Most cryptocurrency users believe their funds are safe if their private keys remain protected. However, a sophisticated scam known as address poisoning is proving this assumption wrong, stealing assets without ever touching a private key.
This tactic exploits user behavior, not cryptographic vulnerabilities. Attackers create wallet addresses that closely resemble ones a victim frequently uses, often matching the first and last characters. They then send a small or zero-value transaction to the victim's wallet. When the victim later copies an address from their transaction history to send funds, they inadvertently select the malicious lookalike address. This has led to significant losses, including a reported $50 million in USDT in 2025 and 3.5 wBTC, valued at over $264,000, in early 2026.

The success of address poisoning stems from several factors. Crypto addresses are long and difficult to read, leading users to rely on truncated displays and copy-paste. Wallets often show only a partial address, making it easy for scammers to craft deceptive duplicates. Furthermore, blockchains are permissionless, allowing anyone to send tokens. Wallets typically display all incoming transactions, including spam, which attackers exploit to seed their malicious entries into a user's history.
Private keys control transaction authorization but cannot validate the destination address. The scam relies on human error, routine habits, and the cognitive strain of verifying complex transaction details. Features like easy copy buttons, while convenient, become risky when paired with subtle address manipulations.

To stay safer, users should verify full addresses character by character, use a trusted address book or whitelist, and avoid copying addresses directly from recent transaction history. Wallet developers are urged to implement safeguards like similarity detection for recipient addresses and filtering low-value spam transactions.
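
One way a wallet could implement the similarity check described above, as an added example (not code from this article or from any wallet project). It assumes hex-style addresses and a truncated display of four characters at each end; the names `check_recipient`, `ADDRESS_BOOK` and `LOOKALIKE` are hypothetical, and the sample addresses are constructed.

```python
"""Flag recipient addresses that imitate a trusted one (added example)."""

PREFIX_LEN = 4  # assumption: hex chars shown after "0x" in a truncated display
SUFFIX_LEN = 4  # assumption: hex chars shown at the end of a truncated display

# Constructed sample data, not real wallet addresses.
ADDRESS_BOOK = {"exchange-deposit": "0xA1b2c3d4e5f60718293a4b5c6d7e8f9012349f3C"}
LOOKALIKE = "0xa1b200112233445566778899aabbccddeeff9f3c"


def normalize(addr: str) -> str:
    """Lowercase and drop the 0x prefix so checksum casing cannot hide a match."""
    addr = addr.strip().lower()
    return addr[2:] if addr.startswith("0x") else addr


def check_recipient(recipient: str, address_book: dict) -> dict:
    """Classify a recipient as 'trusted', 'lookalike' or 'unknown'.

    'lookalike' means: not in the address book, but the visible prefix and
    suffix equal those of a trusted entry. 'diff' counts differing characters.
    """
    target = normalize(recipient)
    # Pass 1: an exact match against any trusted entry wins outright.
    for label, trusted in address_book.items():
        if normalize(trusted) == target:
            return {"status": "trusted", "label": label, "diff": 0}
    # Pass 2: same length and same visible ends, but a different middle.
    for label, trusted in address_book.items():
        known = normalize(trusted)
        if len(known) != len(target):
            continue
        same_ends = (known[:PREFIX_LEN] == target[:PREFIX_LEN]
                     and known[-SUFFIX_LEN:] == target[-SUFFIX_LEN:])
        if same_ends:
            diff = sum(a != b for a, b in zip(known, target))
            return {"status": "lookalike", "label": label, "diff": diff}
    return {"status": "unknown", "label": None, "diff": None}


if __name__ == "__main__":
    for addr in (ADDRESS_BOOK["exchange-deposit"], LOOKALIKE, "0x" + "f" * 40):
        print(addr, check_recipient(addr, ADDRESS_BOOK))
```

A wallet would block or require explicit confirmation on `lookalike`, and could run the same comparison over incoming transfers to hide poisoned entries from the history view.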