A Comprehensive Guide to Defending Against Address Poisoning Attacks

2026-01-12

Main Takeaways

  • Criminals conducting address poisoning attacks exploit the common habit of users copying addresses from transaction histories and the UI limitation of "shortened addresses."

  • Using vanity address generators, attackers create addresses that mimic the first and last few characters of victims’ frequent contacts; in the next step, they use fake tokens, zero-value transfers, or even small real amounts to bypass wallet filters and pollute your history.

  • Use a smart wallet such as Binance Wallet that filters spam and alerts on lookalike addresses, use an address book, and never rely solely on the first and last characters of an address when making a transaction.

The cryptocurrency ecosystem continues to face evolving security challenges. Among these, address poisoning attacks have become a serious threat, aiming to trick users into sending funds to malicious or incorrect addresses. For Binance, safeguarding your assets is a top priority. Read on to learn more about how these attacks unfold, how Binance Wallet proactively protects you from them, and which best practices will help you avoid falling for this type of malicious scheme.

Why It Works

Most Web3 users, or humans generally, don't memorize 42-character hexadecimal strings. Instead, they rely on visual shortcuts. Because of UI constraints in block explorers (like Etherscan) and wallet interfaces, addresses are often displayed in shortened form, such as 0x1234...abcd.

Attackers leverage this by using services called vanity address generators – tools that create custom wallet addresses with chosen starting and ending characters – to produce a malicious string that matches your legitimate recipient's prefix and suffix. Since generating addresses costs almost nothing, they can brute-force a match that looks identical to the untrained eye.

When you initiate a new transaction to a recipient that you know you have transacted with recently, you might look at your recent history, see an address that starts and ends correctly, and click "copy." At that moment, you’ve unknowingly copied the attacker's address.

How Attackers "Poison" Your History: 3 Common Methods

To get their malicious address into your transaction history, attackers rely on three primary techniques.

1. Fake Token Contracts (Event Spoofing)

Here, attackers deploy a non-standard token contract (e.g., a fake token named "U5DT"). These contracts are coded to trigger "Transfer" events that look like they came from your address to their malicious address.

They can even spoof the exact amount of your last legitimate transfer. If you just sent 1,000 USDT, they can make a record appear in your history showing you "sent" 1,000 U5DT to their poisoned address.

2. Zero-Amount Transfers

Some major token contracts (including certain versions of USDT) allow a "Transfer From" function with a zero amount without requiring a private key signature from the sender.

The attacker can initiate a 0 USDT transfer from your wallet to their vanity address. Because it is a "real" interaction on the USDT contract, it appears in your transaction history as a legitimate (though $0) entry, ready to be copied.

3. Small "Real" Value Transfers

To bypass modern wallets that have started filtering out 0-value transactions, attackers have begun "investing" in their attacks.

They can send a tiny amount of actual crypto (e.g., 0.01 USDT) to your wallet. Because this is a genuine transfer with value, it often bypasses spam filters and sits at the very top of your "Received" or "Recent" list.
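The three methods leave different traces in a transfer history, so a wallet-side filter can treat them separately. The sketch below is an added example, not Binance Wallet's code: the addresses, the token allowlist and the dust threshold are constructed assumptions, and the names (classify, mimics_known, visible_history) are hypothetical.

```python
from dataclasses import dataclass

# Constructed sample data: every address and threshold below is made up.
ME = "0x" + "aa" * 20
USDT = "0x" + "11" * 20                     # stands in for the genuine token contract
TRUSTED_TOKENS = {USDT}                     # assumed allowlist of token contracts
CONTACT = "0x1234" + "5" * 32 + "abcd"      # counterparty the user really pays
LOOKALIKE = "0x1234" + "9" * 32 + "abcd"    # same first/last characters, different middle
KNOWN = {CONTACT}
DUST_LIMIT = 1_000_000                      # assumed: 1 USDT in 6-decimal base units

@dataclass
class Transfer:
    token: str       # contract that emitted the Transfer event
    sender: str
    recipient: str
    amount: int      # base units

def shortened(addr: str) -> str:
    """The 0x1234...abcd form shown by wallets and explorers."""
    return addr[:6] + "..." + addr[-4:]

def mimics_known(addr: str) -> bool:
    """True if addr is not a known contact but displays exactly like one."""
    a = addr.lower()
    return a not in KNOWN and any(shortened(a) == shortened(k) for k in KNOWN)

def classify(t: Transfer) -> str:
    other = t.recipient if t.sender.lower() == ME else t.sender
    if t.token.lower() not in TRUSTED_TOKENS:
        return "hide: unrecognised token contract"
    if t.amount == 0:
        return "hide: zero-amount transfer"
    if t.amount < DUST_LIMIT and mimics_known(other):
        return "hide: dust from lookalike address"
    return "show"

HISTORY = [
    Transfer(USDT, ME, CONTACT, 1_000_000_000),                # genuine 1,000 USDT payment
    Transfer("0x" + "66" * 20, ME, LOOKALIKE, 1_000_000_000),  # event from a fake token
    Transfer(USDT, ME, LOOKALIKE, 0),                          # zero-amount transfer
    Transfer(USDT, LOOKALIKE, ME, 10_000),                     # 0.01 USDT of real value
    Transfer(USDT, "0x" + "77" * 20, ME, 500_000),             # small transfer, no lookalike
]

def visible_history() -> list:
    """Entries that are safe to show (and to copy addresses from)."""
    return [t for t in HISTORY if classify(t) == "show"]
```

Only the genuine payment and the unrelated small transfer remain visible; the small real-value transfer is hidden because its sender displays like a known contact, not merely because the amount is low.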

How to Protect Your Assets

While you cannot stop someone from sending you "dust" or spoofing a transaction to your address on-chain, you can control how you interact with that data.

1. Use a Security-First Wallet (e.g., Binance Wallet)

Your first line of defense is your wallet interface. Binance Wallet is designed to mitigate address poisoning risks by default:

  • Advanced Spam & Dust Filtering: Binance Wallet automatically identifies and suppresses records from malicious or non-standard contracts. Crucially, this includes a robust filtering system for zero-amount transfers and ultra-low-value "dust" transactions that are specifically crafted to poison your history. By ensuring your UI only displays meaningful and legitimate activity, we remove the threat at its source before you even have a chance to copy a malicious address.

  • Similarity Alerts: If you attempt to send funds to an address that looks suspiciously similar to a frequent contact but isn't an exact match, Binance Wallet will trigger a high-risk warning.

2. Leverage the Address Book Feature

Stop copying from transaction histories.

  • For any address you interact with more than once (exchanges, friends, or your own cold storage), save it to your wallet’s address book and give it a clear alias.

  • When sending, select the contact by name rather than copying a string of characters.

3. The "Middle Character" Rule

Never verify an address by just the first 4 and last 4 characters.

  • Check the first 4, the middle 4, and the last 4.

  • Attackers almost never match the middle of the string, because matching the entire 42-character string currently requires too much computational power to be practical.
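The similarity alert and the middle-character rule can both be expressed as a send-time check against the address book. This is an added example, not Binance Wallet's implementation; the address book entries are constructed and the function names (check_destination, fragments) are hypothetical.

```python
import re

ADDRESS_RE = re.compile(r"0x[0-9a-f]{40}")

# Constructed address book: aliases and addresses are made up.
ADDRESS_BOOK = {
    "cold-storage": "0x1234" + "5" * 32 + "abcd",
    "exchange-deposit": "0x9f00" + "c" * 32 + "77e1",
}

def fragments(addr: str) -> tuple:
    """First 4, middle 4 and last 4 hex characters after the 0x prefix."""
    body = addr[2:]
    return body[:4], body[18:22], body[-4:]

def check_destination(dest: str, n: int = 4) -> dict:
    """Compare a pasted destination against saved contacts before sending."""
    dest = dest.strip().lower()          # case-insensitive comparison
    if not ADDRESS_RE.fullmatch(dest):
        return {"verdict": "invalid"}    # e.g. a shortened 0x1234...abcd string
    # An exact match on all 40 hex characters is the only "ok" outcome.
    for alias, known in ADDRESS_BOOK.items():
        if dest == known:
            return {"verdict": "ok", "contact": alias}
    # Same first n and last n characters as a contact, but not identical.
    for alias, known in ADDRESS_BOOK.items():
        if dest[2:2 + n] == known[2:2 + n] and dest[-n:] == known[-n:]:
            return {
                "verdict": "high-risk lookalike",
                "contact": alias,
                "differing_chars": sum(a != b for a, b in zip(dest, known)),
                "middle_matches": fragments(dest)[1] == fragments(known)[1],
            }
    return {"verdict": "unknown"}
```

The check returns "ok" only on a full match, so a pasted address that merely displays like a contact is reported with the contact it imitates and how many characters actually differ.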

4. Perform a Test Transaction

For significant sums, always send a small "test" amount first. Verify the receipt on the other end, and only then proceed with the full amount using the exact same confirmed address.

Final Thoughts

In Web3, there’s no “undo” button, and attackers are betting you’ll trust a familiar-looking fragment instead of verifying the full destination. The good news is that address poisoning is a habit-driven attack, which means it’s also preventable: treat transaction history as untrusted, rely on an address book or verified contacts, and use a security-first wallet like Binance Wallet that filters spam and flags lookalike addresses. Slow down, confirm the full address (including the middle), and when the amount matters, send a test transfer first – because a few extra seconds of verification can save you from an irreversible loss.
