Address Poisoning
Address poisoning is a scam where an attacker sends a tiny transaction from a lookalike address, hoping the victim later copies it by mistake from their history.
Address poisoning is a scam in which an attacker sends a small or worthless transaction to a victim's wallet from an address deliberately crafted to closely resemble one the victim has genuinely transacted with before.
Most wallets and block explorers display transaction history with addresses often truncated to just the first and last few characters. An attacker generates a lookalike address that matches those visible characters — sometimes through brute-force generation, sometimes by exploiting vanity-address tools — and sends a tiny, unsolicited transaction to the victim, which then shows up in the victim's transaction history sitting right next to the genuine address it's imitating. The attack succeeds later, often much later: the victim, wanting to send funds to that familiar counterparty again, copies what looks like the right address from their history without checking every character, and the funds go to the attacker instead.
This matters directly for anyone swapping or sending crypto because it specifically exploits a habit that feels efficient and safe: reusing an address from transaction history instead of re-entering or re-verifying it. It doesn't require the victim to click a malicious link or approve a suspicious transaction — the poisoning transaction itself is harmless to receive; the danger is entirely in what the victim does afterward, days or weeks later, when they've forgotten the original address was ever verified carefully.
The most reliable defense is simple but requires discipline: always copy a destination address fresh from its original, verified source — a QR code, an official order screen, or a source you trust for that specific transaction — rather than from history, and check the full address, not just the first and last few characters, before confirming a send. This applies whether or not a network additionally requires a memo or destination tag; a poisoned address plus a correct memo is still the wrong destination. For a broader checklist on verifying transaction details before sending, see the verify a crypto transaction guide.
Address poisoning is part of a wider category of social-engineering and observation-based attacks in crypto, alongside things like fake support requests for a seed phrase, which should never be shared under any circumstance. High-profile whale wallets, given how much of their activity is publicly visible and closely watched, are especially frequent targets for these lookalike-address schemes, though the same technique works against any wallet with a visible transaction history.