Two routine copy-and-paste actions erased $62 million in crypto over December and January, exposing how basic wallet habits are becoming one of Ethereum’s biggest security risks.
ScamSniffer said in a post on X on Feb. 8 that one victim lost about $50 million in December 2025 after sending funds to a fake address copied from transaction history. In January 2026, another user lost roughly $12.25 million, equal to about 4,556 ETH at the time, through the same mistake.
“Two victims. $62M gone,” the firm wrote.
Both incidents followed the same pattern. Funds were sent to look-alike addresses that had been quietly planted inside the victims’ recent activity records.
Address poisoning works by exploiting how most users interact with their wallets.
Attackers monitor transactions, generate vanity addresses that resemble real ones, and send tiny “dust” transfers to potential targets. These near-zero transactions place the fake addresses into transaction histories.
Later, when users copy an address from past activity instead of verifying the full string, money is sent directly to the scammer.
Security firms say this tactic has expanded rapidly since Ethereum’s (ETH) Fusaka upgrade in late 2025 lowered transaction fees. What was once expensive to run at scale has become cheap and efficient.
Millions of dust transactions are now being sent daily, according to blockchain security researchers. Many are designed only to prepare future thefts.
This activity has also distorted network data. Rising transaction counts and active wallet numbers increasingly include spam rather than genuine usage, making it harder to separate real demand from noise.
Several recent investigations have linked address poisoning campaigns to organized groups that recycle the same infrastructure across thousands of wallets.
Alongside address poisoning, ScamSniffer recorded a sharp rise in signature-based phishing in January.
The firm reported $6.27 million in losses across 4,741 victims during the month, up 207% from December in value terms. Two wallets were responsible for about 65% of the total damage.
The largest cases included $3.02 million stolen from SLVon and XAUt tokens through malicious permit and increaseAllowance approvals, and $1.08 million taken from aEthLBTC using similar techniques.
These attacks rely on deceptive transaction prompts that appear routine. Once users sign them, scammers gain long-term access to tokens and can drain funds without further approval.
Security analysts say these schemes succeed because they target habits formed during everyday trading, not technical weaknesses in protocols.
“Most victims are not careless,” one researcher said privately. “They are doing what they’ve done hundreds of times before.”
ScamSniffer and other firms have urged users to avoid copying addresses from transaction history, verify full wallet strings manually, and use saved contacts for frequent transfers.
As transaction costs stay low and automation improves, analysts expect address poisoning and signature phishing to remain persistent threats. Until better tools and habits take hold, basic operational mistakes are likely to keep producing outsized losses.
