Jameson Lopp, co-founder and chief security officer at Bitcoin storage company Casa, has raised alarms over a troubling increase in Bitcoin address “poisoning” attacks, urging Bitcoin users to be cautious. In a blog post published Sunday, Lopp highlighted the growing number of attacks where fraudsters mimic wallet addresses to deceive victims into sending funds to a malicious address.
Lopp’s findings come from an 18-month study of Bitcoin blockchain transactions, which uncovered nearly 48,000 suspicious transactions. Some of these incidents have led to substantial financial losses for victims. He pointed out that such attacks thrive in Bitcoin’s current low-fee environment, making them economically viable for attackers. The lower transaction costs on the Bitcoin network allow these scams to be carried out more easily.
The Mechanics of Address Poisoning Attacks
Bitcoin address poisoning is similar to social engineering, according to Lopp. These attacks involve the perpetrator creating a Bitcoin address that closely mimics one the victim has previously used. The scammer then uses trial and error or brute force to try to guess or crack the secret keys to the address. Once successful, the attacker funds the similar-looking address with a modest sum of cryptocurrency.
From there, the attacker “poisons” the victim’s transaction history by sending these funds from the counterfeit address to the real victim’s address. Victims may inadvertently copy the fraudulent address from their transaction history, believing it to be legitimate. This can lead to the accidental transfer of funds to the attacker’s wallet.
In January 2025, pseudonymous Bitcoin developer Mononaut also warned of the “address poisoning dust attack,” advising users to refrain from copying addresses directly from their transaction history to avoid falling victim to this scam.
Attack Patterns and Rising Frequency
According to Lopp, 36 such transactions were logged in block 797570 on July 7, 2023, marking the first instances of these poisoning transactions. After a lull, the attacks resumed in December 2023 and continued intermittently through January 2025, especially until January 28 2025. The attacks returned after a two-month break, exhibiting a pattern of sporadic increases.
However, Lopp emphasized that the attacks do not follow a specific pattern. While some of the targeted addresses had recent activity, a significant number—over 12,000—had never been used to spend funds. Additionally, most addresses targeted in the attacks had received fewer than 10 deposits. Surprisingly, the attackers tended to avoid addresses with balances under 1 BTC, according to Lopp’s research.
Protecting Against Address Poisoning
Lopp urged Bitcoin holders to take precautions, advising them not to trust addresses simply because they appear in their transaction history. He stressed that relying on memory or recent transactions could lead to costly mistakes. “Don’t reuse addresses, period! This remains a Bitcoin best practice for a multitude of reasons,” Lopp said.
The Casa executive’s warning serves as a crucial reminder for Bitcoin users to remain vigilant and adopt safer practices to protect their assets from increasingly sophisticated attacks.
