Written by: etherscan.eth

Compiled by: AididiaoJP, Foresight News

A few weeks ago, an Etherscan user named Nima shared an unpleasant experience. After completing just two stablecoin transfers, he received over 89 address monitoring alert emails in a short period.

As pointed out by Nima, these alerts were triggered by address poisoning transactions. The sole purpose of these transactions created by attackers is to insert highly similar fake addresses into users' transaction histories, intending to deceive users into mistakenly copying and using these fake addresses for their next transfer.

Address poisoning has existed on Ethereum for years. However, such incidents highlight that these attack activities have become highly automated and scaled. Once sporadic spam, now these can be implemented on a large scale, with attackers often completing the injection of poisoned transfers just minutes after legitimate transactions occur.

To understand why such attacks have become more common, we need to analyze from two dimensions: the evolution of address poisoning attack techniques and the fundamental reasons for their ease of scaling.

In addition, this article will focus on one core prevention principle to help users effectively guard against such attacks.

1. The Industrial Development of Address Poisoning

Address poisoning was once considered a niche fraud method adopted by opportunistic attackers. However, today, its operational model increasingly shows industrial characteristics.

A study released in 2025 analyzed address poisoning activities from July 2022 to June 2024 (before the Fusaka upgrade). The study revealed that approximately 17 million poisoning attempts occurred on Ethereum, involving about 1.3 million users, with confirmed losses of at least 79.3 million dollars.

The table below is based on the results of the "Blockchain Address Poisoning Study," showcasing the scale of address poisoning activities on Ethereum and BSC from July 2022 to June 2024. The data indicates that on the BSC chain, where transaction fees are significantly lower, the frequency of poisoning transfers is 1355% higher.

Attackers typically identify potential targets by monitoring blockchain activity. Once a target user's transaction is detected, an automated system generates highly similar addresses that share the same starting and ending characters as the legitimate addresses they have interacted with. Subsequently, attackers send poisoned transfers containing these fake addresses to the target address, making them appear in the user's transaction history.

Attackers tend to target addresses with higher profit potential. Addresses that frequently conduct transfers, hold large token balances, or participate in significant transfers typically receive more poisoning attempts.

Competitive Mechanism Enhances Attack Efficiency

The 2025 study revealed a noteworthy phenomenon: there is often competition among different attacking groups. In many poisoning activities, multiple attackers may send poisoned transfers to the same target address almost simultaneously.

Each attack group attempts to be the first to insert its fake addresses into the user's transaction history, hoping that when the user copies an address later, their fake address will be prioritized. The first one to succeed in insertion sees an increased probability that their address will be mistakenly copied by the user.

The following address case fully demonstrates the intensity of this competition. In this case, just minutes after a legitimate USDT transfer was completed, 13 poisoned transactions were injected.

Note: Etherscan hides zero-value transfers by default; this has been unhidden for demonstration purposes

Common tactics employed in address poisoning attacks include: dust transfers, forged token transfers, and zero-value token transfers.

2. Reasons Address Poisoning Attacks Are Easy to Scale

At first glance, the success rate of address poisoning seems low. After all, most users do not fall for it. However, from an economic perspective, the logic of these attacks is drastically different.

The Logic of Probability Games

Researchers found that on Ethereum, the success rate of a single poisoning attempt is about 0.01%. In other words, on average, only about 1 in 10,000 poisoning transfers may lead to a user mistakenly sending funds to the attacker.

In light of this, poisoning attack activities are no longer limited to a few addresses but tend to send thousands or even millions of poisoning transfers. When the attempt base is large enough, even a tiny success rate can accumulate to produce substantial illegal gains.

A single successful large transfer fraud can yield profits enough to easily cover the costs of thousands of failed attempts.

Lower Transaction Costs Stimulate Increased Poisoning Attempts

The Fusaka upgrade, activated on December 3, 2025, introduced scalability optimizations that effectively reduced transaction costs on Ethereum. This change not only benefits ordinary users and developers but also significantly lowers the cost for attackers to initiate single poisoning transfers, enabling them to send poisoning attempts on an unprecedented scale.

After the Fusaka upgrade, Ethereum network activity significantly increased. In the 90 days following the upgrade, the daily average transaction processing volume rose by 30% compared to the 90 days before the upgrade. During the same period, the daily number of new addresses created saw an average increase of around 78%.

Furthermore, we observed a significant rise in dust transfer activities. In these transfers, attackers send transactions with the same tokens as the user's historical transfers, but for a very small amount.

The following data compares dust transfer activities for several major assets in the 90 days before and after the Fusaka upgrade. For stablecoins like USDT, USDC, and DAI, dust transfers refer to transactions valued below 0.01 USD; for ETH, it refers to transfers of less than 0.00001 ETH.

USDT

• Before the upgrade: 4.2 million
• After the upgrade: 29.9 million
• Increase: +25.7 million (+612%)

USDC

• Before the upgrade: 2.6 million
• After the upgrade: 14.9 million
• Increase: +12.3 million (+473%)

DAI

• Before the upgrade: 142,405
• After the upgrade: 811,029
• Increase: +668,624 (+470%)

ETH

• Before the upgrade: 104.5 million
• After the upgrade: 169.7 million
• Increase: +65.2 million (+62%)

The data indicates that shortly after the Fusaka upgrade, dust transfer (below 0.01 USD) activities surged, peaking before declining, yet remaining significantly higher than pre-upgrade levels. In contrast, transfer activities above 0.01 USD remained relatively stable during the same period.

Chart: Comparison of dust transfers (0.01 USD) for USDT, USDC, and DAI in the 90 days before and after the Fusaka upgrade

Chart: Comparison of regular transfers (>0.01 USD) for USDT, USDC, and DAI in the 90 days before and after the Fusaka upgrade

In many attack activities, attackers first distribute tokens and ETH in bulk to newly created fake addresses, which then send dust transfers one by one to the target address. Because dust transfers involve very low amounts, as transaction costs decline, attackers can conduct large-scale operations at extremely low costs.

Illustration: Address Fake_Phishing1688433 sends tokens and ETH in bulk to multiple different fake addresses in a single transaction

It should be clarified that not all dust transfers are acts of poisoning. Dust transfers can also arise from legitimate activities, such as token exchanges or small interactions between addresses. However, after reviewing a large number of dust transfer records, it can be determined that a significant portion is likely to be poisoning attempts.

3. Core Prevention Principles

Before sending any funds, be sure to carefully verify the target address.

Here are some practical tips to reduce risk when using Etherscan:

Use Recognizable Address Labels

For addresses you frequently interact with, set private name tags on Etherscan. This helps to clearly distinguish legitimate addresses among numerous similar addresses.

Using domain name services like ENS can also enhance the recognizability of addresses across the entire browser.

Additionally, it is recommended to utilize the address book feature of wallets to whitelist commonly used addresses, ensuring that funds are always sent to the intended targets.

Enable Address Highlighting Feature

Etherscan's address highlighting feature helps users visually distinguish visually similar addresses. If two addresses look nearly identical but have different highlighting styles, one of them is likely a poisoning address.

Double-Check Before Copying Addresses

Etherscan proactively displays a reminder window when users copy addresses that may be related to suspicious activities. These suspicious activities include:

• Low-value token transfers
• Forged token transfers
• Poorly reputed tokens
• Tokens with outdated information

When you see such reminders, be sure to pause and carefully verify whether the address you copied is indeed the target address you intend to interact with.

Remember, the encrypted world does not have a "cancel" button. Once funds are sent to the wrong address, the chances of recovery are minimal.

Conclusion

As reduced transaction costs make high-volume attack strategies more economically viable, address poisoning attacks are becoming increasingly rampant on Ethereum. These attacks also negatively impact user experience, flooding various user-facing transaction history interfaces with numerous poisoning spam.

Effectively preventing address poisoning attacks requires users to enhance their security awareness, supported by better interface design. For users, the core habit to develop is to carefully verify the target address before sending funds.

At the same time, relevant tools and user interfaces should play a more significant role in helping users quickly identify suspicious activities.

Poisoning address labels on Etherscan (https://etherscan.io/accounts/label/poisoning-address)

Etherscan continues to improve the browser interface and API services to assist users in recognizing these attacks more conveniently. We actively label forged addresses, identify and hide zero-value token transfers, and flag forged tokens. By providing this organized data, users can more easily identify potential address poisoning attempts without manually sifting through massive transaction records.

As poisoning attacks continue to upgrade through automation and high-volume dust transfer methods, clearly presenting these risk signals is crucial for helping users distinguish suspicious activities from legitimate transactions.