Understanding Address-Poisoning Attacks in Cryptocurrency

In an alarming incident within the cryptocurrency sector, a trader suffered a loss of over $12 million in Ethereum (ETH) after inadvertently sending funds to a fraudulent wallet. This event is suspected to be a successful case of an address-poisoning attack based on blockchain data analysis.

Analysis of the Incident

The affected wallet, identified as 0xd674, had a history of sending large Ethereum transfers to a Galaxy Digital deposit account. This pattern was detailed in a report by Lookonchain, dated January 31, 2026. The victim’s wallet was observed to frequently interact with a specific Galaxy Digital address, 0x6D90CC…dD2E48.

Advertisement Banner

The Attack Strategy

Exploiting this predictable behavior, the attacker created a fake wallet address that mirrored Galaxy Digital’s legitimate deposit address. The malicious address matched the initial and concluding characters of the genuine address, making it visually deceptive.

Through a series of small transactions, known as dusting, the attacker inserted the poisoned address into the victim’s transaction history. This tactic increased the chance of the trader mistakenly selecting the fraudulent address during future transactions.

Critical Mistake: Neglecting Address Verification

On one occasion, around 11 hours before the loss was recognized, the trader attempted another Ethereum transfer meant for Galaxy Digital. Instead of verifying the destination address manually, the trader relied on copying and pasting from previous transactions. Consequently, 4,556 ETH, equivalent to approximately $12.4 million at that time, ended up in the attacker’s wallet.

The entire transaction was completed in one outbound transfer, with immediate withdrawal of funds from the victim’s wallet. No corrective actions or fund retrieval attempts were recorded, underscoring the irreversible nature of blockchain transactions.

Implications of Address-Poisoning Attacks

This incident underscores the increasing threat of address-poisoning attacks, where malicious entities exploit address similarities instead of targeting smart contract vulnerabilities. Such attacks capitalize on human error, posing risks even to seasoned traders managing significant sums.

The case serves as a crucial reminder of the importance of thorough verification of wallet addresses, especially when dealing with substantial cryptocurrency transfers. Simple mistakes can lead to irreversible financial losses, emphasizing the need for vigilance and caution in digital asset management.