Address Poisoning

Definition

Address poisoning is a crypto scam where attackers send tiny transactions from a lookalike address to trick you into copying and paying the wrong recipient…

What is address poisoning?

Address poisoning is a crypto wallet scam where a scammer “seeds” your transaction history with a deceptive wallet address that looks similar to a real one you use, hoping you’ll copy it later and accidentally send funds to the attacker. It doesn’t hack your wallet or steal your keys; it exploits how people verify a wallet address by glancing at only the first and last few characters. This tactic is commonly discussed alongside other crypto wallet scams, and guidance on avoiding them, because the loss usually happens during an otherwise normal transfer.

Address poisoning in crypto

In address poisoning scenarios, the blockchain itself is working as designed: anyone can send a transaction to your wallet address, and your wallet will typically display that activity in a list of recent transfers. Attackers take advantage of this by creating a “vanity” address that resembles an address you trust (for example, matching the same starting prefix and ending suffix) and then sending you a tiny transfer so their lookalike appears in your history. Often the transaction is a zero value transfer, meaning it’s effectively worthless but still visible. The scam succeeds when a user later copies the attacker’s address from the transaction list instead of retrieving the correct address from a verified source.

Address poisoning attack

An address poisoning attack usually follows a simple playbook. First, the attacker identifies targets who transact frequently (for example, people who regularly move stablecoins or interact with DeFi apps) because they’re more likely to copy from recent activity. Next, the attacker generates many candidate addresses until one becomes a convincing match to a commonly used recipient or self-transfer address. Then they broadcast a small transaction to the target so the lookalike address is “nearby” in the wallet’s UI and block explorer records. This is related in spirit to a dusting attack, which also uses tiny on-chain transfers to trigger a user action, but the goal here is specifically to manipulate what you copy-and-paste. The final step is purely behavioral: the victim pastes the wrong address during a future send, and the funds go to the attacker irreversibly.

Lookalike address

A lookalike address is the core weapon in address poisoning: it’s a real, attacker-controlled address engineered to resemble another address when shortened in wallet interfaces. Because most apps truncate long strings, users often rely on partial matching—like “it starts with 0x12… and ends with …9aB”—instead of verifying the full string. Attackers exploit that shortcut by matching those visible segments, making the fake appear “familiar” in a crowded transaction list. This is why defenses focus on process, not memory: use an address book/whitelist, verify the full address (or at least more characters than the UI shows), and learn how to spot address poisoning by checking whether a suspicious recent transaction introduced a near-duplicate address you don’t recognize.
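
The near-duplicate check described above can be automated against a wallet's history. The following Python sketch is an added example, not code from the original page; the record fields, the address book, and the four-character visible prefix and suffix are assumptions, and every address is a constructed sample value.

```python
# Added example: flag history entries whose counterparty imitates a saved contact.
# Every address and transaction id below is a constructed sample value.
VISIBLE = 4  # assumed number of hex characters a truncated UI shows at each end


def normalize(addr):
    """Lower-case and drop the 0x prefix so checksum casing is ignored."""
    addr = addr.strip().lower()
    return addr[2:] if addr.startswith("0x") else addr


def looks_like(candidate, trusted):
    """True when candidate is a different address that shares trusted's visible ends."""
    c, t = normalize(candidate), normalize(trusted)
    if c == t or len(c) != len(t):
        return False
    return c[:VISIBLE] == t[:VISIBLE] and c[-VISIBLE:] == t[-VISIBLE:]


def find_poisoning(history, address_book):
    """Return (tx_id, counterparty, imitated_label, is_zero_value) per suspicious entry."""
    known = {normalize(a) for a in address_book.values()}
    findings = []
    for tx in history:
        cp = tx["counterparty"]
        if normalize(cp) in known:
            continue  # exact match with a saved contact
        for label, trusted in address_book.items():
            if looks_like(cp, trusted):
                findings.append((tx["id"], cp, label, tx["value"] == 0))
    return findings


TRUSTED = "0x12ab5c3d9e8f7a6b5c4d3e2f1a0b9c8d7e6fc9ab"
LOOKALIKE = "0x12ab00001111222233334444555566667777c9ab"
UNRELATED = "0x9f8e7d6c5b4a39281706f5e4d3c2b1a098765432"

ADDRESS_BOOK = {"exchange-deposit": TRUSTED}
HISTORY = [
    {"id": "tx-1", "counterparty": TRUSTED, "value": 250},
    {"id": "tx-2", "counterparty": LOOKALIKE, "value": 0},  # bait transfer
    {"id": "tx-3", "counterparty": UNRELATED, "value": 5},
]

if __name__ == "__main__":
    for tx_id, addr, label, zero in find_poisoning(HISTORY, ADDRESS_BOOK):
        print(f"{tx_id}: {addr} imitates '{label}' (zero-value: {zero})")
```

A hit is a prompt to take the recipient from the address book and compare the full string, since a lookalike can match more characters than the threshold assumed here.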

Why address poisoning matters

Address poisoning matters because it turns a routine action, copying an address you’ve used before, into a high-impact failure point, without needing malware, phishing links, or private key access. It also scales: attackers can automate lookalike generation and send low-cost “bait” transactions to many targets, betting that a small percentage will eventually make a large mistaken transfer. For users and teams managing treasuries, payroll, or frequent DeFi movements, the risk is operational: one rushed send can cause an unrecoverable loss. Building habits that prevent this scam (verified contacts, careful address validation, and safer sending workflows) is part of broader hygiene against crypto wallet scams.

Frequently Asked Questions

How does address poisoning work?

A scammer creates a lookalike address and sends you a tiny transaction so it appears in your recent activity. Later, you might copy that address from history and accidentally send funds to the attacker. The blockchain isn’t compromised; the trick is getting you to paste the wrong recipient.

Is address poisoning the same as a dusting attack?

They’re related but not identical. A dusting attack often aims to track or deanonymize wallets by sending tiny amounts, while address poisoning aims to misdirect a future payment by planting a lookalike address in your transaction history. Both rely on small, low-cost transfers to trigger user behavior.

What is a zero value transfer and why do scammers use it?

A zero value transfer is an on-chain transaction that moves no meaningful value but still shows up in wallet activity and on block explorers. Scammers use it because it’s cheap “bait” that can place their lookalike address in your history without giving you anything of value.

Can address poisoning steal my funds without my approval?

No—attackers can’t pull funds from your wallet just by sending you a poisoning transaction. You lose funds only if you later initiate a transfer to the attacker’s address by mistake. That’s why careful recipient verification and trusted address books are effective defenses.

How can I prevent address poisoning when sending crypto?

Avoid copying recipient addresses from transaction history and instead use a saved/whitelisted contact or a verified source. Double-check more than just the first and last few characters of the wallet address, especially for large transfers. For high-value workflows, use multi-person approvals or hardware wallet confirmation screens to catch mismatches.