Address Poisoning Attacks: How They Scam Web3 Users

Crypto investors lost $3.1 billion in H1 2025 in various cryptocurrency hacks and scams, ranging from sophisticated methods to simpler ones that rely on the oldest of human weaknesses: deceit and human error.

Most Web3 scam losses involve phishing and social engineering tricks that activate wallet drainer malware, however there’s another very simple crypto deception trick that gets especially profitable when FOMO in bull markets make crypto users less diligent.

Address poisoning (also referred to in crypto as transaction poisoning) exploits Web3 user habits and a sense of familiarity when copying and pasting addresses. While other Web3 attack vectors try and exploit smart contract vulnerabilities, address poisoners deliberately plant lookalike wallet addresses to fool their victims into sending funds to a scam address.

Web3 security researchers over 2 years identified more than 270 million address poisoning attack attempts targeting over 17 million wallets, resulting in at least $83.8 million in losses across Ethereum and Binance Smart Chain (BSC).

In one of the biggest scams of 2024, a whale lost $68 million in wrapped Bitcoin (WBTC) to an address poisoning attack. Fortunately, the scammer returned the money, but not everyone gets lucky!

Source: X

At its core, this type of attack is a matter of wallet address manipulation. How does this happen? It follows a series of steps that can be identified and mitigated.

Source: Nano Banana

Attackers start by studying a victim’s transaction history and find the address(es) to target. Let’s use an example:

Original Ethereum Address:

0x742d35Cc6634C0532925a3b844Bc454e4638f44e

The poisoner next creates similar-looking crypto addresses with specialized software called vanity address generators. The fake address will usually have the same first few and last few characters, since many interfaces truncate addresses to those parts.

Scam Ethereum Address:
0x742d353D0000003002000003400003004438f44e

Once the attacker has a fake but lookalike address, they “poison” the transaction history by making tiny or dust transfers from that address to the victim’s wallet.

The transaction leaves a permanent trace on the blockchain and appears in the victim’s transaction history. It then blends in easily in the target’s activity history, especially when displayed in mobile wallets or browser extensions.

The final parts of the scam relies on simple human error. People make mistakes, and bad actors count on that. Later, the victim checks their transaction history, and copies and pastes what they think is their trusted address. They look the same, but they’re not.

Finally, the victim completes the rest of the transaction and unknowingly sends real funds to the attacker.
Cold facts: There is no wallet signature trickery involved. The transaction is fully valid and irreversible.

These attacks are not just random; they are systematic and large-scale. They are also very successful for many reasons. In short, address poisoning succeeds because it exploits normal user behavior like below, not technical vulnerabilities.

Most users assume that addresses in their transaction history are safe because they were “used before.” Attackers exploit this trust. Especially for high frequency transactions,users who make several transfers are prone to taking shortcuts, increasing their risk of relying on recent transaction history.

Let’s face it, hexadecimal wallet addresses are very long, and nearly impossible to remember or manually type for the average Joe or Jane. For simplicity, users prefer to copy and paste from their transaction history. This creates a loophole that allows attackers to embed a recently created fake wallet address for their own gain.

Most wallets truncate addresses, only displaying the beginning and ending numbers and letters. If those parts match, users rarely check the full 42-character string.

While transparency is a core tenet of blockchain, this also has its downside. All wallet activity is viewable on a public blockchain ledger such as Etherscan or Solscan.

This allows address poisoners to:

• Identify very active wallets
• See repeating transfer patterns
• Target users with high balances

Tech-savvy bad actors use sophisticated bots to poison thousands of wallets per hour across multiple blockchains at near-zero cost.

It makes sense that popular chains with a lot of stablecoin transfers will be the most prized targets since they are the most profitable for attackers. Crypto is a numbers game, and so are their scams.

Address poisoning works on any chain with a transparent transaction history, but it is most common on:

• Ethereum & Layer 2s (Base, Arbitrum, Optimism)
• Solana (increasing rapidly)
• BNB Chain
• Polygon
• Avalanche
• Tron (USDT transfers)

The best way to mitigate poisoning attempts is to shut the door that attackers can use to compromise your security.

You’ll need to be vigilant (friendly reminder: this is crypto!) and do your checks and balances to ensure that a compromised address is not lurking in your transaction history and taking that wallet balance down to zero.

Here are some address poisoning red flags to watch out for:

• Unexpected dust transactions - When a small and unknown transaction is sent to your wallet, always try to verify its origins. It may be a test transaction from someone you know, or the attacker may be injecting this fake address into your history to lay a future trap.

• Lookalike addresses: Watch out for addresses that look similar. Scammers generate addresses that mimic legitimate wallet addresses.

Here is what you can do to improve your Web3 security and save yourself the pain of being an address poisoning victim.

1. Don’t Trust, Verify

   Section titled “Don’t Trust, Verify”

• Users need to develop full-address verification habits, not just the first and last characters.
• Instead of pasting addresses from transaction history, whitelist ones you trust.
• Treat each new or unknown address as a potential threat until proven otherwise.

2. Use Automated, Real-Time Web3 Security Monitoring

   Section titled “Use Automated, Real-Time Web3 Security Monitoring”

Web3 threat detection requires state-of-the-art monitoring and blockchain analysis tools that can spot threats from miles away.

A top Web3 security tool like Kerberus provides 24/7 monitoring to detect malicious addresses and thwart poisoning attacks. Users can choose between a browser extension and API for protection.

3. Improve Your Web3 Wallet Hygiene

   Section titled “Improve Your Web3 Wallet Hygiene”

Web3 security requires users to be active, and not passive. Regularly update your Web3 wallet’s software and protect your private keys and seed phrases.

Use secure cold storage and multisig wallets. Enable all security features, such as biometric logins. You can never be too careful when it comes to your crypto asset protection.

4. Do a Test Run

   Section titled “Do a Test Run”

Send a minimum amount of crypto to an address before committing a larger amount. This test allows you to prevent a fake address attack.

5. Use ENS or SNS Domains

   Section titled “Use ENS or SNS Domains”

You can use an Ethereum Name Service (ENS) domain or Solana Name Service as a readable name for your wallet address, such as AliceBob.ETH. It can be memorized and makes it easier to pick out potential address poisoning threats. Of course, be aware that lookalike ENS addresses can also be created.

Kerberus’ Sentinel3 browser extension thwarts address poisoning attacks proactively with an automated, on-chain protection service that monitors and flags malicious activity. It has a 99.9% protection record since 2023, and offers up to $30,000 in coverage for Web3 transactions, unlike any of its competitors.

Unlike traditional methods that rely solely on user vigilance, the Kerberus solution uses a multi-layered approach:

• On-Chain Protection: Actively monitors your wallet addresses across multiple blockchains for address poisoning attempts.
• Real-time Detection: Automatically detects and blocks malicious Web3 sites used in these scams.
• Transaction Translation: Shows clear asset changes before you sign, helping you spot swapped destination addresses.
• Wallet Integration: Works independently in the background, adding security beyond traditional wallets.

• In May 2024, a crypto whale lost $68 million worth of Wrapped Bitcoin (WBTC) in a single transaction after being tricked by an address poisoning scam. The attacker mimicked the victim’s transaction history with a lookalike address, leading to a massive loss. All funds were eventually returned after bounty negotiations.
• In August 2025, a wave of address poisoning attacks caused over $1.6 million in losses within a week
• One campaign exposed more than 82,000 crypto wallets to address poisoning, with one user losing $57,000
• Multiple reports show thousands of smaller incidents occur regularly, with losses ranging from thousands to hundreds of thousands of dollars per case
• A Reddit thread detailed how one user lost $700k to address poisoning

Address poisoning is simple, but deadly.Follow the best practice tips in this guide to stay safe, by

• verifying your addresses before making transactions
• monitoring your wallet history for scam addresses
• using Web3 security tools like Kerberus to proactively protect you

And here’s an important rule of thumb to heed well: while tools like Kerberus can flag malicious intent, a blockchain cannot. It does what users instruct it to do, and there is no recourse or rollback if someone is tricked into routing their hard-earned cash straight into the pockets of scammers.

Immutability is a feature, not a bug. You are your own bank, and the responsibility in crypto starts and ends with you.