Breaking Down Crypto Address Poisoning Scams

In a single week in August 2025, crypto address poisoning scams netted hackers $1.6M. This is more than the entire month of March, which saw a $1.2M loss in total. One user lost $636,000 in ETH, while another lost $880,000 in USDT.
Like most scams, the cause is simple user error. By and large, fraudsters rely on carelessness and basic tricks to exploit individuals, over and over. In these increasingly common address poisoning scams, the user copies the ‘poisoned’ transaction address and sends funds to the scam artist.
What is Crypto Address Poisoning?
Each crypto transfer involves a long transaction (tx) string, which includes the sender’s address, the recipient’s address, and the amount of coins. This transaction is signed using the sender’s private key and broadcast to the network. The blockchain verifies the transaction and updates the balances of the involved addresses.
Crypto address poisoning is a type of attack where a hacker tricks a user into sending crypto to the wrong address. In address poisoning attacks, this process is hijacked, and the transfer goes to the attacker’s address instead of the intended recipient. The attacker can create a near-identical address or inject it into a system so that it replaces the correct address.
All the hacker needs to do is change one character. Most often, the start and end of the address are exactly the same. Despite many warnings from blockchain security firms, users typically just check the beginning and end. Even a small error or malicious substitution in an address can result in permanent loss of crypto.
When a user sends crypto to the fake address, the funds are often lost for good. Blockchain transfers cannot be reversed. Users can reduce risk by double-checking addresses, using copy-paste carefully, and relying on whitelists. Some wallets include checks to detect slight changes in addresses.
How do Address Poisoning Attacks Take Place?
There are many ways to carry out an address poisoning attack. Usually, a hacker will mimic one of the user's previous transactions, sending a tiny amount from a near-identical address. This is known as a vanity or scam address. These transactions show up on blockchain explorers, and the user can copy the vanity address, believing it to be the real one.

Another common setup is that the hacker creates malware or a browser extension targeting crypto users. When a user copies a wallet address to send funds, the malware replaces it with the scammer’s address. The address has now been ‘poisoned’, but the user obviously does not know that.
The user pastes the poisoned address to send crypto, thinking it’s going to the intended recipient. However, the funds go directly to the scammer’s wallet. These transactions are irreversible due to the nature of blockchain. Once the funds are in the scammer's wallet, they are quickly laundered or rendered untraceable.
This is often done through the use of crypto mixers, also called tumblers. These mixers scramble funds, sending them to many addresses and often converting them to different coins (such as USDT or USDC) to make tracing harder. They pool funds from multiple users, shuffle them, and return coins in a way that obscures the original source.
This makes tracking the flow of funds on public blockchains (like Bitcoin or Ethereum) much more difficult. While mixers can protect user privacy and prevent transaction tracing, they are often associated with illegal activities.
Crypto Address Poisoning Variations
There are many variations of crypto address poisoning. The basic premise of changing the intended address always remains the same; it just occurs through a different attack vector.

- Typosquatting/Address Similarity - The most common. Scammers exploit minor typos or visually similar characters in wallet addresses. Users intending to send crypto to a real address may accidentally copy a poisoned address, sending funds to the attacker instead. These scams often rely on subtle changes, such as swapping letters with numbers or similar-looking characters, making detection difficult until the transaction is irreversible.
- Clipboard Hijacking - Malware infects a user’s device and automatically replaces a copied wallet address with the attacker’s address when pasting. Users think they are sending funds to the intended recipient, but the transaction is redirected. This method is stealthy and can affect desktop and mobile wallets, requiring checking of addresses before sending.
- Smart Contract Injection - Attackers modify smart contract code or links to include malicious addresses. When users interact with the contract - often in DeFi or NFT transactions - the funds or tokens are automatically diverted. This type of poisoning can occur in decentralized applications, phishing sites, or third-party wallets, often tricking users into approving transfers without realizing the address is compromised.
- QR Code Manipulation - Scammers create fake QR codes that encode their own wallet addresses. Users scanning these codes assume they are sending crypto to the legitimate recipient, but funds are redirected. This technique is common in public spaces, events, or online listings, relying on visual trust rather than textual verification of the wallet address.
Whales Hit By Crypto Address Poisoning Scams
It’s not just individual users that get hurt by crypto address poisoning scams. People with huge funds can still forget to put basic security protocols in place. In May 2024, one whale lost $68M in wrapped Bitcoin by relying on a contaminated address history. Both the scam and trusted addresses begin with ‘0xd9A1’ and end with ‘53a91’.
The vast majority of people only check the start and end, but whales should have security processes in place. The correct address reads ‘0xd9A1b0B’, while the contaminated address reads ‘0xd9A1C37’. However, in a very rare occurrence, the funds were actually returned.
The victim sent messages embedded in Ether transactions requesting the return of at least $61M in funds. All this is publicly viewable on Etherscan. The entire $68M was returned by May 9th, though the scammer did make off with $3M due to price appreciation of the native coin. The message also contained a thinly veiled threat.
One message did include a threat from the victim: “We both know there’s no way to clean this [sic] funds. You will be traced. We also both understand the “sleep well” phrase wasn’t about your moral and ethical qualities.” The funds were returned via a number of wallets to avoid detection. The crypto funds were laundered through a KYC-compliant exchange in Eastern Europe.
Other whales have also been hit in recent times. In May 2025, one trader lost $2.6M from address poisoning scams. This was a more advanced technique using zero-value transfers with no requirement for private key signatures. These zero-value transfer techniques account for over $83M in confirmed losses in total across the Ethereum and BNB blockchains.
Unfortunately, this trader did not see his funds recovered.
Fighting Address Poisoning Scams
To safeguard digital assets and maintain blockchain security, it’s essential to guard against address poisoning attacks in crypto. Ways to reduce the risk include:
- Use new addresses - Generating a fresh wallet address for each transaction lowers the chance of attackers linking activity to your identity or past transactions. Hierarchical deterministic (HD) wallets automate this process, making it harder for attackers to spoof previous transactions.
- Rely on hardware wallets - Unlike software wallets, hardware wallets keep private keys offline, offering stronger protection against exposure.
- Be cautious when sharing public addresses - Avoid openly posting wallet addresses, especially on social media. When needed, use pseudonyms for added privacy.
- Select trusted wallets - Stick to reputable wallet providers with strong security reputations and frequent updates. Regularly update wallet software to ensure the latest security patches are in place.
- Enable whitelisting - Restrict transactions to pre-approved addresses where possible. Some wallets support whitelisting to block unknown sources.
- Consider multisignature wallets - Multisig wallets require multiple private keys for approval, adding another layer of defense.
- Leverage blockchain analysis tools - Use these tools to spot dusting or suspicious activity that may indicate poisoning attempts.
- Report attacks quickly - If poisoning is suspected, report it immediately to your wallet provider through official support channels and notify regulators or law enforcement if needed. Prompt reporting helps contain risks and protect the wider crypto community.
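A pre-send check of the kind the whitelisting and analysis-tool items above describe, as an added example (not code from the original article or from any wallet): it compares the complete recipient address with an allowlist and flags dust or zero-value history rows that involve an address matching a trusted one only at its start and end. The addresses, transaction ids, `DUST` threshold and function names are constructed for illustration.

```python
# Added example: allowlist check plus look-alike detection for EVM-style addresses.
# All addresses and transaction ids below are constructed sample values.
ME = "0x" + "7" * 40
ALLOWLIST = {"exchange-deposit": "0xab12" + "0" * 32 + "cd34"}
FAKE = "0xab12" + "f" * 32 + "cd34"   # same first/last 4 hex chars, different middle
DUST = 10**15                          # assumed dust threshold in wei; tune per asset

def normalize(addr):
    """Lower-case a 20-byte hex address, rejecting anything malformed."""
    a = addr.strip().lower()
    if len(a) != 42 or not a.startswith("0x") or set(a[2:]) - set("0123456789abcdef"):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return a

def is_lookalike(candidate, trusted, edge=4):
    """True when start and end match but the full address differs."""
    c, t = normalize(candidate), normalize(trusted)
    return c != t and c[2:2 + edge] == t[2:2 + edge] and c[-edge:] == t[-edge:]

def check_recipient(addr, allowlist, edge=4):
    """Compare the complete address first; only then look for near misses."""
    a = normalize(addr)
    for label, trusted in allowlist.items():
        if a == normalize(trusted):
            return ("allowlisted", label)
    for label, trusted in allowlist.items():
        if is_lookalike(a, trusted, edge):
            return ("lookalike", label)
    return ("unknown", None)

def poisoned_entries(history, allowlist, dust=DUST):
    """Flag dust or zero-value rows whose sender or recipient imitates a trusted address."""
    flagged = []
    for row in history:
        for side in ("from", "to"):
            verdict, label = check_recipient(row[side], allowlist)
            if row["value"] <= dust and verdict == "lookalike":
                flagged.append((row["id"], side, label))
    return flagged

HISTORY = [  # constructed wallet history
    {"id": "tx1", "from": ME, "to": ALLOWLIST["exchange-deposit"], "value": 5 * 10**18},
    {"id": "tx2", "from": FAKE, "to": ME, "value": 1},   # dust sent from the imitation
    {"id": "tx3", "from": ME, "to": FAKE, "value": 0},   # zero-value transfer to it
    {"id": "tx4", "from": "0x" + "9" * 40, "to": ME, "value": 0},  # unrelated, not flagged
]

if __name__ == "__main__":
    print(check_recipient(FAKE, ALLOWLIST), poisoned_entries(HISTORY, ALLOWLIST))
```

A `lookalike` verdict should block the send until the full address has been confirmed with the recipient; `unknown` only means the address is not on the allowlist.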
Moving Forward Against Crypto Address Poisoning
Individual users often don’t take the time for even basic precautions, despite repeated warnings from security firms. This is especially the case where the user is doing many transactions to various wallets, as it can be time-consuming. Mostly, security protocols need to be coded into software as much as possible, to prevent basic errors.
Whales don’t have the same excuses. For a multi-million dollar transfer, the least that could be done is to double check the complete address, or store and whitelist the real address in a secure location. Institutions can also rely on multiple layers of security to safeguard transactions.
So far, it is mostly individuals that get caught with address poisoning. This is likely due to a failure to leverage existing security protocols, as opposed to large enterprises, which have tiered risk management protocols in place.
About Naoris Protocol
Naoris Protocol is revolutionizing cybersecurity and digital trust with the world's first Decentralized Post-Quantum Infrastructure, operating at the Sub-Zero Layer, below layers L0 to L3. It secures blockchain transactions and Web3 & Web2 infrastructure, including DEXes, bridges, and validators, enterprise cloud and IoT networks. By transforming every device into a trusted validator node, our Post-Quantum infrastructure leverages the cutting-edge dPoSec consensus and Decentralized Swarm AI to set a new standard in transparency, trust, and security, preparing Web3 and Web2 for a Post-Quantum future.
Naoris Protocol is led by industry experts and cyber pioneers with decades of experience who are committed to advancing the frontiers of cybersecurity and trust. Here are some of our trusted advisors:
- David Holtzman: former CTO of IBM and architect of the DNS protocol
- Ahmed Réda Chami: Ambassador for Morocco to the EU. Former CEO Microsoft North Africa
- Mick Mulvaney: Former White House Chief of Staff
- Inge Kampenes: Former Chief of Norwegian Armed Forces & Chief of Cyber Defence