Ethereum Faces 17M Address Poisoning Attacks: Here’s What You Should Know

Address poisoning attacks on Ethereum appear to be increasing in both scale and automation, with attackers flooding wallets with transactions designed to insert look-alike addresses into transaction histories.

The goal is simple: trick users into copying a spoofed wallet address when making their next transfer. These transactions were designed purely to populate the wallet’s history with addresses that visually resemble legitimate ones. Simply put, hackers send low-value or zero-value token transfers so the spoofed address appears inside the victim’s wallet or explorer history. If the victim later copies that entry without checking the full string, funds go to the attacker.

According to the academic paper Blockchain Address Poisoning, researchers identified 17.37 million poisoning transfers on Ethereum between July 1, 2022, and June 30, 2024. The study found these attacks targeted around 1.33 million victim addresses, involved approximately 6.49 million lookalike addresses, and led to at least $79.3 million in confirmed losses across 1,738 successful transfers. That makes address poisoning one of the most underappreciated but financially damaging forms of crypto phishing currently active on-chain.

Coinbase described this model in early 2023 as “zero transfer phishing,” while the FBI warned in 2024 that address truncation in wallet software helps criminals make malicious addresses look familiar.

While address poisoning has existed on Ethereum for several years, the scale and speed at which these attacks now occur suggest that the tactic has evolved into a high-volume automated operation.

What is address poisoning?

Address poisoning is an on-chain phishing technique that exploits a simple user habit: selecting or copy-pasting a receiver address from recent transaction history, often shown in truncated form. Rather than “hacking” the protocol, attackers “pollute” a victim’s visible history with lookalike addresses, aiming to be mistakenly chosen for the next larger transfer.

Across the last several years, multiple independent data points indicate that address poisoning has progressed from opportunistic spam into high‑volume, automated campaigns. A large-scale measurement study, covering July 2022–June 2024, found tens of millions of poisoning transfers on Ethereum alone, and hundreds of millions across Ethereum and Binance Smart Chain, with confirmed losses on Ethereum in the high tens of millions of USD. 

More recent post‑2025 on-chain analytics show a step change in low-value “dust” activity consistent with wallet seeding/poisoning behavior after December 2025’s Fusaka upgrade, which expanded capacity and lowered the marginal cost of sending spam transfers. 

How does it trick users?

In a typical address poisoning flow, an attacker monitors transfers, generates a “lookalike” address that matches the beginning and end characters of an address the victim has used, and then sends one or more small or fake “transfer” events so that the attacker’s address appears in the victim’s history. If the victim later copies that poisoned entry—especially when interfaces show shortened addresses—they may send funds to the attacker. 

Researchers and major ecosystem operators generally describe three common on-chain “planting” methods:

• “Tiny” dust transfers: a small amount of a token the victim recently used, sent from the lookalike address to the victim to get into history. 
• Zero-value transfers (“zero transfer phishing” / “poison transactions”): abused via ERC‑20 transfer mechanics to emit convincing transfer logs without moving value, making it appear the victim previously sent to the lookalike address. 
• Counterfeit-token transfers/event spoofing: deploying tokens or contracts that imitate names/symbols or emit misleading transfer events, increasing the chance users misread transaction lists. 

Many wallet and explorer UIs intentionally shorten addresses; the Federal Bureau of Investigation explicitly warns that attackers exploit address truncation so the first/last characters can match while middle characters differ, and advises checking the entire address. 

Evidence the activity is large-scale and operationally mature

As mentioned earlier, “Blockchain Address Poisoning” ran a detection system from July 1, 2022, to June 30, 2024, and reported that on Ethereum, it identified 17.37 million poisoning transfers over ~1.69 million transactions, targeting ~1.33 million victim addresses using ~6.49 million lookalike addresses. It also recorded a peak day on Feb 18, 2023, with 362,934 poisoning transfers, illustrating how bursts can reach “industrial” throughput. 

The same study reported confirmed losses on Ethereum of $79.3 million across 1,738 successful payoff transfers involving 1,502 victims and estimated an Ethereum success rate of about 0.01%, roughly 1 in 10,000 attempts, leading to a mistaken transfer in their ground-truthed set. 

Two findings from that research are particularly relevant to the “industrialization” claim:

First, attackers optimize for scale: bundling multiple poisoning transfers into single transactions, reusing contracts/addresses, and in some cases launching more than 100 poisoning transfers in a single transaction. 

Second, attackers compete: in 79% of successful Ethereum attacks observed in the dataset, multiple lookalike addresses targeted the same victim, and high similarity and fast timing helped an attacker “win” the victim’s eventual mistaken selection. 

Cross-chain comparisons in the same dataset support the idea that lower fees amplify spam. On Binance Smart Chain, the study identified 252.7 million poisoning transfers vs. 17.37 million on Ethereum and noted higher prevalence on lower-fee chains; numerically, that is about 14.6× as many poisoning transfers, i.e., roughly +1,355% versus Ethereum over the studied window. 

Why campaigns look more widespread in 2025–2026

A major change in late 2025 is Ethereum’s Ethereum Foundation‑coordinated Fusaka network upgrade, activated on December 3, 2025 (21:49:11 UTC). The upgrade increased execution capacity, for example, raising the default gas limit to 60M, and introduced data-availability scaling (PeerDAS) designed to support higher throughput and lower costs, especially for L2 data posting, with follow-on “Blob Parameter Only” adjustments beginning days later. 

Several post-upgrade analyses argue that lowering the marginal cost of transfers changes attacker economics substantially. Coin Metrics reported that after Fusaka, the network saw materially higher headline activity and that a non-trivial portion was consistent with address poisoning/dust seeding rather than purely organic usage. In particular, it reported:

1. Daily transactions around ~2M on average, spiking to 2.89M on Jan 16, 2026, alongside daily active addresses around 1.4M.

2. Analysis of 227M USDC/USDT balance updates from Nov 2025 to Jan 2026, where 43% were under $1 and 38% were under $0.01, described as having “insignificant economic purpose other than wallet seeding.”

3. An estimate based on an average day of stablecoin dust activity accounted for ~11% of all Ethereum transactions and ~26% of active addresses, rising from ~3–5% of transactions pre‑Fusaka to ~10–15% post‑Fusaka, a 2–3× increase. 

Coin Metrics also highlighted concentration among top senders and detailed a top address sending nearly 3M dust transfers to over 1M unique addresses, plus batching patterns where single transactions dust multiple recipients, behavior aligned with “automation at scale.” 

Another line of evidence comes from reporting on early‑2026 transaction spikes. Daily transactions hit an all-time high above 2.8M on Jan 16, 2026, and attributed much of the bump to a mass address poisoning campaign, including a quote from Cyvers claiming detection of “more than one million address poisoning preparations per day” over a recent week. 

An X user, Nima, reported receiving 89+ email alerts after only two stablecoin transfers—fits the same pattern: poisoning transfers are cheap and fast, and they can create UX “noise” quickly. 

Economics and attacker playbooks behind “industrialized” poisoning

The core economics is a numbers game: even with very low conversion rates, high-volume campaigns can be profitable because a single victim error can be very large. The measurement study above estimated a success rate of ~0.01% on Ethereum; in that dataset, $79M+ in confirmed losses is still observed.

Lower transaction costs reduce the attacker’s “cost per lottery ticket.” In the 2022–2024 measurement window, the study noted that “one poisoning transfer costs only about a dollar in Ethereum and a cent in BSC,” which helps explain why dramatically higher attempt volumes were observed on lower-fee chains. 

The most mature attacker playbooks combine:

• Real‑time monitoring of transfer events to identify targets immediately after legitimate activity; 
• Lookalike address generation (potentially using GPUs/optimized tooling): the academic work benchmarked GPU vanity generation (e.g., Profanity2) at hundreds of millions of addresses per second and inferred one large group likely used GPUs given the similarity levels it achieved; 
• Batching and contract-assisted distribution: both academic measurement and Coin Metrics describe batching multiple poisonings into single transactions to minimize gas overhead. 
• Multi‑attacker competition (several lookalikes racing to be the most visible / earliest in a victim’s history). 

High-profile incidents show the upside when the “lottery” pays out. For example, in December 2025, a user mistakenly sent 49,999,950 USDt after copying a poisoned address from the transaction history. Even after first sending a small test transfer, illustrating how quickly attackers can react between a test payment and a large follow-up. 

Victim lost $50M to address poisoning

Swapped for $ETH and transferred to two wallet

I'm really speechless wtf

Victim: 0xcB80784ef74C98A89b6Ab8D96ebE890859600819
Theft: 0xBaFF2F13638C04B10F8119760B2D2aE86b08f8b5
0xBcb94F7609973E5ea7d2CbeDAf0C5518b911e6cb… pic.twitter.com/pZUV4eqakA

— Specter (@SpecterAnalyst) December 19, 2025

Defensive practices and how tools can reduce risk

Most mitigations are about removing the “copy from poisoned history” failure mode and making mismatches obvious.

User-level best practice is consistently the same across security write-ups from Coinbase, the FBI, and explorer guidance: verify the full destination address before signing/sending—not just the first and last characters—and be cautious about copying addresses from transactions you did not originate. 

Explorer and wallet UX features aim to make that easier. Etherscan recommends several specific defenses: hiding zero-value transfers, using private name tags, and using address-highlighting to help visually distinguish similar strings; it also describes pop-up reminders when copying addresses in suspicious contexts (e.g., low-quality tokens or spoofed events). 

Watch/alert systems can unintentionally amplify UX pain: Etherscan’s watch list feature sends email alerts whenever incoming/outgoing transactions occur for watched addresses, so high‑volume poisoning attempts can translate directly into notification floods.

At the wallet layer, research suggests the ecosystem is still uneven. A 2025 study that experimentally evaluated 53 popular Ethereum wallets found substantial variance in phishing transfer display and warnings and reported that only a small minority emitted explicit warnings when users attempted to transfer to a phishing address, indicating room for systematic improvement. 

Some large wallets are now beginning to implement dedicated screening. For instance, Trust Wallet introduced an address-poisoning protection feature that checks destination addresses against a database of known scam/lookalike addresses across multiple EVM chains. 

Where the ecosystem likely goes next

The research consensus is that address poisoning is fundamentally a UX/standards problem more than a protocol break: long hexadecimal identifiers, truncated displays, irreversible settlement, and permissive token/event semantics combine into a predictable class of user errors. 

Accordingly, proposed improvements cluster into three layers:

Protocol-layer ideas include broader adoption of human-readable naming (e.g., Ethereum Name Service) and approaches that increase the cost of generating convincing lookalikes. Academic authors explicitly discuss these as ways to reduce address poisoning and accidental transfer risk while noting trade-offs (e.g., naming introduces its own phishing patterns like typosquatting). 

Wallet/explorer-layer ideas are more immediately actionable: show more address characters by default, highlight mismatches, filter or de-emphasize suspected poisoning transfers, and require confirmations when an address is “too similar” to a previously used one. These mitigations are recommended both by Coinbase’s analysis of zero-transfer phishing and by the large-scale measurement study. 

Measurement-layer improvements matter because spam can distort perceived adoption. Coin Metrics argues for adjusted usage metrics that filter low-value dust activity to avoid confusing large-scale poisoning campaigns with genuine transaction growth, especially in a post-Fusaka world where the cost floor for spam is lower. 

Bottom Line

Address poisoning on Ethereum is best understood today as a scaled phishing system built on cheap distribution, automated tooling, and wallet UX weakness. The latest academic research shows the scam has already generated tens of millions of poisoning transfers and at least $79.3 million in confirmed Ethereum losses. Post-Fusaka data suggests the economics may now be tilting even further in the attackers’ favor by lowering the cost of mass wallet seeding.

That does not mean Ethereum itself is broken. It means the ecosystem is still asking users to operate in an environment where long hexadecimal strings, truncated displays, and irreversible settlement leave too much room for one copy-paste mistake to become a multimillion-dollar loss.

Also Read: Ethereum Survived the Drone Strikes — But Its $112B Infrastructure Problem Is Just Beginning