MetaMask Alerts Crypto Users About Address Poisoning Scam

By Adeola Adegunwa
Writer, Informationsecuritybuzz | Jan 13, 2023 01:35 am PST

MetaMask, a cryptocurrency wallet provider, is alerting customers about a new fraud known as ‘Address Poisoning,’ which involves tricking users into sending payments to a scammer rather than the intended receiver.

When MetaMask users send or receive cryptocurrency, the transaction is recorded in the wallet’s history. When you click the transaction, you’ll see further information, such as the token, the amount paid or received, and a short form of the third party’s address.

While these wallet addresses appear identical in their short form, they could be completely different, causing MetaMask users to become confused. In a new post, MetaMask developers warn of a new scam called ‘Address Poisoning,’ which involves poisoning the wallet’s transaction history with scammers’ addresses that are strikingly similar to addresses with which a user previously transacted.

Scammers Contaminate Your MetaMask Transactions.

To carry out the scam, the threat actor checks the blockchain for new transactions. After deciding on a target, they employ a vanity address generator to generate an address that is very similar, if not identical, to the one involved in the recent transaction.

It should be noted that constructing an address that matches the prefix or suffix of a target address can take less than a minute. However, targeting both will take much longer (perhaps too long) to generate. The threat actor then transfers a sizeable or minimal amount of cryptocurrency, or even a $0 token transaction, from this new address to the targeted sender’s address so that the transaction shows in their wallet’s history.

The address of the threat actor is remarkably similar to a user’s past transaction, and because MetaMask shortens the addresses in the transaction history, it appears to be from the same individual. This strategy effectively taints the transaction history with multiple entries that appear to be between the same addresses but are actually utilizing different ones — one for the genuine, legitimate transaction and the newer one from the attacker using a copycat wallet address.

When a user needs to send bitcoin to someone they previously sent to, the attacker hopes that they will pick the most recent transaction, which in this case is from the attacker, and send the cryptocurrency to the scammer’s address instead.

Here’s How Address Poisoning Works In A Copy-And-Paste Context

  • You send a mundane, nothing-to-see-here transaction to a pal.
  • The scammer notices because he has software that tracks transfers of specific tokens (typically stablecoins). 
  • They use a ‘vanity’ address generator (which can be found with a fast web search) to generate an address that closely matches yours (and sometimes your friend’s).
  • Crypto wallet addresses are frequently shortened due to their length. You might only see the first few characters, or you might see the first 5-10 or so and the last 5-10 or so, missing the middle. 
  • Most individuals recognize addresses in this way: not by knowing every single character but by being comfortable with the beginning and end. Address poisoning takes advantage of this tendency.
  • The scammer sends a transaction of nominal value from another account to a dummy account that closely resembles yours. Typically, these are zero-token transactions. 
  • They’ve poisoned your wallet with this.
  • Because their dummy address seems so close to yours, it’s entirely likely that the next time you require your address, you’ll unintentionally copy and paste their address from your transaction history. 
  • Naturally, if you accidentally copy and paste their address, you will transfer payments to them rather than yourself. And because on-chain transactions like this are immutable (cannot be changed once verified), the cash will be lost forever.
  • Even for insignificant amounts, the attacker must incur additional charges known as “gas” as the transaction is registered on the blockchain.
  • That’s all they’re hoping for: that you copy the erroneous address from your wallet’s transaction history.

Ways To Stay Safe On MetaMask

  • Always look through your transaction list for a known genuine transaction and obtain the complete address from a blockchain explorer such as Etherscan.
  • Double-check addresses before sending. This goes without saying. Although this is true for any transaction, it is essential if the assets you are sending are of significant worth to you. The only way to be absolutely safe is to check every single character.
  • Avoid copying addresses from your transaction history, and if you must, double-check them thoroughly. This applies to both transaction history in your wallet, such as MetaMask, and the history displayed on the block explorer.
  • Make use of a hardware wallet. Before you can execute a transaction, most hardware wallets require you to check and confirm the address you’re sending to. Though you can still fall prey to this scam even with this feature, this prompt may help you create a habit of constantly scrutinizing each address you use.
  • One way MetaMask could avoid attacks is to offer a new option that requires the display of complete Send and From addresses in transaction histories.
  • Fill up your address book with regularly used addresses. This may be found under MetaMask’s Settings > Contacts. If you save a contact’s address here, you can be sure it’s correct and won’t have to rely on copying and pasting every time.
  • Consider testing transactions. This entails sending a small quantity of money to an address to check its validity before proceeding with a more significant transaction. Naturally, this necessitates paying gas fees for two transactions, which may or may not be appealing depending on the current gas price.
  • MetaMask also suggests that you use the Address Book option in ‘Settings > Contacts’ to record recognized, genuine bitcoin addresses for people or services to which you frequently send transactions.
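
The check behind the "compare every character" and address-book advice above can be automated. The following is an added example, not code from MetaMask or from the original article: it flags history entries whose counterparty is not a saved contact yet shortens to the same string as one. The addresses, the 6/4 shortening split, and the contact and history record shapes are all assumptions constructed for the illustration.

```javascript
// Added example. All addresses are constructed sample values, not real accounts.
const ALICE = '0xa1b2' + '0'.repeat(32) + '9f3c';  // saved contact
const FAKE  = '0xa1b2' + '1'.repeat(32) + '9f3c';  // same ends, different middle
const OTHER = '0x77aa' + '5'.repeat(32) + 'beef';  // unrelated address

// Shorten an address the way a history view might. The 6/4 split is an
// assumption for this example; wallets differ in how many characters they show.
function shorten(addr, head = 6, tail = 4) {
  return addr.slice(0, head) + '...' + addr.slice(-tail);
}

// Hex addresses compare case-insensitively (checksum casing aside).
const normalize = (addr) => addr.trim().toLowerCase();

// Index of the first character where two addresses differ, or -1 if equal.
function firstDifference(a, b) {
  const x = normalize(a), y = normalize(b);
  const n = Math.max(x.length, y.length);
  for (let i = 0; i < n; i++) if (x[i] !== y[i]) return i;
  return -1;
}

// Return history entries whose counterparty is NOT a saved contact but
// shortens to the same string as one.
function findLookalikes(contacts, history, head = 6, tail = 4) {
  const known = new Set(contacts.map((c) => normalize(c.address)));
  const byShort = new Map(
    contacts.map((c) => [shorten(normalize(c.address), head, tail), c]));
  const findings = [];
  for (const tx of history) {
    const addr = normalize(tx.counterparty);
    if (known.has(addr)) continue;                 // exact full-length match
    const contact = byShort.get(shorten(addr, head, tail));
    if (!contact) continue;
    findings.push({
      id: tx.id, suspect: addr, imitates: contact.name,
      differsAt: firstDifference(addr, contact.address),
      zeroValue: Number(tx.amount) === 0,
    });
  }
  return findings;
}

const CONTACTS = [{ name: 'Alice', address: ALICE }];
const HISTORY = [
  { id: 'tx-1', counterparty: ALICE, amount: 25 },
  { id: 'tx-2', counterparty: FAKE,  amount: 0 },
  { id: 'tx-3', counterparty: OTHER, amount: 3 },
];
console.log(findLookalikes(CONTACTS, HISTORY));
```

The flagged entry differs from the saved contact only in the characters the shortened view hides, which is why the full-length comparison is the check that matters.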


According to the MetaMask team, a new type of crypto wallet address fraud that takes advantage of user inattention is on the rise. MetaMask, a digital wallet provider, issued a warning to consumers about an “address poisoning scam,” in which attackers “poison” transaction records by sending users tokens worth $0 to their wallets. The scammers will employ vanity address generators to generate wallet addresses that match the first and final characters of their victim’s wallet address. As a result, unknowing individuals transfer their payments to the incorrect imitation address.
