Address poisoning is a type of cyberattack and disguise tactic discovered by Metamask in 2022. The attacker generates a fake wallet address that’s almost like yours and adds it to your transaction history. When you copy the address for your next transaction, you might accidentally send crypto to the attacker’s address.
Does it work? To some extent. It’s not as effective as seed phrase phishing or identity theft, but even the most cautious senders can fall for this scam. It capitalizes on carelessness and speed, which is why address poisoning works best against experienced users.
While there’s no way to prevent it, it’s worth noting that it poses no security risk to the wallet itself. Address poisoning isn’t a hack, and it won’t cost you the entire portfolio. You lose only whatever amount you send to the wrong address, be it $10 or $1M.
NFT investors are all too familiar with address poisoning. Many well-known collectors have public addresses showing their collections. But it’s free to create and transfer NFTs to anyone without consent. Scammers bombard popular investors with junk NFTs and hope that their followers think that they bought them, so they should too. (This is not to be confused with NFT spoofing.)
The original term, DNS poisoning, can be more dangerous than address poisoning. It’s a cyberattack on the server that temporarily redirects users to another website with the same domain name. For example, if the domain were hijacked, you would type “Metamask.com” and end up on a fake Metamask page trying to steal your seed phrase.
Thankfully, address poisoning is far easier to recognize and avoid once you know how it works.
Address poisoning works for many reasons:
Some apps only allow sending to wallets that you previously whitelisted. Metamask does not, and there might be hundreds of wallets with the same prefix and suffix.
(If wallets were websites, “myrealaddress.com” and “myfakeaddress.com” would be shortened to “my…address.com.”)
Whenever you send crypto:
That’s the setup. The next time you send crypto to the same address, scammers expect you to copy it from the history and paste it without second thoughts. Address poisoning is inexpensive, so they can repeat it with hundreds of users until eventually, someone falls for it.
You might wonder: how is it not suspicious for people to receive unexpected payments? That’s because tiny transactions are common for verification, voting, and other smart contract functions. Both the text and the amount are the disguise.
Even without shortened addresses, this scam would still work. Full addresses are unreadable and too long for a difference to be noticed. Thankfully, it’s easy to protect your coins whether you recognize the trap or not.
The simplest and most tedious way to avoid poisoning is to type every character every time. But if you don’t remember what the address should be, it’s not any better than copy-pasting.
Here are other ways:
Almost every exchange and wallet app has a whitelist. Some will by default restrict payments only to those addresses, but it can be changed from settings. It’s a manual process that attackers can’t manipulate.
(If your wallet ever got hacked, hackers would still need device/2FA verification to change the whitelist.)
Another benefit is having fewer verification steps when sending to those wallets.
It’s unlikely that the attacker sends more than one fake payment. You just need to find two or more previous ones and compare the text. You can use this tool to make sure.
If they’re different, choose the oldest one.
If you own a big account, there might be multiple attackers spoofing transactions at once. But attackers don’t know which address is real until you use that address first. So the first (successful) transaction will always have the correct address.
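The comparison described above can be automated. The following is an added example, not code from the original article or from any wallet: it groups history entries by their shortened display form and applies the article's "oldest one is real" rule. The `Tx` record, the function names, the 6/4 truncation widths and the sample addresses are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tx:
    timestamp: int    # Unix seconds
    address: str      # counterparty address as listed in the history
    usd_value: float

def shorten(addr, head=6, tail=4):
    """Truncate an address the way a wallet UI might (widths are assumed)."""
    addr = addr.lower()  # hex addresses compare case-insensitively
    return addr[:head] + "..." + addr[-tail:]

def group_by_display(history):
    """Map shortened form -> distinct full addresses, oldest first."""
    groups = {}
    for tx in sorted(history, key=lambda t: t.timestamp):
        full = tx.address.lower()
        seen = groups.setdefault(shorten(full), [])
        if full not in seen:
            seen.append(full)
    return groups

def classify(candidate, history):
    """Return (status, address_to_use) for an address about to be pasted.

    'first-seen': oldest address with this shortened form (the article's rule)
    'lookalike' : same shortened form as an older address, different body
    'unknown'   : no address in the history looks like it
    """
    full = candidate.lower()
    seen = group_by_display(history).get(shorten(full), [])
    if not seen:
        return ("unknown", None)
    if seen[0] == full:
        return ("first-seen", full)
    return ("lookalike", seen[0])

# Constructed sample data: these are not real wallets.
REAL = "0x71c7" + "a1" * 16 + "976f"
FAKE = "0x71c7" + "b2" * 16 + "976f"   # same first 6 / last 4 characters
OTHER = "0x" + "3c" * 20
HISTORY = [
    Tx(1700000000, REAL, 1000.00),   # your original payment
    Tx(1700003600, FAKE, 0.01),      # tiny transfer from a lookalike address
    Tx(1700007200, OTHER, 50.00),
]

if __name__ == "__main__":
    for addr in (REAL, FAKE, OTHER):
        print(shorten(addr), classify(addr, HISTORY))
```

A `lookalike` result returns the older address with the same shortened form, which is the one to compare character by character before sending.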
Why would scammers ever send hundreds of dollars to strangers? Expect no more than a few cents. If the transaction is at least $5, the address is probably real.
It’s recommended to make a tiny transaction to prove that the address is correct. If you send $5 before sending $1000, you’re saving $995 in case it doesn’t go through. This assumes the network isn’t congested and fees make sense.
Even $5 can be profitable for this scam, so it won’t deter attackers. But it will save you a bigger loss, oftentimes from unrelated mistakes.
As the most popular Web3 wallet, Metamask has tools to prevent not just poisoning but most crypto scam variations:
Also, check the top security tips the pros use to protect your coins from attackers, companies, or yourself.
Max is a European based crypto specialist, marketer, and all-around writer. He brings an original and practical approach for timeless blockchain knowledge such as: in-depth guides on crypto 101, blockchain analysis, dApp reviews, and DeFi risk management. Max also wrote for news outlets, saas entrepreneurs, crypto exchanges, fintech B2B agencies, Metaverse game studios, trading coaches, and Web3 leaders like Enjin.