Beware when copying crypto addresses: Etherscan reports massive “poisoning” attacks on Ethereum

Etherscan warns about the industrialization of address poisoning on Ethereum, with a 612% increase in tiny cryptocurrency transfers following the implementation of Fusaka.

The Etherscan platform has issued an alert about the evolution and exponential growth of attacks address poisoning, known as "address poisoning", within the Ethereum network. 

According to data provided by their analysts, this attack vector, previously considered a sporadic or opportunistic activity, has escalated to become a industrialized and highly automated operationAnd this change in the scale of criminal operations represents a growing challenge to the security of blockchain users. 

The platform's report highlights that attackers are leveraging Ethereum's technical infrastructure to run massive and systematic campaigns. The reduction in operating costs following the network upgrade has facilitated this expansion. Analysts emphasize the need for increased vigilance from users when making transactions, given the volume of phishing attempts detected in transaction histories.

Address poisoning: the invisible trap that lurks for crypto users

Address poisoning is a deception technique that seeks contaminate the transaction history from a user with addresses that visually resemble legitimate addresses with which the user has previously interacted. This attack, which consists of sending minuscule amounts of a cryptocurrency—called “dust” or dust— to personal wallet addresses, allowing the user to track movement from those wallets and link multiple addresses to the same person or entity. The ultimate goal is usually mislead the userso that you can copy and paste the attacker's address into a future funds transfer.

According to Etherscan analysts, the process begins with the automatic monitoring of blockchain activity. When the attackers' systems detect a legitimate transaction, they automatically generate a "mirror direction" o "direction aspect" (lookalike address)This fake address is designed to imitate the first and last characters of the actual address involved in the original transaction. 

Since many digital wallet interfaces and block explorers abbreviate long addresses, showing only the beginning and end, the user may perceive the fake address as legitimate at first glance.

Once the mirror address is generated, the attacker executes a "powder transfer" o dust transferThis is essentially a zero-value transfer to the target address. This operation inserts the fake address directly into the user's transaction history. 

Etherscan notes that these transfers are often made with popular tokens, such as stablecoins, citing the case of a user who received over 89 alert notifications from Etherscan shortly after making only two legitimate stablecoin transfers. This case illustrates the speed and volume of these attacks. The attackers are looking to "plant" their fake addresses as quickly as possible, often within minutes of the legitimate transaction, to increase the likelihood that it is the last address copied by the user.

Fusaka multiplied dust attacks on Ethereum

Attackers poisoning addresses on Ethereum have taken their operations to an industrial scale. In its analysis, Etherscan covered activity from July 2022 to June 2024 and found 17 million attempts against 1,3 million unique usersAnd, according to the report, those attacks caused losses of at least $79,3 million.

The Etherscan report underscores that attackers do not select their targets randomly, but rather They prioritize addresses that have certain characteristics which makes them more profitable. Addresses that frequently make transfers, hold significant token balances, or are involved in high-value transfers receive a higher volume of poisoning attempts. Furthermore, analysts have observed direct competition between different groups of attackers. In many poisoning campaigns, multiple attackers send dust transfers to the same target address almost simultaneously. 

Etherscan document One case involved 13 different fraudulent transfers to the same address within a couple of minutes of a legitimate stablecoin transfer. This demonstrates that each attacker competes to be the first to insert their mirror address into the user's history, hoping the user will copy it.

According to analysts, the industrialization of this attack vector is based on clear economic factors. Although the success rate of an individual poisoning attempt is extremely low—estimated at approximately 0,01%, or 1 success per 10.000 transfers—the enormous scale of the operations guarantees profitability. A single successful execution that manages to divert a high-value transfer can cover the operating costs of thousands of failed attempts. For example, in December 2025, a victim suffered a loss of $50 million due to an address poisoning attack.

Furthermore, a key factor that has recently driven this industrialization has been the Fusaka updateActivated on December 3, 2025, this scalability improvement introduced significant reductions in transaction costs on Ethereum. While this benefits legitimate users and developers, it also reduces the cost of each poisoning transferThis allowed attackers to send a much higher volume of attempts. Etherscan observed a notable increase in network activity after the upgrade: in the 90 days that followed, Ethereum processed an average of 30% more daily transactions, and the creation of new addresses increased by an average of 78% per day.

This increase in overall economic activity was also specifically reflected in powder transfers, which are the primary vehicle for these attacks. address poisoningThe platform analyzed activity for several major assets in the 90 days before and after Fusaka. For stablecoins like USDT, USDC, and DAI, transfers below $0,01 were considered; for ETH, below 0,00001 ETH. The data reveals massive increases: USDT dust transfers jumped from 4,2 million to 29,9 million, a 612% increase. For USDC, they rose from 2,6 million to 14,9 million, a 473% increase. DAI saw a 470% surge, jumping from 142.405 to 811.029 dust transfers during the analyzed period. 

In the case of ETH, the increase was 62%, from 104,5 million to 169,7 million. Data analysis shows a clear spike in dust transfer activity shortly after the Fusaka upgrade, which has remained at high levels to this day.

How to avoid falling victim to poisoning attacks? Check before sending

Given the rise and industrialization of address poisoning attacks, Etherscan emphasizes the importance of adopting rigorous and consistent security practices. The most fundamental and effective rule for protection is... thorough verification before making any shipment of digital assets.

So, the main advice is clear. Please review the full destination address before confirming a transaction. This can make all the difference. It's not enough to simply look at the first and last characters, as attackers exploit this very habit to insert addresses that are almost identical in their entirety. Etherscan has also incorporated automatic warnings that alert you when copying potentially dangerous addresses. These warnings usually appear when an account has issued small transfers, counterfeit tokens, or assets associated with known scams. These are signs that should prompt the user to stop and verify directly with the original source.

Another recommended practice is create a private list of trusted addresses within the wallet or in tools that allow it. This measure helps to more easily recognize regular contacts and avoids confusing a legitimate address with a nearly identical one. It is also useful Use domain names linked to the Ethereum Name Service, as they facilitate reading and reduce the margin of error when sending funds.

Analysts point out that blockchain transactions are final. Once the transaction is complete, There is no possibility of reversal or recovery mechanismsIn this scenario, constant verification becomes the best defense. Taking a few seconds to check can be the difference between preserving capital and losing it to an automated attack.