Topic: What are Address Poisoning Scams? (Read 838 times)

I always try to be very cautious when copying any address during a transaction, because what I fear the most is to make the mistake of sending my dear coins to the wrong address.
After learning about address poisoning scams, am very confident that my knowledge of and safe practices on the blockchain has improved and although I try to double and even triple check addresses during transactions, I value learning about ways to stay alert and be wary of scammers and their deviced scams.

Very confusing post Sonia. Let's break it down.

It doesn't. Address poisoning scams aren't common on the Bitcoin network. They are more common on alternative blockchains, but even then the two addresses aren't exactly like. Only a few characters at the beginning and the end are the same.

No one types addresses out character by character. You copy them. However, you don't copy them from blockchain explorers and transaction histories. You do it from the receive tab/receiving feature of your wallet.

I assume you mean characters. Remember that you said that addresses involved in poisoning scams look exactly like your bitcoin address? Now you are talking about the last two "wallet numbers" only a few sentences later.

This is an address that looks exactly like your Bitcoin address wallet,if not properly checked, you will be mistaken for yours, it is being created by fraudster in other to scam crypto users,when they are sending or receiving coins/tokens. These always come up on Blockchain and so, it is adviceable not to copy address even if it appears instead type and check the address properly before any transactions to avoid it because these scammers works on your two last wallet numbers.

The transaction you saw couldn't have been an outgoing transaction, only an incoming one from an address with similar characters as yours.

Correct, but a victim could use a wallet that still hasn't implemented such filtering and be tricked to copy an address from their wallet's transaction history. But I think the most popular ones have already introduced some type of measure to not show these types of transactions by default.

Yeah this happens on pretty much every blockchain. Even the L2 networks for ETH.

I remember the first time it happened I freaked out, because it showed that someone actually sent some transaction from my cold storage address, it didnt make any sense and I assumed my seed was in jeopardy. However after making a thread on Bitcointalk it was revealed that its an ETH bug where its possible to send transactions with 0 ETH and its main goal is an address poisoning attack, these days most of these are filtered on etherscan so you wont notice. But if you don't use an address book and copy and paste your recent transactions, then you are at risk.

In an interesting turn of events, the scammer decided to return 90% of the stolen coins in the last couple of days. The victim has been in contact with the scammer in the days following the incident. As we can see from the message exchange, the initial owner of the coins promised a 10% bounty if he returned 90%. That's like $6-7 million. Eventually, the scammer gave in, and they discussed terms over Telegram.

The scammer converted the wBTC to ETH, and we can now see over $66 million worth of ETH in the victim's account. It's going to be interesting to see if the owner will keep their promise and not pursue the scammer and try to identify them, depending on how the remaining coins move.

Full story here:
https://cryptopotato.com/71m-wbtc-dusting-attack-victim-recovers-stolen-loot/

I am pretty sure that there is a large enough group of people that do it for it to be worth the time and effort for scammers to come up with schemes like address poisoning. If that wasn't the case, you wouldn't have people like this guy who lost millions. Besides, people lose hundreds of millions yearly on different crypto scams. A good amount from that isn't due to hacking, but social engineering scams they fall victims to.

I see if thats the case then its kinda dangerous. Good thing I am always copying from my own wallet either from app or something safe. Does anybody used a wallet from a transaction and copied it? Maybe he is just unlucky to use that from the explorer when checking his transaction but really too bad on his side.

It doesn't have to be fake coins and tokens. In the example of the person who lost tens of millions of dollars in wBTC, he didn't receive fake tokens. He received a 0-value ETH transaction because the Ethereum network allows it. That transaction now shows up at the top of their wallet's transaction history. If they make a mistake and copy the address from there, thinking it's a different one, they will send their coins to a scammer.

Don't take shortcuts and you should be fine. These scams are successful because people are lazy to do things right.   

I see thats why there are some few transactions sent to our address. Anyway as long as we dont interact with these fakes coins or tokens that we knew we didnt sign up or do will be safe but sometime with clutters on our wallet we likely seen some of these and thought of it as legit.

Too many same name coins I received from to my wallet and obviously they are fake cause it can be seen on our wallets as flagged scam sometimes.

Dust attacks and address poisoning scams serve different purposes. Dust attacks are a means of trying to identify the users behind certain addresses by having them spend or consolidate the dust together with other coins in addresses connected to a verified identity. It's not a scheme to steal and scam people. Poisoning attacks are exactly that, a scheme to trick people and steal from them.    

That's not very likely to happen. These altcoins are account-based, not UTXO-based. Like I said previously, it's very likely you are using the same altcoin address for all your tokens. You can't freeze 1 cent of unwanted ETH in an address that holds the rest of your ETH.

This is a good info actually, not everyone  using  a wallet is aware of this besides we have alot of visitors who might need it amd even some users. I know people see it to be so dump to copy address from history but what you think might be so dumb to you, some still do it because they are ignorant  of it.
However I feel this is like a younger sibling   to dust attack although they both have the word "dust" involve .
In my view actually, this address  poisoning can also serve as dust attack  so far the user only needs to spend the coin sent with or without additionals... extra measures could be taken on addresses poisoning transaction like placing the new coin or new token address under coin control by not spending it or freezing the address entirely if there's choice for multiple adress .

Tell your friend to not use transaction histories for information about destination addresses. He may never run into problems, but it could also happen the next time he does it. I see no reason to gamble like that.

There is no reason why poisoning scams couldn't be used in Bitcoin and against Bitcoin users. But there a few reasons why they are less effective:

1. They cost more. Compared to Ethereum, Polygon or BSC, you have to pay more in fees to transfer Bitcoin. It might be enough to pay a few cents on alternative networks, but you may need $1 or $2 for bitcoin and maybe much more.

2. Bitcoin has a dust threshold. There is a minimum amount of satoshis that you have to send, which is known as the dust limit. I think 0-value outputs were possible on the Bitcoin network in the past but not anymore. Or, if they are, they are non-standard. Many alternative chains allow 0-value transactions.

3. Bitcoin isn't account-based. With Ethereum, Tron, etc., you have one account for the native coins and you use the same account for all your tokens. With Bitcoin, you have outputs spread across multiple addresses. Address reuse isn't popular for privacy reasons. Also, it doesn't save you any money to use the same address over and over again. You can't target a Bitcoin address as easy in an attempt to fool the user like you would for those alternative chains. If you and me did some trades, I would give you a new BTC address every time. But if we used ETH, all transactions would probably go into the same address even if its tokens and not the native coin.   

4. It's harder to generate similar-looking Bitcoin addresses. I am not an expert in this topic, but I think it takes more computational power to generate a similar-looking Bitcoin address compared to an Ethereum one, for example. And it gets exponentially harder the more unique custom characters you want. It's also close to impossible to make the last characters identical (like in the example of the person who lost +$70 million) because there is a checksum.   

When you need $10 for each address you try to lure into this scam it suddenly becomes really expensive to launch such an attack, plus the lack of activity, on BTC people don't deal with the other 100 confusing tokens and airdrops.
There are cases of the same kind of attacks with BTC but it's all a matter of how profitable they are.


It's just 70 million, let me copy the address from the history, not check it once more, what could get wrong, it's not like it's such a big sum anyhow, right? Probably the spammers are just as surprised as him.

Asking on behalf of a friend, is this address poisoning possible on a Bitcoin wallet? He is still copying addresses from his wallet transaction history, I want to know but I do tell him it's a bad practice, it is always better to copy from the receiver, either exchange or receivers themselves rather than your transaction history.

I was once a victim of this scam too, I lost a lot of money but after a few days I was able to get over the pain and learn my lesson, this happened on my Ethereum wallet though and I have always heard about Tron too but not Bitcoin.

The original topic of this thread also doesn't include Bitcoin in the list, maybe thats the case? I will be waiting for someone to reply me on this, maybe this address poisoning is only possible on smart contract-based blockchain projects.

An address poisoning scam involving wrapped bitcoin (wBTC) on the Ethereum network resulted in a victim losing over 1155 wBTC, worth $74 million currently. The scam happened on 3 May.

A little earlier, the victim received a 0-value transaction that was recorded in their transaction history. This transaction came from an address that had similar characters at the beginning and the end to the address the victim wanted to send the tokens to. Both addresses begin with "0xd9A1" and end with "853a91."

The victim wasn't careful and didn't check the whole address they were sending to. They probably copied the receiving address from their transaction history and ended up sending a fortune to a scammer.
It's a good lesson for everyone reading this. Don't be in a hurry, and take your time. Check the transaction data once or twice, and when you are sure everything is correct, check it a third time.


Read more about it here:
https://cryptopotato.com/costly-mistake-victim-loses-68-million-in-address-poisoning-scam/

Yes, they are vanity addresses. You can use your computational power to create a custom address for you. Of course, you can't customize the entire address, just a few characters. That's how it is for Bitcoin and I assume for other cryptocurrencies as well. Depending on the quality of your hardware, it can take a few seconds, minutes, or hours to create a custom vanity address with a few unique characters.

But I wouldn't play around with those. You will probably be reusing them, and you shouldn't for privacy reasons. There have also been various scams with fake vanity address generators.

How are these identical addresses are created?

I am not a crypto expert, so I don't know how creation of address works. Can we actually choose numeric numbers and alphabets of a address when we create them? Not all but the starting and ending part. I was just reading a topic of this address poisoning. And there was a mention of this thing "similar vanity address" (Address poisoning scams). I knew that seed phrase could be chosen manually, but now I see address could be also. I could be wrong though. Need some clarity here.

They could easily generate addresses on an open source using the profanity address generator, but there are I think vanity address generators, I think they could generate a custom prefix and suffix. They can generate a lot of addresses when I take a lot on how profanity works. There are issues I think on profanity where it could generate an address that is already owned by other users, but it was already abandoned by the creator because of the exploits.

We are all guilty of just looking at the first four or last character, I guess it is also possible on the Bitcoin network since you could just send micro-transactions as well.

My guess is that if you clicked on the confirm button, Binance would start checking your transaction data. They would look if you have the needed amount of coins in your wallet and that you are sending the BTC to a valid address. The entered address wouldn't pass the test. 1EZJTPt5thSBE8XaMGHHrePAt53DcQxdBg is a normal BTC address, 1EZJTPt5thSBE8XaMGHHrePAt53DcQxdBh is an invalid one. You can check that on any blockchain explorer. Enter the first one, and it will show you its transaction history. But for the second one, the site will tell you that the address doesn't exist or is invalid (depending on what type of error the service was configured to show).

You can easily check that with a software or hardware wallet. The client shouldn't allow you to create the transaction using the 2nd addy. When you send BTC through Ledger Live, the first step is entering the receiving address. When you enter a correct one, the continue button gets enabled. Paste a non-existing one and you won't be able to click on continue, and an error message informs you that you made a mistake.

Don't take my word for it, but I think it was nothing at all over Tron. You would get 0 USDT, for example. Nothing else.

Isn't it micro transactions? like, for example, sending 0.000001 TRX is it possible to receive nothing in a wallet by just paying fees? I think it wouldn't register on your transaction history if it doesnt have value.


I think they are using tools like a profanity address generator, which could generate a custom prefix and suffix.

Tested this on binance and binance doesn't seem to warn the users in this case. Just used a random address.

Correct address : 1EZJTPt5thSBE8XaMGHHrePAt53DcQxdBg
Wrong address : 1EZJTPt5thSBE8XaMGHHrePAt53DcQxdBh

Replaced the last character alone and binance accepted it. I didn't proceed with the payment authentication but do you think they would have warned us after the authentication ?

Bitcoin addresses (I assume similar rules apply to the addresses of other cryptocurrencies) have a 4-byte checksum in the end. That number sequence protects against making copy/paste mistakes with addresses. Take a BTC address, paste it into your wallet software and change one of its characters, and the software will tell you that the address is invalid or non-existing. And you can't send to such an address, maybe not even with the worst type of wallet. More than only one character would have to change for the checksum to be OK: 

No it's definitely very hard to get more than 20 similar characters but there are two things to consider

1. May be the scammer can get 8 characters same i.e. the first 4 and last 4 characters.
Many people just check the first few and last few characters but tend to avoid the middle ones.

2. Just one different character is enough to send the amount to a different address.
May be we made a mistake in copy pasting or something but even if one character is wrongly entered then there are possibilities that the amount will be lost.

As for checking every character manually part it's quite easy. I have a strong short term memory and can remember 5-6 characters at once immediately.
So I verify the address 5 characters at a time and the whole address is verified by every character in not more than 30 seconds.
Would you risk your BTC for 30 seconds or lets say 1 minute ?

I don't think they can duplicate 20. But the problem is, if you check only the first 3-4 and the last 3-4, how are you going to know if the rest matches or not?

I can't remember the thread where this was discussed but it was probably in the technical Bitcoin boards. Someone created a discussion showing that scammers can match more than the usual couple of starting and ending characters in a bitcoin address from a huge pool of already generated addresses. I don't think it was used in a scheme to scam someone, but to show the current capabilities. Doublechecking only a few characters in the beginning and end is getting less and less safe. Do more for your own safety. 

The scammers didn't send anything at all. The transactions were empty, they only paid the network fees.

I'm just curious on this one.

Is it possible on the tron network that they can generate these type of wallet addresses so, this is like vanity addresses? where the first and last addresses can be modified depending on what are the characters they want to generate?

Honestly, I'm guilty on this one that I just look at the first and last characters of my addresses but this is for bitcoin and not with tron or any other altcoin.

I am quite confused here, actually i read a post of Becassine in which he was sharing that his money did not reflected in his wallet and then i read another post of Ale88 that he also faced the same issue, it just shaken me up because i have few dollars in mine (hahaha) i know those are less but for me every penny matters. So new posts were coming regarding to this issue, actually i did not read the whole story, i thought both didn't received the money but they did, it just did not reflected in their wallets, What type of attack is this because i can see from December "Address Poisoning" is on top, How are these attackers are able to generate such customized addresses similar to ours.

I am just confused now that, are these two are different type of attacks, because i have less knowledge about attacks on BTC wallets or any other hot wallet. Because Charles-Tim's mentioned the same issue of Trust wallet on this topic of Address Poisoning, are these the same thing?

Note*TBH this thread was of great knowledge to me, i learn two things one is Address Poisoning and second is Dust attacks, actually i spent no time on learning about these attacks before.

There were a lot of these cases on the TRON network, sending a small amount of Tron to wallets, scammers creating a similar address copying some of the first or last characters of the address hoping that the user will get lazy since we sometimes use to just checking the first few or last characters on our address.

The best thing to do is to follow best practices when sending our coin or when receiving tokens. Copying addresses without even checking them is one of the worst things that we can do.

I have seen some people get scammed up to 25k$ and it's actually very cheap to make this transaction by sending multi transactions to multiple users, But as long as we are aware of these scams the chances As long as we are aware of this scams the probability of getting scam plummets to a lower percentage.

How do you do that, man? I have never been that patient to check all the alphabet from an address to make sure I'm not going to be scammed. Well, I usually check a few first and last characters, and most of the time, if the address is a used one, I check with the blockchain explorer to identify the address from the transaction history lol. That's far easy I think than checking every character manually.
What's the chance that a scammer can generate almost the same address through a vanity search? Maybe it's possible to have the same address for a few characters but is it possible to have a similar address of mine with a similarity of more than 20 characters for example?

You are probably talking about dust attacks on the Bitcoin network. That's when spammers and scammers send just enough satoshis to be above the dust limit hoping you will consolidate the coins you receive together with other UTXO that might help in identifying who you are. The goal with address poisoning scams is different as explained in the OP.

Keep doing that. Better be safe than sorry. That one minute you saved because you were in a hurry can potentially get you in trouble.

I did know that scammers make near to zero transactions to many different addresses but I had heard that they do it for tracking the addresses.
I always wondered what could be the reason someone would track the addresses but I guess the real reason is what OP has mentioned in his post.
Copying addresses is where many people in crypto community have made mistakes and lost their coins.
I have a general practice to copy the address from wallet and reverify every alphabet of the address after pasting.
It hardly takes a minute but saves us our precious coins.

Tron's governance update from a few weeks ago that bumped the network fees by up to 50% in some cases seems to have stopped these address poisoning schemes. Or it wasn't financially rewarding enough for the scammers to keep going. Do any users of alternative chains still see these malicious transactions in their wallets?

Bitcoin's blockchain was never the primary target for this. With the introduction of Bitcoin Ordinals, which increased the average mining fees, it's even less likely we will see something like this on Bitcoin.

Many people are still way too gullible to use the internet, let alone bitcoin or any other cryptocurrency. 

Yeah, that's pretty much it. The scammer wants you to copy his address that will pop up at the top of your transaction history in your wallet or do the same thing using a blockchain explorer.

I am sure the addresses are monitored by a bot or smart contract maybe. The fake transaction sometimes gets broadcasted 15-20 seconds after a legitimate one. The scammers want their entry to be the first you see in your wallet.

Yeah, that's not going to work yet. I should probably not say this, but it doesn't matter. Water under the bridge already. Back when smartphones started becoming a thing, I helped a close family member to get acquainted with her phone. An older lady, let's keep it at that. I realized she would need some time to figure it all out, but I never imagined what would happen. A few weeks later, she calls me to ask if I can help her get rid of something on her phone. When I get there, I see her phone has been bombarded with SMS messages from someone/something. She kept receiving new offers to contact a "girl" because the girl has heard that she can keep it up and go for hours. I am not making this up. It was both funny and sad at the same time. She couldn't even remember what she clicked on that got her into that situation, or she was ashamed to say.

I still think it has to be way more than this to fall for this trap! Way more! Add unfit-to-own crypto to the list or something like that!
I mean seriously, who will look at the addresses and see that it has received some coins from x and instead of sending to his normal dress will just copy-paste x? Is this all that this "attack does" (copied from your links)?


What are the chances of this actually happening, let's forget the laziness, stupidity whatever, but not only this it will still need another thing, for the victim to not receive any other transaction to his wallet until he decides to send some coins out.

Furthermore, this whole thing is just ridiculous:



In the example of the article, the victim sends the transaction to an address that starts with 0x61, completely different than any address in the wallet or that has been used before,  I don't think that there is anybody who checks the last characters first and then simply decides to send while the first two are obviously not the same.

Just as you said I don't know how lucrative this would be on a different chain, probably on BNB or other networks it might work, on BTC fees will kill this spam immediately. Still, $1.5 million? Losing faith the whole be your own bank thing would work in this world!

Stupidity, laziness, being in a hurry, being careless... people use different excuses and justifications for why something bad happened to them. I have even heard someone say it's the network's fault for allowing such near-zero transactions to be recorded in the first place. Beginners and newbies are the primary targets, and since the scammers have earned over $1.5 million already (minus the costs for broadcasting the transactions), it's obviously working to some extent.     

Let no one be offended, but how stupid do you have to be to copy a coin address from a list of transactions, and still blindly believe that it is your address? In addition, in most cases (whenever possible) for privacy reasons, it is recommended to use new addresses, but I believe that many people are not even aware that they can have an unlimited number of coin addresses, because they might compare it to opening a bank account.

However, as we can see, this is aimed more at altcoins users than Bitcoin users, and it seems to me like a fairly trivial scam that only relatively inexperienced users can fall for.

the EVM chain is become one biggest targets for scammers, to be honest, I just heard this today from you. I actually like playing with DeFi on EVM chain so many dapp there the fee is cheap rather than bitcoin.

and there is type of scam till this day that fake token send to your address when you try to sell it boom your money is gone so please beware guys add more tips dont do any approval in new dapp that u dont hear it before, and if u still want do transaction read carefully what the smart contract asking for and revoke the access when you are done

That's true when we are talking about Bitcoin. With account-based networks like Tron or Ethereum you always reuse the same receiving address, unless, of course, you want to use multiple accounts. But using multiple accounts also requires that they are all funded with the native tokens - TRX on Tron accounts or ETH on Ethereum accounts. Luckily, Bitcoin doesn't have those problems because pay your fees in the same asset you are transacting with.   

With the publicity that dust transactions have received over the years, one would think that people would be wary of small insignificant transactions showing up in their wallets and also be more careful when creating a transaction, actually crosschecking that they copied it from the right source and that the entire address corresponds, not just skimming through the first and last characters.

"Safety Measures and What to do Next"
In addition, when possible users should not reuse addresses. Always generating a new unused address each time you are receiving crypto could prove useful.

- Jay -

The first time I heard about this scam method was in connection with Tron and Tron-based tokens.It might have started there and then expanded to other networks.

Ethereum's gas recommendations were several hundred gwei at times in the past while Ethereum was still on POW. They don't reach those numbers anymore and go as low as 5-15 gwei more recently. So, it's much cheaper to spam the Ethereum network now compared to that it was like before.

Don't forget that the scammers attempting these schemes have to pay transaction fees just like anyone else transacting over those blockchains. It's not going to be successful unless the fake address matches that of the victim for the first and last couple of characters. Bitcoin has been spared so far probably because more computational power is required to generate look-alike addresses compared to other blockchains. But who knows what the future might bring. 

Alert to Trust Wallet users: There's an ongoing address spam, be more cautious.

I got scammed out of 100000 dollars by fake 0 dollars withdrawal on BSC

This even happened to me last month with USDT TRC20 transaction. But I always copy from recipient address which makes the scam not possible to happen to me. Even if I want to send to myself, I copy address from the address list on my wallet, not from previous transaction or transaction history. But it was obvious for me that the zero transaction was not mine.

ERC20 transactions may not have cheap fee, even bitcoin transaction that people think it has high fee can be of cheap fee, bitcoin mempool is always not congested most of the time since many months ago, more than a year or 2 now. But this has not been experienced on bitcoin blockchain.

Someone sent ERC20 from my cold storage

Many of you have probably heard, and some have even experienced address poisoning scams. It's a relatively new type of fraudulent scheme, which has become popular in the last 30-40 days. It appears on blockchains with cheap transaction fees, allowing scammers to send many low-cost transactions. I have not read about cases where this affected the Bitcoin network, but it’s still worth knowing about just in case you experience it in your BTC wallet in the future. Hardware wallet manufacturers, like Ledger have reported that scammers are targeting their users as well. So, stay alert.   

What is Address Poisoning, and How Does it Work?

This scam works by sending potential victims small (near-zero) crypto transactions. You will see a new entry in your transaction history when that happens. The address that sends the coins/tokens will look similar to yours. The first and last two to four characters will be identical.

The scammer wants to make you think that this is your own address. So, you copy it from your transaction history when sending coins to yourself or give it to a different party to pay you. In that case, the funds will be transferred to the fraudster and not to you. 

On which Blockchains is Address Poisoning Common? 

Users of the following blockchain networks have already experienced address poisoning in one way or the other:

1.   Tron
2.   Binance Smart Chain
3.   Polygon
4.   Ethereum
5.   Maybe others

Safety Measures and What to do Next

If you were a victim of address poisoning, there are no reasons to panic. No one is targeting you personally. Fraudsters prey on those who make frequent transactions and move significant sums of money.

Your coins aren't at risk. Your private keys/seed hasn't leaked, and no one has gained control of your addresses, no matter the transaction history. There is no protection against address poisoning, per se, because you can't restrict someone from sending you crypto. It's safe to use those coins as well. 

There are a few things you should always do to stay safe when sending and receiving crypto:


•   Never copy addresses from your wallet's transaction history.
•   Never copy addresses from a blockchain explorer.
•   Always generate or copy addresses from your wallet's receive or addresses tab.
•   When sending coins elsewhere, copy the address from the source/destination.
•   If you are transferring crypto to a different person, ask the other party for the correct address.
•   Verify the full address, not just the first and last couple of characters.
•   If you use a hardware wallet, ensure the address in your software matches the one shown on your device's screen.   
•   Be prepared to double and triple-check if needed because cryptocurrency transactions are irreversible. So, once your money is gone, it's lost forever. As can be seen, it's better to spend an extra minute checking what you are doing than regretting you didn't.


For more information on address poisoning scams, take a look at these sources:

Beware Of Address Poisoning Scams
Address Poisoning Attack, A Continuing Threat
SlowMist: Another Airdrop Scam, but with a twist