MetaMask Security Guide: Protect Yourself from “Address Poisoning” Scams

Wallet Address Poisoning Scam: What You Need to Know

MetaMask warned crypto users of a new scam that is running rampant called “address poisoning”. This scam involves malicious actors copying and pasting wallet addresses in order to steal funds from unsuspecting users. In this article, we will discuss how address poisoning works and what users can do to protect themselves. Also, check out Gemmy’s video for more information on how to secure your MetaMask contacts!

How Does Wallet Address Poisoning Work?

Address poisoning is a scam that exploits copy-and-paste tendency of most crypto wallet users. Since wallet accounts have cryptographically-generated address with long hexadecimal numbers, users tend to only remember the first and last few characters of their address. As a result, users rely on copying and pasting their addresses to save time. MetaMask addressed this in their blog post, and here’s how it essentially works:

Attackers usually has softwares that monitor token transfers. If they pick up on your address, they can use vanity address generators to create an address that looks very similar to yours. The attacker then sends you worthless tokens to “poison” your transaction history. If you are not careful, you might copy and paste their address from your transaction history, sending funds to the attacker’s address.

This method is rather amateurish, compared to other scam types, blockchain attacks, or smart contract exploits. While this would not give the attacker access to user wallets, it relies on user carelessness and haste — something that is common in Web3 when users want to send funds quickly to capitalize on DeFi opportunities.

The Increasing Cases of Wallet Address Poisoning

According to an article jointly published by crypto analysts X-explore and Wu Blockchain on 2nd December 2022, over 340,000 addresses have been poisoned on-chain, resulting in $1.64 million stolen from unsuspecting victims. The cases began spiking at the end of November, and is still a prevalent issue now.

The article suggested that MetaMask should improve its UI features to prevent such attacks from happening, such as letting users identify trusted wallet addresses in transaction history using color markers or other prompts.

How to Protect Yourself from Address Poisoning

Metamask recommends users to always double-check the address before sending funds, making sure every single character is correct. As the attacks are still ongoing, users are also advised to avoid copying addresses from transaction histories and block explorers. Users can also add trusted wallet addresses in Settings > Contacts.

More importantly, it is much safer to use hardware wallets when transferring funds, as users are required to check and confirm any address they are sending funds to before the transaction is authorized. If you are interested in getting a hardware wallet, feel free to check these out:

Click here to purchase a Ledger wallet!

buy now

Or a Trezor wallet!

buy now

The information provided in this article is intended for general guidance and information purposes only. Contents of this article are under no circumstances intended to be considered as investment, business, legal or tax advice. We do not accept any responsibility for individual decisions made based on this article and we strongly encourage you to do your own research before taking any action. Although best efforts are made to ensure that all information provided herein is accurate and up to date, omissions, errors, or mistakes may occur. 
Disclosure: Authors are invested in cryptocurrency projects and have cryptocurrency holdings - including those covered on this website. 

Stay Connected

15,500FollowersFollow
156,664FollowersFollow
268,000SubscribersSubscribe

Latest Articles