Bitcoin Address Poisoning Attacks Cost Users $1.8 Million in February
Jameson Lopp, the chief security officer at Bitcoin (BTC) custody company Casa, has raised concerns about Bitcoin address poisoning attacks. These attacks are a form of social engineering scam where threat actors generate BTC addresses that closely resemble those in a victim's transaction history, aiming to deceive them into sending funds to the malicious address.
In his article published on February 6, Lopp detailed how these attacks work. He explained that the threat actors create addresses that match the first and last characters of addresses from the victim's transaction history, so that a glance at a truncated address in a wallet interface does not reveal the difference. Lopp's analysis of the Bitcoin blockchain history revealed that the first such transactions appeared in block 797570 on July 7, 2023, with 36 transactions. After a period of inactivity, these transactions resurfaced in block 819455 on December 12, 2023, and continued intermittently until block 881172 on January 28, 2025. There was a two-month break before the attacks resumed.
Over an 18-month period, nearly 48,000 transactions matching the profile of potential address poisoning were identified. Lopp emphasized the importance of thoroughly checking addresses before sending funds and advocated for better wallet interfaces that fully display addresses to mitigate these risks.
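The following is an added example (not from the article, Lopp, or Casa) of the wallet-side check the mitigation above calls for: before a send, the destination is compared against the user's trusted address history, and any address that shares the leading and trailing characters of a trusted one but differs in the middle is flagged as a lookalike. The addresses, the prefix/suffix lengths, and the function names are all constructed assumptions for the example; real wallets would tune the lengths and feed in their own history.

```python
"""Wallet-side lookalike ("poisoned") address check.

Added example, not code from the original article or from Casa.
Assumptions (not from the page):
- the trusted history is a plain list of address strings the user has
  knowingly sent to before
- PREFIX_LEN / SUFFIX_LEN are heuristic cut-offs chosen here; they mirror
  what a user sees when a wallet truncates an address to its ends
- all address strings below are constructed and do not belong to anyone
"""

PREFIX_LEN = 5   # number of leading characters a truncated UI typically shows
SUFFIX_LEN = 5   # number of trailing characters a truncated UI typically shows

# Constructed sample data: addresses the user has verified and sent to before.
TRUSTED_HISTORY = [
    "bc1qa7f3k2x9p0mz4rq8w6t1y5u2n3h7j9l4c8v0d2ea",
    "1Kz3r7Qm9fXaP2bLwN5tY8uV4cH6jD1eG",
]

# Constructed: same first 5 and last 5 characters as TRUSTED_HISTORY[0],
# different middle. This is the shape of address the attack relies on.
POISONED_LOOKALIKE = "bc1qa9z1m4h8p3x2k7r6w5t0y9u1n2j3l8c4v0d2ea"

# Constructed: shares nothing useful with the trusted list.
UNRELATED = "bc1qm2n8v4c7x1z9b5k3l6p0q2w8e4r7t9y1u3i5o"


def is_lookalike(candidate: str, known: str,
                 prefix_len: int = PREFIX_LEN,
                 suffix_len: int = SUFFIX_LEN) -> bool:
    """True if candidate mimics known's visible ends but is not the same address."""
    if candidate == known:
        return False
    min_len = prefix_len + suffix_len
    if len(candidate) < min_len or len(known) < min_len:
        return False
    return (candidate[:prefix_len] == known[:prefix_len]
            and candidate[-suffix_len:] == known[-suffix_len:])


def find_lookalikes(observed: list[str], trusted: list[str]) -> list[tuple[str, str]]:
    """Scan observed addresses (e.g. senders of unsolicited dust) for mimics of trusted ones.

    Returns (observed_address, trusted_address_it_mimics) pairs.
    """
    return [(obs, t) for obs in observed for t in trusted if is_lookalike(obs, t)]


def classify_destination(dest: str, trusted: list[str]) -> str:
    """Classify a send destination: 'trusted', 'lookalike', or 'unknown'.

    A wallet would block or prominently warn on 'lookalike' and show the
    full address (never a truncated one) for anything not 'trusted'.
    """
    if dest in trusted:
        return "trusted"
    if any(is_lookalike(dest, t) for t in trusted):
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for addr in (TRUSTED_HISTORY[0], POISONED_LOOKALIKE, UNRELATED):
        verdict = classify_destination(addr, TRUSTED_HISTORY)
        # Always print the full address so the user can compare every character.
        print(f"{verdict:9s} {addr}")
    for seen, mimicked in find_lookalikes([POISONED_LOOKALIKE, UNRELATED], TRUSTED_HISTORY):
        print(f"history entry {seen} mimics trusted {mimicked}")
```

The check is deliberately conservative: a lookalike verdict is only raised when both ends match a trusted address, which is exactly the case a truncated display cannot distinguish, and the full address is always shown so the user can compare the middle characters rather than just the ends.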
Address poisoning scams and exploits have resulted in significant financial losses. According to cybersecurity firm Cyvers, over $1.2 million was stolen through address poisoning attacks in March 2025. The firm's CEO, Deddy Lavid, reported that these attacks cost users $1.8 million in February. Blockchain security firm PeckShield estimated the total amount lost to crypto hacks in the first quarter of 2025 to be over $1.6 billion, with the Bybit hack in February accounting for the majority of the stolen funds, totaling $1.4 billion.
Cybersecurity experts have linked these attacks to North Korean state-affiliated hackers, who employ complex and evolving social engineering schemes to steal cryptocurrencies and sensitive data. Common tactics used by the Lazarus Group include fraudulent job offers, fake Zoom meetings with venture capitalists, and phishing scams on social media.
