Address Poisoning: The Copy-Paste Scam Draining Crypto Wallets
Attackers seed your transaction history with look-alike addresses so you paste the wrong one. Here is how the scam works and how to stop it.

Address poisoning is one of the most effective scams in crypto right now precisely because it exploits a habit almost everyone has: copying an address from your transaction history instead of typing it out or pulling it from a trusted source. It does not break any cryptography and it does not need malware on your device. It just needs you to glance at a string for half a second and trust what you see. Here is how the attack works, why it exploded in 2026, and the handful of habits that defeat it.
Quick answer
Address poisoning seeds your wallet history with a look-alike address whose first and last characters match one you really use, betting you will copy it by mistake on your next transfer. To avoid it, never copy a recipient from transaction history: send only from a labeled whitelist or address book, verify the full string (especially the middle), and send a small test transaction first for anything significant. Receiving a poisoned dust transaction is harmless on its own; the loss only happens when you copy and paste the fake.
Key takeaways
- Address poisoning seeds your wallet history with a look-alike address whose first and last characters match one you really use, hoping you copy it by mistake.
- The attack is cheap to run at industrial scale: researchers tracked over 270 million on-chain poisoning attempts and confirmed losses past $80 million, with individual victims losing tens of millions in a single paste.
- Attempts surged from roughly 628,000 in November 2025 to about 3.4 million in January 2026 on Ethereum alone, a 5.5x jump in two months.
- The only reliable defense is to stop trusting pasted addresses: verify the full string, use a labeled whitelist, and send a small test transaction first.
- It is a different threat from a wallet drainer, and good security has to cover both.
How the scam works
The attack relies on a human shortcut. Most people verify an address by glancing at the first and last few characters, not the whole forty-two-character string. Attackers exploit exactly that.
- They watch your wallet. Public blockchains let anyone see who you transact with, how often, and which deposit addresses you reuse.
- They generate a look-alike address. Using "vanity" address generation, bots create an address whose first and last characters match one you use regularly. The middle is gibberish, but you were never going to read the middle.
- They poison your history. They send a tiny "dust" transaction, or even a zero-value transfer, from the look-alike address so it appears in your recent activity right next to the real one. Anyone can push a zero-value `transferFrom` into your history without your permission.
- They wait. The next time you go to send funds, you scroll your history, copy the address that looks right, glance at the matching ends, and paste the attacker's instead.
The middle of the string is different, but you never looked at the middle.
Here is how each habit either exposes you or shuts the attack down:
| Habit | Exposure to poisoning | Better practice |
|---|---|---|
| Copy recipient from history | High; this is the exact bait | Copy from a labeled address book only |
| Verify first/last 4 chars only | High; those are what the attacker matched | Verify the full string or several middle chars |
| Reuse the same deposit address | Medium; gives attackers a target to sit beside | Rotate deposit addresses where the platform allows |
| Send full amount in one go | Medium; no chance to catch the error | Send a small test, confirm, then send the rest |
| Whitelist + test transaction | Low; removes the copy moment entirely | Keep as your default for any large transfer |
Warning
The losses are not theoretical. In one December 2025 incident a victim lost roughly $50 million in USDT, and the funds passed through a mixer within about half an hour. In January 2026 another victim lost 4,556 ETH (around $12.4 million) to a single poisoned paste. Treat every copied address as untrusted until fully verified.
Why it got dramatically worse in 2026
The technique scales almost for free. Generating vanity addresses and firing dust costs pennies, so attackers blanket millions of wallets and wait for a fraction to slip. A Carnegie Mellon study counted more than 270 million poisoning attempts against some 17 million wallets, and security trackers reported daily attempts on Ethereum crossing a million.
It has also professionalized. What used to be opportunistic spam is now run by organized crews with infrastructure for monitoring high-balance wallets, generating matching addresses on demand, and laundering proceeds quickly. The result is the spike researchers flagged in early 2026: poisoning attempts roughly quintupling in two months, with confirmed user losses estimated in the tens of millions over comparable windows.

How to protect yourself
None of these defenses require special tools, just discipline.
Verify the whole address, every time
Check the full string, or at the very least several characters in the middle in addition to the ends. The matching first and last characters are exactly the part the attacker controls, so they are the worst possible thing to rely on.
Use an address book or whitelist
Save trusted addresses with clear labels in your wallet and send only from those saved entries. Never copy a recipient from transaction history. A labeled whitelist is the single most effective structural fix because it removes the moment of copying entirely.
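The two checks above (full-string verification and a labeled address book) can be combined in a small script. This is an added example, not code from any wallet or from the original article: the addresses and history are constructed, the function names are hypothetical, and the 4-character window mirrors the "first/last 4 chars" habit in the table.

```python
import re

ADDR_RE = re.compile(r"0x[0-9a-f]{40}")

# Constructed sample addresses, not real wallets.
REAL = "0xa1b2" + "1" * 32 + "c3d4"   # saved exchange deposit address
FAKE = "0xa1b2" + "9" * 32 + "c3d4"   # same first/last 4, different middle
COLD = "0x5e6f" + "2" * 32 + "7a8b"   # saved hardware wallet
OTHER = "0x0d0d" + "3" * 32 + "e0e0"  # unrelated counterparty
ADDRESS_BOOK = {"exchange-deposit": REAL, "hardware-wallet": COLD}

# Constructed history: counterparty address and transferred value.
HISTORY = [
    {"counterparty": REAL, "value": 250_000_000},
    {"counterparty": FAKE, "value": 0},          # zero-value bait
    {"counterparty": OTHER, "value": 1_000},
]

def normalize(addr):
    """Lower-case and validate a 42-character 0x-prefixed hex address."""
    a = addr.strip().lower()
    if not ADDR_RE.fullmatch(a):
        raise ValueError(f"not a 42-character hex address: {addr!r}")
    return a

def classify_recipient(candidate, book, ends=4):
    """Return ('trusted' | 'lookalike' | 'unknown', label) for a recipient."""
    cand = normalize(candidate)
    saved = {label: normalize(a) for label, a in book.items()}
    for label, real in saved.items():
        if cand == real:                          # every character matches
            return ("trusted", label)
    for label, real in saved.items():
        # Ends match a saved entry but the full string does not:
        # this is the poisoning pattern the article describes.
        if cand[2:2 + ends] == real[2:2 + ends] and cand[-ends:] == real[-ends:]:
            return ("lookalike", label)
    return ("unknown", None)

def flag_poisoned_history(history, book, ends=4):
    """List history entries whose counterparty imitates a saved address."""
    hits = []
    for tx in history:
        verdict, label = classify_recipient(tx["counterparty"], book, ends)
        if verdict == "lookalike":
            hits.append((tx["counterparty"], label, tx["value"]))
    return hits
```

An "unknown" verdict is not a pass: it only means the recipient is not in the address book and still needs to be verified against its source.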
Send a small test first
For any significant transfer, send a tiny test amount, confirm it arrived at the intended destination, then send the rest. The few cents of fee on a cheap network are trivial insurance. If you are unsure how transaction fees break down, our explainer on reading Layer 2 gas fees shows why test transactions cost so little today.
Use fresh deposit addresses where possible
If your history does not repeat the same address, there is nothing for an attacker to poison near it. Exchanges that rotate deposit addresses reduce your exposure.
Consider a signing-preview tool
Browser extensions that show what a transaction actually does before you sign can flag an unexpected destination. Verify any tool's reputation before installing it, and treat it as a backstop, not a substitute for checking the address yourself.
Tip
The single highest-value habit: never copy a recipient address from your transaction history. Copy it from the source (the person, the exchange's official deposit page, your own labeled address book) and verify the full string.
Address poisoning versus wallet drainers
Address poisoning tricks you into sending funds yourself to the wrong place. It is different from a wallet drainer, which gets you to sign a malicious approval, often on a fake mint, airdrop, or migration page, that hands a contract broad permission to move your tokens. The rise of smart-account features has widened that second attack surface; see our walkthrough of how EIP-7702 changed what a single signature can authorize. Both threats end with lost funds, but the defenses differ:
- Against poisoning: verify the recipient address.
- Against drainers: verify what you are signing and what permissions you are granting.
Good security covers both. If you hold meaningful balances, pairing careful verification with strong key hygiene matters; our guide to self-custody and seed-phrase backups covers the foundation. Slow down, verify links and people, and review permissions before approving anything.
What to do right now
If you move crypto at all, take these steps before your next transfer:
- Open your wallet's address book and add labels for every counterparty you send to regularly (your exchange deposit, your hardware wallet, a friend).
- Set a personal rule: never copy a recipient from transaction history again, full stop.
- For your next large send, copy the address from the source (exchange deposit page or your labeled book), then read the whole string, not just the ends.
- Send a small test amount first, confirm it landed at the right place in a block explorer, then send the balance.
- If you use a hardware wallet, confirm the destination address on the device screen, not just in the app.
- Consider a transaction-preview extension as a backstop, but verify its reputation before installing.
Frequently asked questions
Can someone steal my crypto just by sending me a dust transaction?
No. Receiving dust or a zero-value transfer does not, by itself, move any of your funds or compromise your keys. The danger is entirely in the next step, when you copy that poisoned address from your history and send to it. The transaction is bait, not a breach.
Why do the fake addresses look so similar to mine?
Attackers run software that generates millions of candidate addresses until one matches the first and last characters of an address you use. Because wallets typically show only the truncated ends, a matching prefix and suffix is enough to fool a quick glance even though the middle is completely different.
Does using a hardware wallet stop address poisoning?
Not on its own. A hardware wallet protects your private keys, but address poisoning attacks your decision about where to send, not your keys. You can paste the wrong address into a perfectly secure hardware wallet. Verify the destination on the device screen and use a whitelist regardless of hardware.
Is this only an Ethereum problem?
No. The same pattern appears on Bitcoin, Tron, and other chains. Ethereum and Tron see the highest volumes because of heavy stablecoin transfers and reused deposit addresses, but the underlying trick, exploiting truncated address display, works anywhere addresses are long and people verify only the ends.
The bottom line
Address poisoning works because it hides in plain sight inside your own transaction history. The fix is unglamorous but reliable: never trust a pasted address without checking the full string, keep a labeled whitelist, and send a test transaction before any large transfer. A few extra seconds of verification is far cheaper than an irreversible mistake. None of this is financial advice; it is basic operational security that scales with how much you hold.


