Address Poisoning Attacks in Crypto, And How To Avoid Them

By Max

Quick Takes:

  • Address poisoning tries to confuse senders into sending cryptocurrency to another (but almost identical) wallet address.
  • Attackers target several crypto wallets using blockchain records, address generators, and zero-value transactions.
  • Whitelists are the best protection against address spoofing.

What Is Address Poisoning?

Address poisoning is a type of cyberattack and disguise tactic discovered by Metamask in 2022. The attacker generates a fake wallet address that’s almost like yours and adds it to your transaction history. When you copy the address for your next transaction, you might accidentally send crypto to the attacker’s address.

Does it work? To some extent. It’s not as effective as seed phrase phishing or identity theft, but even the most cautious senders can fall for this scam. It capitalizes on carelessness and speed, which is why address poisoning works best against experienced users.

While there’s no way to prevent it, it’s worth noting that your wallet itself isn’t compromised. Address poisoning isn’t a hack, and it won’t cost you the entire portfolio, only whatever amount you send to the wrong address, be it $10 or $1M.

NFT investors are all too familiar with address poisoning. Many well-known collectors have public addresses showing their collections. But it’s free to create and transfer NFTs to anyone without consent. Scammers bombard popular investors with junk NFTs and hope that their followers think that they bought them, so they should too. This is not to be confused with NFT spoofing.

The original term, DNS poisoning, can be more dangerous than address poisoning. It’s a cyberattack on the server that temporarily redirects users to another website with the same domain name. For example, if the domain were hijacked, you would type “Metamask.com” and end up on a fake Metamask page trying to steal your seed phrase.

Thankfully, address poisoning is far easier to recognize and avoid once you know how it works.

How Address Poisoning Works in Crypto 

Address poisoning works for many reasons:

  • Blockchain transactions aren’t reversible
  • Free online tools can generate similar addresses within seconds
  • Most users aren’t going to double-check every transaction
  • In some blockchains, it’s almost free to send zero tokens to any wallet
  • Wallet apps shorten the addresses to improve user experience

Some apps only allow sending to wallets that you previously whitelisted. Metamask does not, and there might be hundreds of wallets with the same prefix and suffix.

(If wallets were websites, “myrealaddress.com” and “myfakeaddress.com” would be shortened to “my…address.com.”)

Whenever you send crypto:

  1. Anyone can see the sender and receiver on the blockchain’s website.
  2. An attacker uses a vanity address generator and opens a wallet that matches the shortened form of either the sender’s or the recipient’s address.
  3. The attacker adds funds to this wallet for network fees. Then, they make a zero-token transaction to your address.
  4. While you don’t receive any tokens, the completed transaction will appear in your history. And the shortened sender looks identical to your previous (real) transaction.

That’s the setup. The next time you send crypto to the same address, scammers expect you to copy it from the history and paste it without second thoughts. Address poisoning is inexpensive, so they can repeat it with hundreds of users until eventually, someone falls for it.

You might wonder: how is it not suspicious for people to receive unexpected payments? That’s because tiny transactions are common for verification, voting, and other smart contract functions. Both the text and the amount are the disguise.

Even without shortened addresses, this scam would still work: full addresses are unreadable and too long for a small difference to be noticed. Thankfully, it’s easy to protect your coins whether you recognize the trap or not.

How To Avoid Address Poisoning

The simplest and most tedious way to avoid poisoning is to type every character every time. But if you don’t remember what the address should be, it’s not any better than copy-pasting.

Here are other ways:

Whitelist the address

Almost every exchange and wallet app has a whitelist. Some restrict payments to those addresses by default, though this can be changed in settings. It’s a manual process that attackers can’t manipulate.

(If your wallet ever got hacked, hackers would still need device/2FA verification to change the whitelist.)

Another benefit is having fewer verification steps when sending to those wallets. 
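A wallet-side check for the look-alike trick described earlier and for the whitelist defence, as an added example (not code from Metamask or this site). It assumes the UI shows the first 6 and last 4 characters; the addresses, history entries, contact name and function names are constructed for illustration.

```javascript
// Added example: addresses and history below are constructed, not on-chain data.
// Assumption: the wallet UI displays the first 6 and last 4 characters.
const HEAD = 6, TAIL = 4;

// Hex addresses compare case-insensitively (mixed case is only a checksum).
const norm = (addr) => addr.trim().toLowerCase();

function shorten(addr) {
  const a = norm(addr);
  return `${a.slice(0, HEAD)}...${a.slice(-TAIL)}`;
}

// Classify an address against the user's address book (whitelist):
//   trusted   = exact full-length match with a saved contact
//   lookalike = same shortened form as a contact, different full address
//   unknown   = unrelated to every contact
function classify(addr, addressBook) {
  const entries = Object.entries(addressBook);
  const exact = entries.find(([, saved]) => norm(saved) === norm(addr));
  if (exact) return { verdict: "trusted", contact: exact[0] };
  const twin = entries.find(([, saved]) => shorten(saved) === shorten(addr));
  if (twin) return { verdict: "lookalike", contact: twin[0] };
  return { verdict: "unknown", contact: null };
}

// Return the history entries whose counterparty imitates a saved contact.
function flagPoisoned(history, addressBook) {
  return history
    .map((tx) => ({ tx, ...classify(tx.counterparty, addressBook) }))
    .filter((r) => r.verdict === "lookalike")
    .map((r) => ({ hash: r.tx.hash, imitates: r.contact, zeroValue: r.tx.value === 0 }));
}

// Constructed sample data (hypothetical contact name and transaction ids).
const REAL = "0xA1B2" + "1".repeat(32) + "e5f6";
const FAKE = "0xa1b2" + "9".repeat(32) + "E5F6";
const OTHER = "0xdead" + "0".repeat(32) + "beef";
const addressBook = { exchange: REAL };
const history = [
  { hash: "tx1", counterparty: REAL, value: 250 },  // earlier genuine payment
  { hash: "tx2", counterparty: FAKE, value: 0 },    // zero-value look-alike
  { hash: "tx3", counterparty: OTHER, value: 12 },  // unrelated sender
];

console.log(shorten(REAL), shorten(FAKE));       // identical in the UI
console.log(flagPoisoned(history, addressBook)); // only tx2 is flagged
```

The check only works because the address book stores the full address; a contact list keyed on the shortened form would treat the look-alike as trusted.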

Compare transactions

It’s unlikely that the attacker sends more than one fake payment. You just need to find two or more previous ones and compare the text. You can use this tool to make sure.

If they’re different, choose the oldest one.

Only copy from the first-ever transaction

If you own a big account, there might be multiple attackers spoofing transactions at once. But attackers don’t know which address is real until you use that address first. So the first (successful) transaction will always have the correct address.

Only copy from big transactions

Why would scammers ever send hundreds of dollars to strangers? Expect no more than a few cents. If the transaction is at least $5, the address is probably real.

Test transactions

It’s recommended to make a tiny transaction to prove that the address is correct. If you send $5 before sending $1000, you’re saving $995 in case it doesn’t go through. This assumes the network isn’t congested and fees make sense.

Even $5 can be profitable for this scam, so it won’t deter attackers. But it will save you a bigger loss, oftentimes from unrelated mistakes. 

Protecting Metamask From Address Poisoning

As the most popular Web3 wallet, Metamask has tools to prevent not just poisoning but most crypto scam variations:

  • The whitelist is called Address Book and appears under Settings > Contacts. Only you can set and see usernames.
  • Metamask can connect to hardware wallets like Ledger and Trezor. These require more verification steps that can prevent payment mistakes.
  • If you use the Ethereum blockchain, consider Ethereum Name Service (ENS). It will attach the registered address to a custom wallet name. It’s supported by Metamask and easily reveals fake transactions.
  • Address poisoning is less common on other EVM blockchains. Metamask supports Pulsechain, which is more efficient and imports Ethereum’s tokens.

Also, check the top security tips the pros use to protect your coins from attackers, companies, or yourself.


Disclaimer: Please note that nothing on this website constitutes financial advice. Whilst every effort has been made to ensure that the information provided on this website is accurate, individuals must not rely on this information to make a financial or investment decision. Before making any decision, we strongly recommend you consult a qualified professional who should take into account your specific investment objectives, financial situation and individual needs.


Max

Max is a European based crypto specialist, marketer, and all-around writer. He brings an original and practical approach for timeless blockchain knowledge such as: in-depth guides on crypto 101, blockchain analysis, dApp reviews, and DeFi risk management. Max also wrote for news outlets, saas entrepreneurs, crypto exchanges, fintech B2B agencies, Metaverse game studios, trading coaches, and Web3 leaders like Enjin.
