Sender Beware: Address Poisoning Spreads to Ethereum and Fake Tokens

Address poisoning first emerged as a major scam in early 2023. At that point, law enforcement agencies, wallet providers, exchanges, and other industry leaders, including Merkle Science, issued warnings to consumers about the scheme. Address poisoning has evolved since then from its roots in low-fee blockchains, meriting another consumer advisory.

How address poisoning works 

In early 2023, address poisoning emerged as a new scam in cryptocurrency. Scammers would use a token transaction to send a nominal amount of cryptocurrency to the target’s address. The sender’s address would be generated with an open-source vanity-address tool such as Profanity so that it closely resembles the victim’s own address. Typically, the first four or five characters and the last four or five characters would match, out of the 26 to 35 characters in a Bitcoin wallet address or the 42 characters in a MetaMask wallet address (MetaMask being one of the first companies hit with the scam).

This scam relied on people’s tendency to use heuristics, or mental shortcuts. Because it would be impractical to memorize a full wallet address or cross-reference every character against a known address, most cryptocurrency users simply scan the beginning and end characters to confirm that an account is the legitimate one.

This method unfortunately breaks down when a transaction history has been “poisoned” with the addition of a scammer’s account that looks eerily similar to the user’s own:

0xC660DC4250C4F07cF780cBf0c897nHQPLN123Bn0 (a hypothetical user address) 

and 

0xC660EL1NDZK8L69cP9LKdRZNd213wPOX9T523Bn0 (a spoofed vanity address) 

As a result, users may mistakenly send funds to the scammer’s account rather than their own. Experts predicted that address poisoning would proliferate, especially on blockchains where network fees are cheap, such as Polygon, Tron, and Binance.

New takes on address poisoning 

In 2024, criminals are operating in a way that seems counter-intuitive: they are now sending nominal amounts of cryptocurrency on Ethereum, where network fees are considerably higher.

Using this blockchain, one victim mistakenly sent US$47.6k in ETH to a poisoned address. The fact that scammers are willing to absorb expensive Ethereum fees in a bid to get a single user to copy the wrong address carries several interesting implications.

The first is that address poisoning operations are becoming better funded. They can pay the cost of operating on Ethereum and cover the fees for multiple transactions, knowing that not all targets will fall for the ruse. The second is that attacks are becoming more targeted, analogous to spear phishing of enterprises as opposed to the general phishing that usually ends up in spam inboxes. In previous address poisoning attacks, scammers seemed to be playing a numbers game, dusting a large number of random addresses in the hope that a small percentage would fall victim.

With the higher costs associated with Ethereum, scammers appear to be targeting whales, as evidenced by the one victim who sent US$47.6k in a single transaction. Scammers could be using monitoring tools to scan the Ethereum blockchain for addresses that meet particular criteria, such as a high average transaction amount or a high level of activity.

Another evolution of address poisoning involves fake USDT. One user recounted how a scammer poisoned their transaction history by creating a fake transfer of USDT from the user’s wallet to an address resembling their Kraken account. None the wiser, the user sent an astounding US$1 million to the scammer’s account.

Combating address poisoning

Although the Ethereum and fake USDT variations of address poisoning may seem novel, the best practices on prevention that were shared in public service announcements by exchanges, hardware wallet manufacturers, and other businesses still apply.

Users should source the original address rather than copy and paste one from their transaction history. Some products, such as MetaMask, let users maintain an address book in which they can store trusted addresses, including their own. Users should take advantage of this feature, which is not prone to address poisoning.

If users cannot source the original address or use an address book, they should at minimum compare the full address with the known address, paying special attention to the middle characters, which is where an original address and a spoofed vanity address are likely to differ. Users may also want to consider storing their funds in a cold wallet or hardware wallet, so that the funds are kept entirely offline, safe not only from address poisoning but from other threats as well.
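As an added illustration (not code from Merkle Science or from any wallet product), the Python below encodes the two defensive points made above: flagging history entries that match a trusted address only at its edges, as a poisoning dust transfer does, and accepting a recipient only on an exact, full-length address-book match. The address book and history entries are constructed samples.

```python
import re

# Constructed sample data (not from the article): a hypothetical trusted
# address and a spoofed vanity address that shares its first and last
# four hex characters, which is what an address-poisoning transfer does.
ADDRESS_BOOK = {
    "exchange-deposit": "0xC660dc4250c4f07cf780cbf0c8971a2b3c4d3Bd0",
}
SAMPLE_HISTORY = [  # counterparties as they would appear in a wallet's history
    {"counterparty": "0xC660dc4250c4f07cf780cbf0c8971a2b3c4d3Bd0", "value_eth": 2.5},
    {"counterparty": "0xC660e11d2c8a69c9fdd213ed0a9f5ec3b7a03Bd0", "value_eth": 0.0001},
    {"counterparty": "0x12340000000000000000000000000000000000abcd", "value_eth": 0.1},
]

HEX_ADDRESS = re.compile(r"^0x[0-9a-fA-F]{40}$")  # 42-character Ethereum address


def is_lookalike(candidate, trusted, edge=4):
    """True if candidate shares the first and last `edge` hex characters with
    trusted but is a different address (hex compared case-insensitively)."""
    if not (HEX_ADDRESS.match(candidate) and HEX_ADDRESS.match(trusted)):
        return False
    c, t = candidate[2:].lower(), trusted[2:].lower()
    if c == t:
        return False
    return c[:edge] == t[:edge] and c[-edge:] == t[-edge:]


def flag_poisoned_history(history, address_book, edge=4):
    """Return history entries whose counterparty resembles an address-book
    entry without being one: the dust transfers a poisoning scam leaves."""
    flagged = []
    for tx in history:
        for label, addr in address_book.items():
            if is_lookalike(tx["counterparty"], addr, edge):
                flagged.append({**tx, "resembles": label})
                break
    return flagged


def resolve_recipient(candidate, address_book):
    """Accept a recipient only on an exact, full-length match with an
    address-book entry; a mere lookalike resolves to None."""
    for label, addr in address_book.items():
        if candidate.lower() == addr.lower():
            return label
    return None
```

Running `flag_poisoned_history(SAMPLE_HISTORY, ADDRESS_BOOK)` flags only the dust transfer from the lookalike address, and `resolve_recipient` refuses that same address while accepting the genuine one regardless of hex letter case.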

The fact that one of the most commonly suggested defenses against address poisoning is to source the original address is poetic: protection against threats involves monitoring the core data and records provided by blockchain technology. This proposition, carried out at a much larger scale, is exactly what Merkle Science aims to provide to regulators, authorities, and other stakeholders to defend against crypto-related crime, corruption, and fraud through sophisticated blockchain forensics.