
Address Poisoning Attack Explained: Copy Paste Trap

Address poisoning is one of the most dangerous self-custody threats because it targets human habits, not cryptography. Attackers create lookalike wallet addresses and “poison” your history with tiny transfers so your next copy paste can become a catastrophic mistake. This guide explains how address poisoning works, highlights verified real-world cases, and shares a checklist to keep your funds safe.

February 1, 2026

Address Poisoning Attack: The Copy Paste Trap That Steals Crypto

Have you ever sent crypto to an address, and then minutes later noticed another “transaction” appear with an address that looks almost the same?

That is often the start of an address poisoning attack.

This scam does not break blockchain security. It breaks your attention. It exploits a common habit: copying an address from your recent transaction history and only checking the first few characters.

If you self-custody Bitcoin or Ethereum, you should understand this attack. It has already caused real losses, including multi-million dollar mistakes.

What is an address poisoning attack?

An address poisoning attack is a scam where the attacker tries to make a fake address look like one you trust.

They usually do it by:

  1. Generating a lookalike address
    It shares the same starting and ending characters as a real address you use often. Many wallets truncate addresses, so users only see a short prefix and suffix.
  2. Poisoning your transaction history
    The attacker sends a tiny transfer (often near-zero value) to your wallet, or triggers a token transfer record, so the lookalike address appears in your history.
  3. Waiting for the mistake
    Later, when you want to send funds, you copy the wrong address from history and approve the transaction. The blockchain executes it correctly, just to the wrong recipient.

There is no chargeback. Most chains are irreversible by design.

Why address poisoning is growing in self-custody

Self-custody is about control. But that also means you are the final line of defense.

This scam is growing because it is cheap to run and scales well:

  • Attackers can generate huge numbers of lookalike addresses automatically.
  • They can poison many wallets for pennies.
  • They rely on one thing: a human copy paste mistake.

A large-scale academic measurement study covering Ethereum and BSC from July 2022 to June 2024 identified over 270 million poisoning attempts targeting over 17 million victims, with 6,633 successful incidents causing at least $83.8M in losses.

Verified real-world incidents you should know

Below are major, publicly documented events from reputable sources. I am listing them because they clearly illustrate how the scam works.

1) The $68M WBTC incident (May 3, 2024)

An address poisoning scam nearly cost a victim about $68 million in wrapped bitcoin (WBTC). The attacker poisoned the victim’s history with a lookalike address, and the victim sent funds to the wrong one. The funds were later returned, but the incident became one of the best-known examples of how dangerous this pattern is.

2) The $50M USDT loss (Dec 20, 2025)

A user sent 49,999,950 USDT to a scammer-controlled address after an address poisoning setup. Reports describe how even “test transfers” can be used against you if you still copy the next address from recent history.

3) The 4,556 ETH loss tied to a lookalike deposit address (Jan 31, 2026)

A victim sent 4,556 ETH (about $12M) after copying an address from a poisoned transfer history, reportedly while intending to deposit to a known destination. The attacker generated a lookalike address matching the beginning and ending characters of the intended address, then repeatedly sent dust transactions to make it appear in history.

The psychology behind the scam

Address poisoning succeeds because it leverages normal human behavior:

  • We trust what we have used before.
  • We reuse addresses and recipients.
  • We scan only the first few characters.
  • We are faster on mobile.
  • We rely on wallet UI that truncates addresses.

Attackers are betting that you will do what feels “safe” and familiar: copy an address you already see in your history.

How to spot an address poisoning attempt

Watch for these signals:

  • A tiny incoming transfer you do not recognize.
  • A new address in your history that looks similar to a known address.
  • A token transfer record with near-zero value.
  • Repeated dust transfers from multiple similar addresses.

Important: even if the dust value is small, the goal is not to steal the dust. The goal is to plant a lookalike address into your “recent” list.

How to protect yourself with a practical checklist

You do not need paranoia. You need a repeatable process.

Before every send

  • Never copy the recipient from transaction history if the amount is meaningful.
  • Use an address book (trusted contacts) in your wallet when possible.
  • Verify more than the first 4 and last 4 characters. Check a larger chunk, or compare the full address.
  • Confirm on the hardware wallet screen if you use one. That screen is your best “ground truth.”

For large transfers

  • Use a two-step verification:
    1. paste the address, then compare it to a trusted source
    2. verify again right before signing
  • Send a small test transfer only if you will use the same trusted address source again, not your recent list.
  • Avoid rushing. Most large losses happen when people are “just doing a quick send.”

Clean your workflow

  • If you see a poisoned lookalike address in your history, treat your history as contaminated:
    • do not reuse it as a source for recipients
    • rely on saved contacts or direct sources
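The warning signals and the checklist above can be turned into a small script. This is an added example, not BitInPeace code: it assumes Ethereum-style hex addresses, every address in it is a constructed sample, and the function names are hypothetical. It accepts a recipient only on a full match with the address book and flags history entries that share the first and last 4 characters with a saved contact, or that are unrecognized dust.

```python
from dataclasses import dataclass

# Constructed sample values: made-up hex strings, not real on-chain addresses.
TRUSTED = {"exchange-deposit": "0x52a9c1f07b3e4d6688a0c5e2f1b94d7a3c60e81f"}
LOOKALIKE = "0x52a90d3be71c95f204ab6c8d13e7a05b9f42e81f"  # same first/last 4
UNKNOWN = "0x9b1d44e072c3a5f60e18d7b26a94c3f51e078d2a"

@dataclass
class Transfer:
    counterparty: str  # the other address shown in the wallet history
    value: int         # amount in the token's smallest unit

HISTORY = [Transfer(TRUSTED["exchange-deposit"], 1_500_000_000),
           Transfer(LOOKALIKE, 0), Transfer(UNKNOWN, 1)]

def norm(addr):
    # Hex addresses compare case-insensitively; do NOT lowercase Base58 ones.
    return addr.strip().lower().removeprefix("0x")

def ends(addr, n):
    """Prefix and suffix a truncating wallet UI would display."""
    a = norm(addr)
    return a[:n], a[-n:]

def verify_recipient(pasted, trusted):
    """Full-string match against the address book; returns the label or None."""
    for label, good in trusted.items():
        if norm(pasted) == norm(good):
            return label
    return None

def scan_history(history, trusted, n=4, dust=10):
    """Flag entries that imitate a trusted address or are unknown dust."""
    findings = []
    for tx in history:
        if verify_recipient(tx.counterparty, trusted):
            continue  # exact match with a saved contact
        hit = next((label for label, good in trusted.items()
                    if ends(tx.counterparty, n) == ends(good, n)), None)
        if hit:
            findings.append((tx.counterparty, f"lookalike of {hit}"))
        elif tx.value <= dust:
            findings.append((tx.counterparty, "unrecognized dust"))
    return findings

if __name__ == "__main__":
    for addr, reason in scan_history(HISTORY, TRUSTED):
        print(f"do not copy {addr}: {reason}")
```
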

Why this matters for inheritance and long-term self-custody

Address poisoning is not only a “trader problem.”

It matters for long-term holders and inheritance planning because:

  • Heirs may be under stress and more likely to make mistakes.
  • Families may move funds rarely, so they have less practice.
  • A single wrong send can permanently destroy a legacy plan.

A good inheritance setup should reduce the chance of “one fatal manual step.”

That is one reason BitInPeace focuses on structured, non-custodial planning that keeps control with the owner while reducing risky improvisation later.

Key takeaway

Address poisoning attacks do not hack blockchains. They hack habits.

If you self-custody, one rule to remember:

Never trust your recent transaction history as a source of truth for addresses.
