safety · 9 min read · last updated 2026-05-08

Address Poisoning Attacks: How They Drain Wallets in 2026

Address poisoning attacks trick you into copying a scammer's lookalike address from your own transaction history. Here's how the scam works and how to defend against it.

If you have been in crypto long enough to copy and paste a wallet address from your transaction history, you are already in the threat model for address poisoning attacks. This is one of the few scams that does not need malware, a phishing site, or a leaked seed phrase. It just needs you to be tired, in a hurry, and trusting your own wallet UI. We’ve watched this attack vector quietly become one of the most expensive in crypto, and most users still don’t know it exists.

How the scam actually works

The mechanic is depressingly simple. An attacker watches the mempool or recent on-chain activity, picks a target wallet, and generates a brand-new address using a “vanity” tool that matches the first 4-6 and last 4-6 characters of an address the target frequently sends to. They then push a transaction from that lookalike address to the victim, often a zero-value token transfer or a dust amount.

Now the victim’s wallet history shows a transaction “from” an address that looks almost identical to one they trust. Days or weeks later, the victim wants to send funds to their exchange or cold wallet. They open their history, copy what they think is the right address, and send. The funds go to the attacker.

Two technical details make this worse:

  • In some token contracts, anyone can initiate a zero-value transfer with a transferFrom call that needs no approval, so the attacker does not even need the victim’s permission to plant the entry. Etherscan documented this pattern in 2023.
  • Most wallet UIs truncate addresses to something like 0x1f3a...c9b2. If the first and last few characters match, the human eye stops checking.

MetaMask, Trust Wallet, and Phantom have all published warnings about address poisoning since 2023, and most modern wallets now flag suspected poisoned entries. But flags get dismissed, and the scam has only escalated.

The numbers, where we could verify them

We try not to repeat figures we cannot source, so here is what is actually on the record:

  • In May 2024, a single Ethereum user sent roughly 1,155 WBTC (about $68 million at the time) to a poisoned address. The attacker later returned the funds after on-chain pressure, but the case demonstrated how vulnerable even sophisticated users are. (Source: Cyvers, May 2024.)
  • Chainalysis flagged address poisoning as a fast-growing category in their 2024 mid-year crime update, with tens of thousands of victim addresses identified across EVM chains.
  • We have not seen credible 2025-2026 totals yet, and we are skeptical of any vendor pitching a precise “$X billion lost” figure without methodology. Treat those numbers as marketing.

If anyone tells you they have an exact dollar figure for poisoning losses this year, ask them how they distinguished a poisoned send from a regular user mistake. Most cannot.

Why the usual advice does not save you

You will read “always double-check the address” on every wallet’s blog. That advice is correct and useless. Humans are bad at character-by-character comparison, especially after midnight, especially on mobile, especially when the first four and last four characters match. The scam exists because this advice does not work in practice.

What actually reduces risk:

  1. Use an address book / saved contacts feature. Most major wallets support labeling a destination once and selecting it by name afterward. We cover the wallets that do this well in our wallet shortlist guide.
  2. Verify the middle of the address, not the ends. Attackers vanity-grind the start and end. The middle 20+ characters are computationally expensive to match and are almost always different.
  3. Send a small test transaction first for any new or large transfer. Yes, it costs gas. It is cheaper than $68 million.
  4. Filter or hide zero-value transfers in your wallet UI. Several wallets have a setting for this; turn it on.
  5. Use ENS, SNS, or similar name services for repeat counterparties when the destination supports them, and verify the name resolves to the expected address at least once.
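
An added example (not from the original article or any wallet's code) that turns points 1, 2 and 4 above into a check over history: it flags entries whose sender shares the first and last characters with a saved contact but differs in the middle, flags zero-value transfers, and accepts a pasted destination only on an exact address-book match. The function names, record fields and addresses are constructed for illustration.

```python
# Added example; every address and history record here is constructed sample data.
TRUSTED = "0x1f3a" + "ab" * 16 + "c9b2"    # saved contact, shown as 0x1f3a...c9b2
LOOKALIKE = "0x1f3a" + "cd" * 16 + "c9b2"  # same ends, different middle
BOOK = {"exchange deposit": TRUSTED}
HISTORY = [  # hypothetical record shape: sender and value in the smallest unit
    {"from": LOOKALIKE, "value": 0},
    {"from": TRUSTED, "value": 10**18},
    {"from": "0x" + "9" * 40, "value": 0},
]

def norm(addr):
    """Lower-case and drop 0x so checksum casing does not affect comparison."""
    a = addr.lower()
    return a[2:] if a.startswith("0x") else a

def is_lookalike(candidate, trusted, ends=4):
    """True when both ends match a trusted address but the address differs."""
    c, t = norm(candidate), norm(trusted)
    if len(c) != 40 or len(t) != 40 or c == t:
        return False
    return c[:ends] == t[:ends] and c[-ends:] == t[-ends:]

def middle(addr, ends=6):
    """The characters a truncated display hides: the part worth comparing."""
    return norm(addr)[ends:-ends]

def review_history(history, book, ends=4):
    """Return (sender, reasons) for each entry that should not be copied from."""
    findings = []
    for tx in history:
        reasons = [f"lookalike of '{label}'" for label, addr in book.items()
                   if is_lookalike(tx["from"], addr, ends)]
        if tx["value"] == 0:
            reasons.append("zero-value transfer")
        if reasons:
            findings.append((tx["from"], reasons))
    return findings

def safe_destination(pasted, book):
    """Return the contact label only for an exact address-book match."""
    for label, addr in book.items():
        if norm(pasted) == norm(addr):
            return label
    return None

if __name__ == "__main__":
    for sender, reasons in review_history(HISTORY, BOOK):
        print(sender, "->", ", ".join(reasons))
    print("paste check:", safe_destination(LOOKALIKE, BOOK))
```

With the default ends=4 the check is deliberately stricter than the 4-6 character match described earlier, so a sender that only matches four characters on each side is still flagged.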

For broader operational security, our guide on seed phrase storage mistakes covers the second half of the picture: even if your destination is correct, your keys still need to be safe.

Where presale buyers get hit specifically

Presale wallets are juicy targets because they often hold a single large balance and the buyer plans exactly one outbound transaction: claim and move to a long-term wallet. Attackers monitor token claim contracts, identify wallets that just received a large allocation, and immediately seed those wallets with a poisoned entry from a lookalike of any address that wallet has ever sent funds to.

If you are buying into presales, assume your wallet will be targeted within hours of any visible token receipt. Our presale due diligence checklist covers the pre-purchase side; address poisoning is the post-purchase tail risk that catches people who survive the first nine traps.

We have also covered specific cases where presale claimers lost funds to poisoning in our recent scam roundup, and the pattern is consistent: large claim, lookalike address planted within 24 hours, funds gone on the next outbound transfer.

What we could not verify

A few claims circulate in security marketing that we have not been able to confirm:

  • That AI-generated address matching is meaningfully faster than vanity-grinding (the math suggests not, for the prefix lengths attackers actually use).
  • That specific wallet brands are “immune” to poisoning. None are, structurally, because the attack lives in user behaviour.
  • That any chain is poisoning-proof. Solana, Tron, and Bitcoin have all seen variants.

If you see a vendor claim immunity, that is a red flag for the vendor, not a green one.

Honest summary

Address poisoning works because wallet UIs and human attention spans both fail at the same task: noticing that two long hex strings differ in the middle. The fix is not “be more careful” — it is changing your workflow so you never copy from history again. Use saved contacts, send test transactions, hide zero-value spam, and assume any wallet holding meaningful balance is being actively targeted. The $68 million WBTC incident was not an outlier of carelessness; it was an outlier of scale. The same mistake happens at $500 every day, and nobody writes about those.

FAQ

What is an address poisoning attack?
It's a scam where attackers send tiny or zero-value transactions from a wallet address that looks almost identical to one you already use, hoping you copy the wrong one later.

Can address poisoning steal funds without my approval?
No. The attack relies on you voluntarily sending funds to the lookalike address. It does not bypass signing, but it weaponises your habit of copy-pasting from history.

Do hardware wallets prevent address poisoning?
Only partially. They protect your keys but cannot tell that the destination address you confirmed is a lookalike. You still need to verify the full address before signing.

How much has been lost to address poisoning?
Public reports include a single victim losing roughly $68 million in WBTC in May 2024, and chain analysts have tracked tens of millions more across thousands of smaller incidents.

Research, not advice. This article is editorial. We are not your financial adviser. Crypto presales can lose 100% of capital.