What is address poisoning, and how does its attack logic work? The core is a simple yet effective psychological trap. The attacker first finds a record of you having transferred to an address (easy to find on a public blockchain), then generates a fake address that looks almost identical — typically the first few and last few characters are exactly the same, with only some middle characters replaced. The attacker then sends a zero-value dust transaction to your wallet from this fake address, which gets recorded in your on-chain history. The trap is set. The next time you transfer and habitually copy the previous address from transaction history without carefully reading all 42 characters, you very likely copy the fake one and send your funds to the attacker. The attacker needs none of your private keys — just your carelessness.
Why does this attack succeed — which habits does it exploit? Address poisoning's effectiveness rests on two structural realities. First, human visual habits: an Ethereum address has 42 characters; the human brain doesn't read all of them carefully, typically checking only the first and last few and deciding it looks right. Attackers exploit this precisely by changing only the middle positions no one looks at closely. Second, wallet interface habits: many users habitually copy addresses from transaction history rather than fetching them each time from a contact book, whitelist, or original source. As long as this habit exists, the conditions for the attack are met. Combined with the irreversibility of blockchain transfers and the average user's unlikelihood of checking 42 hexadecimal characters character by character, the attacker's success rate is actually quite high. This is social engineering, not technical hacking.
How do you identify and defend against address poisoning? There are a few effective defenses. First and most important: never copy an address from transaction history — this is the fundamental trigger for the attack. Instead, save frequently used recipient addresses in your wallet's contact book or whitelist and select them from there each time; don't pull from history directly. Second, if you genuinely must copy an address from somewhere, verify by expanding and comparing all 42 characters in full, not just the first and last. Third, develop the habit of sending a small test amount before large transfers — if the address is wrong, the loss is only that small amount. Fourth, be wary of unknown dust transactions received in your wallet: if you see an unfamiliar zero-value (or tiny-value) incoming transaction, the odds are high it's the attacker setting a trap; don't click into that address out of curiosity, and above all don't copy an address from that transaction.
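The checks described above can be automated. The following is an added example, not code from the original page: it compares all 42 characters of a pasted address against an address book and flags history entries whose sender matches a saved address only at the first and last characters. The function names, record fields and addresses are hypothetical and constructed for illustration.

```python
import re

ADDR_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")

# Constructed sample data (not real addresses or transactions).
BOOK = {"exchange": "0xA1b2" + "11" * 16 + "C3d4"}
FAKE = "0xa1b2" + "99" * 16 + "c3d4"  # same first/last 4 hex chars, different middle
HISTORY = [
    {"hash": "tx1", "from": "0x" + "5e" * 20, "value_wei": 10**18},
    {"hash": "tx2", "from": FAKE, "value_wei": 0},
]

def normalize(addr):
    """Validate a 42-character address and lowercase it for comparison."""
    if not ADDR_RE.match(addr):
        raise ValueError(f"not a 42-character hex address: {addr!r}")
    return addr.lower()

def looks_like(candidate, trusted, prefix=4, suffix=4):
    """True when candidate matches trusted at both ends but differs overall."""
    c, t = normalize(candidate)[2:], normalize(trusted)[2:]
    return c != t and c[:prefix] == t[:prefix] and c[-suffix:] == t[-suffix:]

def find_poisoning(history, address_book, dust_wei=0):
    """Return incoming transfers whose sender imitates an address-book entry."""
    hits = []
    for tx in history:
        for label, trusted in address_book.items():
            if looks_like(tx["from"], trusted):
                hits.append({"hash": tx["hash"], "imitates": label,
                             "dust": tx["value_wei"] <= dust_wei})
    return hits

def check_recipient(pasted, address_book):
    """Compare the full pasted address with the address book before sending."""
    p = normalize(pasted)
    known = {normalize(a): label for label, a in address_book.items()}
    if p in known:
        return ("ok", known[p])
    for trusted, label in known.items():
        if looks_like(p, trusted):
            return ("lookalike", label)
    return ("unknown", None)

if __name__ == "__main__":
    print(find_poisoning(HISTORY, BOOK))
    print(check_recipient(FAKE, BOOK))
```

A "lookalike" or "unknown" result means the address should be re-fetched from its original source instead of being used as pasted.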
Now that I understand address poisoning, what practical changes should I make to my daily on-chain operations? The most direct habit change: starting today, build your own address book of frequently used addresses. Save the addresses you often transfer to (exchange withdrawal addresses, friends' addresses, commonly used contract addresses, etc.) in one go, and from now on fetch them from the contact book for every transfer, not from history. This takes a few minutes but prevents the vast majority of address poisoning attacks. Another important point to recognize: on the blockchain, there's no customer service to help you recover a mistaken transfer. Once a transfer is confirmed on-chain, no mechanism can reverse it; this is the real cost of crypto's self-custody model. For any large transfer, spending thirty extra seconds verifying the address is far more useful than regret after the fact. This matters most in high-excitement markets, where operations are fast and impulsive; that is the most common scenario for address poisoning victims.
Feel the danger of address poisoning through a realistic scenario. You work heavily in DeFi, transferring ETH from your self-custody wallet to an exchange every week. One day, an unfamiliar zero-value incoming transaction appears in your wallet — the sender is 0x71C7...76F, nearly identical to your frequently-used exchange withdrawal address 0x71C7...86F, differing only in the fourth-last character. The amount is zero and you don't pay much attention, nor look closely.
Three days later, you prepare to transfer 5 ETH to the exchange. You habitually open your transaction history, see the address 0x71C7...76F, glance at the first and last few characters — looks right — copy, paste, confirm and send.
Five minutes later, you open the exchange to check for the deposit. Nothing. You look up the TX hash in a block explorer and find the funds arrived at 0x71C7...76F, the attacker's address, not your exchange. The transaction is already more than 20 blocks deep; there is no way to recover the funds.
What's truly lost isn't just those 5 ETH. Every habitual operation you had assumed was safe turns out to have been a potential crisis waiting to be triggered. Address poisoning turns your safety habits into a vulnerability — the cost to defend against it is low; the cost of ignoring it could be every frequently-used address in your entire operating history.
Address poisoning as an attack vector reveals a deeper trade-off: blockchain transparency is simultaneously its advantage and its attack surface. On-chain data being completely public lets anyone verify, trace, and audit — the core promise of decentralization. But that transparency also lets attackers scan all active addresses, analyze transfer patterns, and precisely craft look-alike addresses for specific targets. Maintaining public verifiability while protecting privacy is a contradiction public blockchain design still has no perfect answer for. The current practical response is simply users building stricter operational discipline for themselves — at root, address poisoning is a reminder that in a system where transactions can't be recalled, the cost of carelessness is much higher and much faster than in traditional finance.