What Are Address Poisoning Attacks?

By Enos Mwangi
16 Min Read

Despite hacks and scams regularly hogging the spotlight for the bigger part of the past few years, overzealous fraudsters came up with a new method to steal money from crypto wallets.

Address poisoning attack is a new phishing attack that involves changing the Secret Recovery Phrase and then modifying the transaction history. The main difference between address poisoning and the usual scamming technique is that address poisoning strongly relies on the user’s carelessness.

How Address Poisoning Works

The leading Defi Crypto wallet provider MetaMask penned a long blog post warning crypto enthusiasts around the globe to double-check the crypto wallet addresses, which are made up of distinct alphanumeric strings, and spread the word about address poisoning to prevent money loss. The first step normally used during these address poisoning attacks is when the culprit exploits the victim’s transaction history. For address poisoning to work effectively, the fraudster generates similar unreal addresses to a user.

Crypto wallet addresses are very hard to remember because of the cryptographically generated hexadecimal numbers, and therefore, hackers instill these new unreal addresses in counterfeit transaction history. Usually, it’s very difficult to differentiate visually between the actual crypto wallet address and the fake crypto wallet address.

The next method is a fraudster creates a similarly-looking crypto wallet address. They send a small value transaction to the newly created crypto wallet address. After this happens, the user’s crypto wallet is ‘poisoned.’ This is because the transaction history on MetaMask or any other DeFi wallet shows the hacker’s new address, which is visually unidentifiable as different. Most crypto enthusiasts visually indicate their wallet by the starting and ending characters, while the middle part of the address is rarely remembered or almost not remembered at all.

This kind of merge allows the hacker to contaminate the wallet dummy addresses. The next time the unsuspecting user tries to copy the crypto wallet address from the transaction history, the funds, on many occasions, end up in the almost identically-looking hacker’s wallet.

Methods of address poisoning attacks.

MAC (Media Access Control) Address Spoofing.

This refers to a technique for changing a factory-assigned Media Access Control (MAC) address of a network interface on a networked device. The MAC address, hard-coded on a network interface controller (NIC), cannot be changed. However, many drivers allow the MAC address to be changed.MAC address spoofing occurs when a fraudster impersonates another device on the network using its MAC address. When this is done, it can be used to gain prohibited access to a network or impersonate a legitimate device.

Address Resolution Protocol (ARP) 

This communication protocol is used for discovering the link-layer address, such as a Media access control  (MAC)  address, associated with a given internet layer address, typically an IPV4 address. In the Internet protocol suite, this mapping is a vital function. This poisoning attack involves sending harmful ARP packets to a Local area network to associate a deceitful MAC address with a valid IP address. This causes network traffic to be redirected through the fraudster’s systems and, therefore, being able to perform Man-in-the-Middle attacks.

Domain Name System (DNS)  Poisoning

This cache poisoning happens when false information is entered into the DNS cache of a domain name server, resulting in DNS queries producing an incorrect reply, resolving domain names to incorrect IP addresses, and sending users to the wrong websites, and their private data is compromised.

Rogue Dynamic Host Configuration Protocol (DHCP) Servers

This is a DHCP server on a network that is not under the administrative control of the legitimate network workforce. A network device such as a router or modem is connected to the network by a fraudster. Fraudsters set up rogue DHCP servers on a network to assign IP addresses and other network configuration settings to unsuspecting devices. This, therefore, leads to data interception and traffic redirection.

BGP (Border Gateway Protocol) Hijacking

This is a routing protocol used in the Internet. The Internet is a global network that enables any connected host, identified by its unique IP address, to link to any other, anywhere in the world. This is achieved by passing data from one router to another, repeatedly moving each packet closer to its destination until it is hopefully delivered. BGP hijacking involves an attacker maliciously rerouting internet traffic. They falsely announce ownership of IP prefixes they do not own or control.

DNS Tunneling

DNS tunneling works by encoding data the fraudster wants to exfiltrate from a compromised network into DNS requests and responses, bypassing network security measures. The fraudster establishes a command and control server to receive and decode DNS traffic. They then set up a DNS tunnel using an encoding data tool into DNS queries and responses. The data is divided into small packets and sent in multiple queries or responses, which the C&C server reassembles into the original data.

Consequences of address poisoning attacks

Address poisoning attacks can have highly destructive effects on both individual users of the cryptocurrency network and the stability of the entire blockchain network. Because Fraudsters may steal crypto holdings or alter transactions to reroute money to their wallets, these assaults frequently cause huge financial losses for their victims. Beyond financial losses, these attacks may also result in declining confidence among cryptocurrency network users. Users’ trust in the security and dependability of blockchain networks and related services may be damaged if they fall victim to fraudulent schemes or have their valuables stolen.

Additionally, some address poisoning assaults, such as Sybil attacks or the abuse of smart contract flaws, can prevent blockchain networks from operating normally, leading to congestion, delays, or unforeseen consequences that affect the entire ecosystem. These effects highlight the need for strong security controls and user awareness in the crypto ecosystem to reduce the risks of address poisoning attacks.

How to Prevent Address Poisoning Attacks

Fortunately, there are several go-to methods to prevent crypto fraudsters from stealing your digital assets. Naturally, the easiest solution to this problem is double-checking the crypto wallet addresses before sending the funds. Here are two more advanced workarounds for crypto enthusiasts fearing getting contaminated with address poisoning.

Use of cold wallet

An effective way of rescuing oneself from the hassle of retrieving lost crypto funds is through cold wallets. As it is known, having a cold hardware wallet reduces the chances of getting hacked. Therefore, a self-custody wallet not connected to the internet is less susceptible to fraudulent phishing attacks by evil computer geniuses. In addition to that, cold hardware wallets form a habit of checking and confirming every transaction sent.

More security is guaranteed by the use of cold wallets because there’s a second layer of security in such a case, which is ‘test transactions.’ These transactions are carried out by sending a nominal amount of money and then waiting for the confirmation that the recipient’s address is indeed the correct one. However, test transactions are unpopular among the crypto community, as it requires double the gas fees.

As much as there are ways to stop scammers from sending money from your crypto wallet to theirs, it is advised to be extra careful and that you should build a habit of continuous scrutiny of your crypto wallets regularly.

We recommend you to read our exclusive guide on Cryptocurrency Wallets: Explained to have a broader understanding of what cold Wallets are.

Use an address book

Regarding most address poisoning attacks, having an address book rather than copying crypto wallet addresses from personal transaction history should be the best and safest thing to do. This feature, which can be accessed on MetaMask by going to Settings > Contacts, can guarantee the safety of your digital assets in the crypto network wallet

Through this simple way, you get to fix two issues immediately. One fixed issue is that the wallet owner won’t have to copy-paste the addresses, erasing the possibility of copy-pasting the bogus address. Moreover, the address book requires an extra security detail through confirmation before putting addresses on it. Through this, the scammers have a tough time changing the addresses submitted by the wallet owner.

Use a name service 

Name service addresses such as those provided by the Ethereum Name Service (ENS), or BSC Name Service (BNS) can provide an additional protection layer since they are impossible to duplicate, and their short length makes them much harder to spoof.

Use a trusted source

Using trusted sources can be a step further away from being involved in a fraudulent scheme of scammers and act as a  safe decision to acquire the real recipient’s wallet address. These trusted wallets could include using social media platforms to scrutinize user accounts or verified user accounts, official websites, or any other form of verified communication channel. Therefore, 

avoid clicking on links or using addresses obtained from untrusted sources, and never use previous transactions to identify the recipient’s address without double-checking first before making a move further.

Set up transaction alerts

This era of digital assets comes with digital tools that make the digital network easier and user-friendly. For example, some tools enable users to set up alerts that notify them whenever their address makes a transaction or links with specific smart contracts. With these alerts, users can confirm their usual transactions, flag any doubtful transaction linked to their wallet address, and ignore any other link to their address.

We recommend you read this article to learn more on how to protect your crypto investments How To Protect Yourself From Phishing Scams. 

Regular system and software updates

Having secure and updated software is essential at a time like this when there are fraudsters in every corner of the cryptocurrency ecosystem. As much as our primary target through this action of regularly updating software, a variety of advantages come along with having updated software besides keeping fraudsters away,  which include improvement in the overall performance and ensuring your system is running at its best, data protection, latest features and improvements, software compatibility with latest technology amongst many others.

Set Intrusion detection systems (IDS)

Because address poisoning attacks work by tricking a user into sending funds to a wallet they think is their own or somebody they transact with regularly, setting up intrusion detection systems and linking them to your digital wallets can completely do away with the risk of falling victim to this attack. This is an easy setup to do because most cryptocurrency wallets now come along with these intrusion detection systems.

Set up secure network configuration

As mentioned earlier, this era of digital assets comes with digital tools that make the digital network easier and user-friendly. In the fight to ensure fraudsters do not get in contact with your high-end network, you need to safeguard your network, and this may be made possible by the use of digital tools like setting firewalls, encryption, use of virtual private networks, strong methods of authentication and leaning on advanced endpoint detection. Through this, your digital assets and any other data are kept safe because cybercriminals and unauthorized users cannot access your network without your consent.

To gain an in-depth understanding of safety precautions, read our article on; Mastering Peer-to-Peer Trading Safety: Top Strategies for Secure P2P Trading.

Education and training

In this era of cybersecurity, having the knowledge needed to handle activities in the crypto ecosystem is top-tier and inevitable. This includes training and offering adequate education to your team on identifying and addressing poisoning attacks, risks involved in the entire network, and how not to be victims of such attacks. There are varieties of vital and key actions to undertake to ensure the prevention of these malware attacks. They include strong password practices avoiding clicking on suspicious links and downloading attachments, which can go a long way in preventing these attacks.


Address poisoning attack is just one among the many challenges and threats crypto network users face almost all the time.  Knowledge is power in this era of address poisoning attacks, and staying informed about these threats and how to prevent them is the best weapon to stay ahead of fraudsters. By staying informed, crypto network users can remain safe against these attacks and other risks involved in the digital space.

Enos is a distinguished writer and a leading authority in the realms of Crypto, Web 3.0, Metaverse and Blockchain Technology. With insightful narratives shaping the future of Decentralized Finance, virtual worlds and the digital age's limitless possibilities, Enos is a trusted and influential figure in the industry dedicated to enlightening and empowering the Cryptocurrency community.