Address poisoning is a scam technique where an attacker attempts to make a malicious blockchain address appear familiar or legitimate.
The attacker may send a small or zero-value transaction involving an address that looks similar to a genuine address previously used by the target. The aim is to influence a future transaction, so that a user copies or selects the attacker’s address instead of the intended destination.
Why address poisoning matters
Address poisoning is an operational risk because blockchain addresses are long and difficult to compare quickly.
Attackers may create addresses that resemble legitimate addresses, especially at the beginning and end of the address. If a user only checks the first and last characters, they may mistake the attacker’s address for a trusted destination.
This can lead to assets being sent to the wrong address. Blockchain transactions are generally irreversible once confirmed.
How address poisoning works
A typical address poisoning attempt may involve:
- Sending a small or zero-value transaction involving the target wallet
- Using an address that visually resembles a legitimate address
- Creating transaction history that includes the attacker-controlled address
- Relying on users copying addresses from transaction history
- Relying on partial address checks rather than full verification
The attacker’s objective is not always to move assets immediately. The objective may be to create confusion and increase the chance that a malicious address is used in a later transaction.
Are my assets at risk if I receive a spam or zero-value transaction?
Receiving an unexpected spam or zero-value transaction does not necessarily mean that assets have moved out of your wallet.
However, it should still be treated carefully because the transaction may be intended to manipulate address history or create confusion during future address selection.
Users should not copy destination addresses from unverified transaction history.
What should I check before using an address?
Before submitting or approving a transaction, check:
- The full destination address
- The asset and network
- The intended recipient
- The address book entry, where applicable
- The internal instruction, ticket, or approval record
- Whether the address was obtained from an approved source
- Whether the transaction is expected and authorised
Do not rely only on the first and last characters of an address.
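The check above can be automated before a transaction reaches an approver. The following is an added example, not code from Bitpanda or from the original page: it accepts a destination only when every character matches an approved address book entry, and flags addresses that match only the first and last characters. It assumes EVM-style hex addresses compared case-insensitively and a 4-character comparison window; the names and all addresses are constructed for illustration.

```python
from typing import Dict, Optional, Tuple

WINDOW = 4  # assumed number of characters a hurried reviewer compares at each end


def normalise(addr: str) -> str:
    """Lower-case the address and drop a leading 0x (assumes EVM-style hex)."""
    addr = addr.strip().lower()
    return addr[2:] if addr.startswith("0x") else addr


def classify(destination: str, address_book: Dict[str, str]) -> Tuple[str, Optional[str]]:
    """Return (verdict, address book label).

    "approved"  - every character matches an address book entry
    "lookalike" - only the first and last WINDOW characters match an entry
    "unknown"   - resembles nothing in the address book
    """
    dest = normalise(destination)
    lookalike_of = None
    for label, approved in address_book.items():
        known = normalise(approved)
        if dest == known:
            return ("approved", label)
        # Partial match at both ends is the pattern address poisoning relies on.
        if dest[:WINDOW] == known[:WINDOW] and dest[-WINDOW:] == known[-WINDOW:]:
            lookalike_of = label
    if lookalike_of is not None:
        return ("lookalike", lookalike_of)
    return ("unknown", None)


# Constructed sample data (hypothetical label and addresses).
ADDRESS_BOOK = {
    "treasury-cold": "0x3fA9c1d2E4b5a6978877665544332211AaBb7e21",
}
# Same first and last four hex characters as treasury-cold, different middle.
POISONED = "0x3fa9" + "0" * 32 + "7e21"
UNRELATED = "0x" + "ab" * 20

if __name__ == "__main__":
    for candidate in (ADDRESS_BOOK["treasury-cold"], POISONED, UNRELATED):
        verdict, label = classify(candidate, ADDRESS_BOOK)
        print(candidate, verdict, label)
```

A "lookalike" verdict should block submission and go to escalation; an "unknown" verdict means the address still needs verification through an approved source.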
How can organisations reduce the risk?
Organisations can reduce address poisoning risk by using controlled address verification processes.
This may include:
- Using approved address book workflows
- Verifying new addresses through trusted internal records
- Avoiding copied addresses from transaction history
- Reviewing the full address before submission or approval
- Applying maker-checker or quorum approval processes
- Escalating unexpected or unfamiliar destination addresses
- Training users to recognise address poisoning attempts
What should I avoid?
Do not:
- Copy destination addresses from unverified transaction history
- Rely only on address labels or partial address matches
- Approve transactions involving unfamiliar addresses
- Use addresses received through informal or unverified channels
- Ignore unexpected zero-value or spam transactions if they appear in an operational workflow
What should I do if I suspect address poisoning?
If you suspect address poisoning, do not submit or approve any related transaction.
Follow your organisation’s internal escalation process. If support is required, contact Bitpanda Enterprise Custody Support through the approved support channel and include relevant wallet, address, asset, network, transaction, and timing details.
Do not include passwords, PINs, private keys, seed phrases, API keys, API secrets, access tokens, or other sensitive authentication information in a support request.