Bitcoin 'address poisoning' attacks on the rise, warns Casa CSO Jameson Lopp

A Bitcoin security expert is warning that "address poisoning" attacks are on the rise on the blockchain, as low transaction fees allow threat actors to target a large number of addresses at a relatively low cost. 

In an address poisoning attack, an attacker sends its target a transaction from a newly-generated wallet whose first and last characters match the target wallet, or a wallet the target has recently interacted with. The next time the target wants to send money to that wallet, they might mistakenly copy the lookalike address from their transaction history and send money directly to the hacker instead of their intended recipient.

Jameson Lopp, co-founder and chief security officer of Bitcoin secure storage firm Casa, conducted an analysis of address poisoning attacks on Bitcoin, scanning the entire blockchain and identifying 48,000 suspected attacks since 2023. Lopp identified transactions with one input and one output consisting of two different wallets with the same first four and last four characters, a strong signal of an address poisoning attack. 

Lopp identified at least one likely successful attack, in which a victim sent 0.1 BTC to a malicious address, then 12 hours later, sent .1 BTC to an address that was probably the intended target. "That one successful trickery could have easily resulted in a much higher ROI because the address from which the funds were spent held nearly 8 BTC," Lopp noted in his analysis . 

While the odds of one attack succeeding are relatively low, low transaction fees enable thousands of attacks to be carried out in a relatively short period. Average Bitcoin transaction fees have been relatively low since July 2024, according to The Block's data.

"[The attacks are] a result of the fact that we're in a very low-fee environment," Lopp said when presenting his findings at the MIT Bitcoin Expo. "If we had [high] fees going on, I think that would greatly disincentivize people from doing a lot of these dusting attacks, unless they figured out other ways to increase their attack success rate." 

Address poisoning attacks are known to target wallets on other blockchains; in May 2024, an Ethereum user lost $71 million to an attack, though it was later recovered following negotiations. A similar strategy was identified as part of the hack of Japanese crypto exchange DMM Bitcoin. 

Lopp said wallet software developers could implement warnings for users that could mitigate the risks from address poisoning attacks. "I think it would be easy for wallets to say 'Oh, this came from a similar looking address,' and throw up a big red flag: do not interact," Lopp said.