Direct answers to the most common questions about address poisoning, clipboard hijacking, and how to verify a crypto address before you send.
Address poisoning is an attack where a scammer sends a zero-value transaction from an address that visually resembles one of your trusted contacts — same first and last characters, different middle. The fake address appears in your transaction history. When you copy an address from history to reuse it, you may copy the fake one and send funds to the attacker.
Clipboard hijacking is a malware technique where software on your computer monitors your clipboard and silently replaces any crypto address you copy with an attacker's address — before you paste. The replacement is invisible. The hijacked address is the same length and format as a real address.
Address poisoning manipulates your transaction history — the attacker plants a lookalike address so you copy the wrong one yourself. Clipboard hijacking uses malware to replace the correct address you copied with a malicious one. Both attacks result in you pasting the wrong address. Both exploit the exact same window: the moment between copy and paste.
Attackers use vanity address generators — tools that brute-force millions of addresses per second until they find one matching a target prefix and suffix. For EVM addresses, matching the first 6 and last 4 characters typically takes minutes on a GPU. This is why checking only the start and end of an address is not enough protection.
In January 2026 alone, there were 3.4 million address poisoning attempts on Ethereum and $300 million lost to phishing. Browser-based clipboard attacks drained an estimated $713 million in 2025. These attacks scale with no marginal cost to attackers — generating 10,000 poisoning transactions costs pennies in gas on cheap L2s.
To verify a crypto address before sending: (1) Compare every character, not just the first and last few. (2) Check it against a scam blocklist. (3) Verify it against your own history — if it appeared as an unsolicited incoming transaction with no value, it may be a poisoning attempt. (4) Use a tool like Zafu that automates all these checks at paste time, before the address reaches your wallet.
No. Address poisoning attacks specifically exploit this habit. Attackers generate addresses that share the same first 6 and last 4 characters as your trusted contacts using vanity address tools. The only safe approach is to compare the full address character-by-character, or use a tool that does it automatically.
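A full-length comparison against a trusted contact list, which also flags addresses that match only at the ends, is shown below as an added example (not Zafu's code). The function names, the contact list shape, and the sample addresses are constructed for illustration, and the 6 and 4 characters are assumed to be counted after the `0x` prefix.

```javascript
// Added example (not Zafu's code). Assumption: the "first 6 / last 4"
// characters are counted on the 40 hex digits after the 0x prefix.
const PREFIX_LEN = 6;
const SUFFIX_LEN = 4;

// Constructed sample addresses, not real accounts.
const SAMPLE_CONTACTS = [
  { label: "Cold storage", address: "0xA1B2C3" + "1".repeat(30) + "9F8E" },
];
const SAMPLE_LOOKALIKE = "0xa1b2c3" + "7".repeat(30) + "9f8e";

// Return the 40 hex digits in lowercase, or null if not an EVM address.
function normalizeEvm(addr) {
  const m = /^0x([0-9a-fA-F]{40})$/.exec(String(addr).trim());
  return m ? m[1].toLowerCase() : null;
}

// Classify a pasted address against trusted contacts.
// verdict: "invalid" | "trusted" | "lookalike" | "unknown"
function checkPastedAddress(pasted, contacts) {
  const p = normalizeEvm(pasted);
  if (p === null) return { verdict: "invalid" };
  let hit = null;
  for (const c of contacts) {
    const t = normalizeEvm(c.address);
    if (t === null) continue;
    // Full-length equality is the only thing that counts as a match.
    if (t === p) return { verdict: "trusted", label: c.label };
    const sameEnds =
      t.slice(0, PREFIX_LEN) === p.slice(0, PREFIX_LEN) &&
      t.slice(-SUFFIX_LEN) === p.slice(-SUFFIX_LEN);
    if (sameEnds && hit === null) {
      // Same ends but a different middle: count the differing positions.
      let differing = 0;
      for (let i = 0; i < t.length; i++) if (t[i] !== p[i]) differing++;
      hit = { verdict: "lookalike", imitates: c.label, differing };
    }
  }
  return hit || { verdict: "unknown" };
}

console.log(checkPastedAddress(SAMPLE_LOOKALIKE, SAMPLE_CONTACTS));
```

A "lookalike" verdict means the pasted value would pass a glance at its first and last characters while differing from the contact everywhere the eye skips.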
A hardware wallet prompts you to verify the destination address on the physical device screen. This can protect against clipboard hijacking if you carefully read the full address on-device. However, it does not protect against address poisoning — if you already copied the wrong address from your history, you would see the poisoned address on the device screen and likely confirm it.
No. Cryptocurrency transactions are irreversible. Once confirmed on-chain, funds cannot be recovered without the recipient's cooperation. This is why prevention — catching the wrong address before you send — is the only effective protection.
Zafu is a free Chrome extension that intercepts crypto-address pastes on wallet and exchange pages before the address reaches the input field. It runs a 9-step detection pipeline that includes clipboard hijacking detection, a check against your address history, a curated malicious blocklist, community-reported addresses, and GoPlus real-time threat data. It never touches your wallet, private keys, or signing process.
Zafu works with any web-based wallet or exchange — MetaMask, Rabby, Phantom, Coinbase Wallet, Binance, Kraken, Uniswap, Aave, and hundreds more. Zafu operates at the browser level, intercepting paste events regardless of which wallet or dApp you use. It does not require wallet integration or any special permissions from your wallet.
Zafu sends pasted EVM addresses to GoPlus for real-time threat checks, public wallet addresses to Etherscan or Solscan only when you fetch history, and suspected attacker addresses to Zafu community signals if you report them or opt in to automatic threat signals. Labels, notes, trusted contacts, private keys, seed phrases, and wallet credentials stay on your device.
When Zafu users report a suspected attacker address, the report is added to a community signal pool. Once an address accumulates enough independent signal weight, Zafu can warn other users. Community-reported means high risk; team-reviewed or trusted external confirmation is required before stronger "confirmed malicious" language is used. Read the Community Signals methodology for the current label states.
The Chrome extension source is public and auditable at github.com/jimozo/zafu. Zafu's private operating repo also contains website, backend, launch, and automation work that is not part of the public extension release. No bundler, no CDN scripts, no npm dependencies in the extension — the release source is readable. Zafu also ships a verifiable install fingerprint you can compare in Settings to confirm your install matches the published release.
Yes. Zafu detects clipboard hijacking, address poisoning, and scam addresses for both EVM addresses (Ethereum, Arbitrum, Base, Polygon, and all EVM-compatible chains) and Solana addresses (including system program impersonation detection). ENS name resolution is also supported for EVM.