In the Web3 world, many people’s first instinct when it comes to security is to protect their private keys, mnemonic phrases, and authorization permissions.
These are essential—but in practice, there is another category of risk that doesn’t stem from private key leaks or smart contract vulnerabilities. Instead, it arises from something as routine as copying an address.
Address poisoning exploits exactly this. Rather than breaking systems, attackers rely on disguise, interference, and manipulation—tricking users into sending assets to the wrong address during what appears to be a normal transfer.
What makes this attack difficult to prevent is not its technical complexity, but how precisely it exploits users’ visual habits and behavioral inertia.
What Is Address Poisoning?
Address poisoning is a method where attackers generate a spoofed address that closely resembles a user’s commonly used address. They then insert this address into the user’s transaction history through zero-value or very small transactions.
When the user later needs to make a transfer, if they casually copy an address from their transaction history without verifying every character, they may accidentally send assets to the attacker’s spoofed address.
These attacks are far from rare. Over the past two years, multiple on-chain cases have shown that address poisoning can lead to real financial losses. Even the common habit of sending a small test transaction before a larger one does not reliably eliminate the risk.
The situation is becoming more serious. Following the Fusaka upgrade, lower gas fees have reduced the cost of launching such attacks. According to Blockaid, there were 3.4 million address poisoning attempts in January 2026—up 5.5× from 628,000 in November of the previous year—showing a sharp surge in activity.
Why Do Users Fall for Address Poisoning?
From a technical perspective, address poisoning is relatively simple. What makes it hard to defend against is that it exploits inherent weaknesses in user behavior.
1. Addresses Are Not Practical to Verify Manually
A typical blockchain address consists of 42 characters. For most users, verifying every character is impractical.
Instead, people tend to check only the first and last few characters—confirming it “looks right”—and move on. Attackers design their spoofed addresses around this exact habit.
2. Malicious Transactions Blend into Normal Activity
Poisoning transactions often involve zero or negligible amounts and look no different from regular transfers.
Once mixed into transaction history, it becomes difficult for users to distinguish legitimate transactions from malicious noise at a glance.
3. Warnings Often Come Too Late
Most security alerts appear right before transaction confirmation.
However, the key risk moment in address poisoning occurs earlier—when the user decides to copy an address from transaction history.
If detection and warnings only appear at the final step, the user has already committed to a risky path.
Address Poisoning Requires More Than Just “Reminders”
Address poisoning cannot be mitigated by user vigilance alone.
As the primary interface between users and the blockchain, wallets should take on more proactive responsibility—shifting risk detection and prevention earlier in the user journey, instead of placing the entire burden on users.
In imToken 2.19.0, security capabilities have been upgraded specifically to counter address poisoning risks. The goal is not to add isolated warnings, but to integrate detection, filtering, alerts, and validation at the right points throughout the user flow.
A Three-Layer Defense Against Address Poisoning
1. Hide High-Risk Transactions to Reduce History Pollution
To prevent malicious low- or zero-value transactions from polluting transaction history, the new version enables “Hide risky transactions” by default.
When a high-risk poisoning transaction is detected, it is filtered from transaction records and notifications—keeping these entries out of the user’s view.
This not only improves interface clarity, but more importantly reduces the chance that users will copy a risky address from their history.
2. Move Alerts to the Moment of Copying
The key risk point in address poisoning is not the transfer itself, but the act of copying the address.
When users copy an address from transaction details, the system now provides clearer prompts, encouraging full verification rather than relying on partial visual matching.
Compared to alerts shown only before transfers, this approach aligns with the real moment of risk and helps interrupt habitual “copy-and-go” behavior.
3. Continuously Flag Risks at Key Touchpoints
In addition to transaction lists and copy actions, the system highlights suspicious addresses across key touchpoints—such as transaction details and pre-transfer checks.
This is not meant to create friction, but to provide timely and consistent risk signals before users take the next step.
Technical Perspective: Why Address Poisoning Requires Dynamic Risk Awareness
Address poisoning does not exploit protocol vulnerabilities—it exploits user behavior and visual inertia. Attackers create highly similar addresses and inject them into transaction histories using low-value transfers, luring users into mis-copying and mis-transferring in future actions.
One of the main challenges is that, from an on-chain perspective, these transactions often appear completely normal. There are no obvious anomalies or traditional attack signatures, making static blacklists or post-event alerts insufficient.
imToken does not label addresses as permanently “safe” or “unsafe.” Instead, it performs dynamic risk assessment at key interaction points—such as refreshing transaction history, viewing details, copying addresses, and initiating transfers. This assessment combines real-time on-chain data with user context to trigger actions such as filtering, tagging, strong warnings, and pre-validation.
Risk Detection Goes Beyond Simple Similarity
Effective detection is not just about whether addresses look alike. It requires combining multiple signals in a noisy environment.
Similarity Signals
For an attack to work, the spoofed address must look sufficiently similar to a trusted one.
The system analyzes structural similarities to identify such risks.
Transaction Cost Patterns
To scale cheaply, attackers often follow consistent patterns in transaction amounts and structures. While not decisive on their own, these signals improve accuracy when combined with others.
Behavioral Timing Signals
Some poisoning transactions closely follow legitimate user transfers, attempting to exploit user inertia immediately after activity. The system evaluates such behavior within specific time windows and contextual conditions.
Why Unified Risk Decisions Matter
No single signal is enough for high-confidence detection. The system combines multiple signals into a unified risk decision and applies consistent handling across different touchpoints. This approach provides three key benefits:
- Reduced false positives: Weak signals alone do not trigger high-severity actions
- Consistent experience: The same transaction is evaluated consistently across views
- Continuous improvement: Each detection can be analyzed and refined over time
For non-custodial wallets, this type of risk control is especially challenging.
Address poisoning targets user behavior rather than clear on-chain anomalies. Meanwhile, attack patterns continue to evolve across chains, assets, timing, and disguise methods.
Without centralized control points, protection depends on coordination across detection accuracy, product design, and iterative strategy updates.
imToken treats this as an evolving security system—supporting strategy updates, version management, monitoring, and post-analysis to keep pace with changing attack patterns.
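The signal combination described above (similarity, transaction cost and timing, merged into one decision that every view reuses) can be sketched as follows. This is an added example, not imToken's code: the thresholds, weights, action names and sample addresses are assumptions constructed for illustration.

```python
from collections import namedtuple

# Thresholds and weights are illustrative assumptions, not imToken's values.
EDGE = 4             # hex characters compared at each end of an address
DUST_WEI = 10**12    # values at or below this count as negligible
WINDOW_S = 1800      # seconds after a genuine outgoing payment
WEIGHTS = {"lookalike": 50, "dust": 20, "timing": 30}

Transfer = namedtuple("Transfer", "sender recipient value_wei timestamp")

def norm(addr):
    """Lower-case and strip 0x so checksum casing cannot hide a match."""
    addr = addr.lower()
    return addr[2:] if addr.startswith("0x") else addr

def is_lookalike(candidate, trusted):
    """Same first and last EDGE characters as a trusted address, but not equal."""
    c, t = norm(candidate), norm(trusted)
    return c != t and c[:EDGE] == t[:EDGE] and c[-EDGE:] == t[-EDGE:]

def assess(tx, history, me):
    """Combine the three signals into one (score, signals, action) decision."""
    me = norm(me)
    # Addresses the user has genuinely paid, with the time of each payment.
    paid = [(h.recipient, h.timestamp) for h in history
            if norm(h.sender) == me and h.value_wei > DUST_WEI]
    # The counterparty is whichever side of the entry is not the user.
    other = tx.sender if norm(tx.recipient) == me else tx.recipient
    hits = [ts for addr, ts in paid if is_lookalike(other, addr)]
    signals = set()
    if hits:
        signals.add("lookalike")
        if any(0 <= tx.timestamp - ts <= WINDOW_S for ts in hits):
            signals.add("timing")
    if tx.value_wei <= DUST_WEI:
        signals.add("dust")
    score = sum(WEIGHTS[s] for s in signals)
    action = "hide" if score >= 70 else "warn_on_copy" if score >= 50 else "show"
    return score, signals, action

# Constructed sample data: 40 hex characters per address, none from a real chain.
ME, PAYEE = "0x" + "1" * 40, "0x" + "a1b2" + "0" * 32 + "c3d4"
SPOOF, OTHER = "0x" + "A1B2" + "f" * 32 + "C3D4", "0x" + "9" * 40
HISTORY = [Transfer(ME, PAYEE, 5 * 10**18, 1000), Transfer(SPOOF, ME, 0, 1300),
           Transfer(OTHER, ME, 0, 1400), Transfer(SPOOF, ME, 10**18, 900000)]

if __name__ == "__main__":
    for entry in HISTORY:
        print(entry.timestamp, assess(entry, HISTORY, ME))
```

A zero-value transfer from an unrelated address scores only on "dust" and stays visible, while the same dust from a lookalike sent shortly after a genuine payment crosses the hide threshold; this is the false-positive behaviour the list above describes.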
How to Upgrade Your Protection
If you are already using imToken, it is recommended to upgrade to version 2.19.0 as soon as possible.
Protection against address poisoning is enabled by default in the new version. No additional setup is required to benefit from earlier detection and more proactive alerts.
Final Thoughts
Address poisoning shows that Web3 risks don’t only occur at obvious “high-risk” moments—they can also hide in routine, familiar actions.
As attackers increasingly exploit human habits, security must evolve from result-based warnings to process-level protection. For wallets, the goal is not just to execute transactions, but to help users reduce errors and avoid mistakes at critical moments.
This is why imToken continues to invest in its security capabilities—so users can stay in control while benefiting from more timely and practical protection.