• Address poisoning attacks are rising on Ethereum, inserting fake lookalike wallet addresses into transaction histories.
• A study identified 17 million poisoning attempts targeting 1.3 million users, with at least $79.3 million in losses.
• Automated attack campaigns can launch poison transactions within minutes of legitimate transfers.
• Lower transaction costs after the Fusaka upgrade have made these scams cheaper to execute.
• Security experts stress one key rule: always verify the destination wallet address before sending funds.

Rising Address Poisoning Attacks Raise Security Concerns on Ethereum

Address poisoning attacks are becoming increasingly common on the Ethereum network, raising concerns among users and blockchain security researchers. The tactic involves attackers sending transactions that insert deceptive wallet addresses into a user’s transaction history, with the goal of tricking victims into copying and using the wrong address in future transfers.

According to blockchain explorer Etherscan, address poisoning campaigns have become increasingly automated, allowing attackers to flood wallets with spoofed transactions within minutes of legitimate transfers.

The issue recently came into focus when an Etherscan user named Nima reported receiving more than 89 Address Watch Alert emails shortly after completing just two stablecoin transfers. The alerts were triggered by a series of address poisoning transactions sent to the wallet shortly after the legitimate transfers were recorded.

These transactions were designed to insert lookalike addresses into the user’s transaction history. If a user later copies an address from the list without verifying it carefully, they may inadvertently send funds to an attacker. While address poisoning is not new, recent incidents indicate that these campaigns have become more automated and widespread.

From Occasional Spam to Industrialized Attacks

In earlier years, address poisoning was often viewed as a minor nuisance – an occasional spam transaction sent by opportunistic attackers.  However, recent research suggests the tactic has evolved into a large-scale operation.

A 2025 study examining poisoning activity between July 2022 and June 2024 identified approximately 17 million poisoning attempts targeting around 1.3 million Ethereum users. Researchers estimated that confirmed losses linked to these attacks reached at least $79.3 million during the study period.

The data also showed that poisoning activity occurs across multiple blockchain networks. On Binance Smart Chain (BSC), for example, poisoning transactions were found to occur 1,355% more frequently than on Ethereum, largely due to lower transaction fees.

Attackers often rely on automated systems that continuously monitor blockchain activity. When a transaction is detected, the system quickly generates spoofed addresses designed to mimic the beginning and ending characters of legitimate addresses used by the victim.

These spoofed addresses are then used to send small transactions known as “poison transfers” to the target wallet. This causes the fake address to appear in the victim’s transaction history alongside legitimate ones.

Automated Campaigns Target High-Value Wallets

Attackers typically focus on wallets that appear more likely to produce profits. Addresses that frequently transfer funds, hold significant token balances, or conduct large transactions are more likely to become targets. Once a target is identified, automated systems can generate multiple lookalike addresses and send poison transfers within minutes of a legitimate transaction.

Researchers also observed that attackers often compete with one another. In some cases, multiple groups send poisoning transactions to the same address almost simultaneously. Each attacker attempts to insert their spoofed address into the transaction history before others do, increasing the chances that their address will be copied later.

In one observed case, 13 poisoning transfers appeared within minutes after a legitimate USDT transaction, highlighting the intense competition among attackers.

Common Techniques Used in Address Poisoning

Several techniques are commonly used in address poisoning campaigns, including:

• Dust transfers: Attackers send extremely small amounts of tokens or ETH to victims.
• Spoofed token transfers: Transactions involving tokens designed to mimic legitimate assets.
• Zero-value transfers: Transactions that record address activity without transferring actual value.

These transactions are often inexpensive to execute and can be sent in large volumes.

Why Address Poisoning Works Despite a Low Success Rate

At first glance, address poisoning may seem ineffective. Research suggests that the success rate for a single poisoning attempt on Ethereum is only around 0.01%. This means that only one in roughly 10,000 poisoning transactions leads to a user mistakenly sending funds to the attacker.

However, attackers rely on scale rather than precision. By sending thousands or even millions of poison transfers, attackers increase their chances of capturing occasional successful transactions. A single mistaken transfer involving a large amount of cryptocurrency can easily cover the costs of thousands of failed attempts.

Lower Transaction Costs Encourage More Attacks

Another factor contributing to the rise in poisoning attacks is the reduction in transaction costs on Ethereum. The Fusaka upgrade, activated on December 3, 2025, introduced improvements that significantly increased the network’s scalability and reduced transaction fees. While the upgrade benefited developers and users by making transactions cheaper, it also lowered the cost of sending poison transfers.

Following the upgrade, network activity increased noticeably.

In the 90 days after the Fusaka upgrade, Ethereum processed about 30% more transactions per day compared to the previous 90-day period. At the same time, the number of new addresses created each day increased by approximately 78%.

Dust transfer activity also surged significantly across major assets:

• USDT dust transfers: increased from 4.2 million to 29.9 million (+612%)
• USDC dust transfers: increased from 2.6 million to 14.9 million (+473%)
• DAI dust transfers: increased from 142,405 to 811,029 (+470%)
• ETH dust transfers: increased from 104.5 million to 169.7 million (+62%)

Dust transfers involving very small amounts – often less than $0.01 – rose sharply following the upgrade before stabilizing at levels higher than those seen before Fusaka. While not all dust transfers are malicious, analysts believe a significant portion of these transactions may be linked to poisoning campaigns.

Protecting Against Address Poisoning

Despite the sophistication of these attacks, security experts emphasize that the primary defense remains simple: always verify the destination address before sending funds. Several practices can help reduce the risk of falling victim to address poisoning.

Use recognizable address labels: Wallet users can assign name tags to frequently used addresses using services such as Etherscan or wallet address books. This makes legitimate addresses easier to identify.

Use ENS domains: Ethereum Name Service (ENS) domains can help simplify addresses and make them easier to recognize.

Enable address highlighting: Explorer tools such as Etherscan provide highlighting features that visually distinguish between known addresses and suspicious ones.

Pay attention to security alerts: Blockchain explorers may warn users when copying addresses associated with suspicious activity, including spoofed tokens or unusual transaction patterns.

Final Thoughts

Address poisoning attacks illustrate how even simple scams can become highly effective when combined with automation and scale. As blockchain networks grow and transaction costs decrease, attackers are able to launch increasingly large campaigns targeting unsuspecting users. For Ethereum users, the key defense remains vigilance. Carefully verifying the destination address before sending funds can prevent costly mistakes in an ecosystem where transactions are irreversible.

Meanwhile, blockchain explorers and wallet providers continue developing tools to detect and flag suspicious activity. These improvements aim to make it easier for users to identify potential scams and navigate transaction histories that may increasingly contain spam or malicious entries. As address poisoning campaigns continue to evolve, user awareness and improved interface design will likely play a crucial role in reducing their impact.