Bitcoin Address Poisoning Attacks

An address poisoning attack is a form of social engineering in which a malicious actor tries to trick users into sending cryptocurrency to the wrong address (controlled by the attacker) by exploiting how wallet interfaces display and store addresses.
My interest in this subject was piqued back in January when mononaut pointed out this odd transaction:

How it Works
The attacker generates a bitcoin address that looks very similar to the victim’s recently used addresses - especially the beginning and end of the address, which are often the only parts visible in many wallets. How is this accomplished? Via brute force, by generating and throwing away vast quantities of private keys. There are plenty of free vanity address generator tools available to accomplish this task.
Next, the attacker deposits a small amount of cryptocurrency into this address, usually less than a dollar's worth.
Then they "poison" the target's transaction history by sending the funds from this similar-looking address to the victim's address. Here are some example poisoning transactions:

When the victim later wants to send funds, they may naively copy a previously used address from their transaction history without realizing it's the attacker’s spoofed address.
Result: the victim voluntarily sends funds to the attacker's address by mistake, and the attacker keeps the stolen funds.
Why it Works
Human error: people often rely on partial address matches, not checking the full string.
Wallet UX: many wallet interfaces shorten addresses, making visual confirmation unreliable.
Transaction history shortcuts: some users copy addresses directly from past transaction lists without verifying them.
Real World Attacks
I wrote a script that scanned the entire blockchain history for transactions with 1 input and 1 output where the first and last 4 characters of both the input and the output address match.
The first such transactions don't appear until block 797570 (July 7, 2023), which had 36 such transactions in it. Then all was quiet until block 819455 (December 12, 2023), after which we can find regular bursts of these transactions up until block 881172 (January 28, 2025). Then there was a 2 month break before they started up again.
Over this 18-month period, just shy of 48,000 transactions were sent that match this profile of potential address poisoning.
Each transaction is only 100 to 200 virtual bytes, for a grand total of 6,654,534 virtual bytes of block space, about 4 blocks' worth.
0.06840502 BTC spent in dust outputs
0.22305335 BTC spent in fees
Total of 0.29145837 BTC = $25,000 at today's exchange rate.
I think it's also worth noting that this type of "spray and pray" dusting attack is only economically feasible during low fee environments, such as what we've seen lately. It can make sense at 1 sat/vb fees but at 100 sat/vb it becomes egregiously expensive.
Script Types
I observed the attacker(s) sending to P2PKH, P2SH, and P2WPKH addresses, though no P2TR addresses were seen receiving deposits.

Attack Success Rate
I wrote a script to check every malicious "poison" address I found to see if any of them had received deposits after the initial deposit and withdrawal for the attack transaction.
It looks like malicious address bc1qr9wuw4zkjflet80lr9cr5ec8620c4fg52wua0h successfully fooled target victim address bc1qr9xkxanfstzqpfd5ce0t3evwc45pnmsr2wua0h into sending them 0.1 BTC. Here we can see the transactions involving the malicious address:
- Initial "poisoning" transaction.
- Receipt of funds from the fooled victim.
- Sweeping of funds to a different wallet.

There is additional evidence that the target address really was tricked: it sent 0.1 BTC to the malicious address, then 12 hours later sent 0.1 BTC to a different address, presumably the one originally intended.

Total successful address poisoning attacks:
bc1qr9wuw4zkjflet80lr9cr5ec8620c4fg52wua0h for 0.1 BTC
Not a great rate of return, at least not yet! That's nearly 0.3 BTC spent in order to earn 0.1 BTC. Of course, another way to look at it is a 1 in 48,000 success rate. That one successful trick could easily have resulted in a much higher ROI, because the address from which the funds were spent held nearly 8 BTC, which could have made the entire project profitable.
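The scan heuristic described under "Real World Attacks" (1 input, 1 output, first and last 4 characters of both addresses matching) together with the success check from this section, as an added example rather than the post's own scripts. The `Tx` record and the `SAMPLE_TXS` list are constructed for the example; only the two bech32 addresses quoted above are taken from the post.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass
class Tx:
    txid: str
    block: int
    inputs: List[str]               # addresses that funded the transaction
    outputs: List[Tuple[str, int]]  # (address, satoshis) pairs
    fee_sats: int
    vsize: int                      # virtual bytes

def looks_alike(a: str, b: str, n: int = 4) -> bool:
    """Same first n and last n characters, but not the identical address."""
    return a != b and a[:n] == b[:n] and a[-n:] == b[-n:]

def find_poison_candidates(txs: List[Tx]) -> List[Tx]:
    """The post's heuristic: 1 input, 1 output, lookalike addresses."""
    return [tx for tx in txs
            if len(tx.inputs) == 1 and len(tx.outputs) == 1
            and looks_alike(tx.inputs[0], tx.outputs[0][0])]

def summarize(cands: List[Tx]) -> Dict[str, int]:
    """Totals reported in the post: count, block space, dust, fees."""
    return {"count": len(cands),
            "vbytes": sum(t.vsize for t in cands),
            "dust_sats": sum(t.outputs[0][1] for t in cands),
            "fee_sats": sum(t.fee_sats for t in cands)}

def successful_poisons(txs: List[Tx], cands: List[Tx]) -> Dict[str, int]:
    """Poison addresses that later received coins from someone other than themselves."""
    hits: Dict[str, int] = {}
    for c in cands:
        poison = c.inputs[0]
        for tx in txs:
            if tx.block > c.block and poison not in tx.inputs:
                got = sum(v for a, v in tx.outputs if a == poison)
                if got:
                    hits[poison] = hits.get(poison, 0) + got
    return hits

# VICTIM and POISON are the addresses quoted in the post; every other
# address, amount, txid and block height below is constructed.
VICTIM = "bc1qr9xkxanfstzqpfd5ce0t3evwc45pnmsr2wua0h"
POISON = "bc1qr9wuw4zkjflet80lr9cr5ec8620c4fg52wua0h"
SAMPLE_TXS = [
    Tx("poison", 819500, [POISON], [(VICTIM, 600)], 150, 110),
    Tx("victim", 819900, [VICTIM], [(POISON, 10_000_000), (VICTIM, 5_000_000)], 300, 140),
    Tx("sweep", 819950, [POISON], [("bc1qSweepAddrCONSTRUCTED", 9_999_800)], 200, 110),
]
```

The sweep transaction is also 1-in/1-out but is not flagged because the addresses do not resemble each other; the victim's payment is the one that turns the poison address into a "hit".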
It's noteworthy that address poisoning might have been combined with key theft in order to trick a multisig cosigner into sending 4,503 BTC from an exchange into an attacker's hands, though this is somewhat speculative and outside the scope of my research. Relevant thread:
Japanese exchange DMM Bitcoin recently lost 4503 BTC, worth over $300m.
— mononaut (@mononautical) June 1, 2024
So what happened? Did North Korea hack their mainframe? Perhaps a team of elite thieves executed a series of elaborate heists to exfiltrate multisig keys from DMM's vaults?
Let's investigate... 🧵 https://t.co/pLq4CbNfx9
Victim Profiling
What were the characteristics of addresses that were targeted for poisoning? It's hard to see any particular pattern, though I suspect the attackers were only looking at addresses with recent activity in the past year or so.
The biggest surprise I came across is that 12,199 targeted addresses never spent funds! This seems like a pretty foolish oversight - if I were conducting such an attack I'd prefer to target addresses that make many spends, preferably to the same addresses, in order to increase the likelihood of a human spender getting tricked.

Unsurprisingly, most targeted addresses that were spending funds were sending less than 10 BTC per transaction.

Most targeted addresses had fewer than 10 deposits.

In general, the distribution of balances is not surprising. The only thing that's clear is that the attackers generally ignored addresses with balances under 1 BTC.

How to Protect Yourself
Double check the entire address before sending bitcoin.
Use address labels or contacts in your wallet to avoid relying on memory or recent transactions.
Don't trust addresses just because they appear in your transaction history - even from deposits!
Don't re-use addresses, period! This remains a Bitcoin best practice for a multitude of reasons.
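How a wallet could enforce the advice above before signing, as an added example that is not from the post or any particular wallet: it shows that the two addresses from the case study render identically under a typical 6-character truncation, then flags a destination that partially matches a history entry or is known only from a dust deposit. The `HistoryEntry` record and the `HISTORY` list are constructed; `looks_alike` is the same 4-character prefix/suffix test used in the scan.

```python
from dataclasses import dataclass
from typing import List

@dataclass
class HistoryEntry:
    address: str            # counterparty address
    direction: str          # "in" = they paid us, "out" = we paid them
    sats: int
    labeled: bool = False   # True if the user saved it as a contact

def display_short(addr: str, n: int = 6) -> str:
    """The truncated form many wallets render: first n chars, ellipsis, last n."""
    return f"{addr[:n]}…{addr[-n:]}"

def looks_alike(a: str, b: str, n: int = 4) -> bool:
    return a != b and a[:n] == b[:n] and a[-n:] == b[-n:]

def check_destination(dest: str, history: List[HistoryEntry],
                      dust_sats: int = 1000) -> List[str]:
    """Warnings a wallet could raise before signing a payment to dest."""
    if any(h.labeled for h in history if h.address == dest):
        return []   # saved contact: the full string was verified when it was labeled
    warnings = []
    # A partial match that is not an exact match is the poisoning signature.
    for h in history:
        if looks_alike(dest, h.address):
            warnings.append(f"{display_short(dest)} resembles "
                            f"{display_short(h.address)} but is not the same address")
    # An address known only from tiny unsolicited deposits should not be
    # trusted just because it appears in the transaction list.
    seen = [h for h in history if h.address == dest]
    if seen and all(h.direction == "in" and h.sats < dust_sats for h in seen):
        warnings.append("destination is known only from a dust deposit")
    return warnings

# VICTIM and POISON are the addresses quoted in the post; the history
# entries are constructed. VICTIM stands for an address the user has
# legitimately paid before, POISON for the attacker's lookalike.
VICTIM = "bc1qr9xkxanfstzqpfd5ce0t3evwc45pnmsr2wua0h"
POISON = "bc1qr9wuw4zkjflet80lr9cr5ec8620c4fg52wua0h"
HISTORY = [
    HistoryEntry(VICTIM, "out", 10_000_000, labeled=True),
    HistoryEntry(POISON, "in", 600),   # the poisoning dust deposit
]
```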
Potential Future Research
If anyone is interested in extending this research, my scripts and data are available here. A few lines of investigation could be:
- Cluster analysis on the attacker funds to determine if it's one entity or multiple distinct entities.
- Searching for more complex poisoning transactions that aren't simply 1 input, 1 output.
- Further analysis of targeted wallets to try to fingerprint which wallet software they're using to see if there are any commonalities.
- UX research of different wallet software to see which wallets are more susceptible to poisoning attacks.