Laktawan at dumiretso sa pangunahing content

Address poisoning scams

What you need to know
  • Address poisoning is a scam where attackers send you a tiny transaction from an address that closely resembles one you've used before, hoping you'll copy it by mistake and send funds to them instead.
  • MetaMask now automatically detects when a destination address closely resembles a previously used one and shows a blocking warning before the transaction is sent.
  • If you're sending to a brand new address you've never interacted with, MetaMask will also alert you to this before you proceed.
  • Always verify the destination address carefully before sending — pay particular attention to the middle characters, not just the start and end.

Address poisoning is an attack vector that, in contrast to other scams — which often use methods that have served many scammers so well, such as unlimited token approvals, phishing for your Secret Recovery Phrase, etc. — relies on user carelessness and haste above all else.

On the one hand, this method is rather innocuous compared to other scam types. However, it can just as easily result in a loss of funds. Let's investigate how this scam is usually structured.

How does address poisoning work?

If you didn't know already, your wallet includes one or more accounts, each of which has its own cryptographically-generated address. These are long hexadecimal numbers, meaning they use both numerical and (a few) alphabetical characters. This is a trait that makes them unintelligible to most people, and — critically — very, very difficult to remember.

This is why, supported by most web3 software, you have most likely come to rely on copying and pasting addresses, rather than memorizing them and typing them out. This saves a lot of time and ensures, generally, you don't make any mistakes, and that your funds always go to the right address. MetaMask falls into this category of facilitating copy-and-paste: you can copy your address with one click/tap.

Address poisoning speculatively exploits this copy-and-paste tendency. Here's how:

  1. You send a regular, everyday, nothing-to-see-here transaction to a friend, or to another account you control.

  2. The scammer, who has software that monitors transfers of certain tokens (usually stablecoins), notices. They use a 'vanity' address generator (there are many accessible with a quick web search) to create an address that closely matches yours (sometimes, it'll match your friend's).

panganib

Since they're so long, crypto account addresses are typically shortened. You might see the first lot of characters only, or sometimes you may see the initial 5-10 or so and the final 5-10 or so, skipping the middle. This is how most people recognize addresses: not by knowing every single character, but by becoming familiar with the start and finish. This is the tendency that address poisoning preys on.



  1. The scammer sends you a transaction of negligible value from the dummy account they created — the 'vanity' address that mimics yours or that of your contact. Usually these are transfers of zero tokens. With this, they've poisoned that wallet. (Though, to be clear: this doesn't actually have any negative impacts in itself.)



  1. Since their dummy address looks so similar to yours, it's entirely possible that, the next time you need your address, you might inadvertently copy their address from your transaction history and paste it elsewhere. Naturally, if you paste their address by accident, you'll send funds to them and not yourself/the intended recipient. And since on-chain transactions like this are immutable (cannot be altered once confirmed), the lost funds will be irretrievable.


And that's it: all they're hoping for is that you copy the wrong address from your transaction history in your wallet.

How MetaMask protects you

MetaMask includes built-in detection for address poisoning attacks.

When you attempt to send funds, MetaMask compares the destination address against your transaction history. If the address you're sending to closely resembles one you've previously interacted with, for example if the first four and last four characters match but the middle characters differ, MetaMask will display a blocking warning before the transaction is submitted, giving you the opportunity to verify the address before proceeding.

In addition, if you're sending to an address you have never interacted with before, MetaMask will show a warning to alert you to this. This doesn't mean the address is malicious, but it's a prompt to double-check before sending.

These protections are designed to catch the moment of risk, when you're about to send, rather than relying solely on your own vigilance.

How can I protect myself?

There's no way of stopping scammers from sending transactions to your address — these are public blockchains. What matters is not copying the wrong address when you send. Here's what we recommend:

  • Always verify the destination address before you send, especially for high-value transactions. Pay close attention to the middle characters, not just the start and end — those are the ones a poisoned address is designed to disguise.
  • Avoid copying addresses from your transaction history. If you do, treat it with the same scrutiny as any other unknown source. This applies both to other people's addresses and to your own (e.g. when moving funds from a centralized exchange to MetaMask).
  • Add frequently used addresses to your address book. In MetaMask, go to the menu and select 'Contacts'. Addresses saved here are ones you've verified, so you won't need to copy from history.
  • Use a hardware wallet. Most hardware wallets require you to confirm the destination address on the device itself before a transaction goes through, adding another checkpoint.

If you have any questions about this subject, feel free to head to the MetaMask Community or get in touch with Support via the 'Contact Support' button on the homepage of this site.

Was this helpful?