Ethereum Address Poisoning Attack Escalates: After One Transfer, He Received 89 Alert Emails

Written by: etherscan.eth

Compiled by: AididiaoJP, Foresight News

A few weeks ago, an Etherscan user named Nima shared an unpleasant experience. After completing just two stablecoin transfers, he received over 89 address monitoring alert emails in a short period.

As Nima pointed out, these alerts were triggered by address poisoning transactions. The sole purpose of these transactions, created by attackers, is to implant highly similar fake addresses into the user's transaction history, intending to trick the user into mistakenly using these fake addresses when copying for their next transfer.

Address poisoning has existed on Ethereum for years. However, such incidents highlight that these attack campaigns have become highly automated and scaled. What was once sporadic spam is now executed on a massive scale, with attackers often implanting poisoning transfers within minutes of a legitimate transaction occurring.

To understand why such attacks have become more prevalent, we need to analyze two dimensions: the evolution of address poisoning attack methods, and the fundamental reasons why they can be easily operated at scale.

Additionally, this article will focus on explaining a core prevention principle to help users effectively defend against such attacks.

I. The Industrialization of Address Poisoning

Address poisoning was once considered a niche fraudulent tactic used by opportunistic attackers. However, today, its operational model increasingly exhibits industrial characteristics.

A study published in 2025, analyzing address poisoning activities between July 2022 and June 2024 (i.e., before the Fusaka upgrade), showed that there were approximately 17 million poisoning attempts on Ethereum, involving about 1.3 million users, with confirmed losses of at least $79.3 million.

The table below, based on results from the "Blockchain Address Poisoning Research," shows the scale of address poisoning activities on Ethereum and BSC between July 2022 and June 2024. The data indicates that on the BSC chain, where transaction fees are significantly lower, the frequency of poisoning transfers was 1355% higher.

Attackers typically identify potential targets by monitoring blockchain activity. Once a target user's transaction is detected, automated systems generate highly similar addresses that share the same starting and ending characters as the legitimate addresses the user has interacted with. The attackers then send poisoning transfers containing these fake addresses to the target address, causing them to appear in the user's transaction history.

Attackers tend to target addresses with higher profit potential. Addresses that frequently make transfers, hold large token balances, or participate in large-value transfers typically receive more poisoning attempts.

Competition Mechanism Enhances Attack Efficiency

The 2025 study revealed a noteworthy phenomenon: different attack groups often compete with each other. In many poisoning campaigns, multiple attackers send poisoning transfers to the same target address almost simultaneously.

Each attack group attempts to be the first to implant their fake address into the user's transaction history, hoping that their address will be selected first when the user copies an address later. The one who successfully implants first has an increased probability of having their fake address mistakenly copied by the user.

The case of the following address fully demonstrates the intensity of this competition. In this case, within minutes of a legitimate USDT transfer being completed, 13 poisoning transactions were implanted.

Note: Etherscan hides zero-value transfers by default; hidden items have been unhidden here for demonstration purposes

Common methods used in address poisoning attacks include: dust transfers, fake token transfers, and zero-value token transfers.

II. Reasons Why Address Poisoning Attacks Are Easy to Scale

At first glance, the success rate of address poisoning seems low. After all, most users are not fooled. However, from an economic perspective, the logic of such attacks is quite different.

The Logic of a Probability Game

Researchers found that the success rate of a single poisoning attempt on Ethereum is approximately 0.01%. In other words, out of every 10,000 poisoning transfers, only about 1 might lead to a user mistakenly sending funds to the attacker.

Given this, poisoning campaigns are no longer limited to a few addresses but tend to send thousands or even millions of poisoning transfers. When the attempt base is large enough, even a tiny success rate can accumulate to generate considerable illegal profits.

A single successful large-value transfer fraud can easily cover the costs of thousands of failed attempts.

Lower Transaction Costs Stimulate Increase in Poisoning Attempts

The Fusaka upgrade, activated on December 3, 2025, introduced scalability optimizations that effectively reduced transaction costs on Ethereum. While benefiting ordinary users and developers, this change also significantly lowered the cost for attackers to initiate a single poisoning transfer, enabling them to send poisoning attempts on an unprecedented scale.

After the Fusaka upgrade, Ethereum network activity increased markedly. In the 90 days post-upgrade, the average daily transaction processing volume increased by 30% compared to the 90 days pre-upgrade. During the same period, the average daily number of newly created addresses increased by about 78%.

Furthermore, we observed a significant increase in dust transfer activity. In these transfers, attackers send transactions involving the same token as in the user's history but for a very small amount.

The data below compares dust transfer activity for several major assets in the 90 days before and after the Fusaka upgrade. For stablecoins like USDT, USDC, and DAI, dust transfers refer to transactions below $0.01; for ETH, it refers to transfers below 0.00001 ETH.

USDT

• Pre-upgrade: 4.2 million
• Post-upgrade: 29.9 million
• Increase: +25.7 million (+612%)

USDC

• Pre-upgrade: 2.6 million
• Post-upgrade: 14.9 million
• Increase: +12.3 million (+473%)

DAI

• Pre-upgrade: 142,405
• Post-upgrade: 811,029
• Increase: +668,624 (+470%)

ETH

• Pre-upgrade: 104.5 million
• Post-upgrade: 169.7 million
• Increase: +65.2 million (+62%)

The data indicates that shortly after the Fusaka upgrade, dust transfer activity (below $0.01) surged sharply, peaked, and then declined somewhat, but remained significantly higher than pre-upgrade levels. In contrast, transfer activity above $0.01 remained relatively stable during the same period.

Chart: Comparison of dust transfer trends (<$0.01) for USDT, USDC, and DAI in the 90 days before and after the Fusaka upgrade

<极>

Chart: Comparison of regular transfer trends (>$0.01) for USDT, USDC, and DAI in the 90 days before and after the Fusaka upgrade

In many attack campaigns, attackers first bulk-send tokens and ETH to newly generated fake addresses, which then send dust transfers one by one to the target addresses. Since dust transfers involve extremely low amounts, with lower transaction costs, attackers can operate on a massive scale at very low cost.

Illustration: Address Fake_Phishing1688433 bulk-sending tokens and ETH to multiple different fake addresses in one transaction

It is important to clarify that not all dust transfers are poisoning acts. Dust transfers can also originate from legitimate activities, such as token airdrops or小额 interactions between addresses. However, after reviewing a large number of dust transfer records, it can be judged that a significant portion of them are highly likely to be poisoning attempts.

III. Core Prevention Principle

Always carefully verify the destination address before sending any funds.

Here are some practical suggestions for reducing risk when using Etherscan:

Use Identifiable Address Labels

For addresses you frequently interact with, set private name tags on Etherscan. This helps make legitimate addresses clearly distinguishable among many similar addresses.

Using domain name services like ENS can also improve the recognizability of addresses throughout the browser.

It is also recommended to use the wallet's address book feature to whitelist commonly used addresses, ensuring funds are always sent to the intended target.

Enable Address Highlighting

Etherscan's address highlighting feature helps users visually distinguish between visually similar addresses. If two addresses look almost identical but are highlighted differently, one is highly likely to be a poisoning address.

Always Double-Check Before Copying an Address

Etherscan proactively pops up提醒 windows when users copy addresses that may be associated with suspicious activity. This suspicious activity includes:

• Low-value token transfers
• Fake token transfers
• Tokens with poor reputation
• Tokens with outdated information

When you see such a reminder, be sure to pause and carefully verify whether the address you are copying is the target address you真正 intend to interact with.

Remember, there is no "undo" button in the crypto world. Once funds are sent to the wrong address, the possibility of recovery is minimal.

Summary

As lower costs make high-volume attack strategies more economical, address poisoning attacks on Ethereum are becoming increasingly rampant. Such attacks also negatively impact the user experience, with大量 poisoning spam cluttering transaction history interfaces面向 users.

Effectively preventing address poisoning attacks requires both users to improve their own security awareness and better interface design support. For users, the most crucial habit to develop is: always carefully verify the destination address before sending funds.

At the same time, related tools and user interfaces should play a greater role in helping users quickly identify suspicious activity.

Poisoning address label on Etherscan (https://etherscan.io/accounts/label/poisoning-address)

Etherscan is continuously committed to improving the browser interface and API services to help users more easily identify such attacks. We proactively label fake addresses, identify and hide zero-value token transfers, and label fake tokens. By providing this curated data, users can more easily spot potential address poisoning attempts without manually sifting through massive transaction records.

As poisoning attacks escalate with automation and high-volume dust transfer methods, clearly presenting these risk signals is crucial to helping users distinguish between suspicious activity and legitimate transactions.