Jameson Lopp, the Chief Security Officer at Casa, a Bitcoin custody firm, has issued a serious warning about a rising cyber threat targeting crypto users. Known as address poisoning, this scam manipulates users into sending Bitcoin to fraudulent addresses that closely resemble ones they’ve previously interacted with.
How Address Poisoning Works
In a blog post published on February 6, Lopp explained how scammers craft Bitcoin addresses that share the same beginning and ending characters as those found in a user’s transaction history. These deceptive addresses are then inserted into the target’s history through small, unsolicited transactions, tricking users into selecting the wrong address when sending funds.
Lopp’s deep dive into the blockchain revealed some troubling patterns:
- The first signs of this attack appeared in block 797570 on July 7, 2023, featuring 36 suspicious transactions.
- Activity resumed on December 12, 2023, in block 819455 and persisted through January 28, 2025, in block 881172.
- After a short pause, the attacks resumed in 2025.
Over this period, nearly 48,000 transactions matched the profile of a potential address poisoning scam.
Millions Lost to Crypto Scams in 2025
The threat isn’t theoretical. In March 2025 alone, hackers used address poisoning tactics to steal over $1.2 million, according to cybersecurity firm Cyvers. In February, these scams claimed an additional $1.8 million.
But that’s only part of the picture. Blockchain security firm PeckShield estimates that crypto-related hacks have caused over $1.6 billion in losses in the first quarter of 2025. A staggering $1.4 billion of that total came from a single incident—the Bybit hack in February—making it the most damaging crypto breach to date.
Social Engineering Tactics on the Rise
Many of these attacks are tied to North Korean state-sponsored hacking groups, particularly the infamous Lazarus Group. These actors rely heavily on social engineering tactics, which can include:
- Fake job offers that trick developers into downloading malware
- Fraudulent Zoom calls with actors posing as venture capitalists
- Phishing messages sent through popular social media platforms
Lopp emphasized that users should always double-check addresses before confirming a transaction. He also called on wallet developers to improve user interfaces so that complete addresses are always visible, reducing the chance of error.
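The double-check Lopp recommends can also be done in software. The following is an added example, not code from Lopp, Casa or any wallet: it compares a destination against addresses the user has deliberately paid before and flags one that shares only the beginning and ending characters. The function names, the 4-character thresholds and the sample addresses are assumptions made for illustration; the addresses are constructed, not real.

```python
# Added example: flag a destination that imitates a trusted address.
# Type markers are shared by every mainnet address of that type, so they
# are stripped first and do not count as a "matching beginning".
HEADERS = ("bc1q", "bc1p", "1", "3")

# Constructed sample addresses (not real, checksums not valid).
TRUSTED = "bc1qm9x4t7e2ku0c8ad5v3hn6ys2jw7plr4fz8gq3k"
POISON = "bc1qm9x4z3nd8y5lw6ca0rt2ejv7k4suh9pg5xgq3k"
UNRELATED = "bc1q5d0vkl3s8rtwe7ch2ay9n4xj6pmf3zu8q2e7ya"

def split_header(addr):
    """Return (type marker, remaining characters) for an address string."""
    if addr.lower().startswith("bc1"):
        addr = addr.lower()  # bech32 is case-insensitive, base58 is not
    for header in HEADERS:
        if addr.startswith(header):
            return header, addr[len(header):]
    return "", addr

def common_len(a, b):
    """Number of leading characters a and b have in common."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n

def classify(dest, trusted, min_prefix=4, min_suffix=4):
    """Return ("known", addr), ("lookalike", addr) or ("new", None).

    `trusted` must hold only addresses the user chose to pay; raw history
    would also contain the poisoned entries themselves. Thresholds are
    assumed values, the source gives no character counts.
    """
    d_head, d_body = split_header(dest)
    lookalike = None
    for addr in trusted:
        head, body = split_header(addr)
        if (head, body) == (d_head, d_body):
            return "known", addr
        if head != d_head:
            continue
        prefix = common_len(d_body, body)
        suffix = common_len(d_body[::-1], body[::-1])
        if prefix >= min_prefix and suffix >= min_suffix:
            lookalike = addr
    return ("lookalike", lookalike) if lookalike else ("new", None)
```

A wallet could block or require extra confirmation on a "lookalike" result and show the two full addresses side by side with the differing middle highlighted.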