How Address Poisoning Works — And Why It's So Hard to Spot
Attackers don't need to hack your wallet. They don't need your seed phrase. They just need you to copy from your own transaction history. Address poisoning exploits one of the most human behaviors in crypto: trusting addresses you've seen before.
What is address poisoning?
Address poisoning is an attack where a bad actor sends a zero-value transaction to your wallet from an address that looks nearly identical to one of your trusted contacts or recent recipients. The goal is to contaminate your transaction history so that next time you go to send, you copy the fake address instead of the real one.
The attacker doesn't need to interact with your wallet software. They don't need an exploit. They just need to know your wallet address — which is public on-chain — and generate a lookalike address.
How attackers build a fake address
Ethereum addresses are 42 characters long (including the 0x prefix). Most users check only the first 6 and last 4 characters when scanning — partly because wallets display addresses in truncated form, and partly because reading 40 hex characters is inhuman.
Attackers exploit this. They use vanity address generators to brute-force addresses that match the first 6–8 and last 4–6 characters of a target address. The middle 24–28 characters are completely different, but nobody looks there.
Put the real address and the poisoned one side by side and the pattern is clear: same start, same end, a different middle that most UI displays hide. A user glancing at the first 6 and last 4 characters thinks they're looking at the real address. The attacker only needs to match what you actually read.
The attack sequence, step by step
- Reconnaissance. Attacker scans the blockchain for wallets with active transaction history to a specific exchange or contact address. These are public. No hacking required.
- Vanity generation. Attacker runs a vanity address generator to produce an address that shares the same first N and last M characters as the victim's frequent recipient. Modern GPUs can generate millions of candidate addresses per second.
- Zero-value poisoning transaction. Attacker sends a $0 transfer (or a token transfer worth fractions of a cent) from the fake address to the victim's wallet. This transaction appears in the victim's history.
- Victim copies from history. Next time the victim wants to send to their trusted contact, they scroll through recent transactions, recognize the "familiar" address, and copy it. They're copying the fake.
- Funds sent to attacker. The victim pastes, confirms, and sends. By the time they notice, the transaction is irreversible.
Clipboard hijacking: the other half of the threat
Address poisoning is a social engineering attack. Clipboard hijacking is a malware attack. They're often conflated, but they're distinct.
Clipboard hijacking malware monitors your system clipboard and replaces any crypto address you copy with an attacker-controlled address — silently, in the milliseconds between you pressing Ctrl+C and Ctrl+V. You copy the right address. You paste a different one.
The attack is invisible. The malware doesn't announce itself. Your clipboard looks normal when you inspect it — the substitution happens at paste time, not at copy time. Some variants even restore the original address after the paste to avoid detection.
Why existing tools don't help
Your wallet doesn't check the clipboard
MetaMask, Rabby, Coinbase Wallet — none of them compare what you copied against what you pasted. By the time the address reaches the wallet's input field, the attack has already succeeded. The wallet sees a valid Ethereum address and has no reason to flag it.
Truncated address displays
Most wallet interfaces display 0x71C7...a0f1 — first 6, last 4. This is exactly the format that makes poisoned addresses indistinguishable from real ones. The differing middle is hidden.
Transaction history is trusted by default
When you scroll your transaction history and see an address you've "dealt with before," your threat model doesn't include "this might be a planted fake." Your own history feels safe. That's the exploit.
How Zafu stops it
Zafu runs a nine-state detection pipeline on every crypto-address paste into a crypto interface, operating between copy and paste — the exact window both attacks exploit.
For clipboard hijacking
- Zafu stores the last address you copied (in chrome.storage.session, tab-scoped).
- When you paste, it compares the pasted address against the stored copy.
- If they don't match, it fires a HIJACKED warning before the address reaches any input field.
For address poisoning
Zafu builds a local trusted address index from your Etherscan transaction history — a map of addresses you've actually sent value to. When you paste, it checks the pasted address against this index using two criteria:
- Prefix/suffix match: Shared first 6 + last 6 characters with a trusted address
- Hamming distance: Differs in ≤ 2 positions from a trusted address (catches single-character swaps)
A match triggers a POISONED warning with a segmented visual diff showing exactly which 4-character chunks differ between the pasted address and your real trusted address. The full address is shown — all 40 hex characters — making it possible to actually verify.
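As an added illustration of the two checks described above (the copy-versus-paste comparison for hijacking and the trusted-index match for poisoning), here is a plain JavaScript version; it is not Zafu's own code, the function names are mine, and every address in it is a constructed sample:

```javascript
// Added example, not Zafu's code: the two paste-time checks described above,
// written as plain functions. All addresses below are constructed samples.
const HEX40 = /^0x[0-9a-fA-F]{40}$/;

function norm(addr) {
  if (!HEX40.test(addr)) throw new Error("not a 40-hex Ethereum address: " + addr);
  return addr.toLowerCase();
}

// Hamming distance over the 40 hex digits (the 0x prefix is skipped).
function hamming(a, b) {
  let d = 0;
  for (let i = 2; i < 42; i++) if (a[i] !== b[i]) d++;
  return d;
}

// 4-character chunks of both addresses, flagging the ones that differ, so a
// warning can show the whole address instead of a truncated 0x71C7...a0f1.
function segmentDiff(pasted, trusted) {
  const chunks = [];
  for (let i = 2; i < 42; i += 4) {
    const p = pasted.slice(i, i + 4), t = trusted.slice(i, i + 4);
    chunks.push({ pasted: p, trusted: t, differs: p !== t });
  }
  return chunks;
}

// stored: last address copied in this tab (null if none); pasted: what landed
// in the input field; trusted: addresses the user has actually sent value to.
function checkPaste(stored, pasted, trusted) {
  const p = norm(pasted);
  if (stored !== null && norm(stored) !== p) {
    return { verdict: "HIJACKED", expected: norm(stored) }; // clipboard was swapped
  }
  const index = trusted.map(norm);
  if (index.includes(p)) return { verdict: "OK" };
  for (const t of index) {
    const edge = p.slice(0, 6) === t.slice(0, 6) && p.slice(-6) === t.slice(-6);
    if (edge || hamming(p, t) <= 2) {
      return { verdict: "POISONED", trusted: t, diff: segmentDiff(p, t) };
    }
  }
  return { verdict: "UNKNOWN" }; // first send to this address: verify it elsewhere
}

// Constructed sample addresses (not real accounts).
const TRUSTED  = "0x71c711112222333344445555666677778888a0f1";
const POISONED = "0x71c7deadbeefcafef00dba5eba11c0ded088a0f1"; // same 0x71c7 ... 88a0f1
const NEAR     = "0x7ac711112222333344445555666677778888a0f1"; // one hex digit changed
const OTHER    = "0x" + "9".repeat(40);
```

Against these samples, `checkPaste(null, POISONED, [TRUSTED])` reports POISONED with 8 of the 10 chunks marked as differing, while `checkPaste(TRUSTED, OTHER, [TRUSTED])` reports HIJACKED.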
What you can do right now
- Always verify the full address. Not just first 6 and last 4. Every character. Use a tool that shows the full address in readable segments, not truncated.
- Verify before first send. The first time you send to any address, check it on Etherscan. Zero-value inbound transactions from unknown addresses are a red flag.
- Check your browser extensions. Malicious extensions are the primary clipboard hijacking vector. Remove anything you installed but don't actively use. Disable extensions on financial sites.
- Use paste-time protection. Zafu catches both attack types automatically at paste time, before any wallet or exchange sees the address.
Protect your next paste
Zafu runs the detection in the background. Free, no wallet access, public extension source.