
A new wave of malicious activity has been highlighted by Jameson Lopp, chief security officer at the Bitcoin custody firm Casa, who has drawn attention to what he describes as “address poisoning attacks” on the Bitcoin blockchain. In his April 6 article, Lopp labels this activity a form of social engineering that exploits users’ reliance on partial address matches.
As he states, “An address poisoning attack is a form of social engineering in which a malicious actor tries to trick users into sending cryptocurrency to the wrong address (controlled by the attacker) by exploiting how wallet interfaces display and store addresses.” These scams often use nearly identical addresses to those that appear in a victim’s transaction history, taking advantage of humans’ tendency to focus on only the beginning and end of an address when verifying recipients.
Bitcoin Address Poisoning
Lopp explains that attackers generate addresses that closely resemble the victim’s recently used addresses, deposit a small amount of Bitcoin into this similar-looking address, then “poison” the target’s transaction history by sending a negligible quantity of Bitcoin from the fake address back to the victim’s wallet. When victims later look into their transaction history to send funds, they may unthinkingly copy the spoofed address, thereby transferring cryptocurrency to the attacker.
The result, says Lopp, is that “the victim voluntarily sends funds to the attacker’s address by mistake, and the attacker keeps the stolen funds.” He attributes a large part of this successful trickery to human error, wallet interface design that abbreviates addresses, and the practice of reusing addresses or relying on the last-used entry in the transaction history.
Lopp reveals that the first recorded examples of this scheme, based on his scanning of the entire blockchain for one-input-one-output transactions where the first and last four characters of both addresses match, emerged in block 797570 on July 7, 2023. The next instances surfaced on December 12, 2023 in block 819455, continuing until block 881172 on January 28, 2025, after which activity halted for two months before picking up again. In total, he detected almost 48,000 transactions that fit this pattern, taking up 6,654,534 virtual bytes of block space—an expenditure of about 0.22305335 BTC in fees and 0.06840502 BTC in dust outputs, for a collective total of 0.29145837 BTC, or roughly $25,000 at the current exchange rate.
Lopp points out that the so-called “spray and pray” dusting nature of these attacks is economically viable primarily in the sort of low-fee environments that have characterized the Bitcoin network in recent times.
While scouring the blockchain, Lopp identified evidence of at least one successful ruse, in which the malicious address bc1qr9wuw4zkjflet80lr9cr5ec8620c4fg52wua0h fooled the targeted address bc1qr9xkxanfstzqpfd5ce0t3evwc45pnmsr2wua0h into sending 0.1 BTC to the attacker. “Here we can see the transactions involving the malicious address,” writes Lopp, referencing the poisoning transaction, the victim’s subsequent deposit to the fraudulent address, and the attacker’s final sweep of the funds into a different wallet.
Only 12 hours after the victim sent 0.1 BTC to the attacker, Lopp notes that this same victim address completed another 0.1 BTC transaction, presumably to the originally intended recipient. Although the gain for the attacker in this instance was relatively modest, Lopp observes that the address from which the 0.1 BTC was sent held nearly 8 BTC, meaning the losses could have been far more significant and thus potentially profitable for the malicious operator.
Lopp also remarks on reports suggesting that address poisoning might have been combined with key theft to dupe a multisig cosigner into transferring 4,503 BTC from an exchange to an attacker. While he acknowledges that this scenario is speculative and falls outside the scope of his own research, he notes that the possibility underscores the seriousness of address poisoning as a vector for deception.
His analysis indicates that the targets of these transactions were addresses with moderate to high balances, or addresses that had demonstrated recent activity, in hopes the owners would be more likely to reuse addresses. Nevertheless, Lopp found that a surprising 12,199 targeted addresses never spent any funds at all, an oversight on the part of scammers who presumably gain no benefit from inactive addresses.
In terms of preventive measures, Lopp explicitly advises Bitcoin users to “double check the entire address before sending bitcoin,” instead of relying on truncated visible segments. He also emphasizes the importance of creating and labeling contacts within wallets, while urging the practice of avoiding address reuse altogether. “Don’t trust addresses just because they appear in your transaction history—even from deposits!” he warns.
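The matching rule Lopp scanned for (first and last four characters equal, full address different) can also be applied wallet-side to the transaction history a user copies from, which is the habit his advice targets. The following Python is an added example, not code from Lopp's article or from any wallet; the function names, the `n` threshold, the txids and the amounts are constructed, and only the two addresses come from the article.

```python
"""Flag look-alike ("poisoned") addresses in a wallet's transaction history."""

def normalise(addr: str) -> str:
    addr = addr.strip()
    # Bech32 addresses are case-insensitive; legacy Base58 ones are not.
    return addr.lower() if addr.lower().startswith("bc1") else addr

def shared_affixes(a: str, b: str) -> tuple[int, int]:
    """Lengths of the common prefix and common suffix of two addresses."""
    def common(xs, ys):
        n = 0
        for x, y in zip(xs, ys):
            if x != y:
                break
            n += 1
        return n
    return common(a, b), common(reversed(a), reversed(b))

def is_lookalike(candidate: str, known: str, n: int = 4) -> bool:
    """True for a *different* address sharing >= n leading and trailing chars."""
    c, k = normalise(candidate), normalise(known)
    if c == k:
        return False
    prefix, suffix = shared_affixes(c, k)
    return prefix >= n and suffix >= n

def flag_history(known: set[str], history: list[dict], n: int = 4) -> list[dict]:
    """Return history entries whose counterparty imitates a known address."""
    known_norm = {normalise(k) for k in known}
    flagged = []
    for entry in history:
        addr = normalise(entry["counterparty"])
        if addr in known_norm:
            continue  # exact match with an own or labelled address
        for k in sorted(known_norm):
            if is_lookalike(addr, k, n):
                prefix, suffix = shared_affixes(addr, k)
                flagged.append({**entry, "imitates": k, "prefix": prefix, "suffix": suffix})
                break
    return flagged

# OWN and the first HISTORY counterparty are the address pair quoted in the article;
# txids, amounts and the second counterparty string are constructed placeholders.
OWN = {"bc1qr9xkxanfstzqpfd5ce0t3evwc45pnmsr2wua0h"}
HISTORY = [
    {"txid": "constructed-tx-1", "counterparty": "bc1qr9wuw4zkjflet80lr9cr5ec8620c4fg52wua0h", "sats": 546},
    {"txid": "constructed-tx-2", "counterparty": "bc1qconstructedplaceholderaddress0000000000", "sats": 250000},
]
FLAGGED = flag_history(OWN, HISTORY)
```

Every native SegWit v0 address begins with `bc1q`, so for such addresses the four-character prefix test is always satisfied and the suffix carries the signal. The article's pair shares six characters at each end, which is why a wallet view truncated to the first and last few characters cannot tell the two apart.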
At press time, BTC traded at $77,093.

