Bitcoin Address Poisoning Attacks Cost Users $1.8 Million in February
1min read Jameson Lopp, the chief security officer at Bitcoin (BTC) custody company Casa, has raised concerns about Bitcoin address poisoning attacks. These attacks are a form of social engineering scam where threat actors generate BTC addresses that closely resemble those in a victim's transaction history, aiming to deceive them into sending funds to the malicious address.
In his article published on February 6, Lopp detailed how these attacks work. He explained that the threat actors create addresses that match the first and last digits of addresses from the victim's transaction history. Lopp's analysis of the Bitcoin blockchain history revealed that the first such transactions appeared in block 797570 on July 7, 2023, with 36 transactions. After a period of inactivity, these transactions resurfaced in block 819455 on December 12, 2023, and continued intermittently until block 881172 on January 28, 2025. There was a two-month break before the attacks resumed.
Over an 18-month period, nearly 48,000 transactions matching the profile of potential address poisoning were identified. Lopp emphasized the importance of thoroughly checking addresses before sending funds and advocated for better wallet interfaces that fully display addresses to mitigate these risks.
Address poisoning scams and exploits have resulted in significant financial losses. According to cybersecurity firm Cyvers, over $1.2 million was stolen through address poisoning attacks in March 2025. The firm's CEO, Deddy Lavid, reported that these attacks cost users $1.8 million in February. Blockchain security firm PeckShield estimated the total amount lost to crypto hacks in the first quarter of 2025 to be over $1.6 billion, with the Bybit hack in February accounting for the majority of the stolen funds, totaling $1.4 billion.
Cybersecurity experts have linked these attacks to North Korean state-affiliated hackers, who employ complex and evolving social engineering schemes to steal cryptocurrencies and sensitive data. Common tactics used by the Lazarus Group include fraudulent job offers, fake zoom meetings with venture capitalists, and phishing scams on social media.
๐ถ๐๐ก๐๐๐๐๐๐ ๐ธ. ๐ ๐ข๐ ๐ ๐๐๐, ๐ก๐๐๐๐ ๐ ๐ก๐๐๐ข๐๐๐ก๐๐ข๐, ๐๐๐๐ ๐๐๐๐๐๐ง๐๐ ๐๐๐๐๐๐๐๐ ๐ก๐ ๐๐๐๐๐๐๐๐๐ ๐๐๐๐๐๐๐๐ ๐๐๐ ๐๐๐ฃ๐๐ ๐ก๐๐๐๐ก ๐ ๐ก๐๐๐ก๐๐๐ฆ, ๐๐๐ ๐ข๐๐๐๐ ๐ก๐๐๐ก ๐๐๐๐ ๐๐๐๐๐๐๐๐๐๐๐ก๐๐๐ ๐๐๐๐๐๐ ๐ค๐๐ก๐ ๐ก๐๐ ๐๐๐๐๐๐ก'๐ ๐๐๐๐๐ , ๐๐๐ ๐ ๐ก๐๐๐๐๐๐๐๐, ๐๐๐ ๐๐๐๐-๐ก๐๐๐ ๐ฃ๐๐ ๐๐๐. ๐บ๐๐ก ๐ก๐๐ ๐๐๐๐ ๐๐ ๐๐๐ฆ๐๐ก๐ ๐ก๐๐๐๐๐๐ ๐๐๐๐ก ๐ฅ๐น๐๐๐๐๐๐๐ ๐๐๐๐, ๐๐๐ญ๐ก๐๐ซ๐ข๐ง๐ ๐. ๐๐ฎ๐ฌ๐ฌ๐๐ฅ๐ฅ ๐๐๐๐๐๐๐~๐ฃ๐๐๐ค.
๐๐๐๐ก ๐ ๐๐ก๐ ๐๐๐ ๐๐๐๐๐ก ๐๐ ๐๐๐ก ๐๐๐๐ฆ ๐ ๐ ๐ก๐๐๐๐ ๐ก๐๐๐๐ ๐๐๐๐๐๐ ๐๐ ๐ ๐๐ข๐๐ ๐๐๐๐๐๐๐๐๐ ๐๐ข๐๐๐๐๐๐ ๐๐ข๐ก ๐๐๐ ๐ ๐ก๐๐ ๐๐๐๐๐๐ก๐ฆ ๐ก๐ ๐๐๐๐๐ข๐๐๐๐๐ก๐ ๐๐๐๐๐๐๐ฅ ๐๐๐๐๐๐๐๐๐ ๐๐๐๐๐๐๐ก๐ ๐๐ ๐ ๐๐๐๐๐, ๐๐๐๐๐ ๐ ๐๐๐๐ ๐ค๐๐ฆ. ๐