In May 2024, a single crypto user sent 1,155 wrapped Bitcoin to an attacker's address. That was about 68 million US dollars, and they meant to send it to themselves. The only difference between the right address and the wrong one was a handful of characters buried in the middle.
The scam that pulled this off is called address poisoning, and it targets a habit nearly every crypto user has picked up. This guide walks through how the trick works, why it keeps succeeding, and the five-second check that shuts it down for good.
How address poisoning works, in three steps
Step one: the attacker watches the public blockchain for a wallet that has recently moved a large amount of crypto. Every transfer is visible on chain. Services like Etherscan make it trivial to scan for high-value wallets and the addresses they send to most often.
Step two: the attacker generates a new address that matches the target's frequent recipient at the first and last four or six characters. This is called a vanity address. It is computationally cheap now, and dedicated services can produce a lookalike for any target within minutes.
Step three: the attacker sends a tiny transaction, often zero dollars worth, from the lookalike to the target's wallet. This plants the poisoned address in the target's transaction history, where it sits quietly until the owner copies an address from that history to send a future payment. The one that matches the first and last characters feels right, so the approval happens on autopilot.
A real example: in a widely reported 2024 case tracked by Chainalysis, an attacker sent a tiny transfer to a target wallet using a lookalike that matched the first and last four characters of the target's most recent recipient. A couple of days later, the target sent the next large transfer to the address copied from the poisoned history entry, and the funds were gone in a single block.
Why the trick keeps working
Crypto addresses are 34 to 42 characters long, and nobody reads all of them. The brain takes a shortcut and verifies three or four characters at the start and three or four at the end. If those match, the middle is assumed to match. That shortcut is the entire attack surface.
Wallet apps make the problem worse without meaning to. Most apps shorten long addresses to a readable form like 0xAb12...34Cd, showing only the first and last characters. That display format is the exact same thing the attacker is mimicking. The lookalike passes the visual check by design.
Picture the usual flow. You send 0.01 ETH to a friend on Tuesday. By Thursday, the attacker has already salted your history with a near-identical address. You go to send the next payment, you tap recent recipients, the top result looks right, and you approve. No malware, no phishing site, no leaked seed phrase. The wallet behaved exactly as designed. You just picked the wrong line.
The five-second check that stops it
Never trust the transaction history as a source of truth for an address. Always paste a full, known-good address from a trusted source, meaning the recipient told you the address in a signed message, a paper hand-off, or a QR code you scanned in person.
Verify the full address, not just the edges. Read the middle. Read the characters out loud if you have to. The US Federal Trade Commission's guidance on crypto scams makes the same point about the core rule: if you cannot verify the recipient, do not send.
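The full-address rule can also be enforced in software. The following is an added example, not code from this guide or from any wallet vendor: it compares each address in a transaction history against a list of trusted recipients and flags entries that match only at the first and last four characters. The function names, the record layout and every address in it are constructed for illustration.

```python
# Added example: flag history entries that imitate a trusted address at the edges.
# Every address below is constructed for illustration; none is a real wallet.
EDGE = 4  # characters kept on each side by a shortened display (assumption)

def normalize(addr):
    """Lower-case and drop the 0x prefix so checksum casing cannot hide a match."""
    addr = addr.strip().lower()
    return addr[2:] if addr.startswith("0x") else addr

def truncated(addr, edge=EDGE):
    """Render the shortened form a wallet UI typically shows, e.g. 0xab12...34cd."""
    body = normalize(addr)
    return f"0x{body[:edge]}...{body[-edge:]}"

def classify(candidate, trusted, edge=EDGE):
    """Return ("trusted", label), ("lookalike", label) or ("unknown", None)."""
    cand = normalize(candidate)
    known = {label: normalize(a) for label, a in trusted.items()}
    for label, addr in known.items():
        if cand == addr:  # every character matches, middle included
            return ("trusted", label)
    for label, addr in known.items():
        # Same edges but a different middle: the pattern the shortened view hides.
        if cand[:edge] == addr[:edge] and cand[-edge:] == addr[-edge:]:
            return ("lookalike", label)
    return ("unknown", None)

def scan_history(history, trusted):
    """Return the history entries whose counterparty imitates a trusted address."""
    flagged = []
    for tx in history:
        verdict, label = classify(tx["counterparty"], trusted)
        if verdict == "lookalike":
            shown = truncated(tx["counterparty"])
            flagged.append({**tx, "imitates": label, "shown_as": shown})
    return flagged

# Constructed sample data: one trusted recipient and three history rows.
TRUSTED = {"friend": "0xAb12" + "1" * 32 + "34Cd"}
HISTORY = [
    {"counterparty": "0xAb12" + "1" * 32 + "34Cd", "value": 10**16},  # real payment
    {"counterparty": "0xab12" + "9" * 32 + "34cd", "value": 0},       # planted entry
    {"counterparty": "0x" + "5" * 40, "value": 5},                    # unrelated
]

if __name__ == "__main__":
    for hit in scan_history(HISTORY, TRUSTED):
        print(f"{hit['shown_as']} imitates '{hit['imitates']}' (value {hit['value']})")
```

The planted entry and the trusted address render identically in shortened form, which is why only the full-string comparison in `classify` tells them apart.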
If you are new to self-custody, our guide on hot wallets versus cold wallets covers where this habit should kick in and why every approval tap deserves a pause.
One habit that helps: send a small test transaction first, even one dollar worth. If it lands where you expected, send the real amount. The test adds a few minutes to the flow. It costs the price of a vending machine coffee. It saves the rest.
What your wallet should be catching before you sign
The last layer of defense sits on your hardware wallet itself. When you approve a transaction, the full destination address should render on the device's own screen, not just on your phone. If a piece of malware on your phone swapped the address at the last second, the on-device display is the only place the real destination is still true.
The example that drives this home: in 2023, researchers demonstrated a malware family that silently replaced clipboard contents whenever a user copied a wallet address on a compromised phone. Anyone relying only on their phone screen would never notice. Anyone verifying the full address on a separate hardware display would catch it before the approval tap.
The same principle underpins how seed phrase storage works in self-custody: the information that matters has to live somewhere your phone cannot touch. Verification is the other half of that story. If your hardware wallet shows the address on a cramped two-line display, that is a problem. If it shows a truncated version, that is a problem. The only version of the check that actually works is the full address rendered at a size you can read, on a device that cannot be tampered with from your phone.
Ryder One makes the last tap the safe one

Address poisoning is a trick that works because verification is a chore. The whole attack collapses the moment verifying the full address becomes easy. That is exactly what Ryder One is built to do, and it is the reason so much of the product sits on the device itself instead of your phone.
The 1.6-inch AMOLED display on Ryder One shows the full destination address before you approve. Not a shortened preview. Not a version your phone drew. The address the device is about to sign for, at a size you can read without squinting. If the phone was compromised between the copy and the approval, the on-device screen is where the swap becomes visible.
The rest of the setup is the part that makes people actually use the device. No seed phrase to write down, because Ryder One replaces that whole step with TapSafe Recovery, a seedless backup split across battery-free tags and your phone. Setup takes about a minute. Sending, swapping, and recovering are one tap each. The security is the best in the category, and the friction is gone.
If you hold enough crypto that an address poisoning attack would hurt, the answer is not another sticky note on the monitor. It is a device that shows you the truth before you sign. Ryder One is that device, and the reason the last tap is also the safe one.