Cryptocurrencies have reshaped finance by giving users autonomy, transparency, and decentralization. Innovation brings risk, though, and the growing digital-asset landscape has attracted a wide range of threats. One of the newer ones is an insidious and deceptive scam known as address poisoning. It capitalizes on user-interface limitations and on the shortcuts people take, and it diverts funds to an address that has nothing to do with the intended transaction. In this article, we cover what address poisoning is, how it works in detail, real-world examples, why it succeeds, and most importantly, what you can do to protect yourself.
What Does Address Poisoning Mean?
Address poisoning is a scheme that tricks users into sending cryptocurrency to the wrong wallet address. It takes advantage of two things: the near-identical appearance of blockchain addresses that share a prefix and suffix, and the way crypto wallets display transaction history.
Scammers generate a wallet address that looks deceptively similar to one the user transacts with frequently. From that wallet they send zero-value transactions to the target's wallet so that the entries blend in with legitimate activity. The next time the user copies an address from their history, they may select the spoofed one.
Many crypto wallets (MetaMask and Trust Wallet, for example) show a truncated form of each address in the user's history, typically only the first 6-9 and the last 4-6 characters. That is what makes it so hard to tell a legitimate address from a spoofed one by eye. By poisoning the transaction history, the attacker bets that the user will eventually copy the wrong entry and send funds to the attacker's wallet instead of the real one.
How Address Poisoning Works: Steps
The scam is simple to run, which is part of why it is so common. It proceeds in four steps:
1. Scammer Creates a Similar Address
- The scammer creates a new wallet address that closely resembles the legitimate one. Vanity address generators do this by brute force: keys are generated until one yields an address with the desired prefix and suffix. Each additional matched hex character multiplies the work by 16, so matching the 6-10 characters a wallet displays is feasible, while matching all 40 is not.
- For example, if the real address is 0x1234abcd5678ef9012345678ef9012345678abcd, the criminal may create 0x1234abcd0000deadbeef0000cafe00005678abcd, because many people only check the start and end of an address.
2. Zero-Value Transaction Sent to Victim
- From the lookalike address the scammer sends the victim a zero-value transfer, often of a worthless or fake token. The transfer still appears in the wallet's activity tab.
- Because no value moves and the attacker, not the victim, pays the gas, the entry is easy to overlook when the user reviews their wallet. A common variant on ERC-20 tokens such as USDT calls transferFrom(victim, lookalike, 0): on most ERC-20 implementations a zero-amount transfer needs no allowance, so it succeeds and is logged as if the victim had sent tokens to the lookalike themselves, which makes the entry look like the victim's own outgoing transfer.
3. Poisoned Transaction History
- The spoofed entry now sits in the "Recent Transactions" list beside the genuine transfer it imitates, and because the two look alike in truncated form the difference goes unnoticed.
- Even if the victim looks at the address, the visible prefix and suffix match what they remember, so they assume it is the real one.
4. The User Accidentally Sends the Funds
- When the victim next needs to transfer funds, they copy the address from their transaction history. With the poisoned entry sitting at the top of the list and looking like the real one, the victim copies the poisoned address and uses it for the transaction.
- Once the transaction is confirmed, the funds are sent irreversibly to the scammer's wallet.
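The four steps above, as an added end-to-end simulation in Python (not code from the original article). The vanity search is shown as a plain brute force over random candidate addresses; a real attacker derives each candidate as keccak256(pubkey)[-20:] from a fresh secp256k1 key, and the random 20-byte stand-in used here (an assumption of this demo) has the same search statistics. The history entries, the deliberately short 2+2 match length and the function names are constructed for the demo.

```python
import random


def derive_address(rng):
    """Stand-in for the real derivation keccak256(pubkey)[-20:] of a fresh
    secp256k1 key.  Assumption: uniform random 20 bytes have the same
    prefix/suffix collision statistics, which is all the search needs."""
    return "0x" + rng.getrandbits(160).to_bytes(20, "big").hex()


def truncate(addr, head=6, tail=4):
    """The short form wallet activity lists show, e.g. 0x7a3c9e...2a4c."""
    return f"{addr[:2 + head]}...{addr[-tail:]}"


def looks_like(candidate, target, head, tail):
    """True when the two addresses are indistinguishable in truncated form."""
    return truncate(candidate, head, tail) == truncate(target, head, tail)


def expected_trials(head, tail):
    """Each extra matched hex digit multiplies the search by 16.  A 6+4
    match (typical wallet display) costs about 16**10, roughly 1.1e12
    tries, far cheaper than the 16**40 needed to forge the whole address."""
    return 16 ** (head + tail)


def find_lookalike(target, head, tail, rng, max_trials=5_000_000):
    """Brute-force a 'vanity' address that collides with target's short form.
    Returns (address, trials_used)."""
    for trials in range(1, max_trials + 1):
        cand = derive_address(rng)
        if cand != target and looks_like(cand, target, head, tail):
            return cand, trials
    raise RuntimeError("no lookalike found within max_trials")


def pick_from_history(history, me, short_form, head, tail):
    """Model the victim's shortcut: scan the activity list newest-first and
    copy the counterparty whose short form matches what they remember."""
    for entry in reversed(history):
        counterparty = entry["from"] if entry["to"] == me else entry["to"]
        if truncate(counterparty, head, tail) == short_form:
            return counterparty
    return None


def run_attack(seed=7, head=2, tail=2):
    """End-to-end simulation.  2+2 matched digits keeps it under a second;
    raise head/tail towards 6/4 to watch the trial count grow."""
    rng = random.Random(seed)
    victim = derive_address(rng)
    legit = derive_address(rng)  # e.g. the victim's cold wallet
    lookalike, trials = find_lookalike(legit, head, tail, rng)

    # Constructed history: one genuine 1 ETH send, then the poisoning
    # transfer: zero value, sent *to* the victim from the lookalike.
    history = [{"from": victim, "to": legit, "value": 10**18}]
    history.append({"from": lookalike, "to": victim, "value": 0})

    # The victim remembers "0x12...ab" and copies the newest entry that matches.
    chosen = pick_from_history(history, victim, truncate(legit, head, tail), head, tail)
    return {"legit": legit, "lookalike": lookalike, "trials": trials, "chosen": chosen}


if __name__ == "__main__":
    r = run_attack()
    print("legit     ", r["legit"])
    print("lookalike ", r["lookalike"], f"(found after {r['trials']} tries)")
    verdict = "-> funds go to the attacker" if r["chosen"] == r["lookalike"] else ""
    print("victim copies", r["chosen"], verdict)
    print("cost of a 6+4 match:", f"{expected_trials(6, 4):.2e} candidate keys")
```

The number printed by expected_trials is why GPU vanity-address tools are attractive to attackers and why only a full 40-character comparison, never the truncated form, can tell the two addresses apart.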
Real-World Use Cases
Case Study 1: Ethereum Wallet Scam (2023)
A user regularly transferred ETH to their Ledger hardware wallet. One day they copied an address from their transaction history and sent 2.5 ETH, only to realize afterwards that the middle of the address differed from their hardware wallet's. The address had been poisoned weeks earlier by a scammer who sent a fake ERC-20 token from it.
Case Study 2: Token Swaps on DEXs
Scammers also target users who perform token swaps, sending them zero-value tokens with names like "USDT Pro" or "TetherX" from addresses made to look like official liquidity pools or token contracts. Users who transact through the spoofed pools lose their assets.
Case Study 3: Business Wallets
The treasurer of a DeFi project sent 5,000 USDC to what they thought was a cold-storage wallet after copying an address from their MetaMask transaction history. The funds went to a lookalike address that the attacker had injected into the history.
Why Address Poisoning Works
Address poisoning succeeds because of a few behavioral and technical weaknesses.
Trust in Wallet UI:
Users assume the wallet UI is trustworthy without realizing that anyone can add entries to their transaction history simply by sending something to their address.
Human Cognitive Bugs:
Humans scan addresses instead of verifying them. Because full addresses are long and meaningless to the eye, users tend to check only the first few and last few characters, which is exactly the part the attacker controls.
Subtlety of the Attack:
No funds are taken during the poisoning itself, so the user receives no alert. The attack is silent and waits for the user to make a mistake.
Wallet UI Limitations:
Most wallets offer only limited address verification, and few ship anti-poisoning warnings enabled by default.
Address Poisoning Prevention
Protecting yourself from address poisoning requires awareness, wallet discipline, and technical safeguards.
1. Do not copy and paste from Transaction History
- Treat transaction history as untrusted data, since anyone can write to it. Never use it as a directory or source of wallet addresses.
2. Use an Address Book or Whitelisted Addresses
- Store the addresses you frequently use in an address book or add them to the whitelist, available with many wallets and exchanges.
- Ensure both the address book and whitelist are secure, backed up, and accessible only through multi-factor authentication.
3. Verify the Entire Address
- Always compare the entire address string before sending funds. Some wallets can show the full, untruncated address; use that view. Matching checksum casing alone proves nothing, because a lookalike is a valid address with a valid checksum of its own.
4. Use ENS or Other Naming Services
- Ethereum Name Service (ENS) and similar naming services map friendly names to wallet addresses; sending to alice.eth is far easier to verify than sending to 0xABC…1234. Check that the name resolves to the address you expect, and remember that anyone can register a name that differs from the real one by a character.
5. Label Known and Frequent Addresses
- Some wallets will allow you to label trusted addresses like “My Cold Wallet” or “Bob – Dev Fund.”
6. Use Anti-Poisoning Tools
- Some third-party tools and a few wallets have plugins or modules that detect the pattern of zero-value incoming transfers from lookalike senders and warn the user.
- Where a wallet offers such warnings, leave them enabled; they make poisoning much less likely to succeed.
7. Educate Your Network
- Notify employees, partners, contacts, and clients about address poisoning. Make secure address management part of normal operating procedures.
What to Do if You Suspect Address Poisoning
If you suspect your transaction history has been poisoned:
- Do not interact with the suspect transactions or any unknown tokens; do not try to sell, transfer, or approve them.
- Flag or hide the spoofed transactions (some wallets will let you hide suspicious entries).
- Export your transaction history and audit it closely.
- Report this to your wallet provider, certain crypto forums, or security groups.
- Consider rotating wallet addresses, especially for cold storage, and notify trusted contacts.
The Importance of Wallet Developers and Platforms
User vigilance is pivotal, but wallets and infrastructure can also protect users:
- Flagging Transactions: Detect and flag zero-value incoming transfers, especially from senders that resemble addresses the user has previously sent to.
- Expanded Address Display: Show or copy the full address by default instead of a truncated form.
- Onboarding Training: Include an address-poisoning warning during wallet onboarding so that new users know what to watch for.
- Metadata tagging: Display address metadata (e.g., an ENS name, the date the address was first seen, whether it is a verified contract) next to each address.
- Community Blacklists: Let wallets consult community-maintained lists of known scam addresses.
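The address-book gate from the prevention section (items 1-3) and the lookalike flagging that anti-poisoning tools (item 6) and wallets (the first point in the list above) can implement, as one added Python example. It is not code from the original article or from any wallet; the Transfer record, its field names, the sample addresses, the constructed history and the 6-digit threshold are all assumptions made for the demo.

```python
from dataclasses import dataclass

HEXDIGITS = set("0123456789abcdef")


@dataclass(frozen=True)
class Transfer:
    """One token transfer as a wallet might index it (constructed schema)."""
    tx_hash: str
    sender: str
    recipient: str
    token: str
    value: int  # raw token units; 0 is the classic poisoning signature


def normalize(addr):
    """Canonical lowercase form; rejects anything that is not 20 hex bytes.
    EIP-55 checksum casing is not validated here (that needs keccak256),
    and it would not help anyway: a lookalike has a valid checksum too."""
    a = addr.strip().lower()
    if not (a.startswith("0x") and len(a) == 42 and set(a[2:]) <= HEXDIGITS):
        raise ValueError(f"not a well-formed EVM address: {addr!r}")
    return a


def shared_ends(a, b):
    """Leading and trailing hex digits two addresses have in common, i.e. how
    much of the truncated UI form they would share."""
    a, b = a[2:], b[2:]
    lead = 0
    while lead < 40 and a[lead] == b[lead]:
        lead += 1
    trail = 0
    while trail < 40 - lead and a[39 - trail] == b[39 - trail]:
        trail += 1
    return lead, trail


def known_recipients(history, me):
    """Addresses the user has genuinely sent value to."""
    return {t.recipient for t in history if t.sender == me and t.value > 0}


def flag_poisoning(history, me, min_shared=6):
    """Flag incoming transfers whose sender is not a known recipient but shares
    at least `min_shared` head+tail digits with one.  Yields tuples of
    (transfer, imitated_address, lead, trail); value is left to the caller,
    since dust transfers are used as well as zero-value ones."""
    known = known_recipients(history, me)
    flagged = []
    for t in history:
        if t.recipient != me or t.sender in known:
            continue
        for k in known:
            lead, trail = shared_ends(t.sender, k)
            if lead + trail >= min_shared:
                flagged.append((t, k, lead, trail))
                break
    return flagged


def check_recipient(candidate, address_book, history, me):
    """Gate a send: only an exact, full-string match against the explicit
    address book passes.  Returns (ok, reason) so the UI can explain itself."""
    cand = normalize(candidate)
    trusted = {normalize(v) for v in address_book.values()}
    if cand in trusted:
        return True, "exact match in address book"
    for t, imitated, lead, trail in flag_poisoning(history, me):
        if t.sender == cand:
            return False, (f"lookalike of {imitated} (shares {lead}+{trail} digits), "
                           f"seen in incoming transfer {t.tx_hash} of value {t.value}")
    return False, "not in address book; verify the full address out of band"


# Constructed sample data: the poison address copies COLD's first 6 and last 4 digits.
ME = "0x1111111111111111111111111111111111111111"
COLD = "0x7a3c9e4b1d2f6a8c0e5b9d3f7a1c4e6b8d0f2a4c"
EXCHANGE = "0x9b5e2c7d4f1a3e8b6c0d2f5a7e9c1b3d5f7a9c2e"
POISON = "0x7a3c9e" + "deadbeefdeadbeefdeadbeefdeadbe" + "2a4c"
UNRELATED = "0x3f8a1c5e7b9d2f4a6c8e0b1d3f5a7c9e2b4d6f8a"
ADDRESS_BOOK = {"cold wallet": COLD, "exchange deposit": EXCHANGE}


def sample_history():
    """Two genuine outgoing sends, the poisoning transfer, one benign deposit."""
    return [
        Transfer("0xaa01", ME, COLD, "ETH", 10**18),
        Transfer("0xaa02", ME, EXCHANGE, "USDC", 500 * 10**6),
        Transfer("0xaa03", POISON, ME, "USDT", 0),
        Transfer("0xaa04", UNRELATED, ME, "USDC", 25 * 10**6),
    ]


if __name__ == "__main__":
    hist = sample_history()
    for t, imitated, lead, trail in flag_poisoning(hist, ME):
        print(f"WARNING {t.tx_hash}: {t.sender} imitates {imitated} "
              f"({lead}+{trail} digits), value={t.value}")
    for label, addr in (("cold wallet", COLD), ("pasted from history", POISON)):
        print(label, "->", check_recipient(addr, ADDRESS_BOOK, hist, ME))
```

The threshold of six shared digits is a judgement call: it is below the 6+4 most wallets display, so it also catches partial matches, at the cost of an occasional false positive, which for a send-money gate is the right trade-off.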
Address poisoning is a seemingly simple yet remarkably successful scam that leverages human habits and technical limitations in the crypto ecosystem. It relies on neither hacking nor malware; it exploits user error and design limitations to fleece individuals.
As always, the best protection is education and diligence. Verify full addresses carefully, use ENS where it applies, keep addresses in a secure address book, and educate your contacts. As the crypto space matures, we can expect better tools and interfaces that mitigate these risks; until then, safety depends heavily on individual responsibility.
Remember, you are your own bank when it comes to crypto assets, and with that privilege and freedom comes the responsibility to be cautious and protect your money.