CyLab study uncovers 270 million crypto phishing attempts
Research team’s “Toxin Tagger” tool detects a successful $50 million attack on December 19, 2025
Michael Cunningham
Jan 7, 2026
From left: Taro Tsuchiya and Nicolas Christin analyzed Ethereum and Binance Smart Chain (BSC) transaction data representing two years of crypto wallet transfers to track a simple but extremely effective phishing scam.
A new study by researchers at Carnegie Mellon University published at the 34th USENIX Security Symposium reveals that a little-known but highly effective cryptocurrency scam known as “blockchain address poisoning” has quietly become one of the largest phishing schemes operating on public blockchains today.
By analyzing more than two years of transaction data on the Ethereum and Binance Smart Chain (BSC) networks, the researchers identified approximately 270 million attack attempts targeting 17 million victims, with confirmed losses totaling at least $83.8 million from July 2022 to June 2024. The findings show that what appears to be a simple trick exploits a fundamental usability problem in how cryptocurrency wallets work.
“In practice, this is really a usability problem,” said Taro Tsuchiya, Carnegie Mellon Ph.D. student and lead author of the paper. “Wallet addresses are long, hexadecimal strings that are impossible to remember. So people copy and paste from their transaction history, and that behavior creates a vulnerability.”
As Tsuchiya points out, on many popular blockchains, wallet addresses consist of 40-character hexadecimal strings. Because they are difficult to distinguish, most wallets and blockchain explorers display only the first and last few characters. Attackers exploit this by generating lookalike addresses that closely resemble a legitimate one.
To carry out an attack, a scammer sends a small amount of cryptocurrency, or sometimes even a zero-value transaction, to a victim from a lookalike address. This “poisons” the victim’s transaction history.
Later, when the victim initiates a new transfer and selects an address from that history, they may mistakenly send funds to the attacker instead of the intended recipient.
“The important issue here is that blockchain transactions are not reversible,” said Tsuchiya. “Once you make a mistake, you won’t be able to recover anything.”
Although address poisoning has been discussed in online forums, this study is the first to scientifically measure its scale across multiple blockchains and over a long period of time. The researchers found 13 times more attacks than had been reported in prior work.
“What really surprised me was how successful this turned out to be,” said Nicolas Christin, a co-author of the paper and head of CMU’s Software and Societal Systems Department. “I initially thought this was a very simple attack that wouldn’t work very often. But when the students came back with the data, I realized that this is happening all the time.”
While only a small fraction of attacks succeed, roughly one in 10,000, the volume of attacks is such that attackers still profit. According to the study, some organized groups earn 10 to 20 times what they spend on transaction fees and infrastructure.
“It’s a numbers game,” Christin explained. “You’re essentially buying lottery tickets that cost pennies. If you send millions of transactions, eventually you hit pay dirt.”
Rather than isolated individuals, many attacks are carried out by large, coordinated groups that invest heavily in automation. The researchers identified several major attacker entities and found evidence that at least one group likely uses GPU-based systems to rapidly generate highly similar wallet addresses.
“They invested millions of dollars to conduct attacks,” said Tsuchiya. “Despite the cost, they’re very profitable. That tells you how effective this attack is.”
The study also found that attackers often target “high-value” users: accounts with large balances or frequent transactions. Attackers sometimes even repeatedly exploit the same victims.
Because Ethereum, BSC, and many related networks use the same address format, attackers can reuse their infrastructure across multiple blockchains. The researchers observed attackers launching cross-chain campaigns with the same lookalike addresses.
Defending against address poisoning is challenging, and wallet providers are cautious about filtering small transactions.
“From a wallet operator’s perspective, you need to be nearly perfect,” said Christin. “If you hide transactions that turn out to be legitimate, users get angry. But if you don’t filter them, attackers take advantage.”
As part of the research, the team developed a live monitoring system called Toxin Tagger (@toxin_tagger on X) that tracks address-poisoning incidents in real time and publicly reports new victim losses and the number of attack attempts every day.
“We wanted people to see how bad it is right now,” said Tsuchiya. “Someone lost $50 million in one transaction just last week. This isn’t theoretical. It’s happening every day.”
For individual users, the researchers recommend simple but critical precautions: carefully verifying addresses before sending funds, being wary of unexpected small or zero-value transactions, and whitelisting trusted addresses when possible.
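The truncated address display and the small or zero-value inbound transfers described earlier suggest a check that a wallet or a user's own script could run over transaction history before an address is reused. The Python below is an added example, not code from the study or from Toxin Tagger; the four-character display width, the dust threshold, the `Transfer` record and every address in it are assumptions constructed for illustration.

```python
from collections import namedtuple

SHOWN = 4            # assumption: hex characters a wallet UI shows at each end
DUST_WEI = 10**13    # assumption: cut-off for a "small" transfer, in wei

# Hypothetical record for one entry of a wallet's transaction history.
Transfer = namedtuple("Transfer", "sender recipient value_wei")

def normalize(addr):
    """Lower-case a 40-hex-character address and drop the 0x prefix."""
    a = addr.lower().removeprefix("0x")
    if len(a) != 40 or set(a) - set("0123456789abcdef"):
        raise ValueError(f"not a 40-character hex address: {addr!r}")
    return a

def lookalike_of(addr, trusted):
    """Return the trusted address that addr imitates when truncated, or None."""
    a = normalize(addr)
    for t in sorted(trusted):
        if a != t and a[:SHOWN] == t[:SHOWN] and a[-SHOWN:] == t[-SHOWN:]:
            return t
    return None

def flag_poisoning(wallet, history):
    """Scan history in chronological order and return (sender, imitated, value_wei)
    for small or zero-value inbound transfers sent from a lookalike of an
    address the wallet has previously paid."""
    me, trusted, findings = normalize(wallet), set(), []
    for t in history:
        sender, recipient = normalize(t.sender), normalize(t.recipient)
        if sender == me:
            # A paid address becomes trusted unless it imitates an earlier one.
            if lookalike_of(recipient, trusted) is None:
                trusted.add(recipient)
        elif recipient == me and t.value_wei <= DUST_WEI:
            imitated = lookalike_of(sender, trusted)
            if imitated is not None:
                findings.append((sender, imitated, t.value_wei))
    return findings

# Constructed sample data (not real addresses).
WALLET, UNRELATED = "0x" + "11" * 20, "0x" + "22" * 20
LEGIT = "0xA1B2" + "0" * 32 + "C3D4"
LOOKALIKE = "0xa1b2" + "f" * 32 + "c3d4"
HISTORY = [
    Transfer(WALLET, LEGIT, 5 * 10**18),   # user pays a real counterparty
    Transfer(LOOKALIKE, WALLET, 0),        # zero-value transfer from a lookalike
    Transfer(UNRELATED, WALLET, 0),        # zero-value, but imitates nobody
    Transfer(LEGIT, WALLET, 10**12),       # small refund from the real counterparty
]
```

`lookalike_of` can also be called on a candidate recipient just before sending, which is the point at which a full-address comparison matters most.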
“This really comes down to human factors,” said Tsuchiya. “Double-check before you send, especially for large amounts.”
Looking ahead, the research team plans to extend their analysis to additional blockchains, including Solana and other low-fee networks, where similar attacks may be even easier to carry out. They also hope future research will explore wallet interface designs that make these scams harder to pull off.
“This is not just a technical problem,” said Christin. “It’s about how people interact with systems. If we can design better interfaces, we can reduce the number of costly mistakes.”