Address poisoning is an attack where a malicious actor injects zero-value transactions into a victim’s history using an address that closely resembles a trusted one (same first and last few bytes). The goal is to trick the victim into copy-pasting the poisoned address for their next real transfer.
This attack is particularly dangerous because most wallet UIs only show the first and last 4–6 characters of an address. Always verify the full address before sending funds.

How it works

1. Build a whale address dataset

   The detector continuously builds and updates a dataset of “whale” addresses — addresses holding token balances above a configurable threshold (e.g. $100K across native + ERC-20 tokens).

2. Monitor for look-alike injection

   Every transaction and ERC-20 transfer event is scanned for addresses where the first and last 2–4 bytes match a whale address. This is the fingerprint of a poisoning attempt.

3. Fire an alert

   When a match is found, an alert is raised containing the whale victim address, the phishing initiator address, and full transaction metadata.
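The matching step described above, sketched as an added example (this is not Extractor's own code). The class and function names, the alert fields, and all addresses and transaction ids are constructed for illustration; the whale set is assumed to be already built.

```python
from collections import defaultdict

def norm(addr: str) -> bytes:
    """Parse a 0x-prefixed address into 20 raw bytes (checksum case is ignored)."""
    raw = bytes.fromhex(addr.lower().removeprefix("0x"))
    if len(raw) != 20:
        raise ValueError(f"not a 20-byte address: {addr}")
    return raw

class LookalikeIndex:
    """Index whale addresses by (first n bytes, last n bytes) for O(1) lookup."""
    def __init__(self, whales, n_bytes=2):
        self.n = n_bytes
        self.by_fp = defaultdict(set)
        for w in whales:
            raw = norm(w)
            self.by_fp[(raw[:self.n], raw[-self.n:])].add(raw)

    def match(self, addr):
        """Whales that addr resembles: same prefix and suffix, different address."""
        raw = norm(addr)
        hits = self.by_fp.get((raw[:self.n], raw[-self.n:]), ())
        return sorted("0x" + w.hex() for w in hits if w != raw)

def scan(index, transfers):
    """Check both sides of every transfer and build one alert per look-alike hit."""
    alerts = []
    for t in transfers:
        for role in ("from", "to"):
            for whale in index.match(t[role]):
                alerts.append({"whale": whale, "lookalike": t[role].lower(),
                               "role": role, "zero_value": t["value"] == 0,
                               "tx": t})
    return alerts

# Constructed sample data: not real addresses or transactions.
WHALE = "0xab12" + "11" * 16 + "cd34"
LOOKALIKE = "0xab12" + "22" * 16 + "cd34"   # shares first/last 2 bytes with WHALE
UNRELATED = "0x" + "33" * 20
TRANSFERS = [
    {"tx": "0x01", "from": LOOKALIKE, "to": UNRELATED, "value": 0},
    {"tx": "0x02", "from": WHALE, "to": UNRELATED, "value": 5},  # the whale itself
]

if __name__ == "__main__":
    for alert in scan(LookalikeIndex([WHALE], n_bytes=2), TRANSFERS):
        print(alert)
```

Raising `n_bytes` to 4 makes the same sample produce no alert, since the constructed look-alike only shares 2 bytes at each end: longer patterns cut false positives but miss cheaper vanity addresses.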

Use cases

Whale protection

Identify when a whale address is being mimicked in transaction history, preventing operators from accidentally copying a poisoned address for withdrawals or transfers.

Exchange & custodian compliance

Exchanges managing large user funds can cross-check all outbound transactions for similarity-based poisoning attempts in real time.

Threat intelligence

Map and share poisoned address attempts across chains. Detected addresses are stored in the labels database tagged as whale, enriched with poisoning metadata.

Configuration

| Field | Description |
| --- | --- |
| Name | Descriptive label for this detector instance |
| Past | How far back in history to scan on initial activation |
| History | Depth of transaction history to maintain for matching |
| Patterns | Similarity pattern rules (byte prefix/suffix length to match) |