Address Poisoning in Crypto: What It Is, How It Works, and Why You Should Care

When you’re moving funds on-chain, one wrong character in an address can mean the difference between a successful transaction—and a complete loss.

Scammers know this.
And that’s exactly why address poisoning is becoming a go-to tactic in their playbook.

It’s subtle, it’s clever, and for the untrained eye… it can be incredibly costly.

What is Address Poisoning?

Address poisoning is a type of scam where bad actors create lookalike wallet addresses—ones that closely resemble those you’ve recently interacted with.

They then send tiny amounts of tokens (like ETH, USDT, or USDC) to your wallet, using these copycat addresses. The idea? Their fake address now shows up in your transaction history. So next time you go to copy-paste an address you “recognize,” you might accidentally send funds to the scammer instead.

It’s a simple trick—but it works.

How Scorechain Detects Address Poisoning (In Near Real-Time)

At Scorechain, we’ve built a dedicated Address Poisoning Detector to flag these malicious addresses and help VASPs, compliance teams, and investigators stay ahead.

Here’s how it works under the hood:

1. Monitoring suspicious transactions: We continuously scan all value transfers on-chain to detect transactions sending very small amounts of well-known tokens like ETH, USDT, USDC, or LINK.
   
   
2. Reviewing the victim's recent activity: We analyze the wallet’s previous transaction history to identify legitimate interactions.
   
   
3. Flagging honeypots: If we find a recent address in the wallet’s history that shares the same starting/ending characters as the suspicious one, we flag it as a “honeypot”—a trap designed to exploit copy-paste habits.
   
   

To do this effectively, we’ve had to solve some tough challenges:

• Index every transaction across multiple chains and evaluate every value transfer.
  
  
• Maintain a curated list of legitimate tokens, and fetch metadata for unknown ERC-20s.
  
  
• Normalize token symbols to catch trickery with special characters (e.g., Cyrillic letters).
  
  
• Filter out burn/mint addresses and known exceptions.
  
  
• Optimize everything with robust caching for real-time detection.
  
  

It’s a complex process—but the results speak for themselves.

Two Real-World Examples of Poisoning

Example 1: ETH Dust Attack

‍

• Legitimate transaction (~$320 in ETH):
  🔗 View on Etherscan

from 0x11D867b268B969393E30194263777DcAD54de1a3 

to 0xc07c50EE9B308344ADB21b04aBB5eD7556307EDB

• Scammer's follow-up (20 mins later):
  🔗 View on Etherscan

from 0xC07c16aDf2fDa8f6aD7A9122DE19d770Ff4e7EDb 

to 0x11D867b268B969393E30194263777DcAD54de1a3

💡 What’s happening here?
The scammer creates a wallet address visually similar to the original recipient’s and sends a tiny amount of ETH back to the sender. This fake address now appears in the wallet’s history, waiting to be mistaken for the real one.

‍

Example 2: Fake USDT Contract

• Legitimate transaction (~$1,100 in USDT):
  🔗 View on Etherscan

from 0x85A0bee4659ECef2e256dC98239dE17Fb5CAE822

to 0xBc66860E3e2758575b086FFaFE61e2d8de46bbf2

• Scammer’s imitation (1 block later):
  🔗 View on Etherscan

from 0x85A0bee4659ECef2e256dC98239dE17Fb5CAE822

to 0xBC66BE4d1FE956c99e91833E34c918D951f7bbf2
Token: Fake USDT

💡 Here, the scammer replicates the transaction, using a fake USDT token contract and an address that looks almost identical to the original recipient’s. The result? A misleading entry in the transaction history that could trick the user next time they send funds.

‍

What We’ve Found (So Far) In terms of Data.

After running the Poisoning Detector across four EVM-compatible chains (Ethereum, BSC, Base, and Polygon) for just one month, here’s what we uncovered:

• 4,249 poisoning entities identified
  
  
• 1.37 million addresses linked to poisoning attacks:
  
  
  
  • 1,369,603 honeypot addresses
    
    
  • 2,588 scammer-controlled addresses
    
    
  • 747 fake tokens detected
    
    
• One single entity was responsible for 10% of all poisoning attempts
  
  
• Chain breakdown:
  
  
  
  • Ethereum: 50% of activity
    
    
  • BSC: 45%
    
    
  • Polygon: 3%
    
    
  • Base: 2%
    
    
• Most spoofed tokens:
  
  
  
  • USDT + USDC: 35%
    
    
  • ETH: 13%
    
    

✅ How to Stay Ahead

Address poisoning is easy to overlook—but dangerous if ignored. Especially for platforms and teams managing high volumes of transactions or user funds, the risk is very real.

Scorechain’s Address Poisoning Detector makes it possible to:

• Automatically flag and trace scam addresses
  
  
• Link attackers across multiple transactions and chains
  
  
• Keep users, funds, and reputations safe
  
  

Copy-paste traps are real. Our MetaMask SafeTransfer plugin helps you spot poisoned addresses before it's too late. 

https://snaps.metamask.io/snap/npm/scorechain-safetransfer/

‍