Address poisoning is a social-engineering scam that exploits how people copy and paste wallet addresses. It does not hack private keys. It tries to make a wallet owner send funds to the wrong address by placing a lookalike address into the victim’s recent transaction history.
In practical terms, an attacker sends a small or zero-value transfer from an address that resembles a legitimate address the victim uses. Later, the victim opens recent transactions, copies the attacker’s address by mistake, and sends funds to the attacker. MetaMask’s own guidance describes this as a scam where attackers “poison” transaction history so the wrong address looks familiar and easy to select.
Address poisoning is usually a four-step loop. The details vary, but the core mechanism stays consistent.
Attackers look for wallets that send funds repeatedly to the same destinations, such as exchange deposit addresses, OTC desks, payment processors, or treasury multisigs. The goal is to find a pattern that produces repeated outgoing transfers.
This reconnaissance can be manual or automated. Public block explorers make it easy to spot a wallet that sends to the same “To” address frequently, especially if those transfers happen in similar sizes or at predictable intervals.
Once the attacker identifies a destination address the victim tends to reuse, the attacker generates a new address that visually resembles it. Many scams focus on matching the first and last characters because wallets and UIs often display addresses in truncated form.
Chainalysis describes this process as an attacker algorithmically generating new addresses until one closely resembles the address the victim most often interacts with, then using that lookalike to set the trap. Wallet teams have also highlighted the role of vanity address generation in this attack style.
Next, the attacker sends a small or zero-value transfer to the victim from the lookalike address. The victim’s wallet history now shows the attacker address near legitimate prior activity.
MetaMask notes that attackers often send transactions of no value to the account, hoping the victim later copies the attacker address from transaction history. The pattern is simple: small harmless transfers from a mimic address that turn the “recent addresses” list into a trap.
The final step is waiting for human error. When the victim goes to send again, the wallet or UI often makes it easy to reuse a recent address. If the victim selects the lookalike address, the transfer goes to the attacker.
Because blockchain transfers are generally irreversible, recovery is difficult unless the destination is a custodial service that can freeze inbound funds, which is rare and time-sensitive.
The most effective poison attacks do not just create a lookalike address. They also mimic what the victim expects to see in a transaction list.
Most wallet UIs truncate addresses, for example showing 0xABCD…1234. Attackers exploit this by generating addresses that share the same prefix and suffix, which creates a strong visual false match. Some analyses describe this as a vanity address strategy where the attacker matches the first and last characters of a target address to maximize confusion.
This is one reason address poisoning works even on careful users. If a user checks only the first four and last four characters, the attacker can intentionally pass that check.
Attackers sometimes mirror the victim’s typical send sizes or token types. For example, if a victim regularly sends stablecoins to an exchange, the attacker may send a tiny token transfer that looks similar in the UI. Many explorers and wallets show token transfers and approvals alongside native transfers. That makes “history” a mixed feed where spam can hide.
Some poison attempts also use token transfers that are worth effectively nothing but still appear as activity. Merkle Science describes how token transactions of nominal value can taint history and increase the chance of a miscopy event.
The scam succeeds when convenience beats verification. Many products offer:
When a poisoned address sits beside a legitimate one, the wrong copy action can happen quickly. This is why most wallet developers emphasize that the attacker’s goal is to get the victim to absent-mindedly copy the wrong address from history.
Ethereum is a high-visibility chain with a dense wallet ecosystem. Most DeFi users route through Ethereum and Ethereum L2s, and a large share of consumer wallets use address truncation patterns. That makes the visual spoof tactic scale well.
Ethereum also has a heavy “token transfer feed” problem. Token spam and meaningless transfers can fill histories, which gives poison attempts more camouflage.
In 2026, poisoning becomes cheaper when transaction fees drop. A poison campaign needs many tiny transfers to “spray” targets or to repeatedly refresh a victim’s transaction list. When fees are high, that spam becomes expensive. When fees fall, attackers can scale.
Etherscan’s live gas tracker shows extremely low base fees, with the page indicating sub-cent costs for simple actions at that moment. That environment reduces the attacker’s cost per poison transaction.
Broader coverage also highlights how low fees can coincide with high throughput. A January 2026 report noted transaction activity hitting record levels while gas costs fell sharply, which is the kind of regime where small-value spam becomes more economically viable. When sending low-value transfers becomes cheaper, address poisoning becomes a higher ROI scam.
This does not mean every Ethereum weekend becomes dangerous. It means the attacker’s economics improve, so the tactic appears more frequently.
Address poisoning is not a private key compromise. If the wallet seed phrase is stolen, the attacker does not need the victim to make a mistake. In poisoning, the attacker relies on the victim’s normal behavior.
Address poisoning is also not the same as malicious smart contract approvals, though both appear in the same “wallet security” conversations. Approval scams drain tokens because a spender is authorized. Poisoning drains funds because the victim sends them to the wrong place.
The distinction matters because defenses differ. Malware defenses focus on device hygiene. Approval defenses focus on permission reviews. Poisoning defenses focus on address verification discipline.
The highest-quality defense is a workflow change. The goal is to reduce situations where a wallet owner selects a recipient from a poisoned list.
Wallet owners can store trusted recipient addresses in an address book and reuse those instead of copying from recent history. For teams, withdrawal whitelists and recipient allow-lists reduce the chance of a single miscopy event.
Poisoners frequently match the first and last characters. Safer verification checks more of the address, including a middle segment, or compares the full address. Hardware wallets help because they display the full recipient address on a separate device screen.
For high-value transfers, a small test send to a new destination reduces catastrophic loss risk. It is not elegant, but it is effective. If the recipient is wrong, the loss stays small.
Some users prefer ENS-style names or verified deposit flows. The key is verification. A name is safer only if it is known, trusted, and checked carefully. Wallet owners should still validate the destination where possible.
Address poisoning works because history reuse is convenient. A safer habit is to copy the destination from a verified source, such as an exchange deposit page opened fresh, rather than from a transaction list. This approach directly removes the attack surface.
Wallet owners who see repeated tiny inbound transfers from unfamiliar lookalike addresses should treat it as a warning sign. The presence of such activity is not proof of compromise, but it is a sign that copy-from-history behavior is riskier than normal.
Wallet providers and security teams also publish updated guidance when scam waves rise, and MetaMask’s security reporting has described address poisoning as a recurring scam vector.
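The address-book check and the lookalike warning sign described above can be combined into one full-address comparison. The following is an added example, not code from the original article or from any wallet project; the 4+4 truncation, the address-book layout, the function names and all sample addresses are assumptions constructed for illustration.

```python
import re

PREFIX_LEN = 4  # hex chars shown after "0x" (assumed truncation, as in 0xABCD...1234)
SUFFIX_LEN = 4
_ADDR = re.compile(r"0x[0-9a-f]{40}")

def normalize(addr):
    """Lower-case an address and reject anything that is not 0x + 40 hex chars."""
    a = addr.strip().lower()
    if not _ADDR.fullmatch(a):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return a

def truncated(addr):
    """The shortened form a wallet list would display."""
    a = normalize(addr)
    return f"{a[:2 + PREFIX_LEN]}...{a[-SUFFIX_LEN:]}"

def check_recipient(candidate, address_book):
    """Classify a recipient as 'trusted', 'lookalike' or 'unknown'.

    'lookalike' means the full address is NOT in the address book, but its
    truncated form collides with an entry that is.
    """
    c = normalize(candidate)
    book = {normalize(a): label for label, a in address_book.items()}
    if c in book:
        return ("trusted", book[c])
    for addr, label in book.items():
        if truncated(addr) == truncated(c):
            return ("lookalike", label)
    return ("unknown", None)

def flag_poisoned_history(inbound, address_book):
    """Return inbound transfers whose sender imitates an address-book entry."""
    flagged = []
    for tx in inbound:
        verdict, label = check_recipient(tx["from"], address_book)
        if verdict == "lookalike":
            flagged.append({**tx, "imitates": label})
    return flagged

# Constructed sample data; none of these are real addresses.
ADDRESS_BOOK = {"exchange-deposit": "0xABCD" + "11" * 16 + "1234"}
INBOUND = [
    {"from": "0xabcd" + "99" * 16 + "1234", "value": 0},   # same prefix/suffix, different middle
    {"from": "0x" + "5e" * 20, "value": 250},              # unrelated sender
]
```

Running `check_recipient` on the pasted destination before signing catches the case where the truncated display matches a saved entry but the full address does not.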
The best option is prevention, but if a mis-send happens, speed matters.
If the funds were sent to a custodial deposit address, such as an exchange, the recipient platform may be able to freeze or assist, but only if contacted quickly and only if internal policy allows it. If the destination is a private wallet, recovery is unlikely.
Wallet owners can still take useful steps:
Address poisoning is popular because it is simple, scalable, and relies on normal user behavior instead of technical compromise. Attackers create lookalike addresses, inject them into transaction history with low-value transfers, and wait for a victim to reuse the wrong recipient.
Ethereum becomes a prime target when fees are low because the cost to spam poison transactions drops, making the scam more economically attractive. The strongest defenses are operational: avoid copying recipients from history, store trusted destinations in an address book, verify more of the address than the first and last characters, and use small test sends for high-value transfers to new destinations.
The post Address Poisoning Explained: How It Works and How to Stay Safe appeared first on Crypto Adventure.