Wallet Security ยท Transaction Safety ยท EVM

Address Poisoning Attacks: How Scammers Steal Crypto With Fake Wallet Addresses

In May 2024, someone sent $71 million worth of WBTC to the wrong address. They checked it โ€” just not carefully enough. The attack that caused it has been draining wallets for years, and it targets the exact habit most people use to "verify" an address.

Here's how it plays out. You send crypto to a wallet address you use regularly โ€” a friend, an exchange, your own cold wallet. A scammer watching the blockchain sees that transaction. Within minutes, they send you a tiny amount โ€” sometimes less than a cent โ€” from a wallet they control.

That wallet's address starts and ends with the same characters as the real one you just sent to. Your wallet shows the fake transaction in your history. The next time you need that address, you scroll back, copy it, and paste. The first 4 characters match. The last 4 match. You send.

The middle 32 characters are completely different. The money is gone.

How address poisoning actually works

Scammers write scripts that monitor the mempool โ€” the pool of unconfirmed transactions โ€” for outgoing transfers. The moment they spot one, they generate a wallet address with matching prefix and suffix characters, then send a dust transaction (sometimes $0.001) to your wallet from that address.

Most modern wallets display addresses shortened: the first 6 characters, three dots, the last 4. That's exactly what the attacker matches. They can generate thousands of vanity addresses per second until they find one that matches.

The attack costs almost nothing. One successful hit on a $50,000 transfer pays for years of operation.

Why your normal address-check habit isn't enough

Most crypto users check the first 4 and last 4 characters of an address before sending. This habit exists because full addresses are 42 characters long and impossible to read at a glance. The problem: address poisoning is built specifically to defeat this check.

Poisoned addresses don't slip through because you were careless. They slip through because you were doing exactly what you were supposed to do โ€” and the attack exploits that behavior.

On-chain signals of a poisoned address in your history

Not every dust transaction is an attack, but these patterns together are a strong signal:

  • โ€ขIncoming amount is tiny โ€” fractions of a cent, a few tokens worth almost nothing
  • โ€ขThe sending wallet is brand new with no prior transaction history
  • โ€ขThe transaction arrived shortly after one of your outgoing transfers
  • โ€ขThe sending address looks visually similar to an address in your history
  • โ€ขThe same dust was sent to dozens or hundreds of wallets in the same block

Three habits that prevent this

Verify the full address, not just the ends. Before sending anything significant, paste the destination address into a text editor and read it from start to finish. It takes 10 seconds. The $71M loss would have been caught this way.

Use your wallet's address book. MetaMask, Rabby, and most hardware wallets let you save named contacts. Copy the address once, verify it fully, save it with a name like "My Ledger" or "Exchange Hot Wallet." From then on, select it from the address book instead of copying from transaction history.

Send a test transaction first. For any new recipient or large transfer, send $1 first. Confirm it arrived at the right place before sending the full amount. This adds one minute and has saved real money for real people.

You can also learn to read blockchain transactions on Etherscan to verify the full details of any transfer before it becomes a problem.

Frequently asked questions

What is address poisoning in crypto?

A scammer sends you a dust transaction from an address with matching first and last characters as one you've previously used. The fake address pollutes your history. Next time you grab an address from history, you might grab theirs instead.

How do I know if my wallet has been targeted?

Look for incoming micro-transactions from wallets you don't recognize that look similar to addresses in your history. Never copy addresses from transaction history without verifying the full string character by character.

Does GuardianAI protect against address poisoning?

GuardianAI shows you the full recipient address before you confirm any transaction โ€” not the shortened version. That extra visibility is often the difference between catching a poisoned address and losing funds.

See the full address before you send โ€” every time

GuardianAI shows you the complete recipient address in plain text before you confirm any transaction, so you can verify it in full rather than trusting a 6-character preview. Free Chrome extension.

Get GuardianAI โ€” It's Free