TLDR
Attacker monitors victim's wallet activity, then generates a vanity address matching first 4 + last 4 chars of a counterparty victim sends to. Attacker sends a tiny ($0) transaction FROM the lookalike. Next time victim copies an address...
How it works
Attacker monitors victim's wallet activity, then generates a vanity address matching first 4 + last 4 chars of a counterparty victim sends to. Attacker sends a tiny ($0) transaction FROM the lookalike. Next time victim copies an address...
Red flags
- Urgent pressure to click, pay, or share codes immediately.
- A link or sender that does not match the official organization.
- Requests for card data, passwords, OTPs, wallet signatures, or bank transfers.
What to do
- 1DO: NEVER copy addresses from transaction history — copy from verified source (signed message, scanned QR, ENS); verify FULL address; use ENS / SNS.
- 2IF VICTIM: funds rarely recoverable; report to exchanges where attacker might cash out; alert Chainalysis.
Source
Chainalysis-Address-Poisoning
Source reviewed by Mythos Forensic Team
https://www.chainalysis.com/blog/address-poisoning-scam/FAQ
Is Crypto address poisoning — copy paste attacker's lookalike address a real scam pattern?
Yes. Treat the message, call, or payment request as suspicious until you verify it through an official channel.
What are the first warning signs?
Urgent pressure to click, pay, or share codes immediately.; A link or sender that does not match the official organization.; Requests for card data, passwords, OTPs, wallet signatures, or bank transfers.
What should I do first?
DO: NEVER copy addresses from transaction history — copy from verified source (signed message, scanned QR, ENS); verify FULL address; use ENS / SNS.; IF VICTIM: funds rarely recoverable; report to exchanges where attacker might cash out; alert Chainalysis.
Can LegalAudit check my case?
Yes. Start a free chat and paste the message, link, sender, or payment details for triage.