
Address Poisoning: The Hack That Targets Your Muscle Memory


Overview

In the realm of crypto security, most users are vigilant against phishing links or sharing their seed phrases. However, a new and highly effective attack vector known as “Address Poisoning” exploits a different vulnerability entirely: our reliance on copy-and-paste and our tendency to only check the beginning and end of a wallet address.

This attack is particularly insidious because it doesn’t require the hacker to access your wallet or steal your private keys. Instead, they trick you into voluntarily sending your funds to them by polluting your transaction history.

How the “Dust” Attack Works

The anatomy of an address poisoning attack is simple, and it relies on psychology rather than on any technical compromise of your wallet.

  1. The Bot Watch: Attackers use bots to monitor the blockchain for high-value transfers. Let’s say you frequently send stablecoins to a specific address (e.g., your exchange deposit address).
  2. The Generator: The attacker uses software to generate a “vanity address” that looks remarkably similar to your trusted address. If your exchange address is 0x123…ABC, they will generate an address that also starts with 0x123 and ends with ABC, but has completely different characters in the middle.
  3. The Poison: The attacker sends a transaction of $0 (or a negligible amount like $0.0001) from their lookalike address to your wallet.
  4. The Trap: Now, the attacker’s lookalike address sits at the top of your wallet’s transaction history. The next time you go to send money to your exchange, you might lazily go to your history, see the most recent transaction, assume it’s your trusted address because the start and end characters match, copy it, and send your funds.

Why It Works: The Lazy Verification

Human brains are wired for efficiency. When we see a long string of alphanumeric characters, we naturally look for patterns. Verifying the first four and last four characters is a common shorthand. Attackers know this. By matching those characters, they bypass our mental security checks. Once you send the funds to the poisoned address, they are gone forever. There is no customer support to reverse the transaction.

Defensive Habits for the Modern User

Defending against address poisoning requires breaking bad habits.

  • Never Copy from History: Avoid copying addresses from your transaction history. Always copy the address directly from the source (e.g., the deposit page of the exchange) or use a saved “Address Book” feature within your wallet.
  • Check Every Character: If you are moving significant funds, check the middle characters of the address, not just the start and end.
  • Test Transfers: For large amounts, always send a small test transaction first.

While self-custody offers freedom, it comes with the responsibility of being your own bank's security team.
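
The check below is an added example, not code from ScammerWatch or from any wallet: it flags history entries whose sender matches the first four and last four characters of a saved address without being identical, and it accepts a destination only on a full-length match. The address book, the sample transfers and every address in them are constructed for illustration, and the $0.01 dust threshold is an assumption.

```python
# Added example. All addresses and transfers below are constructed samples.
ADDRESS_BOOK = {  # assumption: labels the user saved from the original source
    "exchange-deposit": "0x1234a1b2c3d4e5f60718293a4b5c6d7e8f90abcd",
}

def normalize(addr):
    """Lower-case a 0x-prefixed 20-byte hex address; reject anything else."""
    a = addr.strip().lower()
    if len(a) != 42 or not a.startswith("0x"):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    int(a[2:], 16)  # raises ValueError on non-hex characters
    return a

def lookalike_of(addr, book=ADDRESS_BOOK, head=4, tail=4):
    """Return the label of the saved address that addr imitates, else None."""
    a = normalize(addr)[2:]
    for label, trusted in book.items():
        t = normalize(trusted)[2:]
        # Same visible start and end, different full value: the poisoning pattern.
        if a != t and a[:head] == t[:head] and a[-tail:] == t[-tail:]:
            return label
    return None

def flag_poisoning(history, dust_usd=0.01):
    """Return history entries whose sender imitates a saved address."""
    flagged = []
    for tx in history:
        label = lookalike_of(tx["from"])
        if label:
            flagged.append({**tx, "imitates": label,
                            "dust": tx["value_usd"] <= dust_usd})
    return flagged

def is_trusted_destination(addr, book=ADDRESS_BOOK):
    """Exact, full-length match against the address book only."""
    return normalize(addr) in {normalize(t) for t in book.values()}

SAMPLE_HISTORY = [  # constructed incoming transfers, newest first
    {"hash": "tx-3", "from": "0x1234ffffeeeeddddccccbbbbaaaa99998888abcd", "value_usd": 0.0},
    {"hash": "tx-2", "from": "0x9f00a1b2c3d4e5f60718293a4b5c6d7e8f901111", "value_usd": 0.0001},
    {"hash": "tx-1", "from": "0x1234a1b2c3d4e5f60718293a4b5c6d7e8f90abcd", "value_usd": 250.0},
]

if __name__ == "__main__":
    for hit in flag_poisoning(SAMPLE_HISTORY):
        print(f"{hit['hash']}: {hit['from']} imitates {hit['imitates']} (dust={hit['dust']})")
    print("newest sender trusted?", is_trusted_destination(SAMPLE_HISTORY[0]["from"]))
```

Only the newest entry is flagged: the second transfer is dust from an unrelated address, and the third is the saved address itself.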

Evidence Checklist: If You Sent Funds to a Poisoned Address

If you believe you have been a victim of address poisoning, preserve the following evidence before attempting any recovery steps. This information is useful for reports to exchanges, wallet providers, blockchain analytics services, and law enforcement.

  • Transaction hash: the transaction ID of the funds you sent to the wrong address — find this in your wallet’s transaction history or on a blockchain explorer
  • Poisoned address: the wallet address you accidentally sent funds to
  • Correct address: the legitimate address you intended to send to
  • Poisoning transaction: the $0 or dust transaction the attacker sent to inject the lookalike address into your history — its transaction hash if available
  • Screenshot of transaction history: showing the poisoned address appearing above the legitimate address
  • Timestamp: date and time of both the poisoning transaction and your mistaken send
  • Wallet and network: which wallet you were using and which network the transaction occurred on (Ethereum, BSC, Tron, etc.)
  • Amount lost: value in USD or the token amount at time of transaction

Funds sent to the wrong address on a public blockchain cannot be reversed. However, documented evidence may be useful for reports to the receiving exchange (if the address is an exchange deposit address), blockchain analytics services, and law enforcement. If you encountered a platform or tool that facilitated or exploited this attack, submit a report at scammerwatch.com/report-a-scam.
