Address poisoning, also known as address spoofing, is a type of cryptocurrency attack in which an attacker sends a small amount of worthless tokens to a victim. The attacker’s wallet has an address that resembles a wallet used by a trusted source (such as cryptocurrency exchange, or the victim’s wallet).
The attacker’s goal is to get the victim to confuse the scam wallet with a legitimate wallet and send funds directly to the attacker. Like many attack vectors, address poisoning takes advantage of human errors in judgment — and while it’s a simple technique, it’s extraordinarily effective.
To recap, here’s a brief example of how an address poisoning attack might work:
- The attacker watches the blockchain, looking for wallets that handle a large number of transactions. Ideally, the target will send funds regularly to a certain address.
- The attacker creates a wallet that mimics that address. Usually, the first characters and final characters of the scam wallet’s address will be identical to the source wallet.
- Because of the way that wallets truncate addresses, the user might not notice the differences. The user might send crypto, tokens, or NFTs to the scam address.
In some cases, the attacker might contact the victim directly to try to enforce the scam. The FBI issued a warning in April 2024 that detailed an especially significant case:
A Colorado-based individual unknowingly fell victim to a $2.1 million stable coin investment scam. After the initial investment, the victim received a notification that their account was locked for “malicious arbitrage” and was being fined $1.5 million. Upon investigation, the tokens involved were identified as impersonation tokens.
Unfortunately, when funds are sent to the wrong source, there’s not much that victims can do.
Are address poisoning attacks illegal?
Given that the FBI is warning about “cryptocurrency token impersonation scams,” it’s safe to say that address poisoning attacks fall under the generally accepted legal definition of fraud — but prosecuting the crime probably isn’t a high priority for authorities.
Tracking down fraudulent wallets isn’t especially easy, and given the enormous rise in ransomware attacks, cybersecurity experts have other priorities at the moment.
How can I protect myself against cryptocurrency address poisoning attacks?
The best way to protect yourself is to double-check addresses before transferring any funds. Don’t rely on your judgment, and don’t use the “resend” option provided by your software wallet or cryptocurrency exchange — copy and paste the recipient’s address from a trusted source every single time.
We also recommend taking steps to avoid other common scams:
- Never share your wallet password or BIP39 passphrase with anyone. Keep your passphrase somewhere safe (ideally, offline).
- When using cryptocurrency exchanges, enable two-factor authentication (2FA).
- Never click on suspicious links in emails or download attachments of any kind from unknown sources.
- Verify all transactions and addresses. Be cautious when prompted for cryptocurrency credentials or personally identifiable information (PII).
- Wherever possible, use a hardware wallet instead of storing funds in online exchanges. Learn why crypto wallets are generally safer than exchanges.
Don’t lose sleep over lost crypto.
Datarecovery.com can help you explore options for regaining access to lost digital assets. With our no data, no charge guarantee, you only pay if we successfully recover your funds.
Call us at 1-800-237-4200 or submit a case online to connect with a data recovery specialist.