Ethereum Address Poisoning Attacks Escalate: After One Transaction, He Received 89 Alert Emails
TechFlow Selected TechFlow Selected
Ethereum Address Poisoning Attacks Escalate: After One Transaction, He Received 89 Alert Emails
The crypto world has no “undo” button—once funds are sent to the wrong address, recovery is nearly impossible.
Navigating Web3 tides with focused insightsAuthor: etherscan.eth
Translation & Editing: AididiaoJP, Foresight News
A few weeks ago, an Etherscan user named Nima shared an unpleasant experience: after completing just two stablecoin transfers, he received over 89 address-monitoring alert emails within a short period.
As Nima pointed out, these alerts were triggered by “address poisoning” transactions. Attackers create such transactions solely to inject highly similar fake addresses into users’ transaction histories—intending to trick users into mistakenly copying and using those fake addresses during their next transfer.
Address poisoning has existed on Ethereum for several years. Yet incidents like this highlight how such attacks have become highly automated and scalable. What used to be sporadic, isolated spam is now executed at scale, with attackers often completing poisoning transfers within minutes of detecting legitimate transactions.
To understand why such attacks have grown more prevalent, we must examine them from two perspectives: the evolution of address-poisoning techniques, and the fundamental reasons enabling their scalable execution.
Additionally, this article highlights one core defensive principle to help users effectively resist such attacks.
I. The Industrialization of Address Poisoning
Address poisoning was once considered a niche, opportunistic fraud tactic employed by individual attackers. Today, however, its operational model increasingly exhibits industrialized characteristics.
A study published in 2025 analyzed address-poisoning activity between July 2022 and June 2024—i.e., prior to the Fusaka upgrade. It found approximately 17 million poisoning attempts on Ethereum, affecting roughly 1.3 million users, with confirmed losses totaling at least $79.3 million.
The table below, drawn from the findings of “Blockchain Address Poisoning Research,” compares the scale of address-poisoning activity on Ethereum and BSC during that same period (July 2022–June 2024). Data shows that on BSC—a chain with significantly lower transaction fees—the frequency of poisoning transfers is 1,355% higher than on Ethereum.
Attackers typically monitor on-chain activity to identify potential targets. Once they detect a target’s transaction, automated systems generate fake addresses highly similar to the legitimate addresses the target has interacted with—matching the first and last characters. Attackers then send poisoning transfers containing those fake addresses to the target’s address, ensuring they appear in the user’s transaction history.
Attackers tend to prioritize addresses offering higher profit potential. Addresses frequently conducting transfers, holding large token balances, or involved in high-value transfers typically receive more poisoning attempts.
Competition Mechanism Enhances Attack Efficiency
The 2025 study revealed a notable phenomenon: competing attack groups often race against each other. In many poisoning campaigns, multiple attackers simultaneously send poisoning transfers to the same target address.
Each group strives to be the first to embed its fake address into the user’s transaction history—increasing the likelihood that its address will be selected when the user later copies an address. The first successful embedder thus gains a higher probability of having its address mistakenly copied.
The following case vividly illustrates the intensity of this competition. Within minutes of a legitimate USDT transfer, 13 poisoning transactions were injected.
Note: Etherscan hides zero-value transfers by default; hidden status has been disabled here for demonstration purposes.
Common tactics used in address-poisoning attacks include dust transfers, counterfeit token transfers, and zero-value token transfers.
II. Why Address Poisoning Is Easily Scalable
At first glance, address poisoning appears to have low success rates—after all, most users don’t fall for it. Yet economically, the logic behind these attacks is fundamentally different.
The Probability Game Logic
Researchers found that on Ethereum, the success rate per poisoning attempt is approximately 0.01%. In other words, only about one in every 10,000 poisoning transfers results in users accidentally sending funds to attackers.
Given this, poisoning campaigns no longer focus on a handful of addresses but instead launch thousands—or even millions—of poisoning transfers. When the base number of attempts grows large enough, even a minuscule success rate accumulates into substantial illicit gains.
A single successful high-value fraudulent transfer can easily offset the cost of thousands of failed attempts.
Lower Transaction Costs Drive More Poisoning Attempts
The Fusaka upgrade, activated on December 3, 2025, introduced scalability optimizations that effectively reduced Ethereum’s transaction costs. While benefiting ordinary users and developers, this change also significantly lowered the cost per poisoning transfer for attackers—enabling them to execute poisoning attempts at an unprecedented scale.
Following the Fusaka upgrade, network activity on Ethereum surged markedly. Within the first 90 days post-upgrade, the average daily transaction volume increased by 30% compared to the prior 90 days. During the same period, the average daily number of newly created addresses rose by approximately 78%.
Moreover, we observed a sharp increase in dust-transfer activity—where attackers send tiny-value transfers of the same token as the user’s historical transfers.
The data below compares dust-transfer activity for major assets before and after the Fusaka upgrade, across 90-day windows. For stablecoins such as USDT, USDC, and DAI, dust transfers are defined as transactions under $0.01; for ETH, they refer to transfers under 0.00001 ETH.
USDT
- Pre-upgrade: 4.2 million
- Post-upgrade: 29.9 million
- Increase: +25.7 million (+612%)
USDC
- Pre-upgrade: 2.6 million
- Post-upgrade: 14.9 million
- Increase: +12.3 million (+473%)
DAI
- Pre-upgrade: 142,405
- Post-upgrade: 811,029
- Increase: +668,624 (+470%)
ETH
- Pre-upgrade: 104.5 million
- Post-upgrade: 169.7 million
- Increase: +65.2 million (+62%)
Data shows that shortly after the Fusaka upgrade, dust-transfer activity (<$0.01) spiked sharply, peaking before declining slightly—but remaining significantly above pre-upgrade levels. By contrast, transfers exceeding $0.01 remained relatively stable during the same period.
Chart: Trend comparison of dust transfers (<$0.01) for USDT, USDC, and DAI before and after the Fusaka upgrade (90-day windows)
Chart: Trend comparison of regular transfers (>$0.01) for USDT, USDC, and DAI before and after the Fusaka upgrade (90-day windows)
In many attacks, attackers first batch-distribute tokens and ETH to newly generated fake addresses, then use those fake addresses to individually send dust transfers to target addresses. Since dust transfers involve negligible values, falling transaction costs allow attackers to conduct massive-scale operations at extremely low cost.
Diagram: Address Fake_Phishing1688433 distributing tokens and ETH in bulk to multiple distinct fake addresses in a single transaction
It should be noted that not all dust transfers constitute poisoning. Dust transfers may also stem from legitimate activities—for instance, token swaps or small-value interactions between addresses. However, upon reviewing large volumes of dust-transfer records, a substantial portion is highly likely to represent poisoning attempts.
III. Core Defensive Principle
Always carefully verify the destination address before sending any funds.
Below are practical suggestions for reducing risk while using Etherscan:
Use Recognizable Address Identifiers
Assign private name labels to addresses you frequently interact with on Etherscan. This helps distinguish legitimate addresses clearly amid many visually similar ones.
Using domain-name services such as ENS also enhances address recognition across browsers.
Additionally, leverage your wallet’s address book feature to whitelist frequently used addresses—ensuring funds always go to intended destinations.
Enable Address Highlighting
Etherscan’s address-highlighting feature helps users intuitively differentiate visually similar addresses. If two addresses appear nearly identical but display differing highlighting patterns, one is very likely a poisoned address.
Double-Check Before Copying Addresses
When users copy an address potentially linked to suspicious activity, Etherscan proactively displays warning pop-ups. Such suspicious activities include:
- Low-value token transfers
- Counterfeit token transfers
- Tokens with poor reputations
- Tokens with outdated information
When you see such warnings, pause immediately and carefully verify whether the copied address matches your intended recipient.
Remember: there is no “undo” button in crypto. Once funds are sent to the wrong address, recovery is virtually impossible.
Conclusion
As lower transaction costs make high-volume attack strategies more economically viable, address-poisoning attacks are growing increasingly rampant on Ethereum. These attacks also degrade user experience, flooding user-facing transaction-history interfaces with vast amounts of poisoning spam.
Effectively defending against address poisoning requires both heightened user security awareness and better UI design support. For users, the most critical habit is: always carefully verify the destination address before sending funds.
Meanwhile, supporting tools and user interfaces must play a stronger role in helping users rapidly identify suspicious activity.
Poisoning-address label on Etherscan (https://etherscan.io/accounts/label/poisoning-address)
Etherscan continues actively improving its browser interface and API services to help users more easily identify such attacks. We proactively tag fake addresses, detect and hide zero-value token transfers, and flag counterfeit tokens. By providing these curated datasets, users can spot potential address-poisoning attempts without manually sifting through massive transaction logs.
As poisoning attacks evolve—leveraging automation and high-volume dust transfers—clearly surfacing these risk signals becomes crucial for helping users distinguish suspicious activity from legitimate transactions.
Join TechFlow official community to stay tuned
Telegram:https://t.me/TechFlowDaily
X (Twitter):https://x.com/TechFlowPost
X (Twitter) EN:https://x.com/BlockFlow_News
@etherscan
