An executive regularly transfers funds between the corporate wallet and that of their usual supplier. Out of habit, they copy-paste the last used address from their transaction history. A few hours later, they discover that 200,000 euros in USDC have vanished. The address was correct—or so it seemed: the first six and last four characters matched perfectly.
This attack technique, known as address poisoning, exploits a behavioral vulnerability rather than a technical one. Attackers create addresses nearly identical to ones you use regularly, then insert them into your transaction history by sending you tiny amounts. The goal: trick you into copying the wrong address during your next transfer.
The phenomenon is becoming industrialized. According to data from the Chainalysis platform, Ethereum address poisoning attacks generated over 58 million dollars in losses in 2023, with notable acceleration in the second half of the year. For companies managing part of their treasury in crypto-assets, this cyber threat deserves particular attention, much like the sophisticated attacks conducted by state-sponsored actors.
How address poisoning actually works
The mechanism relies on three elements: the length of Ethereum addresses (42 hexadecimal characters), user habits of partial verification, and the computing power now accessible to generate similar addresses.

A standard Ethereum address looks like this: 0x742d35Cc6634C0532925a3b844Bc9e7595f0bEb4. In practice, no one verifies this entire string character by character. People typically check the first six and the last four or five characters. Attackers know this and exploit the behavior.
Using address generation algorithms (called vanity address generators), they create millions of addresses until they achieve a match on these visible segments. An operation that required several days of computation years ago can now be done in hours with standard hardware.
Once the malicious address is generated, the attacker sends a transaction of a few cents (sometimes even zero ether with worthless tokens) to your wallet. This transaction appears in your history. When you check your recent transfers to find the address of a regular recipient, you see this fake address that looks identical to the real one.
The trap closes at the moment you copy and paste. You select what appears to be the correct address, initiate the transfer, and the funds go permanently to the attacker's wallet. On the Ethereum blockchain, transactions are irreversible. There's no recourse once validation is complete.
Why this crypto security threat particularly affects corporate treasurers
Address poisoning attacks primarily target active wallets that conduct regular transactions with significant amounts. In other words, exactly the profile of a company managing part of its treasury in stablecoins or paying suppliers in crypto-assets.
Let's consider a concrete case. A tech SME holds 500,000 euros equivalent in USDC on a multi-signature wallet. It makes monthly transfers to three international service providers, with amounts ranging from 15,000 to 80,000 euros. The CFO or administrator managing these operations naturally uses transaction history to quickly find the addresses of regular recipients.
This routine, perfectly logical from an operational standpoint, becomes a vulnerability. An attacker monitoring the blockchain (all Ethereum transactions are public) identifies this active wallet, spots the frequent recipient addresses, and generates corresponding poisoned addresses. They only need to send a few dummy transactions to pollute the history.
The risk intensifies in a business context for two reasons. First, operational pressure: a CFO simultaneously managing traditional and crypto treasury, reporting, and supplier deadlines has less time to meticulously verify each character of an address. Second, delegation: when multiple people can initiate transactions (accountant, CFO, executive), Ethereum security practices become diluted.
The regulatory and accounting dimension
A loss from an address poisoning attack raises delicate accounting and governance questions. Unlike a centralized platform hack where the operator bears responsibility, here the transaction was initiated from the company's wallet with authorized private keys.
From an accounting standpoint, it's an asset loss. The accounting treatment will depend on how crypto-assets are taxed in your jurisdiction, but in France, for a corporation under standard tax, it constitutes a non-deductible expense if the tax authorities deem there was negligence in risk management.
Regarding governance, the audit committee or external auditor may legitimately question internal control procedures. How does the company document its crypto transaction validation processes? Is there double verification? A register of approved addresses? The absence of clear answers can weaken the situation in case of audit.
Effective preventive measures for corporate treasury
Protection against address poisoning rests on three pillars: systematic verification, process organization, and appropriate tools.
First absolute rule: never trust transaction history to copy an address. This reflex, perfectly legitimate in traditional banking where credentials are verified by institutions, becomes dangerous on blockchain. History can be polluted, and no institution validates addresses for you.
Establish a controlled address book. Concretely, this is a document (secure spreadsheet, professional wallet management software, or ENS – Ethereum Name Service) where you record recipient addresses only once, after complete verification. For each new address to add, impose a process: character-by-character verification, validation by a second person, test with a minimal amount (5 or 10 euros equivalent), and only after confirmation of receipt, transfer the main amount.
This approach transforms the risk. Instead of verifying a long hexadecimal string at each transaction, you do it once when adding to the address book. Then, you systematically copy from this trusted source, never from blockchain history.
Technical protection tools
Several technical solutions strengthen Ethereum security. Multi-signature wallets (like Gnosis Safe, now Safe) natively integrate an address book feature with the ability to add labels. Each address can be named ("Supplier X", "Service Provider Y"), limiting the need to copy from history.
Ethereum Name Service (ENS) provides another layer of protection against address phishing on blockchain. An ENS name (for example company.eth) replaces the hexadecimal address with a readable name. If your supplier has an ENS name, you transfer to that name rather than the raw address. Address poisoning then becomes ineffective: an attacker cannot create an identical ENS name, as each name is unique in the registry.
For companies managing large volumes, certain institutional wallets (Fireblocks, Copper, BitGo) offer mandatory whitelist mechanisms. Any new recipient address must be approved by multiple signatories and respect a security delay (timelock) before activation. This operational constraint may seem burdensome, but it eliminates the risk of human error under pressure.
Training and procedure documentation
Technology alone isn't enough. Address poisoning exploits the human factor above all. In an organization, this means precisely documenting procedures and training authorized personnel to conduct transactions.
Your procedure should include at minimum: a formal ban on copying addresses from history, the obligation to use the validated address book, the double-check rule (one person prepares the transaction, another verifies the address before signing), and systematic testing with a minimal amount for any new address.
This documentation has a dual benefit. First, it actually protects against the risk. Second, it serves as proof of due diligence in case of external review (audit, external auditor, regulatory verification). You demonstrate that the company has implemented safeguards appropriate to the nature of assets managed.
The pragmatic approach for an SME
Implementing these measures doesn't require a massive budget or complete organizational overhaul. An SME can start with a few simple measures rigorously applied.
Start by creating a secure spreadsheet (stored in a password manager or the company's encrypted drive) listing all Ethereum addresses you interact with regularly. For each address, note the recipient's name, date added, name of the person who verified the address, and optionally a link to the first test transaction.
Impose a three-step verification rule: compare the first ten characters, compare the last ten characters, compare at least five characters in the middle of the address (for example between the 20th and 25th character). This method forces you to scan the entire address without verifying all 42 characters one by one, which would be too time-consuming.
If your transaction volume justifies it (beyond about ten transfers per month), invest in a professional multi-signature wallet. The annual cost (a few thousand euros depending on solutions) is well justified given the risk. These tools natively integrate address book functionality, validation workflows, and operation logging.
Finally, systematically include a testing step. Before any significant transfer (set a threshold, for example 5,000 euros), send a symbolic amount first (10 or 20 euros equivalent). Wait for confirmation of receipt by the recipient (via email, phone, or another channel independent of the blockchain), then proceed with the main transfer. This delay of a few minutes may seem constraining, but it prevents irreversible errors.
What this means for crypto treasury management
The industrialization of address poisoning attacks reveals a reality: managing crypto-assets in business requires specific skills and processes. You cannot directly transpose traditional banking practices.
For a CFO or executive considering allocating part of the treasury to stablecoins or crypto-assets, this operational dimension must be anticipated. Before even considering potential returns or risk diversification, ask yourself about processes: who in the company will be authorized to conduct transactions? How do you organize double verification? Which wallet do you use and what security features does it offer?
These questions are not technical details, but genuine operational risk management. A loss from an address poisoning attack is not covered by standard insurance (crypto policies remain rare and expensive), it directly impacts the company's bottom line and can undermine stakeholder confidence. As with any exposure of keys or sensitive information, prevention remains the best strategy.
The good news: solutions exist and don't require advanced cryptographic expertise. They require rigor, documentation, and minimal training of those involved. Exactly as you did when your company adopted SEPA transfers or electronic document signatures.
The mistake would be to dismiss these measures as unnecessary or excessively cautious. The numbers speak for themselves: 58 million dollars lost in 2023, with continuous growth. Professional criminals are professionalizing their methods, automating malicious address generation, and methodically targeting active wallets. Your company can protect itself effectively, provided you integrate this dimension into your crypto strategy from the start.
```


