Address poisoning, also known as address contamination, is an on-chain attack that exploits human habits. Attackers generate fake addresses that closely resemble your frequently used addresses, then plant them in your transaction history through various methods, waiting for you to accidentally copy and use the wrong one during a transfer. This type of attack has been widespread since 2022 and remains a significant cause of asset losses today.
How Does an Address Poisoning Attack Work?
The core logic behind address poisoning is deception through similarity. The attack unfolds in stages:
Step 1: Selecting Targets
Attackers use automated scripts to monitor on-chain transactions, identifying active addresses that frequently make large transfers as targets.
Step 2: Generating Look-Alike Addresses
Using address collision tools, attackers mass-generate addresses whose first and last characters match the target's address. For example:
- Real address: 0x71C7abcd1234efgh5678F3
- Attacker's address: 0x71C7XXXXXXXXXXXX5678F3
Since most wallets only display the first 6 and last 4 characters of an address, the two appear identical on screen.
Step 3: Contaminating Transaction History
The attacker plants the fake address in your transaction records through:
- Zero-value transfers: Sending transactions of 0 tokens from the fake address to you
- Micro transfers: Sending extremely small amounts (such as 0.001 USDT)
- Spoofed Transfer events: Exploiting certain token contract features to fabricate a record showing "you transferred to the fake address"
Step 4: Waiting to Harvest
Once these fake transactions appear in your history, the attacker simply waits for you to copy an address from your past transactions the next time you make a transfer. If you accidentally copy the fake address and confirm the transaction, your funds are gone.
Why Is Address Poisoning So Effective?
Reason 1: User Habits
People tend to copy "previously used" addresses from their transaction history rather than fetching the full address fresh each time. Attackers exploit this convenient habit with precision.
Reason 2: Address Display Truncation
For a cleaner interface, wallets and block explorers typically show only the beginning and end of an address. Attackers only need to match these visible portions.
Reason 3: Visual Verification Is Difficult
Even if you try to compare addresses, accurately verifying a 42-character hexadecimal string is extremely difficult for the human eye, especially when the middle section is hidden.
Reason 4: Extremely Low Attack Cost
Generating large numbers of similar addresses and sending zero-value transactions costs very little, especially on low-gas chains like BSC and Polygon. Attackers can poison thousands of addresses simultaneously.
Real-World Loss Cases
In May 2024, one user lost $68 million worth of WBTC to an address poisoning attack. The user copied what appeared to be a familiar address from their transaction history for a large transfer, but it was actually the attacker's look-alike address. This remains one of the largest single losses caused by address poisoning.
Many additional small and medium losses go unreported because the amounts involved aren't "large enough" for victims to publicize.
How to Protect Yourself Against Address Poisoning
Method 1: Use an Address Book
Pre-save all your frequently used transfer addresses in your wallet's or exchange's address book. Always select from the address book when making transfers — never copy from transaction history.
Method 2: Verify the Full Address
If you must copy and paste an address, expand the full address and compare it character by character. Check at least the first 12 and last 12 characters.
Method 3: Send a Test Transaction First
Before making a large transfer, send a tiny amount to the target address. Once confirmed by the recipient, proceed with the larger transfer.
Method 4: Use Domain Name Services Like ENS
Ethereum Name Service (ENS) lets you use human-readable names like "alice.eth" instead of long address strings. Transferring via domain names effectively prevents address poisoning.
Method 5: Keep Your Wallet Updated
Some wallets have been updated with algorithms that can identify and flag suspicious zero-value transfers. Keep your wallet app on the latest version.
Security Reminder
Address poisoning exploits human carelessness rather than technical vulnerabilities. Prevention relies on building good habits:
- Never copy addresses directly from transaction history: Use your address book or manually obtain the full address
- Always send a test amount before large transfers: This is the last line of defense against all types of address errors
- Verify the complete address: Don't check only the first and last few characters
- Ignore unexplained incoming transactions: Zero-value or tiny deposits from unknown sources may be poisoning attempts
- Use tools that support address labeling: Labeling your frequently used addresses helps with quick identification
- Stay highly focused: Transferring funds is a high-risk operation — maintain full attention when doing so
When transferring through exchanges, you can use the platform's whitelist feature for added security. Visit Binance to enable withdrawal whitelists, or download the Binance app — iPhone users can refer to the iOS installation guide — for safe and convenient operations.
Can address poisoning directly steal my assets?
No. Address poisoning itself cannot move your funds. It only plants a trap in your transaction history. Losses only occur when you actively copy the fake address and initiate a transaction. If you ignore suspicious transaction records, you won't be affected at all.
How can I tell if a transaction in my history is a poisoning attempt?
If you see a transfer you didn't initiate (typically for an amount of 0), or receive a tiny deposit from an unknown source, and the address involved looks similar to one you frequently use at the beginning and end, it's very likely a poisoning attack.
Which blockchains see the most address poisoning?
Ethereum, BSC, and TRON are the most common targets. BSC and TRON's extremely low gas fees allow attackers to execute mass poisoning at minimal cost. Ethereum has higher attack costs, but attackers still target high-value accounts there given the larger asset values at stake.
Can wallet apps filter out poisoning transactions?
Some wallets (such as the latest version of MetaMask) have added zero-value transfer filtering features that can hide suspicious poisoning transactions. However, this feature is not 100% reliable, and users should still remain vigilant. Enable all available security filtering options in your wallet.