XDRIPACADEMY

Lessons·Threats·8 min·Intermediate

Address poisoning and how to dodge it

Address poisoning is the modern version of changing the labels on filing cabinets. The attack costs nothing, scales infinitely, and works on careful people. Once you know the shape, it stops working.

Address poisoning is one of the most successful attacks in crypto right now, and it works on people who would never click a phishing link. Engineers, fund managers, builders. Not because they are careless, but because the attack uses one specific weakness everyone has: we recognize addresses by their first few and last few characters.

That habit is reasonable. It is also the entire opening for this attack.

The attack, explained simply

A blockchain address is a long string of letters and numbers. Forty characters or so, depending on the chain. No human reads forty characters. We glance at the start and the end, see something familiar, and trust the middle to be the same.

An attacker generates an address that matches the first four and last four characters of an address you have already used. Generating the match is cheap. The address space is enormous, but with modern hardware you can find a four-and-four match in seconds, an eight-and-eight in minutes, and so on. The attacker does not need to crack anything. They just generate addresses until they find one that looks enough like yours.

Then they send you a tiny transaction, often for zero or near-zero value, from the lookalike address. Now your transaction history shows the lookalike sitting alongside your real contacts. Same first four characters. Same last four characters. Your eye sees what your eye is trained to see.

The next time you copy an address from your history, you copy from the wrong row. Funds go to the attacker.

That is the entire attack. No malware. No phishing. No social engineering. Just a tiny transaction that sat in your history until you misread it.

Key takeaway

Address poisoning works because we shortcut on the first four and last four characters of an address. The attacker exploits that shortcut by inserting lookalike addresses into your transaction history. The whole attack is psychological. Knowing how it works is most of the defense.

Why this is so effective

A few reasons compound.

  1. It is costless to scale. Generating lookalike addresses is computationally cheap. Sending dust transactions is nearly free. An attacker can run this against every active wallet on a chain at once.
  2. It does not depend on convincing you of anything. A phishing attack needs a story, a fake site, a sense of urgency. Address poisoning needs none of that. It just waits for you to misread your own history.
  3. It bypasses the security you thought you had. A hardware wallet does not protect you. The hardware signs whatever destination address you fed it. If you fed it the wrong one, the device cooperates.
  4. It targets the right moment. People most often paste from history when they are repeating a transaction they have done before. Familiarity lowers attention. Attackers know this.

The combination of "cheap to attack" and "exploits a human shortcut" produces an attack that runs at internet scale and works often enough to be profitable.

The simple defenses, in order

The good news is that address poisoning has obvious countermeasures. The bad news is that they only work if you do them every time.

  1. Never copy an address from transaction history. Copy from a trusted source. A saved contact in your wallet, an address book entry you wrote yourself, a freshly received message from the recipient verified through another channel. Never the row in the explorer or the row in your wallet's recent activity.
  2. Verify the entire address, not just the ends. When you have to use an address, look at the middle of it too. At minimum, glance at three to four characters from somewhere in the middle and confirm they match a trusted source.
  3. Use the wallet's address book. Most modern wallets let you save labeled contacts. Once you have verified an address (ideally with a tiny test send), save it. Send to the saved contact, not to a pasted string.
  4. Test sends for any new or large destination. Send a tiny amount first. Confirm with the recipient that it arrived at the right address. Then send the rest.
  5. Pay attention to the source of the address. Was it pasted from a website that could have been compromised? From a Telegram message that could have been impersonated? From a screen that may have a clipboard hijacker on it? Each of those is a separate poisoning surface.

Watch out

Clipboard hijackers are a separate, related attack. Malware on your computer watches for anything that looks like a crypto address being copied to the clipboard, and silently replaces it with the attacker's address. The defense is the same: verify the full string after pasting, on a screen the malware does not control, before signing. A hardware wallet's screen is the right place to do that final verification.

The hardware-wallet screen, used correctly

This is one of the few moments where a hardware wallet provides direct address-poisoning protection, if you use it correctly.

When you build a transaction, the destination address shows up on the small screen on the device itself. That screen is not running on your computer. Malware on your laptop cannot edit it. If you read the address on the device's screen, character by character, against a trusted source, and only then approve the signature, you have closed the loop. Whatever happened in the browser, in the clipboard, or in your transaction history, the device shows you the truth.

If you press the button on the device without reading the screen, you have a hardware wallet with the security of a paper wallet you printed from a phishing site.

What the wallet ecosystem is doing about it

Some wallets and security tools are now actively detecting poisoning patterns. Lookalike-address warnings, dust-transaction labels, and contact verification flows are becoming more common. A handful of cold-storage products include explicit address-poisoning detection as part of the signing pipeline (XColdPro's Sentinel Guard, for instance, includes address-poisoning detection alongside its other defenses). These are useful additions, not replacements for the habits above.

The core defense is, and will remain, the habit of verifying the full address against a trusted source before signing. Every other layer is helpful only when that habit is already in place.
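The lookalike-address warning mentioned above, as an added example that is not XDRIP Academy's or any wallet's own code: it scans a constructed transaction history for rows whose counterparty shares the first and last four hex characters of a saved contact but differs in the middle, marks zero-value inbound rows as poisoning dust, and shows the exact full-string check a pasted address must pass before signing. All addresses and history rows are constructed sample data.

```python
# Added example (not the page's code): lookalike detection over a constructed
# history, plus the full-string verification a paste must pass before signing.
from dataclasses import dataclass

PREFIX = 4  # hex characters people actually read at the start (after "0x")
SUFFIX = 4  # ...and at the end


def canon(addr: str) -> str:
    """Lower-case and drop the 0x prefix so checksummed and plain forms compare equal."""
    a = addr.strip().lower()
    return a[2:] if a.startswith("0x") else a


def looks_like(candidate: str, trusted: str) -> bool:
    """True if candidate matches trusted on both ends but is NOT the same address."""
    c, t = canon(candidate), canon(trusted)
    return (c != t and len(c) == len(t)
            and c[:PREFIX] == t[:PREFIX] and c[-SUFFIX:] == t[-SUFFIX:])


@dataclass
class HistoryRow:
    counterparty: str
    direction: str  # "in" or "out"
    value_wei: int


def flag_poisoned(history, address_book):
    """(counterparty, contact label, is_dust) for each row that is a lookalike of a saved contact."""
    flagged = []
    for row in history:
        for label, trusted in address_book.items():
            if looks_like(row.counterparty, trusted):
                # a zero-value inbound transfer from a lookalike is the classic poisoning dust
                is_dust = row.direction == "in" and row.value_wei == 0
                flagged.append((row.counterparty, label, is_dust))
    return flagged


def verify_full(pasted: str, address_book, label: str) -> bool:
    """The 'read the whole card' check: the entire string must equal the saved contact."""
    return canon(pasted) == canon(address_book[label])


# Constructed sample data: identical 1a2b...9e8f ends, different middles.
REAL = "0x1a2b" + "00112233445566778899aabbccddeeff" + "9e8f"
LOOKALIKE = "0x1a2b" + "deadbeef0badcafe1234567890abcdef" + "9e8f"
ADDRESS_BOOK = {"exchange": REAL}
HISTORY = [
    HistoryRow(REAL, "out", 10**18),                  # legitimate earlier send
    HistoryRow(LOOKALIKE, "in", 0),                   # poisoning dust from the lookalike
    HistoryRow("0x" + "77" * 20, "in", 5 * 10**17),  # unrelated counterparty
]
```

Run `flag_poisoned(HISTORY, ADDRESS_BOOK)` to see the lookalike row flagged against the "exchange" contact while the genuine row and the unrelated row pass untouched.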

A working mental model

Picture your transaction history as a public bulletin board where anyone can pin a card next to one of yours. The cards on the board are labeled with addresses. Most people, glancing at the board, look at the first few letters and the last few letters and pick the card they recognize.

The attacker prints a card with the same first few letters and the same last few letters, and pins it next to yours. They do not need to fool you on the entire card. They only need to fool you on the part you actually look at.

The defense is to read the whole card. Or to keep your own labeled stack of cards somewhere the attacker cannot reach, and copy from your stack instead of from the public board.

Drill: catch the lookalike

Reading addresses is a muscle. The drill below is the same problem an attacker is counting on you to fail. Three rounds, progressively harder. The mid-string is where the attack lives.


Two addresses. One is real, one is poisoned. Same first and last few characters. Pick the real one. The middle is where attackers hide.

Key takeaway

Address poisoning preys on the habit of recognizing addresses by their ends. Never copy from history. Use a saved address book. Verify the full address on the hardware-wallet screen before signing. Test-send for anything new or large. The attack is cheap and constant. The defense is a habit, applied every time.
