More than $50 million has been stolen through address poisoning attacks over the past six months, according to blockchain analytics data compiled from multiple EVM chains. The attack is deceptively simple — it exploits human laziness rather than code vulnerabilities — and its effectiveness has grown as transaction volumes increase and users develop the habit of recycling addresses from history menus. Every crypto user with more than a handful of outgoing transactions is a potential target. The most effective countermeasure begins with hardware wallets reviewed at Ledger and Trezor, and comparing wallet solutions at the wallets rating.
How Address Poisoning Works
The mechanics are elegant in their simplicity. A victim regularly sends funds to address 0xABCD...1234. An attacker, monitoring the blockchain for high-value or high-frequency senders, generates a lookalike address — say 0xABCD...5678 — where the first and last characters match exactly. The middle characters are different, but most users never check the middle.
The attacker then sends a dust transaction (often a zero-value token transfer that costs fractions of a cent in gas) from the lookalike address to the victim. This transaction appears in the victim's history, indistinguishable at a glance from a legitimate counterparty. The next time the victim needs to send to 0xABCD...1234 and opens their transaction history to copy the address, they may accidentally copy the poisoning address instead.
The tragedy is that by the time the victim realises the error — if they ever do — the funds are typically irreversible. Blockchain transactions are final; there is no chargeback, no customer support hotline, no dispute resolution mechanism.
The Six-Month Loss Tally: Who Is Being Hit
Analysis of the $50 million in losses reveals a clear victim profile. The median victim was a regular DeFi user with 50+ outgoing transactions and a habit of reusing the same counterparty addresses (DEX routers, lending protocol contracts, personal secondary wallets). Higher-value individual losses clustered around users who regularly moved large sums to external addresses — traders, OTC desk counterparties, and business operators making payroll in crypto.
The largest single address poisoning loss in the period was $8.4 million — a crypto business operator who copied a poisoned address from transaction history while making a routine large transfer to a partner entity. The next three largest losses ranged from $2.1 million to $3.7 million, all involving users who made large infrequent transfers and had not updated their operational security practices.
- Total losses (6 months to April 2026): $50.3 million
- Chains affected: Ethereum ($29M), BNB Chain ($12M), Arbitrum ($6M), other EVM ($3.3M)
- Average loss per incident: ~$47,000
- Median loss per incident: ~$8,200
- Largest single loss: $8.4 million (single business operator)
- Estimated number of incidents: ~1,070
Why Lookalike Addresses Are Trivially Easy to Generate
The cryptographic economics of address generation are deeply unfavourable to users. A vanity address tool running on a modern consumer GPU can test billions of candidate private keys per second. Matching the first 6 and last 6 characters of an Ethereum address (12 characters out of 40) requires testing roughly 16^12 = 281 trillion combinations on average — achievable in hours on commodity cloud hardware costing a few dollars.
This means the cost to create a convincing lookalike address is negligible, while the potential payoff is enormous. Attackers operate profitably at even low hit rates: if one poisoning transaction in 10,000 results in a mistaken transfer worth $10,000, the operation generates positive expected value at a cost of a few cents per dust send.
Some blockchain explorers and wallets have begun flagging zero-value or dust incoming transfers as potential poisoning attempts. Etherscan now displays a warning banner when viewing addresses that have received suspicious dust transactions. However, these warnings are inconsistently implemented and rely on heuristics that determined attackers can evade.
Hardware Wallets as the Key Defence
The definitive protection against address poisoning is a signing device that forces the user to visually verify the full destination address before authorising a transaction. Hardware wallets display the complete address on a physically separate trusted screen — one that cannot be manipulated by malware on the connected computer — and require manual confirmation before signing.
Users who adopt the habit of verifying the displayed address on their hardware wallet screen rather than trusting the computer interface are essentially immune to address poisoning. The attack depends on users acting on an address they copied from an untrusted source without verification; break that habit and the attack fails entirely.
For a comparison of hardware wallet options, the Ledger review and Trezor review cover the market leaders in detail. The full wallets rating ranks both hardware and software options across security, usability, and asset support. Broader scam awareness resources are available in the top crypto scams 2026 guide.




