What Is Address Poisoning and How to Avoid It in 2026


In 2024, a single address poisoning attack stole roughly $71 million in WBTC from one wallet. The victim avoided the obvious traps: no malicious link, no seed phrase leak. They copied an address from their transaction history, the way most people do, and sent the funds to a hacker's address. That's what makes this attack different. It doesn't require any technical error on the victim's part. It exploits habit.

 

Address poisoning attacks in crypto exploit public transaction history, lookalike addresses, and the tendency to copy from history. This article explains how the attack works at a mechanical level, who's most at risk, and what you can do, starting today, to make sure you're not the next victim. To avoid address poisoning, never copy from transaction history; use a saved address book, verify the full destination address, and send a small test transaction before moving large amounts.

How Address Poisoning Works

The attack has three distinct stages. Understanding each one is the fastest way to build immunity.

The Setup: Vanity Addresses

A vanity address is a standard blockchain address produced by generating keys over and over until the resulting address starts with a specific prefix. The generation process is purely cosmetic: run a key-generation loop, derive the address, check if it matches the desired prefix, repeat until it does. The result looks almost identical to a real address at a glance.

 

Attackers use this to create a fake crypto address that matches the first and last several characters of an address you've already sent funds to. A real address might read 0xA3f9...7c82. The attacker's lookalike might read 0xA3f1...7c82. Spot the difference? Most people don't, especially when a wallet UI truncates the middle.

The Poison Transaction

Once the lookalike address exists, the attacker sends a zero-value transfer (or a dust amount worth fractions of a cent) from that fake address to your wallet. This is the zero-value transfer step of the attack. Transaction costs are almost negligible on most chains. It requires no interaction from you whatsoever.

 

The poisoned entry now sits in your transaction history, right next to the legitimate transfer you made earlier.

The Trap Closes

The next time you need to send funds to the same recipient, you open your transaction history and copy the address. You copied the wrong one. The funds go to the attacker.

 

This is what the transaction history attack relies on: your own habit of trusting your history as a shortcut. The attack requires zero technical sophistication from the victim, only habit.

 

Real-world scale: Multiple victims have lost $100,000 or more by copying from transaction history. In 2024, a single address poisoning attack stole roughly $71 million in WBTC from one wallet.

You Are at Higher Risk If

Not everyone faces equal exposure. Attackers specifically analyze on-chain behavior to identify high-value targets.

 

You're at higher risk if you regularly send to the same addresses. Predictable transfer patterns are exactly what attackers look for. They monitor on-chain activity, identify "frequently used destination addresses," and time the poisoning transaction to appear right after a legitimate transfer.

 

You're at higher risk if you use copy-paste from transaction history instead of a saved address book. This is the single most common way victims fall for the attack. The history tab looks trustworthy. It isn't.

 

You're at higher risk if you don't verify the full address before sending. Attackers craft lookalike addresses that match only the first and last characters. If you check six characters at each end and nothing else, you'll miss the substitution.

 

You're at higher risk if you use multiple wallets and frequently move funds between them. Multiple-wallet workflows mean more transaction history entries, more opportunities for a poisoned address to blend in, and more cognitive load during transfers. The common thread: crypto address spoofing works because it exploits the gap between what users check and what they assume they've checked.

How to Apply It: 5 Prevention Rules

These five rules, applied consistently, break the attack at every stage.

 

Rule 1: Never copy from transaction history.

Use your wallet's address book or contacts, not the history tab. The history tab shows you what addresses have appeared in your transaction record. That's not the same as showing you verified addresses. An attacker can inject a fake address into your history without your knowledge or consent. Your address book contains only what you deliberately saved.

 

Rule 2: Verify the FULL address.

Check every character, not just the first and last six. Use a block explorer to paste the destination address and confirm its transaction history matches the recipient you expect. Blockchain explorers provide a permanent, timestamped record of all activity tied to an address, enabling verification of a recipient before committing funds. Each blockchain has its own explorer, so confirm you're using the correct one for the network you're transacting on.

 

Rule 3: Send a test transaction first.

For large transfers, send $1 first. Confirm the recipient receives it. Then send the full amount. This adds one extra step and a few minutes. It's worth it. A confirmed blockchain transaction is final. If a transaction is still pending, replacement options may be available on some chains, but the safer practice is to verify the recipient address before the first confirmation lands.

 

Rule 4: Use an address book in your wallet.

Save verified addresses with labels. Once an address is in your address book and confirmed correct, use the label to select it. You're no longer copying from history; you're selecting from a verified list. Never retype or re-copy an address for a recipient you've already saved.

 

Rule 5: Check the source of any dust.

If you receive an unexpected micro-transaction, anything unsolicited and tiny, do not use that sending address for anything. Leave it alone. Never send funds back to it. The dust is the bait. Interacting with it completes the trap.
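
Rules 2, 4 and 5 expressed as checks (an added example, not code from Tangem or any wallet): a full-string comparison of a destination against a saved address book, and a scan of history for zero-value or dust transfers whose sender imitates a saved address. The addresses, the `Transfer` record, the dust threshold and the six-character window are constructed assumptions.

```python
from dataclasses import dataclass

# All addresses and transfers below are constructed sample data.
ADDRESS_BOOK = {"exchange-deposit": "0x52c4e1a09b7d3f6088aa41d2c9e07b15f3d6a9e4"}
MY_WALLET = "0x9d1f03b7c2a84e5566f0a1b2c3d4e5f60718293a"
LOOKALIKE = "0x52c4e17f3a90b2d4c6e8f0a1b3c5d7e9f1d6a9e4"  # same first/last six hex chars
UNRELATED = "0x1111111111111111111111111111111111111111"

@dataclass
class Transfer:  # hypothetical record shape for one history entry
    sender: str
    recipient: str
    value: float  # token units

def norm(addr: str) -> str:
    # Hex addresses compare case-insensitively; checksum casing varies by source.
    return addr.strip().lower()

def resembles(a: str, b: str, head: int = 8, tail: int = 6) -> bool:
    """Different addresses that agree on "0x" + six leading and six trailing chars."""
    a, b = norm(a), norm(b)
    return a != b and a[:head] == b[:head] and a[-tail:] == b[-tail:]

def classify_destination(dest: str, book: dict) -> str:
    """Compare the full destination string against the saved address book."""
    for label, saved in book.items():
        if norm(dest) == norm(saved):
            return f"verified:{label}"
    for label, saved in book.items():
        if resembles(dest, saved):
            return f"lookalike:{label}"
    return "unknown"

def poisoned_entries(history, me, book, dust=0.01):
    """Incoming zero-value or dust transfers whose sender imitates a saved address."""
    return [t for t in history
            if norm(t.recipient) == norm(me) and t.value <= dust
            and any(resembles(t.sender, saved) for saved in book.values())]

HISTORY = [
    Transfer(MY_WALLET, ADDRESS_BOOK["exchange-deposit"], 2500.0),  # legitimate send
    Transfer(LOOKALIKE, MY_WALLET, 0.0),   # poison entry
    Transfer(UNRELATED, MY_WALLET, 0.0),   # unsolicited dust, not a lookalike
]

if __name__ == "__main__":
    for dest in (ADDRESS_BOOK["exchange-deposit"], LOOKALIKE, UNRELATED):
        print(dest, classify_destination(dest, ADDRESS_BOOK))
    print("flagged:", poisoned_entries(HISTORY, MY_WALLET, ADDRESS_BOOK))
```

A `lookalike` result is the case to block outright: the destination passes a first-and-last-six check yet differs from the saved address in the middle.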

How Tangem Protects Against Address Poisoning

No wallet, including Tangem, can stop attackers from sending dust transactions on public blockchains. Anyone can send a zero-value transfer to any address. That's a protocol-level reality, not a product limitation. What Tangem can do is make it structurally harder to fall for the attack.

Tangem's Hardware Wallet Architecture Provides Multiple Layers of Protection

Address Verification on Every Transaction

Before any transaction is signed, the Tangem app displays the full destination address for visual confirmation. The physical card tap requirement adds a deliberate pause, a moment to verify, that software wallets don't force. In Tangem's transaction signing flow, the user initiates a transaction in the app, the app generates unsigned transaction data, the user taps the card, the secure element signs the transaction internally, and the app broadcasts the signed transaction. At no point does the private key come into contact with an internet-connected device. But the relevant protection here is less about key isolation and more about the mandatory human checkpoint before the tap.

 

Address Book Integration

Tangem's address book lets users save frequently used addresses with quick recipient selection. Once you save a verified address, you select it by label, not by copying from history. The verified address is always used, regardless of what appears in the transaction history tab. Tangem transaction sending also supports manual entry of recipient addresses and QR code scanning as alternatives to history-based copying.

 

Hardware-Enforced Confirmation

Even if a poisoned address somehow appeared in your workflow, the physical card tap is a final human checkpoint. You see the address in the app, you verify, you tap. No transaction executes without this physical confirmation. Tangem Mobile Wallet also includes long-press confirmation for transaction signing (added in v5.35) to prevent accidental taps.

 

One honest limitation: the app's UI serves as the verification layer. Reading the full address in the app before tapping is not optional. That step is the protection.

 

Using Tangem to Avoid Address Poisoning

  • Use the Tangem address book for all regular recipients.
  • Before tapping your card, read the full address shown in the app, every character.
  • If an address in your history doesn't match the one in your saved contact, stop and investigate before proceeding.

What to Do After Sending to a Poisoned Address

Speed matters here, but there's an important truth to accept first.

Confirmed Crypto Transactions Cannot Be Undone

Once confirmed, a blockchain transaction cannot be canceled. On Bitcoin, most services treat 3 to 6 confirmations as final, which takes roughly one hour at the standard 10-minute block time. On Ethereum, comparable confirmation counts can arrive in minutes, given the roughly 12-second block time. If your transaction is already confirmed, the funds are gone from a technical standpoint.

 

That said, there are steps worth taking.

 

Document the transaction hash immediately. A TXID is public, permanent, and unique to a single transfer on a specific chain. It records the transfer amount, sender, recipient, fees, and status without exposing your wallet access. Copy it from your wallet or block explorer and store it somewhere safe. Sharing a TXID is safe because it's public lookup data. Your private keys and seed phrase are what must be protected.

 

Report to your exchange if the destination was an exchange address. This is rare, since most attackers use non-custodial addresses, but if the receiving address is associated with a known exchange, contact that exchange's compliance or abuse team immediately with the transaction hash, timestamps, and any relevant account details.

 

File a report with your local cybercrime authority. In the US, that's the FBI's Internet Crime Complaint Center (IC3). In the UK, Action Fraud. These reports rarely result in direct fund recovery, but they contribute to investigation databases that help track larger campaigns.

 

The honest answer: recovery is extremely rare. Prevention is everything.

The Safer Habit: Verify Before You Tap

Address poisoning attacks don't require a sophisticated hacker or a careless victim. They require one moment of habit: copying from history instead of a verified source. The $71 million WBTC loss in 2024 happened that way. Multiple victims have lost $100,000 or more by copying from transaction history. The fix is behavioral and structural. Use an address book. Verify the full address before every transaction. Treat unsolicited dust as a warning, not a curiosity. Send a test transaction before moving large amounts.

 

Tangem's hardware wallet is built with these protections by design: an address book that removes history-copying from your workflow, a full-address display before every tap, and a physical confirmation step that forces a pause. It doesn't make the attack impossible at the protocol level, nothing does, but it removes the habits the attack depends on. If you want a wallet that structures your behavior around verification rather than assuming you'll remember to do it yourself, Tangem is built for exactly that. Order at tangem.com.

FAQ

  • Address poisoning is an attack where hackers send tiny or zero-value transactions from a wallet address that visually resembles one you've used before. The goal is to get that fake address into your transaction history, so you copy it by mistake the next time you send funds. The attack doesn't require access to your keys; it only requires your habit of copying from history.

  • Check your transaction history for small, unexpected incoming transactions, often $0 or dust amounts worth fractions of a cent, from an address that looks similar to one you've used. This is the poisoning step. You can also use a block explorer to paste any suspicious address and check whether its history consists almost entirely of these micro-transfers sent to multiple wallets. That pattern is a strong indicator of a poisoning campaign.

  • Tangem's address book, full-address display on every transaction, and physical tap confirmation create multiple checkpoints that reduce the risk of sending to a poisoned address. No wallet can stop attackers from sending dust transactions on public blockchains; that's a protocol-level fact. What Tangem's architecture does is force a deliberate human verification step before any transaction executes, and the address book removes the need to copy from history at all.

  • No. Phishing tricks you into revealing your private key or seed phrase, typically through a fake website, fake wallet app, or fraudulent support account. Address poisoning keeps your keys completely safe. It tricks you into sending funds to the wrong address on-chain. No key exposure is needed. The attack is entirely about manipulating which destination address you copy, not about compromising your wallet's credentials.

  • Use the correct explorer for the network you're checking. Bitcoin, Ethereum, Solana, BNB Smart Chain, and Polygon all have dedicated explorers commonly used for transaction checks.

  • Because it's a trusted shortcut. Most users assume their transaction history shows addresses they've verified. Attackers exploit that assumption by injecting a lookalike address into the history before you need to send again.

Reviewed by Patrick Dike-Ndulue

Senior editor covering crypto, onchain equities, and technology.