Social engineering attacks steal Bitcoin without any hacking — they manipulate people into revealing seed phrases, sending funds, or compromising accounts. This guide covers every major attack type and the rules that protect against them.
Address poisoning is one of the more devious Bitcoin attacks because it exploits human psychology and normal user behavior rather than technical vulnerabilities. Attackers have stolen millions of dollars from Bitcoin users who simply copied the wrong address from their transaction history.
This guide explains exactly how address poisoning works, how to identify poisoned transactions, and the straightforward steps that prevent this attack.
What Is a Bitcoin Address Poisoning Attack?
Address poisoning (also called address spoofing or dust attacks in their early form) works by exploiting how users find addresses to send to.
Many Bitcoin users, when they need to send to a familiar address (like a personal wallet they regularly fund, or an exchange deposit address), do one of the following:
- Copy the address from their transaction history
- Copy from a saved note or contact
- Scan a QR code
Address poisoning targets the first behavior — copying from transaction history.
The attack flow:
- Attacker monitors the blockchain for your wallet address (all transactions are public)
- Attacker sends a tiny amount of Bitcoin (dust — a few satoshis) from an address that looks visually similar to one of your frequently used addresses
- This dust transaction now appears in your wallet's transaction history
- You need to send Bitcoin — you look at your transaction history, find what looks like "your" familiar address, and copy it
- You actually copied the attacker's address (which looks nearly identical)
- You send Bitcoin to the attacker
The attack works because Bitcoin addresses are long (34+ characters) and users typically verify only the first few and last few characters. Attackers generate addresses that match the beginning and end of the address you intend to pay, but differ in the middle.
Example: How Similar Addresses Look
Your real deposit address:
bc1q4jkjh7...n83ks2
Attacker's spoofed address:
bc1q4jkjh8...n83ks2
At a glance — especially in a truncated display — these look identical. The difference is one character near the beginning: h7 vs h8. Wallets often display truncated addresses like bc1q4jkjh...n83ks2 — hiding the differing characters entirely.
Attackers use address generation tools (vanitygen, etc.) to brute-force addresses with matching prefixes and suffixes. With GPU power, generating an address matching 6-8 characters at each end is feasible.
Real-World Incidents
Address poisoning has stolen significant amounts:
- A trader lost $1.2 million in May 2024 after copying a spoofed USDT address from their transaction history
- Multiple Ethereum address poisoning attacks have stolen $10M+ total
- Bitcoin address poisoning has similarly claimed numerous victims
The attack scaled significantly in 2023-2024 as attackers developed automated tools to systematically poison thousands of active wallets simultaneously.
How to Identify Poisoned Transactions
In your wallet, look for:
- Transactions sending or receiving tiny amounts: A dust transaction of 547-1000 satoshis (about $0.50) from an unfamiliar address that looks like one of your familiar addresses is a poisoning attempt.
- Addresses you do not recognize sending small amounts: You did not initiate the transaction, but Bitcoin arrived.
- New "contacts" in history from addresses similar to your own: The attacker's address will appear as a transaction partner.
Most poisoning attempts can be identified by the tiny amount (dust). No legitimate sender sends exactly 546 satoshis — that is the minimum non-dust amount and the typical poisoning amount.
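The checks in this section can be automated over an exported transaction history. The following is an added example, not part of the original guide or of any wallet's code; the record fields (txid, direction, counterparty, sats), the thresholds, and the address-shaped strings are assumptions constructed for illustration.

```python
DUST_MAX_SATS = 1000        # assumption: top of the dust range cited above
MIN_HEAD, MIN_TAIL = 6, 4   # assumption: characters a user typically eyeballs

def common_prefix_len(a: str, b: str) -> int:
    n = 0
    while n < min(len(a), len(b)) and a[n] == b[n]:
        n += 1
    return n

def imitates(candidate: str, trusted: set):
    """Return the trusted address that `candidate` visually imitates, else None."""
    if candidate in trusted:
        return None                       # the genuine address itself
    for real in sorted(trusted):
        head = common_prefix_len(candidate, real)
        tail = common_prefix_len(candidate[::-1], real[::-1])
        if head >= MIN_HEAD and tail >= MIN_TAIL:
            return real                   # same ends, different middle
    return None

def scan_history(history: list, trusted: set) -> list:
    """Flag incoming transactions that are dust, lookalikes, or both."""
    findings = []
    for tx in history:
        if tx["direction"] != "in":
            continue                      # poisoning arrives as unsolicited funds
        addr = tx["counterparty"]
        real = imitates(addr, trusted)
        reasons = (["lookalike"] if real else []) + (
            ["dust"] if tx["sats"] <= DUST_MAX_SATS else [])
        if reasons:
            findings.append({
                "txid": tx["txid"], "imitates": real, "reasons": reasons,
                # index of the first character that differs from the real address
                "first_diff": common_prefix_len(addr, real) if real else None,
            })
    return findings

# Constructed strings shaped like addresses; they are not valid Bitcoin addresses.
REAL = "bc1qk7m2x9p" + "a" * 20 + "f4w8zn"
FAKE = "bc1qk7m2x9p" + "z" * 20 + "f4w8zn"
OTHER = "bc1q" + "y" * 30 + "m3k2lp"
HISTORY = [  # constructed wallet history
    {"txid": "tx-a", "direction": "out", "counterparty": REAL, "sats": 250_000},
    {"txid": "tx-b", "direction": "in", "counterparty": FAKE, "sats": 546},
    {"txid": "tx-c", "direction": "in", "counterparty": OTHER, "sats": 80_000},
    {"txid": "tx-d", "direction": "in", "counterparty": OTHER, "sats": 600},
]
FINDINGS = scan_history(HISTORY, {REAL})  # tx-b: lookalike + dust, tx-d: dust only
```

The trusted set should come from an address book you verified in full, never from the history being scanned.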
Prevention: The Only Protection Is Verification
Rule 1: Never Copy Addresses from Transaction History
If you want to send to a regular address (your own wallet, your favorite exchange), do not use transaction history as your address book. Use:
- The source directly: Log into the exchange, generate a fresh deposit address from their interface
- Your saved address book: Hardware wallets and some software wallets have address books that verify addresses
- Scan a QR code from the source: Generate the QR fresh from the recipient, do not re-scan old QR codes
Rule 2: Verify the Full Address Character by Character
When you must use an address from history, verify the ENTIRE address — not just the first 6 and last 6 characters. Compare character by character against a trusted source.
Many wallets display truncated addresses. Force display of the full address and verify it completely.
Rule 3: Use Address Book Features
Hardware wallets like Coldcard support address book features where frequently used addresses are verified and saved. Address book entries can be displayed on the hardware wallet's screen for verification.
Some software wallets (Sparrow, Bitcoin Core) support labeled addresses that remain constant and do not require copying from history.
Rule 4: Verify on Hardware Wallet Screen
When sending with a hardware wallet, always verify the destination address on the hardware wallet's own screen — not just in the software wallet interface on your computer. If your computer is compromised (malware that swaps clipboard addresses), the hardware wallet's screen shows the actual address your keys are signing for.
Rule 5: Send a Test Amount First
For large transactions to unfamiliar addresses or addresses you have not used recently: send a small test amount first. Verify it arrives at the correct destination before sending the full amount. This adds a little friction, but it keeps a mistake recoverable.
Rule 6: Mark Dust Transactions as "Do Not Spend"
In wallets with coin control (Sparrow, Bitcoin Core), you can mark suspicious dust UTXOs as "do not spend." This prevents accidentally including the dust in future transactions where its origin might confuse you.
Clipboard Hijacking: A Related Attack
Address poisoning is distinct from clipboard hijacking, though both steal by getting you to send to the wrong address.
Clipboard hijacking: Malware on your computer monitors your clipboard. When it detects a Bitcoin address is copied, it replaces it with the attacker's address. You paste what you think is the right address but actually paste the attacker's address.
Defense against clipboard hijacking: Always verify the pasted address against a trusted source. Never rely solely on paste — visually confirm the address after pasting. Use hardware wallet verification to confirm what address is actually being signed.
Frequently Asked Questions
Can I get my Bitcoin back if I send to a poisoned address?
No. Bitcoin transactions are irreversible. Once confirmed, there is no mechanism to recover sent Bitcoin from an attacker's address.
How do attackers generate addresses that match mine?
Using vanitygen or similar tools, attackers can brute-force addresses matching specific prefixes and suffixes. Matching 6-8 characters on each end is computationally feasible with modern GPUs. Full address matching is not — that is why they only match the visible parts.
Does hardware wallet verification protect against address poisoning?
Yes, if you verify the full address on the hardware wallet's screen. The hardware wallet shows the actual address your keys will sign, regardless of what your computer's software displays. If you are poisoned (sending to a wrong address), the hardware wallet's screen shows the wrong address — you catch it if you check carefully.
Should I be worried about dust in my wallet?
Dust sent to your wallet does not harm you directly — you lose nothing by receiving it. The danger is if you later copy the sending address thinking it's familiar. Mark received dust UTXOs as "do not spend" in wallets with coin control.