Address poisoning is an attack where a malicious actor injects zero-value transactions into a victim’s history using an address that closely resembles a trusted one (same first and last few bytes). The goal is to trick the victim into copy-pasting the poisoned address for their next real transfer.
How it works
Build a whale address dataset
The detector continuously builds and updates a dataset of “whale” addresses — addresses holding token balances above a configurable threshold (e.g. $100K across native + ERC-20 tokens).
Monitor for look-alike injection
Every transaction and ERC-20 transfer event is scanned for addresses where the first and last 2–4 bytes match a whale address. This is the fingerprint of a poisoning attempt.
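The two steps above, shown as an added Python example that is not the detector's own code: whale addresses are indexed by their first and last 2–4 bytes, and each transfer's sender and recipient are checked against that index. The names `LookalikeIndex`, `scan_transfers` and `PATTERNS`, and the transfer record fields, are assumptions, and the sample addresses are constructed.

```python
from collections import defaultdict
# Hypothetical names; assumed pattern rules are (prefix_bytes, suffix_bytes) lengths.
PATTERNS = [(4, 4), (3, 3), (2, 2)]

def to_bytes(addr):
    """Parse a 0x-prefixed 20-byte hex address into raw bytes."""
    raw = bytes.fromhex(addr.lower().removeprefix("0x"))
    if len(raw) != 20:
        raise ValueError(f"not a 20-byte address: {addr}")
    return raw

class LookalikeIndex:
    def __init__(self, whales, patterns=PATTERNS):
        self.patterns = sorted(patterns, reverse=True)  # strictest rule first
        self.whales = {to_bytes(w) for w in whales}
        self.index = defaultdict(set)  # (p, s, prefix, suffix) -> whale addresses
        for w in self.whales:
            for p, s in self.patterns:
                self.index[(p, s, w[:p], w[-s:])].add(w)

    def match(self, addr):
        """Return (whale, prefix_len, suffix_len) for the strictest match, else None."""
        a = to_bytes(addr)
        if a in self.whales:
            return None  # the genuine whale address is not a look-alike
        for p, s in self.patterns:
            hits = self.index.get((p, s, a[:p], a[-s:]))
            if hits:
                return ("0x" + min(hits).hex(), p, s)
        return None

def scan_transfers(index, transfers):
    """Flag transfers whose sender or recipient mimics a whale address."""
    alerts = []
    for t in transfers:
        for role in ("from", "to"):
            hit = index.match(t[role])
            if hit:
                alerts.append({"tx": t["tx"], "role": role, "address": t[role], "mimics": hit[0],
                               "matched_bytes": hit[1:], "zero_value": t["value"] == 0})
    return alerts

# Constructed sample data (not real addresses or transactions).
WHALE = "0x" + "a1b2c3d4" + "00" * 12 + "e5f6a7b8"
FAKE_4 = "0x" + "a1b2c3d4" + "11" * 12 + "e5f6a7b8"   # same first/last 4 bytes
FAKE_2 = "0x" + "a1b2" + "22" * 16 + "a7b8"           # same first/last 2 bytes
USER = "0x" + "ff" * 20
SAMPLE = [{"tx": t, "from": f, "to": r, "value": v} for t, f, r, v in
          [("tx1", FAKE_4, USER, 0), ("tx2", WHALE, USER, 5), ("tx3", USER, FAKE_2, 0)]]
```

Running `scan_transfers(LookalikeIndex([WHALE]), SAMPLE)` flags `tx1` and `tx3` and leaves the genuine whale transfer `tx2` alone; shorter patterns such as 2 bytes match more loosely and will also flag more coincidental collisions.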
Use cases
Whale protection
Identify when a whale address is being mimicked in transaction history, preventing operators from accidentally copying a poisoned address for withdrawals or transfers.
Exchange & custodian compliance
Exchanges managing large user funds can cross-check all outbound transactions for similarity-based poisoning attempts in real time.
Threat intelligence
Map and share poisoned address attempts across chains. Detected addresses are stored in the labels database tagged as whale, enriched with poisoning metadata.
Configuration
| Field | Description |
|---|---|
| Name | Descriptive label for this detector instance |
| Past | How far back in history to scan on initial activation |
| History | Depth of transaction history to maintain for matching |
| Patterns | Similarity pattern rules (byte prefix/suffix length to match) |