Address Poisoning Fix: Detect and Prevent Crypto Address Poisoning Attacks

Address poisoning is a crypto attack where an attacker sends a dust transaction from a lookalike wallet address so it appears in your transaction history. If you later copy that address by mistake, you send funds to the attacker. The best fix is verified-address workflows and pre-broadcast destination screening before funds move.
Blockchain addresses are long, complex, and look similar enough that most users check only the first and last few characters. Address poisoning exploits exactly this habit. An attacker generates a vanity address matching those characters, sends a dust transaction to insert it into the victim's history, and waits. The next time the victim copies an address from their history rather than a verified source, they send funds directly to the attacker. Address poisoning does not require a smart contract vulnerability, phishing link, or malware to succeed. In many cases it succeeds purely through transaction-history manipulation. It is often preventable with the right controls before a transaction is submitted. This guide covers how the attack works, how to detect it, what to do if you have been targeted, and how pre-broadcast screening is designed to help prevent address poisoning before funds move.
Reviewed for technical accuracy by Web3Firewall · Last updated: 23 March 2026
Web3Firewall provides risk intelligence and analysis tools. It does not provide legal, regulatory, or investment advice. Nothing on this page constitutes legal or compliance advice. If you believe funds have already been sent to an attacker's address, consult a qualified incident response provider. On-chain transactions are irreversible once confirmed.

What to do now

If you think you may have been targeted:
  1. Stop copying addresses from transaction history immediately
  2. Reconfirm the intended destination address from a trusted, independent source
  3. Use a saved address book entry or verified ENS name rather than history
  4. Check your recent transaction history for incoming dust or zero-value transactions from unfamiliar addresses
  5. If funds have already been sent to the wrong address, preserve all transaction records and contact a qualified incident response provider
For teams and platform operators:
  1. Enable incoming dust transaction monitoring to detect poisoning injection attempts in real time
  2. Implement pre-broadcast destination screening to flag lookalike addresses before outbound transactions are submitted
  3. Require full address verification for first-time high-value destinations above configurable thresholds
  4. Maintain an auditable record of all detected poisoning attempts for compliance documentation

What is address poisoning?

Address poisoning (also called address spoofing or transaction history poisoning) is an attack in which an adversary sends a small or zero-value transaction from a wallet address that closely resembles one the victim has previously transacted with, typically matching the first and last characters of the legitimate address. The goal is to insert the attacker's lookalike address into the victim's transaction history. If the victim subsequently copies an address from that history rather than from a verified source, they may send funds directly to the attacker. Address poisoning does not require a smart contract vulnerability, phishing link, or malware to succeed. It exploits the habit of copying addresses from transaction history.
In one sentence:
Address poisoning inserts an attacker-controlled lookalike address into a victim's transaction history, so the next time the victim copies a familiar address, they copy the wrong one.
The core mechanic:
An address matching the first and last characters of a legitimate counterparty looks identical at a glance. The middle characters are different, but most users never check them.
The fix:
Never copy addresses from transaction history. Always verify the full address from a trusted source. Use pre-broadcast destination screening configured to catch lookalike addresses before funds move.

How does address poisoning work?

Address poisoning unfolds in four stages, none of which require technical access to the victim's wallet or devices.
Stage 1: Target selection and address surveillance
The attacker identifies a target wallet, typically one that makes regular transfers to a consistent counterparty. On public blockchains, all transaction history is visible. The attacker identifies the most frequently used counterparty addresses in the target's history.
Stage 2: Vanity address generation
Using freely available vanity address generation tools, the attacker creates a new wallet address that matches the first and last characters of the target's known counterparty. On a standard Ethereum address, most users check at most eight characters, leaving the middle section entirely unchecked.
For example (illustrative fictional addresses, not real counterparties):
Legitimate address: 0x71C7656EC7ab88b098defB751B7401B5f6d8976F  
Attacker lookalike: 0x71C7890aB3d7f1234567890ABcd456789a8976F
The opening and closing characters are identical. The middle section differs entirely.
Stage 3: Dust transaction injection
The attacker sends a tiny or zero-value transaction from the lookalike address to the victim's wallet. The immediate financial value is usually negligible; the real risk is the poisoned history entry. This transaction inserts the attacker's address into the victim's history, making it appear as a familiar counterparty.
Stage 4: Waiting for the victim to copy the wrong address
The next time the victim sends funds to their legitimate counterparty, they may open transaction history, see the familiar-looking address, copy it, and send to the attacker instead. The transaction is valid, confirmed on-chain, and irreversible.

How do I know if my wallet has been targeted by address poisoning?


Unfamiliar dust transactions

One or more very small or zero-value transactions appearing in your wallet history from addresses you do not recognise and did not initiate. Each dust transaction is the injection mechanism, inserting the attacker's lookalike address into your history.

Lookalike addresses in history

Addresses in your transaction history that appear identical to known counterparties at first glance but contain different middle characters when the full address is examined. Most wallet interfaces truncate addresses. Always expand to full before copying.

Unexpected inbound transactions

Transactions you did not initiate appearing from addresses you have never previously interacted with. Any unexpected inbound transaction, regardless of value, warrants full address verification before any subsequent sends to similar-looking addresses.

Multiple dust injections with similar patterns

A pattern of small inbound transactions from addresses that all share character sequences with your known counterparties, indicating a systematic poisoning campaign rather than a single attempt.

Addresses mimicking exchange or protocol addresses

Dust transactions from addresses designed to resemble the deposit addresses of exchanges, DeFi protocols, or custodians you regularly interact with, targeting withdrawal flows where address copying is common.

Alerts from wallet monitoring tools

Wallet monitoring systems can be configured to detect incoming dust transactions from addresses matching lookalike attack patterns and alert before any subsequent sends. Proactive monitoring catches poisoning attempts at injection time, before the victim is in a position to copy the wrong address.

What is the fix for address poisoning?

If you have been targeted but have not yet sent funds, the poisoning attempt has succeeded in inserting the attacker's address into your history, but no funds have moved.
Never copy addresses from transaction history. Transaction history is not a safe address source. Copy the destination address directly from a verified source: the recipient's own communication, a verified address book entry, an ENS or blockchain name, or the platform's own interface.
Verify the full wallet address before every send. Not the first few characters. Not the last few. The complete address. Address poisoning is substantially mitigated the moment a user checks the full string rather than a truncated preview.
Mark or label known counterparties in your wallet's address book so you never need to copy from history for regular counterparties.
If you have already sent funds to a lookalike address
Blockchain transactions are irreversible once confirmed. Funds sent to an attacker's address cannot be recalled or frozen through any on-chain mechanism. Contact a qualified incident response provider. Preserve all transaction records and evidence. Report the attacker's address to relevant exchange compliance teams. If the attacker routes funds through an exchange, there is a possibility, though not a certainty, that the exchange may be able to act on a report. Do not send additional funds in an attempt to recover.
For organisations and platforms, the preventive fix extends beyond user education.
Implement pre-broadcast destination address screening, configured to evaluate the destination address before a transaction is submitted. Deploy incoming dust transaction monitoring to detect poisoning injection attempts at the moment they occur. Apply lookalike address detection against a wallet's known counterparty set to flag destination addresses matching a poisoning attack pattern before funds move.

How does pre-broadcast screening help prevent address poisoning?

The principle
Address poisoning is most effectively addressed at the pre-broadcast stage, before confirmation makes the transaction irreversible.
Why pre-broadcast matters:
Once a transaction is confirmed on-chain, it is irreversible. Post-transaction monitoring can detect a poisoning pattern, but cannot recover funds. Pre-broadcast controls are the most reliable intervention point, because they create a window where a transaction can be held, escalated, or blocked before funds move.
When configured appropriately, pre-broadcast screening can counter address poisoning through four specific mechanisms:

Destination address novelty detection

A transaction to a destination the sending wallet has not previously used is flagged as a novelty event. For wallets with established counterparty patterns, a sudden transaction to a previously unseen address is a high-signal anomaly, even if the address looks familiar at a truncated glance.

Lookalike address pattern matching

The destination address can be compared against the wallet's known counterparty set. An address sharing the first and last characters of a known counterparty but differing in the middle is a direct lookalike attack indicator. This check requires a system holding the verified counterparty set and actively comparing against it, not transaction history inspection alone.

Dust transaction correlation

If the destination address first appeared in the wallet's history as the sender of a dust or zero-value transaction, that correlation can be surfaced as a risk signal. An address that entered history through a dust transaction should not be trusted without full independent verification.

Behavioral consistency check

The transaction can be evaluated against the wallet's established behavioral patterns, including typical counterparties, transaction sizes, and timing. A large transfer to a first-time address, in a context where the wallet normally sends to a small stable set of counterparties, is anomalous regardless of whether the address appears familiar.
When these signals are detected, systems configured with appropriate policies can hold the transaction, escalate for manual review, or block prior to broadcast within configured workflows, creating the intervention window that confirms or rejects the destination before funds become irreversible.
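The four checks above can be combined into a single pre-broadcast decision. The following is an added example, not Web3Firewall's code: the verdict names, the 4-character prefix/suffix window, the dust and high-value thresholds, and every function name are assumptions chosen for illustration, and all addresses are constructed.

```python
import re

PREFIX_LEN = 4            # assumption: leading hex chars a user glances at
SUFFIX_LEN = 4            # assumption: trailing hex chars a user glances at
DUST_WEI = 10**12         # assumption: inbound value at or below this is dust
HIGH_VALUE_WEI = 10**18   # assumption: policy threshold for first-time sends

ADDRESS_RE = re.compile(r"0x[0-9a-f]{40}")


def normalize(addr):
    """Lowercase an address and reject anything that is not 0x + 40 hex chars."""
    a = addr.strip().lower()
    if not ADDRESS_RE.fullmatch(a):
        raise ValueError(f"malformed address: {addr!r}")
    return a


def lookalike_of(dest, verified):
    """Return the verified address whose prefix and suffix dest copies, else None."""
    for known in sorted(verified):
        if (dest != known
                and dest[2:2 + PREFIX_LEN] == known[2:2 + PREFIX_LEN]
                and dest[-SUFFIX_LEN:] == known[-SUFFIX_LEN:]):
            return known
    return None


def introduced_by_dust(dest, history):
    """True if dest's first appearance in history is an inbound dust transfer."""
    for direction, counterparty, value_wei in history:
        if normalize(counterparty) == dest:
            return direction == "in" and value_wei <= DUST_WEI
    return False


def screen(dest_raw, value_wei, address_book, history):
    """Return (verdict, signals) for an outbound transfer before broadcast."""
    dest = normalize(dest_raw)
    verified = {normalize(a) for a in address_book}
    if dest in verified:
        return "allow", []            # full-string match against the verified set

    signals = []
    imitated = lookalike_of(dest, verified)
    if imitated:
        signals.append("lookalike_of:" + imitated)
    if introduced_by_dust(dest, history):
        signals.append("introduced_via_dust")
    sent_before = any(d == "out" and normalize(c) == dest for d, c, _ in history)
    if not sent_before:
        signals.append("first_time_destination")
        if value_wei >= HIGH_VALUE_WEI:
            signals.append("first_time_high_value")

    if imitated or "introduced_via_dust" in signals:
        return "deny", signals
    return ("require_approval" if signals else "allow"), signals


# Constructed sample data: fictional addresses, not real counterparties.
LEGIT = "0x71c7" + "a1" * 16 + "976f"     # verified counterparty
POISON = "0x71c7" + "b2" * 16 + "976f"    # same first/last 4, different middle
VENDOR = "0x" + "4d" * 20                 # paid before, not in the address book
FRESH = "0x" + "3c" * 20                  # never seen
HISTORY = [                               # (direction, counterparty, value_wei), oldest first
    ("out", LEGIT, 5 * 10**18),
    ("out", VENDOR, 10**17),
    ("in", POISON, 0),                    # the dust injection
]

if __name__ == "__main__":
    for name, dest in [("legit", LEGIT), ("poison", POISON),
                       ("vendor", VENDOR), ("fresh", FRESH)]:
        print(name, screen(dest, 5 * 10**18, {LEGIT}, HISTORY))
```

The comparison runs against the verified address book, never against history, so a poisoned entry cannot vouch for itself. Malformed input such as a 39-character address is rejected before any check is made.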

What signals indicate an address poisoning attempt?


Dust inbound transaction

Any inbound transaction of very small or zero value from an address not previously interacted with. The defining characteristic of the injection phase of an address poisoning attack. The immediate financial value is usually negligible; the real risk is the poisoned history entry.

Lookalike address pattern

An inbound or outbound address sharing the first and last characters of a known counterparty in the wallet's transaction history. The core structural signal of an address poisoning attack, requiring full address comparison against the verified counterparty set.

First-time destination with high value

A large-value outbound transaction to an address the wallet has never previously sent to, particularly anomalous when the wallet normally sends to a consistent, small set of counterparties.

Destination introduced via dust transaction

A destination address that first appeared in the wallet's history as the sender of a dust transaction. Any address that entered history through a zero or near-zero value transaction should be treated as a potential poison address until independently verified.

Address mismatch against saved counterparty

The destination address for a transaction does not match the saved, verified address for the named counterparty in the wallet's address book, indicating either user error or a poisoning-driven copy from history.

Vanity address characteristics

A destination address with a high degree of character similarity to known counterparties, particularly matching both prefix and suffix. This pattern strongly suggests deliberate vanity address generation for a poisoning attack.

Systematic injection campaign

Multiple inbound dust transactions from multiple addresses all sharing character sequences with the wallet's known counterparties, indicating a coordinated, multi-address poisoning campaign rather than a single opportunistic attempt.

Exchange deposit address spoofing

Dust transactions from addresses mimicking exchange deposit addresses, targeting the common behavior of copying a deposit address from a previous transaction rather than generating a fresh one from the exchange interface.

Protocol contract address spoofing

Addresses designed to resemble smart contract addresses the wallet regularly interacts with, including DeFi protocols, liquidity pools, or staking contracts, targeting users who copy contract addresses from their interaction history.

How does address poisoning differ from related attacks?

| Attack type | Method | On-chain component | Fix |
| --- | --- | --- | --- |
| Address poisoning | Dust transaction injects lookalike address into history | Yes, dust transaction on-chain | Pre-broadcast destination screening; never copy from history |
| Phishing | Fake website or message substitutes attacker address | No, off-chain deception | Verify URL; use bookmarks; two-factor confirmation |
| Clipboard hijacking | Malware replaces copied address with attacker address | No, device-level attack | Malware removal; always verify address after pasting |
| Address typosquatting | Attacker registers ENS or domain similar to legitimate one | Partially, ENS registration on-chain | Verify full ENS name character-by-character; check registration date |
| SIM swap / account takeover | Attacker takes over account and changes withdrawal address | No, account compromise | Two-factor authentication; withdrawal address whitelisting |
| Approval phishing | Victim signs token approval granting attacker spending rights | Yes, approval on-chain | Review approval scopes; use simulation to surface unexpected approvals |

Use cases by team


Exchange operations (CEX)

Monitor customer withdrawal flows for destination addresses matching lookalike attack patterns against the customer's prior withdrawal history. Flag first-time withdrawal destinations closely resembling previously used addresses. Detect incoming dust transactions to customer wallets at deposit address level.

Custodians

Screen all outbound transfer destinations before authorisation against the custodied wallet's verified counterparty set. Flag destination addresses introduced via dust transactions. Apply lookalike pattern detection to all withdrawal and transfer requests before submission within supported environments.

DeFi protocol teams

Monitor wallet interactions with your protocol for signs of address poisoning targeting your contract addresses. Detect dust injection campaigns that use lookalike addresses designed to mimic your protocol's smart contract or treasury addresses. Surface attempts before users interact with spoofed contracts.

Infrastructure providers

Integrate address poisoning detection into wallet APIs, transaction relay services, or RPC infrastructure, surfacing lookalike destination risks to downstream wallet and application clients at the infrastructure layer without each client building their own detection stack.

Security operations teams

Monitor wallets under management for incoming dust injection events in real time. Correlate dust transaction sources against known counterparty sets. Alert operators before a poisoned address can be copied and used in a subsequent transaction. Generate audit records of all detected poisoning attempts.

Compliance teams

Address poisoning attacks resulting in misdirected funds may create incident-review and jurisdiction-specific reporting considerations depending on the entity type and applicable frameworks. Monitoring for poisoning attempts and maintaining records of detection events supports proactive risk management and post-incident documentation.

Example: address poisoning signals in practice

Here is a concrete illustrative example of what address poisoning monitoring and pre-broadcast screening can surface for an outbound transfer that would otherwise appear routine. All addresses and figures shown are entirely fictional and are not based on any real organisation or incident.
This example shows why address poisoning is so effective against teams that rely on visual verification alone. A full address with a matching prefix and suffix looks identical to the legitimate address in every interface that truncates the middle. Verification must be systematic, not visual.

Why Web3Firewall for address poisoning detection and prevention

Web3Firewall is a Web3 security and compliance platform, often described as a SIEM for blockchain. It is designed for security and operations teams who need address poisoning detection and pre-broadcast destination screening to run continuously, integrate into existing transaction workflows, and produce auditable records of all detection events.
The platform is designed to combine behavioral monitoring, wallet risk scoring, transaction simulation, and a programmable policy engine into a single operational layer. Transactions routed through Web3Firewall can receive a real-time verdict of allow, deny, or require approval, applying customer-defined risk and policy controls within configured workflows before a transaction reaches the network.
This enables organisations to evaluate not just whether a transaction is technically valid, but whether its destination address has been screened for address poisoning indicators and is consistent with verified counterparty records.

Pre-broadcast destination address screening

Workflows can be configured to evaluate every transaction before broadcast, comparing the destination address against the wallet's verified counterparty set, detecting lookalike pattern matches, and flagging addresses introduced via dust transaction injection. High-risk destinations can receive a verdict before funds move, depending on integration and policy configuration.

Dust transaction injection monitoring

Incoming dust and zero-value transactions can be monitored as potential address poisoning injection events. When a wallet receives a dust transaction from an address matching the lookalike pattern of a known counterparty, an alert can be generated before any subsequent outbound transaction copies the poisoned address.

Lookalike address pattern detection

Destination addresses can be compared against the wallet's established counterparty set for prefix and suffix matching consistent with vanity address generation. Addresses sharing the first and last characters of known counterparties can be treated as high-confidence address poisoning indicators regardless of whether they appear on any external watchlist.

Behavioral counterparty baseline

Wallet activity can be modeled into a behavioral baseline of known counterparties, typical transaction sizes, and send patterns. A first-time high-value send to a previously unseen address is flagged as anomalous within that baseline, even if the destination address has no prior risk history in external datasets.

Programmable address security policy engine

Define address verification policies in a no-code interface or via API. Require approval for first-time destinations above configurable value thresholds, flag destinations matching lookalike patterns, or escalate any transaction to an address introduced via a dust transaction. Policies apply customer-defined rules within configured workflows.

Audit-ready poisoning attempt records

Every detected dust injection event, lookalike address flag, and pre-broadcast destination verdict can be logged with full supporting evidence. Security and compliance teams can maintain an auditable record of all address poisoning attempts and detection outcomes for governance reviews and incident documentation.
Disclaimer: Web3Firewall provides risk intelligence and analysis tools. It does not provide legal, regulatory, or investment advice. Detection outputs are risk indicators designed to support human and automated decision-making within configured workflows. They are not guarantees of detection or prevention outcomes. Results depend on integration, configuration, and supported environments.

Stop address poisoning before funds move

Address poisoning is one of the most effective and technically simple attacks in Web3, because it requires no exploit, only a user's habit of copying from history. Web3Firewall is designed to help catch it at the pre-broadcast stage, where the intervention window still exists. Try the sandbox to screen any wallet address, or book a demo to see how pre-broadcast destination screening fits into your transaction security architecture.

Frequently Asked Questions

What is address poisoning in crypto?

Address poisoning is a crypto attack where an attacker sends a dust transaction from a lookalike wallet address so it appears in your transaction history. If you later copy that address by mistake, you send funds to the attacker instead of the intended recipient. The best fix is verified-address workflows and pre-broadcast destination screening.

How does address poisoning work?

Attackers use vanity address generation tools to create wallet addresses matching the first and last characters of a target's known counterparty addresses. They send a dust transaction from this lookalike address to the victim's wallet, inserting the attacker's address into the victim's transaction history. If the victim copies an address from history rather than a verified source, they may send funds directly to the attacker.

What is the fix for address poisoning?

The most reliable fix combines several controls: always verify the full wallet address before sending, never copy addresses from transaction history, use a verified address book rather than history, and implement pre-broadcast transaction screening that can be configured to flag destination addresses matching lookalike attack patterns or introduced via dust transactions.

How do I know if my wallet has been targeted by address poisoning?

Signs include: receiving very small or zero-value transactions from unfamiliar addresses, those addresses closely resembling addresses you have previously used, or finding addresses in your transaction history that appear familiar at first glance but have different middle characters on full inspection. Wallet monitoring tools can detect dust injection events and alert before any funds are sent.

Can I recover funds sent to an address poisoning attacker?

In almost all cases, no. Blockchain transactions are irreversible once confirmed. Funds sent to an attacker's address cannot be recalled or frozen through any on-chain mechanism. Pre-broadcast controls are the most reliable intervention point. If funds have already been sent, preserve all transaction records and contact a qualified incident response provider.

What is a dust transaction in address poisoning?

In address poisoning, a dust transaction is a very small or zero-value transfer sent by the attacker from a lookalike address to the victim's wallet. The immediate financial value is usually negligible; the real risk is the poisoned history entry. The transaction inserts the attacker's address into history, making it appear as a familiar counterparty.

How does pre-broadcast screening help prevent address poisoning?

When configured appropriately, pre-broadcast screening can evaluate a transaction's destination address before it is submitted to the network, comparing it against the wallet's verified counterparty set, detecting lookalike patterns, and flagging addresses introduced via dust transactions. When these signals are detected, the system is designed to hold, escalate, or block prior to broadcast within configured workflows.

Is address poisoning the same as a phishing attack?

Address poisoning and phishing share the same goal of tricking a user into sending funds to an attacker-controlled address, but use different methods. Phishing uses fake websites, emails, or messages. Address poisoning does not require a smart contract vulnerability, phishing link, or malware to succeed. In many cases it succeeds purely through transaction-history manipulation. Both are addressed by pre-broadcast destination address verification, but address poisoning additionally requires monitoring for dust injection events at the wallet level.