Why does Address Poisoning matter for Bitcoin security?

Address poisoning exploits the human tendency to copy addresses from transaction history rather than from the original source. A moment of carelessness can send bitcoin to an attacker's address with no possibility of reversal. Always verify addresses from the original source, never from transaction history.

Privacy

Address Poisoning

Address poisoning is an attack where an adversary sends tiny transactions to your wallet from addresses that closely resemble your own or your intended recipient's address. When you later copy an address from your transaction history, you may accidentally select the attacker's look-alike address instead.

How It Works

The attacker monitors the blockchain for your transactions and identifies addresses you frequently interact with. They then generate vanity addresses that match the first and last several characters of those addresses. Bitcoin addresses are long and complex, so most people verify only the first few and last few characters. The attacker sends a tiny amount (dust) to your wallet from their look-alike address, which then appears in your transaction history.

The trap is sprung when you later want to send bitcoin and, instead of getting the address fresh from the recipient, you scroll through your transaction history and copy what appears to be a familiar address. If you grab the attacker's poisoned address instead of the legitimate one, your funds go to the attacker. On networks without Bitcoin's UTXO model, this attack is even more prevalent, but it remains a real threat for Bitcoin users who rely on transaction history for addresses.

Defense is straightforward but requires discipline. Never copy addresses from your transaction history. Always get the current address directly from the intended recipient. Verify the complete address, not just the first and last characters. Use address book features in your wallet software to save verified addresses. When sending significant amounts, send a small test transaction first and confirm receipt with the other party before sending the full amount. Hardware wallet verification of the full destination address provides another layer of protection against both address poisoning and clipboard malware.

Key Points

Attackers send dust from addresses that visually resemble your frequently-used addresses
Never copy addresses from transaction history — always get them fresh from the recipient
Verify the complete address character by character, not just the first and last few characters
Use your wallet's address book feature to save and reuse verified addresses safely
Send a small test transaction before large payments and confirm receipt with the other party