Address poisoning is a phishing scam that can affect users who have received unwanted tokens and don’t check their addresses carefully when sending crypto.
According to an Apr. 10 post from Etherscan, the blockchain explorer has disabled the display of zero-value token transfers on its website by default. From now on, users must manually switch on the display from the website’s setting page. Etherscan says it made the update to deter “address poisoning” attacks that have phished and spammed unsuspecting users.
“Preventing scams and attacks in a neutral and scalable way is an infinite cat-and-mouse game… please feel free to share your feedback as we continue to improve.”
Address poisoning is a type of crypto scam where an attacker sends a token with near-zero or no value to a user’s address to “poison” it. Afterward, the transaction is recorded in the history of the user’s software or hardware wallet, where its address can be selected when making transfers. The purpose of the scam is to trick the user into sending coins to the scam address by mistake. To do this, hackers use sophisticated software to create scam addresses that look very similar to “poisoned” addresses, with the same few beginning or ending characters.
That said, the scam is only classified as phishing. Neither the unwanted coins nor the addresses receiving such tokens can compromise users’ funds. However, unwanted nonfungible tokens, or NFTs, can potentially compromise an address through interactions, such as moving them to different accounts.
Blockchain hardware wallet firm Ledger suggests users hide their unsolicited NFT collections upon receipt. While address poisoning cannot be stopped, Ledger recommends users refrain from retrieving deposit or destination addresses from their transaction history and always double-check that each character of the destination address matches the input address when sending crypto.
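The character-by-character check Ledger describes can be automated before a transfer is signed. The following is an added example, not code from Etherscan or Ledger; the function names, the four-character edge length and the sample addresses are constructed assumptions.

```python
"""Pre-send check for address-poisoning lookalikes (added example)."""

# Assumption: a lookalike shares the same few leading or trailing
# hex characters with a trusted address; 4 is an illustrative choice.
EDGE_CHARS = 4

# Constructed sample data, not real addresses.
TRUSTED = {"exchange-deposit": "0x" + "1234" + "a" * 32 + "5678"}
POISONED = "0x" + "1234" + "b" * 32 + "5678"  # same edges, different middle


def normalize(addr: str) -> str:
    """Lower-case an Ethereum-style address and drop the 0x prefix."""
    a = addr.strip().lower()
    if a.startswith("0x"):
        a = a[2:]
    if len(a) != 40 or any(c not in "0123456789abcdef" for c in a):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return a


def check_destination(dest, trusted, edge=EDGE_CHARS):
    """Compare dest against a trusted address book, every character.

    Returns (verdict, label):
      "match"     - all 40 hex characters equal a trusted entry
      "lookalike" - shares the first or last `edge` characters with a
                    trusted entry but differs elsewhere
      "unknown"   - resembles no trusted entry
    """
    d = normalize(dest)
    lookalike_of = None
    for label, addr in trusted.items():
        t = normalize(addr)
        if d == t:
            return ("match", label)
        if d[:edge] == t[:edge] or d[-edge:] == t[-edge:]:
            lookalike_of = label
    if lookalike_of is not None:
        return ("lookalike", lookalike_of)
    return ("unknown", None)


if __name__ == "__main__":
    print(check_destination(POISONED, TRUSTED))
```

A "lookalike" verdict is the case to block: the destination was most likely copied from transaction history rather than from the trusted source.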