Simple Base SwapSimple Base SwapOpen app
← All articles
Jul 18, 2026·5 min read

Address poisoning: how a fake transaction can plant a scam address in your wallet history

securitybasescamsguides
security

You open your wallet's activity list to copy an address you have sent to before, maybe an exchange deposit address or a friend's wallet. You spot a transaction that matches, first few letters and last few letters look right, so you copy it and send your funds. A little while later you realize the address was not the one you meant to use at all. The funds are gone, and there is no support desk to call.

This is address poisoning, and it does not rely on hacking your wallet, tricking you into signing anything, or getting you to click a bad link. It relies on how people actually read addresses, and it is worth understanding even if you never plan to fall for it, because the setup happens quietly, before the actual theft attempt.

What an address actually looks like

A wallet address on Base, like on any EVM network, is a long string such as 0x8f3a...9c21. Nobody memorizes the whole thing. In practice, people recognize an address by its first four to six characters and its last four to six characters, since that is what most wallets and block explorers show by default when space is tight. The full string in between is effectively invisible to a quick glance.

That shortcut is convenient and, most of the time, harmless. Address poisoning exists specifically because it is not always harmless.

How the poisoning happens

Vanity address generators can produce a wallet address that starts and ends with whatever characters someone chooses, given enough computing time. A scammer picks a real address you interact with, for example one you send to regularly, and generates a lookalike address that shares its leading and trailing characters. The middle of the address is completely different, but the middle is the part nobody checks.

Once the lookalike address exists, the scammer sends a transaction from it to your wallet. It is often for a tiny amount, sometimes literally zero value. You did not ask for this transaction and it costs you nothing to receive it, so there is no reason to be alarmed. Its only job is to leave a trace: a new entry in your transaction history that has the lookalike address sitting right next to the real one you actually use.

Now the trap is set. Weeks later, when you go to send funds again and open your history to copy the address instead of typing it out or scanning a QR code, the two entries look almost the same. Grab the wrong one, and the transfer goes straight to the scammer with no way to undo it.

Some versions of this scam go a step further and copy an address from your own wallet's send history, then poison it back to you, hoping that seeing "your own" address pattern reflected back builds false confidence. The mechanics stay the same either way: the attacker never touches your keys or your approvals. They only need you to trust a shortcut.

Why this is easy to miss

Address poisoning works precisely because none of the usual warning signs apply. There is no phishing site, no signature request, no urgent message pushing you to act fast. The poisoning transaction itself does nothing to you. The actual loss happens later, in a completely ordinary moment, when you are the one initiating a transfer you meant to make anyway.

It also blends into an already crowded transaction history. Wallets that interact with a lot of contracts, tokens, and approvals tend to have long activity lists, and a single extra zero-value entry rarely stands out.

How to protect yourself

A few habits close off this attack almost entirely:

  • Never copy an address straight from your transaction history. Use a saved contacts list or address book inside your wallet, paste from a source you control, or scan a QR code for addresses you use often.
  • Check the full address, not just the ends. Before confirming a transfer, compare several segments in the middle of the address too, not only the first and last few characters.
  • Save addresses you use regularly. Most wallets support labeled contacts. Add the addresses you send to often once, verified carefully, and reuse the saved entry instead of the history.
  • Treat unexpected incoming transactions as informational only, never as a reference. A transaction you did not request, especially for zero or a trivial amount, should never be a source you copy an address from.
  • Send a small test amount first for any new or high-value transfer. For a first-time transfer or a larger amount, send a small amount first and confirm it arrived before sending the rest.

The bigger picture

Address poisoning is a good reminder that not every crypto risk involves your private keys, a malicious contract, or a signature you were tricked into approving. Some risks are much simpler: they exploit the fact that a long string of characters is hard for a human to verify at a glance, and they wait patiently for you to take a shortcut you have taken a hundred times before without any problem.

None of this requires new software or a different wallet. It just means treating your transaction history as a record, not a source of truth for where to send money, and giving the full address one real look before you confirm a transfer.

Sources: MetaMask Help Center on address poisoning scams, Chainalysis, Anatomy of an Address Poisoning Scam

Ready to try it yourself?

Create a non-custodial wallet on Base in seconds. No account, no sign-up.

Open the web app