New Scam Targets Wallet Behavior
Jameson Lopp, co-founder and CSO of Bitcoin storage firm Casa, is warning the crypto community about a rise in “address poisoning” attacks — a social engineering scam that tricks users into sending funds to lookalike addresses.
The attacker sends a transaction from a wallet that mimics the first and last few characters of the user’s wallet history. If a user unknowingly copies the wrong address from their transaction history, they may end up sending funds to the attacker.
Thousands of Attacks Logged
Lopp’s analysis identified 48,000 suspected poisoning attempts on Bitcoin since 2023. These attacks are made possible by the current low-fee environment, allowing malicious actors to cheaply send thousands of deceptive transactions.
In one likely successful case, a victim sent 0.1 BTC to a fraudulent address, then another 0.1 BTC to what was likely the intended address hours later. The compromised address held 8 BTC at the time — making the potential loss much higher if the attacker had stolen more.
Not Limited to Bitcoin
Address poisoning has already affected other blockchains. In May 2024, an Ethereum user lost $71 million in a similar attack. Although the funds were eventually recovered, the incident highlights how widespread and serious this threat can be.
Solutions and Warnings
Lopp emphasized that wallet software should help mitigate these risks by alerting users when addresses closely resemble others in their history. “Wallets could throw up a red flag and say: ‘Do not interact,’” Lopp said during a presentation at MIT Bitcoin Expo.
The rise in these scams serves as another reminder that even experienced users can fall prey to low-tech but high-impact attacks — and that wallet security design plays a crucial role in safeguarding user funds.
