate countermeasures. The attack skillfully exploits distraction in the management of digital wallet addresses, making personal vigilance the most effective defence.

Attack mechanism: spoofing

Technically, address poisoning is an attack that falls squarely into the category of high-precision spoofing. Spoofing is a social engineering technique where the aggressor falsifies their credentials or identity—in this case, the sender’s address—to appear as a trusted entity.

In the context of address poisoning, the attack focuses on visual deception within the victim’s transaction history. The attacker creates a fake address that imitates a familiar one, and the user sends funds to it, believing they are sending them to an address already known to them.

The complete operational process behind address poisoning can be described as follows:

  1. Target identification: The attacker first monitors the victim’s recent transactions and identifies a legitimate and frequently used address (for example, an exchange or another of the victim’s own wallets).
  2. Fictitious address generation (Vanity Address): Using specific software, the aggressor creates a new wallet that they control. These tools generate private keys via brute force until the resulting public address shares a particular sequence of characters with the legitimate address, focusing on the first and last characters. For example, if the correct address is 0xDeaD…fACe, the attacker aims to create one of their own, such as 0xDeaB…faCe.
  3. The Poisoning: Once the “bait” address is generated, the attacker sends a zero-value transaction to the victim’s address, thereby making this fake wallet appear in the victim’s history.
  4. The Deception: When the user consults their history in the future to retrieve the address to send funds to, they will find the scammer’s address (0xDeaB…faCe), which is visually almost indistinguishable from the legitimate one (0xDeaD…fACe). The attacker counts on our superficial verification (only the first and last characters) and excessive reliance on history.

As soon as the victim copies the fraudulent address and authorises the transaction to it, the funds are transferred to the attacker’s wallet, resulting in the definitive loss of access to the funds, given the intrinsically irreversible nature of blockchain operations.

How to defend yourself: essential security strategies

Address poisoning relies on human error, exploiting the user’s distraction or excessive trust. Therefore, the most effective defence consists of adopting a methodical approach and exercising maximum attention in every single transaction. Protecting yourself from this type of attack requires a change in habits and a more critical attitude towards transaction history.

Here is a brief list of fundamental practices to follow before approving any operation via your digital wallets:

  • Check the Entire Address: This is the golden rule. Attackers often create addresses with prefixes and suffixes identical to the real ones. It is therefore essential to take the necessary time to verify every single character of the destination address.
  • Avoid Copy-Pasting from History: One of the riskiest behaviours is copying an address directly from the list of recent transactions. The destination address must always be obtained from the original and verified source, such as the recipient’s wallet’s “Receive” section.
  • Perform a Test Transaction for High Amounts: For substantial sums, it is advisable to first send a minimum amount (e.g., $1) as a test. After verifying that the funds have been received correctly, you can proceed with the principal amount. The additional cost of the double gas fee is a small price to pay to ensure security. Note: Even in this case, checking the entire address remains a mandatory step. Attackers are becoming increasingly fast and precise; even a few seconds’ interval between a test transaction and the actual one can represent a risk.
  • Use Whitelists or Trusted Address Books: As an alternative to this double-check process, you can adopt whitelists or address books for your most frequently used contacts. By verifying an address once and confirming its absolute correctness, you can save it permanently in your address book. This way, when initiating future transactions, you can retrieve the address directly from this secure address book, effectively making the operations immune to any address poisoning attempt or visual deception.
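
The full-address check and the trusted address book from the list above, together with detection of the zero-value "bait" transfer described in the attack steps, as an added Python example (not code from the original article). It assumes EVM-style addresses (0x followed by 40 hex characters); the threshold MIN_SHARED, the function names and all addresses and transactions are constructed for illustration.

```python
import re

ADDR_RE = re.compile(r"0x[0-9a-fA-F]{40}")
MIN_SHARED = 6  # assumed threshold: matching leading + trailing hex characters

def normalize(addr):
    """Validate and lowercase; hex case carries only a checksum, not identity."""
    if not ADDR_RE.fullmatch(addr):
        raise ValueError(f"not a 0x-prefixed 20-byte address: {addr!r}")
    return addr.lower()

def shared_edges(a, b):
    """Count matching leading and trailing characters of two normalized addresses."""
    a, b = a[2:], b[2:]
    pre = next((i for i in range(40) if a[i] != b[i]), 40)
    suf = next((i for i in range(40) if a[-1 - i] != b[-1 - i]), 40)
    return pre, suf

def classify(dest, address_book):
    """Return ('trusted', label), ('lookalike', label) or ('unknown', None)."""
    d = normalize(dest)
    lookalike = None
    for label, known in address_book.items():
        k = normalize(known)
        if d == k:
            return ("trusted", label)  # all 40 characters match
        if sum(shared_edges(d, k)) >= MIN_SHARED:
            lookalike = label  # same visible ends, different middle
    return ("lookalike", lookalike) if lookalike else ("unknown", None)

def flag_poisoning(history, address_book):
    """List inbound zero-value transfers whose sender imitates a saved contact."""
    flagged = []
    for tx in history:
        verdict, label = classify(tx["from"], address_book)
        if tx["value"] == 0 and verdict == "lookalike":
            flagged.append((tx["from"], label))
    return flagged

# Constructed sample data (not real addresses or transactions).
BOOK = {"exchange-deposit": "0xDeaD" + "12" * 16 + "fACe"}
FAKE = "0xDeaB" + "9c" * 16 + "faCe"
HISTORY = [
    {"from": BOOK["exchange-deposit"], "value": 5 * 10**17},  # genuine payment
    {"from": FAKE, "value": 0},                               # poisoning attempt
    {"from": "0x" + "77" * 20, "value": 0},                   # unrelated sender
]

if __name__ == "__main__":
    print(classify(FAKE, BOOK), flag_poisoning(HISTORY, BOOK))
```

Only a "trusted" verdict means the destination matches a saved address on every character; a "lookalike" verdict is the case in which a check limited to the first and last characters would have passed.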

Adopting these security measures should be enough to avoid falling victim to what is now one of the most common and insidious attacks in the sector.

Conclusion: The responsibility for security in Web3

The blockchain is an immutable and almost impossible-to-compromise ledger, but the human mind remains the weakest link. These scams exploit haste and excessive reliance on shortcuts to trick us into making costly and, above all, irreversible mistakes.

Address poisoning is a subtle attack, but it is also highly preventable with the right combination of attention and adequate tools. Getting into the habit of verifying the entire address and using whitelists is not just a simple recommendation but an essential operational practice in a world that places all the responsibility for operational security on the end-user.

In Web3, your security is in your hands. Don’t take anything for granted; always verify.

For more information, see the section dedicated to security: academy.youngplatform.com/en/tag/crypto-security/

Practical tips for your security in the crypto world: youngplatform.com/en/security/ 
