
What Are Address Poisoning Attacks in Crypto and How to Avoid Them?

KEY TAKEAWAYS:
— Address poisoning involves sending small transactions from wallet addresses that closely resemble a legitimate one, tricking users into copying the wrong address when making future transactions.

— Address poisoning has led to over $83 million in confirmed losses. Victims include individual users and DeFi platforms.

— Users can evade address poisoning by rotating addresses, using hardware or multisig wallets, whitelisting trusted contacts, and leveraging blockchain analytics.

Ever copied a wallet address from your transaction history thinking, “Yeah, that’s definitely the one; starts with 0xAB and ends with 9F… good enough”? Well, you might’ve just sent your crypto to a scammer doing a pretty good impression of someone you trust, and not even know it. This is a type of cyber attack called address poisoning.

Address poisoning attacks in crypto are scams where attackers trick you into sending funds to a fake address that looks almost identical to a legitimate one. These attacks exploit wallet address similarity, address reuse, or malware to mislead users into unintentionally transferring assets to the wrong party.

While the blockchain itself is secure, address poisoning targets human error and trust, often through clever deception, social engineering, or technical manipulation. 

Let’s take a closer look at what address poisoning attacks are, their types and consequences, and how to protect yourself against them.

Address Poisoning Attacks in Crypto: What Are They?

In crypto, attackers influence or deceive users by tampering with wallet addresses. These scams use a mix of tricks to bypass the integrity of wallets and hijack otherwise secure systems. 

And the truth is, even if the blockchain itself is secure, the biggest point of failure is often human error, like copying the wrong address or trusting what looks familiar without verifying it.

Address poisoning attacks are commonly used to steal your digital assets or disrupt the smooth functioning of blockchain networks.

These attacks may include:

  • Theft: Attackers trick users into transmitting their funds to malicious addresses using strategies such as phishing, transaction interception or address manipulation.
  • Disruption: Address poisoning can be used to disrupt the normal operations of blockchains by introducing congestion, delays or interruptions in transactions and smart contracts, reducing the effectiveness of the network.
  • Deception: Attackers frequently attempt to mislead crypto users by posing as well-known figures. This erodes community trust in the network and can result in erroneous transactions or confusion among users.

Types of Address Poisoning Attacks

Address poisoning attacks in crypto include phishing, transaction interception, address reuse exploitation, Sybil attacks, fake QR codes, address spoofing and smart contract vulnerabilities, each posing unique risks to users’ assets and network integrity.

Phishing Attacks

Phishing attacks in crypto are a prevalent type of address poisoning, in which criminal actors build phony websites, emails or communications that closely resemble reputable companies like crypto exchanges or wallet providers.

These fraudulent platforms trick unsuspecting users into disclosing their login information, private keys or mnemonic phrases (recovery/seed phrases). Once attackers have these, they can carry out unlawful transactions and get unauthorized access to victims’ Bitcoin assets, for example.

For example, hackers might build a fake exchange website that looks exactly like the real thing and ask consumers to log in. Once they do so, the attackers gain access to customer funds on the actual exchange, resulting in substantial financial losses.

This actually happened with MyEtherWallet.com, an open source software wallet. 

In this incident, scammers manipulated the internet’s traffic routing to a fake site that looked like the real one, basically telling parts of the internet that their fake website is the real MyEtherWallet.com. 

Screenshot of the MyEtherWallet.com X page talking about the address poisoning attack they faced

People unknowingly interacted with a deceptive, imposter website designed to steal their login details and crypto, and that was that. The legitimate MyEtherWallet platform itself was not compromised, but its users were targeted through this redirection.

Graphic explaining how scammers hijacked myetherwallet.com

Transaction Interception

In transaction interception, attackers intercept valid crypto transactions and change the destination address. 

Funds destined for the genuine receiver are diverted by changing the recipient address to one under the attacker’s control. This kind of attack frequently involves malware compromising a user’s device or network or both.

Attackers, often using malware, subtly alter a crypto transaction as it’s being prepared or processed on a user’s device. This happens when a legitimate wallet address is copied, with malware instantly replacing it with the attacker’s address before the user pastes and confirms the transfer.

An infamous example is the recent ByBit cryptocurrency exchange heist on February 21, 2025, attributed to North Korea’s Lazarus Group.

During a routine transfer of funds between ByBit’s secure storage (cold wallets) and their active spending account (hot wallets), hackers found a weakness in the software being used. They secretly embedded malicious code. This allowed them to intercept a legitimate transaction request, change it to redirect the funds to their own wallet, and present it as valid for multisig approval by ByBit’s CEO. 

The attack resulted in the theft of $1.5 billion in Ethereum tokens, with at least $160 million laundered shortly after through decentralized exchanges and multiple wallets.

Address Reuse Exploitation

Since all crypto transactions are recorded and stored on the blockchain, this information can be used by scammers to exploit people. Attackers monitor the blockchain for instances of address repetition before using such occurrences to their advantage. For instance, if a user consistently gets funds from the same Ethereum address, an attacker might notice this pattern and take advantage of a flaw in the user’s wallet software to access the user’s funds without authorization.

This address repetition is problematic because it builds a comprehensive financial profile linked to that single address, potentially revealing transaction values, timings, and connections. The attacker can then exploit this detailed history. 

Suppose you’re a crypto whale using the same address to transact large sums of money. A scammer can look for specific vulnerabilities discovered in your wallet’s software, manipulate your device’s screen to display a legitimate-looking address or, if you use a hardware wallet, take their time to construct a highly personalized phishing attempt or social engineer you into approving a malicious transaction.

Sybil Attacks

To exert disproportionate control over a cryptocurrency network’s functioning, Sybil attacks entail the creation of several false identities or nodes. With this control, attackers are able to modify data, trick users, and potentially jeopardize the security of the network.

Attackers may use a large number of fraudulent nodes in the context of proof-of-stake (PoS) blockchain networks to significantly affect the consensus mechanism, giving them the ability to modify transactions and potentially double-spend cryptocurrencies.

A real Sybil attack happened in August 2020 on Ethereum Classic (ETC). An attacker took control of over 51% of the network’s mining power by running many controlled nodes. The attacker was then able to undo past transactions on the Ethereum Classic network and then spend the same digital currency twice, effectively stealing millions.

Dusting Attacks

A dusting attack is when someone sends a tiny amount of crypto (so small it’s basically worthless) into your wallet. 

screenshot of a dusting attack

At first, it might just look like random spam, but it actually has more utility for scammers. Scammers use these tiny transactions, often called “dust,” to either track your activity across wallets or quietly slip a fake address into your transaction history. 

Let’s say you receive a dusting transaction of XRP. If you later move this asset between wallet addresses, the attacker can link your dusted wallet to your other transactions, effectively de-anonymizing you or creating a financial profile around you.

This can then be used for all sorts of attack vectors against you as mentioned above.

Zero Value Transfer Attacks

Similar to dusting, a zero-value transfer is also an attack vector that involves negligible funds. This is a transaction where no tokens are actually moved, but a record of the transaction is still created on the blockchain. 

This is often used by scammers to place a look-alike address into your transaction history. 

There’s a difference between zero-value transfers and dusting, though. Both manipulate transaction history to exploit human error, but dusting is more about surveillance, and zero-value transfers are a direct method of address spoofing.

On May 26, 2025, scammers tricked a crypto trader by sending fake zero-value transfers from an address that looked almost exactly like one in the trader’s history, adding fake “sent” records to their wallet without stealing any keys. Fooled by these fake entries, the trader thought the address was safe and sent $843,000 in USDT to the scammers. Just three hours later, the same trick made them send another $1.75 million, for a total loss of about $2.6 million.

Zero-value transfers don’t require private key signatures, making them stealthy and effective. Over 270 million such attempts have occurred across Ethereum and BNB Chain, with $83 million in confirmed losses, which makes this a real, growing cross-chain threat.
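
One way to spot such entries in a transfer history, as an added example that is not from the original article or from Ledger: it flags zero-value or dust records whose counterparty shares the first and last characters of an address the wallet has genuinely transacted with. The addresses, the dust threshold and the 6/4 character windows are constructed assumptions.

```python
from dataclasses import dataclass

DUST = 0.01  # assumed cutoff (token units) below which a transfer counts as dust


@dataclass
class Transfer:
    sender: str      # "from" address of the token transfer record
    recipient: str   # "to" address of the token transfer record
    value: float     # token amount moved


def lookalike(candidate, known, head=6, tail=4):
    """True when two different addresses share the characters users usually check."""
    a, b = candidate.lower(), known.lower()
    return a != b and a[:head] == b[:head] and a[-tail:] == b[-tail:]


def find_poisoning(history, wallet):
    """Return (index, suspicious address, imitated address) for each poisoned entry."""
    wallet = wallet.lower()
    genuine = set()   # counterparties seen in transfers that moved real value
    findings = []
    for i, t in enumerate(history):
        sender, recipient = t.sender.lower(), t.recipient.lower()
        other = recipient if sender == wallet else sender
        if t.value >= DUST:
            genuine.add(other)
            continue
        # Zero-value or dust record: does its counterparty imitate a genuine one?
        match = next((k for k in sorted(genuine) if lookalike(other, k)), None)
        if match is not None:
            findings.append((i, other, match))
    return findings


# Constructed sample data (not real addresses or transactions).
WALLET = "0x" + "11" * 20
REAL = "0xab12" + "cd34ef56ab78cd90ef12ab34cd56ef78" + "9f3c"
FAKE_A = "0xab12" + "0" * 32 + "9f3c"
FAKE_B = "0xab12" + "9" * 32 + "9f3c"
OTHER = "0x" + "22" * 20
HISTORY = [
    Transfer(WALLET, REAL, 250.0),    # genuine payment to a known contact
    Transfer(OTHER, WALLET, 0.0),     # zero-value spam, but not an imitation
    Transfer(WALLET, FAKE_A, 0.0),    # fake "sent" record to a look-alike
    Transfer(FAKE_B, WALLET, 0.0001), # dust received from a look-alike
    Transfer(WALLET, REAL, 100.0),    # genuine payment
]

if __name__ == "__main__":
    for index, fake, imitated in find_poisoning(HISTORY, WALLET):
        print(f"entry {index}: {fake} imitates {imitated}")
```
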

Fake QR Codes or Payment Addresses

Address poisoning can also happen when fake payment addresses or QR codes are distributed. Attackers often deliver these fake codes in physical form to unaware users in an effort to trick them into sending crypto to an unknown address.

For example, a hacker might disseminate QR codes for crypto wallets that look real but actually include minor changes to the encoded address. 

Users who scan these codes unintentionally send money to the attacker’s address rather than that of the intended receiver, which causes financial losses.

Address Spoofing

Attackers who use address spoofing create cryptocurrency addresses that closely resemble real ones. The idea is to trick users into transferring money to the attacker’s address rather than the one belonging to the intended recipient. The visual resemblance between the fake address and the real one is used in this method of address poisoning.

An attacker might, for instance, create a Bitcoin address that closely mimics the donation address of a reputable charity or even an exchange. 

Unaware donors may unintentionally transfer money to the attacker’s address while sending donations to the organization, diverting the funds from their intended use.

Take the EOS blockchain attack for example. Following its rebranding to Vaulta, the blockchain experienced an address poisoning attack in March 2025. Hackers sent small amounts of EOS from addresses mimicking major exchanges like Binance and OKX, aiming to trick users into sending funds to fraudulent addresses. This attack then exploited the similarity in address names to deceive users.

Smart Contract Vulnerabilities

Attackers take advantage of flaws or vulnerabilities in decentralized applications (DApps) or smart contracts on blockchain systems to carry out address poisoning. 

Attackers can reroute money or cause the contract to behave in unintended ways by tampering with how transactions are carried out. Users may suffer financial losses as a result, and decentralized finance (DeFi) services may experience disruptions.

Chainalysis uncovered over 82,000 wallets linked to a widespread campaign specifically targeting users with high crypto balances, underscoring how dangerous and far-reaching these scams can be.

SegWit Address Scam (Bitcoin / BTC Scam)

While address poisoning is most commonly associated with EVM-compatible chains like Ethereum, a similar scam exists in the Bitcoin ecosystem, often referred to as the SegWit address scam. This attack exploits the visual similarity between Bitcoin address formats such as Legacy (1…), SegWit (3…), and Bech32 (bc1…) by inserting a lookalike address into a user’s transaction history. 

The attacker sends a small amount of BTC from a spoofed address that closely resembles the user’s own, hoping the victim later copies it by mistake. 

Although technically distinct from Ethereum-style poisoning, this SegWit impersonation scam is functionally a form of address poisoning: it preys on human error, interface limitations, and partial address verification to misdirect funds.

Consequences of Address Poisoning Attacks

Address poisoning attacks can lead to serious money loss, with scammers tricking people into sending their crypto to the wrong wallet, often without realizing it until it’s too late.

But the damage doesn’t stop there. 

These kinds of scams also shake people’s trust in crypto as a whole. When users get scammed or lose funds, they start to question whether crypto is really safe to use. 

In some cases, these attacks can even mess with how a blockchain works, causing delays, bugs, or network slowdowns. 

How to Avoid Address Poisoning Attacks

To protect your digital assets and keep blockchain networks secure, it is crucial to avoid address poisoning attacks in the cryptocurrency world. One of the best defenses against address poisoning is building better habits around how you use and manage your wallet.

1. Practice Self-Custody with Backup Plans

Self-custody means you and only you get to manage and control your private keys, so you’re in charge of your finances at all times. But this comes with the weight of protecting your 24-word seed phrase. Ledger devices offer secure self-custody and combine it with multiple backup options, such as Ledger Recover and Ledger Recovery Key, to get you through even the worst-case scenarios.

2. Using new addresses

Most modern wallets generate fresh addresses automatically, which helps keep your transaction history harder to trace or mimic. Pair that with a hardware wallet and this will keep your private keys offline and away from malware.

3. Transaction & address management

Be cautious about where and how you share your addresses; avoid posting them publicly or tying them to your real identity. Stick to trusted wallet providers that are known for their security features, and keep your wallet software updated. Many attacks exploit bugs that developers patch quickly, so staying updated also matters when transacting crypto.

Ledger’s wider ecosystem, including the Ledger Live app, ensures that all safeguards give you industry-leading protection from online threats. Ledger Live now also hides zero-value token transfers by default, helping to filter out common poisoning attempts before they appear in your transaction history.

4. Don’t trust, verify

Always double-check the full transaction address (not just the first and last few characters) before sending funds, and compare it against a trusted source. Usually, the screens on everyday devices prioritise display over security. This is what sets Ledger devices apart from the rest.

All Ledger devices come with Secure Screens and Secure Touchscreens that are driven directly by the Secure Element chip, so while transacting, you can rest assured that the details you see on a Ledger screen are valid and legitimate.

These components work together to ensure that even if a scammer attempts to trick you with a fake transaction or address, the device will only sign what is explicitly approved on its isolated secure screen.

Plus, with Ledger’s Clear Signing initiative, you see and verify all transaction details clearly and the Ledger Live app hides sketchy zero-value token transfers to block common scams like address poisoning. You can also set up whitelisting in some wallets to only send crypto to trusted addresses, adding extra protection.
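
The full-address check and whitelisting described above, as an added sketch (not Ledger's code): a destination is trusted only on an exact match with an allowlisted address, and an address that merely shares a contact's shortened display form is reported as a look-alike. Ethereum-style hex addresses are assumed; the labels, addresses and function names are constructed for illustration.

```python
from itertools import zip_longest

# Constructed sample data: one trusted contact and an address imitating it.
REAL = "0xab12" + "cd34ef56ab78cd90ef12ab34cd56ef78" + "9f3c"
FAKE = "0xab12" + "00001111222233334444555566667777" + "9f3c"
ALLOWLIST = {"exchange-deposit": REAL}


def short(addr, head=6, tail=4):
    """Middle-truncated form of an address, as many wallet UIs display it."""
    return f"{addr[:head]}...{addr[-tail:]}"


def check_destination(dest, allowlist):
    """Classify a pasted destination against a label -> full address allowlist."""
    # Hex addresses compare case-insensitively (assumption: Ethereum-style).
    dest_n = dest.strip().lower()
    known = {label: addr.lower() for label, addr in allowlist.items()}

    # 1. Trust requires equality over every character, never a partial match.
    for label, addr in known.items():
        if dest_n == addr:
            return {"verdict": "trusted", "contact": label}

    # 2. Same shortened form but a different address: likely poisoning.
    for label, addr in known.items():
        if short(dest_n) == short(addr):
            differs_at = [i for i, (x, y) in enumerate(zip_longest(dest_n, addr))
                          if x != y]
            return {"verdict": "lookalike", "contact": label,
                    "differs_at": differs_at}

    # 3. Not on the allowlist at all: needs out-of-band confirmation.
    return {"verdict": "unknown"}


if __name__ == "__main__":
    for candidate in (REAL, FAKE, "0x" + "22" * 20):
        print(short(candidate), check_destination(candidate, ALLOWLIST))
```

Every index in `differs_at` for the look-alike falls in the part of the address that the shortened form hides, which is why comparing only the visible ends cannot tell the two apart.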

5. Be cautious with public sharing and identity links

The less you post your public addresses online, the better; best practice is not to link them to your personal info on social media at all. This preserves anonymity, which is key for exploring censorship-resistant finance and avoiding targeted attacks.

6. Using multisig wallets

Multisig wallets boost crypto security by needing multiple keys to approve transactions, eliminating single points of failure. Ideal for shared funds, they also offer robust personal backups, like a 2-of-3 setup allowing recovery if one key is lost. This promotes secure self-custody and protects against hacks and phishing. For those with a lot of crypto, using a multisignature wallet through third-party tools like Sparrow Wallet with your Ledger adds another layer of security, needing multiple approvals for transactions.

7. Learn crypto security basics

Learning about how to protect your digital assets helps you understand the patterns and tricks that hackers may use to exploit your digital value. Even in the best case scenario when you adopt complete self-custody, a major point of failure is yourself. More awareness means more protection from cyber scams. 

For advanced users, blockchain analysis tools can flag suspicious dusting or address poisoning attempts in real time. And if you ever spot a poisoned address or suspect you’ve been targeted, report it to your wallet provider and, in serious cases, to authorities. Doing so helps others stay safe because when it comes to scams, one person’s vigilance can protect the whole ecosystem. 

If you encounter any phishing attempts impersonating Ledger via email, calls, or fake social media, you can also directly report them and help Ledger combat scams.

Conclusion

Address poisoning attacks are a real and sneaky threat in web3, costing people millions of their net worth. Scammers pull this off by slipping fake wallet addresses into your transaction history, hoping you’ll copy the wrong one in a moment of distraction. Your first and last line of defense is always going to be you. 

Simple steps go a long way to fortify yourself, and with a Ledger device, it is encouraged not to trust, but verify your transactions. Ledger’s next-gen devices make this part of the process even easier, with larger touchscreens that make each transaction that much more visible and verifiable. 

So, take a minute to double-check, set up those security layers, and keep your guard up, because in crypto, ultimately you are your own best defense.

