Ethereum Address Poisoning Attack Escalates: After a Single Transfer, He Received 89 Alert Emails

Written by: etherscan.eth

Compiled by: AididiaoJP, Foresight News

A few weeks ago, an Etherscan user named Nima shared an unpleasant experience. After completing just two stablecoin transfers, he received over 89 address monitoring alert emails in a short period.

As Nima pointed out, these alerts were triggered by address poisoning transactions. The attacker’s sole purpose in creating these transactions was to embed highly similar fake addresses into the user’s transaction history, aiming to trick the user into mistakenly copying and using these fake addresses in future transfers.

Address poisoning has existed on Ethereum for years. However, such incidents highlight that these attack activities have become highly automated and scalable. What were once sporadic spam messages can now be executed on a large scale, with attackers typically able to insert poisoned transfers within minutes after legitimate transactions occur.

To understand why these attacks are becoming more common today, we need to analyze two aspects: the evolution of address poisoning techniques and the fundamental reasons enabling easy large-scale operations.

Additionally, this article will emphasize a core security principle to help users effectively defend against such attacks.

1. The Industrialization of Address Poisoning

Address poisoning was once seen as a niche fraud tactic used by opportunistic attackers. Today, its operational model increasingly exhibits industrial characteristics.

A study published in 2025 analyzed address poisoning activities from July 2022 to June 2024 (before the Fusaka upgrade). The study showed approximately 17 million poisoning attempts involving about 1.3 million users on Ethereum, with confirmed losses of at least $79.3 million.

Based on the “Research on Blockchain Address Poisoning,” the table below shows the scale of address poisoning activities on Ethereum and BSC from July 2022 to June 2024. Data indicates that on BSC, where transaction fees are significantly lower, poisoning transfers occur 1,355% more frequently.

Attackers typically monitor blockchain activity to identify potential targets. Once a target transaction is detected, an automated system generates a highly similar address that shares the same starting and ending characters as an address previously interacted with. The attacker then sends a poisoning transfer containing this fake address to the target address, making it appear in the user’s transaction history.

Attackers tend to target addresses with higher profit potential—those that frequently transfer, hold large token balances, or participate in large transactions—since these are more likely to attract poisoning attempts.

Competitive Mechanisms Boost Attack Efficiency

The 2025 study revealed an interesting phenomenon: different attack groups often compete with each other. In many poisoning campaigns, multiple attackers almost simultaneously send poisoning transfers to the same target address.

Each attacker tries to be the first to embed their fake address into the user’s transaction history, so that when the user copies the address later, their fake address is more likely to be selected. The first successful embedding increases the chance that the user will mistakenly copy the attacker’s fake address.

The following case demonstrates the intensity of this competition. In this example, after a legitimate USDT transfer, within minutes, 13 poisoning transactions were inserted.

Note: Etherscan defaults to hiding zero-value transfers; here, hiding has been disabled for demonstration.

Common methods used in address poisoning attacks include dust transfers, fake token transfers, and zero-value token transfers.

2. Why Address Poisoning Attacks Are Easily Scaled

At first glance, the success rate of address poisoning seems low—most users won’t fall for it. However, from an economic perspective, the logic of such attacks is quite different.

Probability Game Logic

Researchers found that on Ethereum, the success rate of a single poisoning attempt is about 0.01%. In other words, out of every 10,000 poisoning transfers, only about 1 might cause a user to mistakenly send funds to the attacker.

Given this, poisoning campaigns are no longer limited to a few addresses. Instead, they tend to send thousands or even millions of poisoning transfers. When the number of attempts is large enough, even a tiny success rate can generate substantial illegal profits.

A single large fraudulent transfer can easily cover the costs of thousands of failed attempts.

Lower Transaction Costs Encourage More Poisoning Attempts

The Fusaka upgrade activated on December 3, 2025, introduced scalability improvements that significantly reduced transaction costs on Ethereum. This change benefits ordinary users and developers but also drastically lowers the cost for attackers to initiate individual poisoning transfers, enabling them to conduct large-scale poisoning attempts at unprecedented levels.

Post-Fusaka, Ethereum network activity surged. Within 90 days of the upgrade, daily transaction volume increased by 30% compared to the previous 90 days. During the same period, the number of new addresses created daily rose by about 78%.

Additionally, dust transfer activity increased markedly. Attackers send tiny amounts of tokens—matching the amounts from previous transfers—to target addresses.

The data below compares dust transfer activity for several major assets in the 90 days before and after the Fusaka upgrade. For stablecoins like USDT, USDC, and DAI, dust transfers are defined as transactions with amounts below $0.01; for ETH, transfers below 0.00001 ETH.

USDT

Before: 4.2 million

After: 29.9 million

Increase: +25.7 million (+612%)

USDC

Before: 2.6 million

After: 14.9 million

Increase: +12.3 million (+473%)

DAI

Before: 142,405

After: 811,029

Increase: +668,624 (+470%)

ETH

Before: 104.5 million

After: 169.7 million

Increase: +65.2 million (+62%)

These figures show that shortly after the Fusaka upgrade, dust transfer activity (below $0.01) spiked sharply, reaching a peak before declining but remaining significantly higher than pre-upgrade levels. In contrast, transfers above $0.01 remained relatively stable.

Charts: Dust transfer trends (<$0.01) for USDT, USDC, DAI before and after Fusaka

Charts: Regular transfer trends (>$0.01) for USDT, USDC, DAI before and after Fusaka

In many attack campaigns, attackers first distribute tokens and ETH in bulk to newly created fake addresses, then send dust transfers from these addresses to target addresses. Because dust transfers involve extremely low amounts, the reduced transaction costs enable attackers to conduct large-scale operations at minimal expense.

Illustration: Address Fake_Phishing1688433 sending tokens and ETH in bulk to multiple fake addresses in one transaction

It’s important to clarify that not all dust transfers are malicious. Dust transfers can also originate from legitimate activities, such as token swaps or small interactions between addresses. However, after reviewing large volumes of dust transfer records, a significant portion can be identified as potential poisoning attempts.

3. Core Prevention Principles

Always verify the target address carefully before sending any funds.

Practical tips for reducing risk when using Etherscan:

Use Recognizable Address Labels

Set private labels for addresses you frequently interact with on Etherscan. This helps distinguish legitimate addresses from similar-looking fake addresses.

Utilize domain services like ENS to improve address recognition across browsers.

Additionally, use your wallet’s address book feature to whitelist trusted addresses, ensuring funds are always sent to intended targets.

Enable Address Highlighting

Etherscan’s address highlighting feature helps users visually differentiate addresses that look similar. If two addresses appear nearly identical but have different highlight styles, one is likely a poisoning address.

Double-check addresses before copying

Etherscan prompts a warning when copying addresses that may be associated with suspicious activity, such as:

Low-value token transfers

Fake token transfers

Tokens with poor reputation

Tokens with outdated information

When you see such warnings, pause and verify whether the address you are copying is truly the intended recipient.

Remember: there is no “undo” button in crypto. Once funds are sent to the wrong address, recovery is extremely difficult.

Summary

As lower transaction costs make high-volume attack strategies more economically feasible, address poisoning attacks on Ethereum are becoming increasingly rampant. These attacks also negatively impact user experience, flooding transaction histories with spam and fake data.

Effective defense against address poisoning requires both increased user security awareness and better interface design. The key habit for users is: always verify the target address carefully before sending funds.

Meanwhile, tools and user interfaces should play a greater role in helping users quickly identify suspicious activities.

Etherscan’s Address Poisoning Labels ()

Etherscan continues to improve its browser interface and API services to assist users in recognizing such attacks more easily. We actively mark fake addresses, identify and hide zero-value token transfers, and label fake tokens. By providing this curated data, users can more easily spot potential address poisoning attempts without manually sifting through massive transaction records.

As poisoning attacks evolve with automation and high-volume dust transfers, clearly presenting these risk signals is crucial for helping users distinguish suspicious activity from legitimate transactions.