What address poisoning actually is
Crypto address poisoning is a two-stage attack on the visual heuristic users apply when reading wallet addresses. An Ethereum address is a 42-character hex string starting with 0x. A Tron address is 34 base58 characters starting with T. None of these are memorable, so users developed a shortcut: verify the first four to six and last four to six characters, and trust that the middle is correct. Vanity address generators let an attacker brute-force a wallet whose visible prefix and suffix match a target address exactly while the middle characters differ.
Generating a 4-character prefix and 4-character suffix match (counted after the 0x) on Ethereum takes minutes on a consumer GPU using tools like profanity2 or vanity-eth, because each matched hex character multiplies the search by 16. A 6-character match on each end takes hours on a cluster, still cheap for an attack expected to net six figures.
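The brute-force cost above follows directly from the matching rule. The following added example (not code from the page, and not from profanity2 or vanity-eth) simulates it in Python at toy match lengths: random 20-byte strings stand in for freshly derived accounts, which is statistically equivalent because a real address is uniformly distributed over the same space, and the single-GPU key rate is an assumed round figure, not a benchmark.

```python
"""Cost of a prefix+suffix lookalike address, simulated at toy match lengths.

Added example; not code from the page, profanity2 or vanity-eth. Random
20-byte strings stand in for derived EOAs (a real generator derives the
address from a secp256k1 key, but the brute-force statistics are the same).
"""
import secrets


def random_address() -> str:
    """A uniformly random 20-byte address, hex-encoded with the 0x prefix."""
    return "0x" + secrets.token_hex(20)


def looks_alike(candidate: str, target: str, prefix: int, suffix: int) -> bool:
    """The check a truncated wallet UI effectively performs: the first `prefix`
    and last `suffix` hex characters (after 0x) are equal."""
    c, t = candidate[2:].lower(), target[2:].lower()
    return c[:prefix] == t[:prefix] and c[-suffix:] == t[-suffix:]


def expected_attempts(prefix: int, suffix: int) -> int:
    """Each matched hex character costs a factor of 16, and prefix and suffix
    are independent, so the expected work is 16 ** (prefix + suffix)."""
    return 16 ** (prefix + suffix)


def expected_seconds(prefix: int, suffix: int, keys_per_second: float) -> float:
    """Wall-clock estimate for a generator that tests keys_per_second candidates."""
    return expected_attempts(prefix, suffix) / keys_per_second


def mine_lookalike(target: str, prefix: int, suffix: int, max_attempts: int = 2_000_000):
    """Brute force until a candidate matches prefix+suffix but is a different
    address. Returns (address, attempts), or (None, max_attempts) on give-up."""
    for n in range(1, max_attempts + 1):
        cand = random_address()
        if cand != target and looks_alike(cand, target, prefix, suffix):
            return cand, n
    return None, max_attempts


if __name__ == "__main__":
    target = random_address()
    addr, tries = mine_lookalike(target, 2, 2)  # 16**4 = 65,536 expected tries
    print(f"target    {target}\nlookalike {addr}\nfound after {tries} tries")

    RATE = 3e8  # ASSUMED ~300M keys/s for one GPU; a round figure, not a benchmark
    for p, s in [(4, 4), (6, 6)]:
        mins = expected_seconds(p, s, RATE) / 60
        print(f"{p}+{s} match: {expected_attempts(p, s):.2e} attempts, "
              f"~{mins:,.1f} min on one GPU at {RATE:.0e} keys/s")
```

At the assumed rate a 4+4 match is expected in well under a minute on one GPU, and a 6+6 match (16^12, about 2.8e14 attempts) in roughly ten days on one GPU, which is a few hours once the work is split across a hundred of them; the page's "minutes" and "hours on a cluster" are the same arithmetic.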
The second stage is delivery. The attacker sends 0 USDT (or 0 of any token) from the lookalike address to the victim's wallet. Zero-value ERC-20 transfers are permitted by the standard, so the transfer succeeds and shows up in the victim's transaction history. Now the lookalike address is sitting in the victim's wallet UI, looking like a wallet the victim has interacted with before.
The trap moment: how the loss happens
The loss happens days or weeks after the poisoning. The victim opens their wallet to send funds to a recipient they actually do use - often a centralized exchange deposit address, a hardware wallet they own, or a business counterparty. The legitimate recipient is in the transaction history because the victim has sent to it before. The poisoned lookalike is also in the history because of the zero-value transfer.
The victim taps the address field, scrolls transaction history, and sees what looks like the right address: same first 4 to 6 characters, same last 4 to 6 characters. They copy it. They paste it into the send field. They glance at the truncated display in the send confirmation, which matches what they expected. They confirm. The money goes to the attacker.
The middle characters were always different. The wallet UI showed the full address somewhere on the page, but truncation hid the difference. The user verified what they could see, and what they could see matched. The transaction is final the moment it confirms on-chain.
Real cases: where it has cost real money
Public on-chain forensics has documented address poisoning losses in the eight and nine figures. ZachXBT's threads tag specific drainer addresses and trace funds across mixers. Chainabuse and SlowMist's annual reports both track address poisoning as a distinct category.
The largest publicly documented case involved a single victim who sent 1,155 WBTC (approximately $68 million at the time) to a poisoned address in May 2024, after meaning to send to an address they had used for a small test transfer minutes earlier. The attacker saw that earlier outbound transfer on-chain and followed it within minutes with a zero-value poisoning from a lookalike address, so the lookalike sat directly above the genuine address in the victim's history. Most of the funds were eventually returned, an unusual outcome researchers attribute to the attacker fearing the prosecution heat that a $68M target draws. Most victims do not get a refund.
Smaller-but-systematic losses are constant. ScamSniffer's monthly threat reports through 2024 and 2025 tracked address poisoning as one of the top three crypto theft categories by transaction count, with hundreds of victims per week. Bitfinex, OKX, and Binance hot wallet flows have all been targeted. Trezor and Ledger have both issued user warnings - Trezor in a March 2024 security blog post, Ledger in in-app notifications across 2024 and 2025.
Why it works (the visual heuristic problem)
Wallets display addresses truncated because the full string is too long for a list view. Users adapt by treating the truncated form as canonical. They verify the truncated form when comparing addresses. They mentally store it when deciding an address is "their" exchange deposit. The middle characters never enter working memory and the wallet UI does not highlight them.
Rabby Wallet added an address-poisoning detection feature in 2024 that flags addresses appearing in zero-value transfers with no other activity. MetaMask added a similar warning in late 2024 for partial-match recipients. These help, but they are opt-in or buried in advanced settings on most wallets, and attackers work around them by sending small non-zero amounts of unknown tokens, which a filter keyed only on "zero-value" does not catch.
The 7 red flags
- An address in your history you do not remember interacting with, especially one that received or sent zero-value or odd-amount transfers. Open the transaction in a block explorer to verify whether you initiated it.
- Two addresses in your history matching the same first 4 to 6 and last 4 to 6 characters. One is real. One is a vanity lookalike. The middle characters are different.
- Zero-value transfers from unknown source addresses. No legitimate counterparty sends you 0 USDT for no reason. The transfer exists only to inject the source address into your history.
- Unsolicited transfers of unknown or worthless tokens. Attackers sometimes use tiny amounts of obscure ERC-20 tokens to bypass zero-value filters. Treat unknown incoming tokens from unknown senders as untrusted.
- Middle characters differ on the confirmation screen. Many wallets show the full address before final confirm. Any single different character means a different wallet. Abort.
- You are copying recipient addresses from transaction history. This is the habit address poisoning exploits. Presence in history does not mean an address is safe. Your contact book is the only trusted source.
- Hardware wallet device screen disagrees with the computer screen. The device screen is the ground truth. If they differ, something on the host side is tampering with the destination: a malicious dApp, a compromised wallet extension, or clipboard-rewriting malware. Reject the transaction.
Defense: the habits that stop address poisoning cold
- Verify the full address on a hardware wallet display, every time. Ledger Nano, Ledger Stax, Trezor Model T, Trezor Safe 5, and Keystone all show the destination address on the device screen during signing. That screen is driven by the device, so malware on the host or a malicious dApp UI cannot alter what it shows. Verify character by character on the device, not on your laptop or phone screen. This is the single best defense.
- Use an address book with labels. Save your exchange deposits, your other wallets, and any counterparties with a human-readable name. Send by selecting the label, not by copying from history. MetaMask, Rabby, Trust Wallet, Phantom, and Trezor Suite all support contact labels natively.
- Never copy a recipient address from transaction history. The history contains every address that has ever interacted with your wallet, including attacker-planted ones. The contact book contains only addresses you have explicitly trusted. Train yourself to reach for the contact book, never the history.
- Send a small test transaction first for any new address. If you are about to send a large amount, send a $5 to $20 test transfer first. Confirm receipt at the destination (or that the exchange credits the deposit) before sending the full amount.
- Use ENS, SNS, or Basenames where available. An ENS name like vitalik.eth resolves on-chain and is short enough to verify visually. Human-readable names do not eliminate the need for verification, but they reduce the surface area for visual lookalikes.
- Turn on address-poisoning warnings if your wallet supports them. Rabby has this feature on by default. MetaMask has a similar warning that triggers on partial address matches. Check settings for any option labeled "address poisoning," "lookalike address," or "similar address warning" and enable it.
- Pre-check addresses in a block explorer before large sends. Paste the destination into Etherscan, Tronscan, BscScan, Basescan, or Solscan. If the explorer shows no history except a single zero-value transfer to your wallet, that is the poisoning. A real exchange deposit or counterparty wallet has visible activity.
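The red flags and the defenses above reduce to a few mechanical checks: is the address in my contact book, does it share a prefix and suffix with a contact while differing in the middle, and has it ever done anything other than send me zero-value or unknown-token transfers. The following added example (not code from the page or from any wallet vendor) runs those checks over a constructed transfer history in Python. Every address, transaction hash, contact label and token list below is constructed for the example; a real tool would load the history from a block explorer export.

```python
"""Address-poisoning triage over a wallet's transfer history.

Added example; not code from the page or from any wallet. All addresses,
transaction hashes, tokens and contact labels are constructed for the demo.
"""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Transfer:
    tx_hash: str
    sender: str
    recipient: str
    token: str
    amount: int  # raw token units; 0 marks a zero-value transfer


# Tokens this wallet knowingly holds; anything else arriving unsolicited is dust.
TRUSTED_TOKENS = {"ETH", "USDT", "USDC"}


def norm(addr: str) -> str:
    """Ethereum addresses are case-insensitive hex; compare them in one case."""
    return addr.lower()


def visual_twin(a: str, b: str, n: int = 4) -> bool:
    """True when a and b share the first n and last n hex chars (after 0x) but
    are different addresses: exactly the pair a truncated UI cannot tell apart."""
    a, b = norm(a)[2:], norm(b)[2:]
    return a != b and a[:n] == b[:n] and a[-n:] == b[-n:]


def mark_differences(a: str, b: str) -> str:
    """Caret line for printing under two addresses, marking where they differ."""
    return "".join("^" if x != y else " " for x, y in zip(norm(a), norm(b)))


def poisoning_reasons(addr: str, history: list, me: str) -> list:
    """Why an address in history looks planted rather than genuinely used."""
    addr, me = norm(addr), norm(me)
    inbound = [t for t in history if norm(t.sender) == addr and norm(t.recipient) == me]
    outbound = [t for t in history if norm(t.sender) == me and norm(t.recipient) == addr]
    reasons = []
    if inbound and not outbound:  # it only ever pushed something at you
        if all(t.amount == 0 for t in inbound):
            reasons.append("only ever sent you zero-value transfers")
        elif all(t.token not in TRUSTED_TOKENS for t in inbound):
            reasons.append("only ever sent you unsolicited unknown tokens")
    return reasons


def lookalike_pairs(history: list, contacts: dict, me: str, n: int = 4) -> list:
    """Every pair of addresses (history plus contact book) a truncated view would merge."""
    addrs = {norm(t.sender) for t in history} | {norm(t.recipient) for t in history}
    addrs |= {norm(c) for c in contacts}
    addrs.discard(norm(me))
    return sorted((a, b) for a, b in combinations(sorted(addrs), 2) if visual_twin(a, b, n))


def resolve_recipient(addr: str, contacts: dict, history: list, me: str, n: int = 4):
    """Decide whether a pasted recipient may be sent to.
    Returns (verdict, detail) with verdict in {"ok", "reject", "verify"}."""
    addr = norm(addr)
    book = {norm(k): v for k, v in contacts.items()}
    if addr in book:  # the contact book is the only trusted source
        return "ok", book[addr]
    for known, label in book.items():
        if visual_twin(addr, known, n):
            return "reject", f"prefix/suffix match contact '{label}' but middle differs"
    reasons = poisoning_reasons(addr, history, me)
    if reasons:
        return "reject", "; ".join(reasons)
    return "verify", "not in contact book: confirm out-of-band, then send a small test transfer"


# ---- constructed sample data ----
ME = "0x" + "ab" * 20
EXCHANGE = "0x7a3fc9e1d4b6a8f2e0c3b5d7a9f1e3c5b7d94e2d"   # genuine deposit address
LOOKALIKE = "0x7a3f000011112222333344445555666677774e2d"  # same 4+4, different middle
TREASURY = "0x" + "cd" * 20
DUSTER = "0x" + "ef" * 20
CONTACTS = {EXCHANGE: "Exchange deposit (USDT)", TREASURY: "Treasury hardware wallet"}
HISTORY = [
    Transfer("0xaaa1", ME, EXCHANGE, "USDT", 500_000_000),     # my real deposit
    Transfer("0xaaa2", LOOKALIKE, ME, "USDT", 0),              # poisoning, minutes later
    Transfer("0xaaa3", TREASURY, ME, "USDC", 1_000_000_000),   # known counterparty
    Transfer("0xaaa4", DUSTER, ME, "XYZAIRDROP", 1),           # unknown-token dust
]

if __name__ == "__main__":
    for a, b in lookalike_pairs(HISTORY, CONTACTS, ME):
        print(f"lookalike pair:\n  {a}\n  {b}\n  {mark_differences(a, b)}")
    for cand in (EXCHANGE, LOOKALIKE, DUSTER, "0x" + "12" * 20):
        print(cand, "->", resolve_recipient(cand, CONTACTS, HISTORY, ME))
```

The order of checks in `resolve_recipient` is the point: a contact-book hit is the only way to get "ok", a visual twin of a contact is rejected before any history is consulted, and an address known only from inbound dust is rejected even when the amount is non-zero, which is the case a plain zero-value filter misses. Anything else is neither trusted nor condemned; it gets the out-of-band confirmation and test-transfer routine.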
What to do if you already sent to a poisoned address
Honest version: in almost every case the funds are gone. On-chain transactions are final. No chargeback exists. The rare exception is a very large public victim where the attacker returns funds to avoid prosecution. That is not a plan. Still, do the following within the first hour:
- Capture evidence. Save the transaction hash, destination, source, token, amount, and timestamp. Screenshot the wallet view.
- Track the destination in a block explorer. If funds move, follow the trail one hop at a time to see whether they land at a centralized exchange.
- If funds land at a centralized exchange, contact compliance immediately. Binance, Coinbase, Kraken, OKX, Bybit, and Bitfinex can freeze suspicious deposits if you reach them fast. Provide the transaction hash, destination address, your ID, and a brief description.
- File reports with Chainabuse and the relevant authority. Chainabuse is read by exchange compliance teams. US: IC3. UK: Action Fraud. EU: national cybercrime units.
- Post the attacker address publicly. Tag on Etherscan, submit to SlowMist, GoPlus, ScamSniffer. The faster the address is tagged, the harder cash-out becomes.
- Accept the emotional reality. Telegram "recovery experts" who DM you after a loss are either the original attacker or a follow-on scammer. Block and move on.
How browser-layer defense fits into this
Address poisoning is an on-chain attack: the malicious address arrives via a blockchain transaction, not a phishing page. Browser extensions cannot block the zero-value transfer that delivers the poison. But the human-factors layers around address poisoning - the fake exchange-deposit page, the fake "support" chat that walks the user through copying an address from history, the malicious dApp that swaps destination addresses mid-transaction, the fake-wallet browser extension that rewrites clipboard contents - are all browser-layer attacks. SafeBrowz catches those before the page renders, and blocks the install pages for fake wallet software as part of its 550+ brand impersonation database. Install SafeBrowz free as a second line of defense.
Frequently asked questions
Can I get my money back if I sent to a poisoned address?
Almost never. Crypto transactions are final on confirmation. No chargeback exists. The only realistic recovery paths are a very large public loss where the attacker returns funds to avoid prosecution, funds traced to a centralized exchange where you reached compliance fast enough for a freeze, or a years-long civil case after attribution. Plan for zero recovery and act fast on the small chance.
How is address poisoning different from a Permit2 signature attack?
Permit2 attacks need you to sign a malicious approval message on a phishing page. Address poisoning needs nothing from you - no signature, no phishing page, no contact with the attacker. They only send a zero-value transfer to your wallet, which costs them gas but requires no permission from you.
Why do wallets allow zero-value transfers in the first place?
Zero-value ERC-20 transfers are valid by the standard and many legitimate dApps use them for state changes, events, and contract testing. Banning them at protocol level would break too many integrations. The fix has to happen at the wallet UI layer and at the user behavior layer.
Does using ENS or Solana name service prevent address poisoning?
It helps but does not eliminate the risk. An ENS name is harder to lookalike-spoof than a 42-character hex address, but names can be typosquatted too (a swapped or visually similar character), and copying an ENS name from a transaction history could still capture an attacker-registered name. The defense is still: verify on hardware wallet, send from contact book, never from history.
I see two addresses with the same first and last characters. Which is real?
Open both in a block explorer. The real one has your actual prior transactions. The poisoned one has a single zero-value transfer or a single tiny unknown-token transfer, possibly plus similar transfers to other victims. Never send to either until you re-verify with your counterparty out-of-band.
Are hardware wallets immune to address poisoning?
Hardware wallets do not stop the attacker from putting a lookalike in your transaction history, but they stop the consequences if you compare the full destination address on the device screen against the address your counterparty actually gave you. The mistake is glancing at the device screen and accepting the truncated prefix-and-suffix view. Read every character on the device, every time.
Related reading
- Pink Drainer shut down: what it means for crypto users - the other half of the wallet-theft ecosystem
- Permit2 signature attack explained: how one click drains your wallet - the signature-based attack that complements address poisoning
- My crypto wallet got drained. What do I do? - the broader rescue guide for any crypto theft
- Fake Ledger emails: how the seed-phrase scam works - the social-engineering layer attackers combine with poisoning
Bottom line: Address poisoning works because users verify only the first and last four to six characters of a wallet address, and attackers can generate lookalikes that match exactly those characters. The defense is procedural: verify the full address on a hardware wallet display, send from a labeled contact book never from transaction history, send a small test transfer first for any new address, and treat any unsolicited zero-value transfer in your wallet history as a flag, not a contact.