Zero Value Transfer Scam

A zero-value transfer scam is an address poisoning attack where a bad actor sends a transaction of zero tokens to your wallet, with no financial value attached. The goal is not to steal funds directly. It is to insert a fraudulent address into your wallet's transaction history so you accidentally copy and use it the next time you send crypto.

How the Attack Works

Every blockchain transaction you make gets recorded in your wallet's history. Most wallets display recent sending and receiving addresses so you can quickly reuse them. Attackers exploit this convenience.

The scammer creates a wallet address that closely resembles one you have already transacted with, usually matching the first and last several characters. They then send a 0-token transaction from that address to your wallet. The fake address now appears in your history, sitting right next to the real one. When you go to send crypto again and copy from your history without checking every character, you send funds directly to the attacker.

This attack became widespread on Ethereum and BNB Chain networks in 2022 and continued to grow. Security firm Cyvers reported that address poisoning attacks resulted in over $1.2 million in losses in a single month in early 2024. The attack requires no hacking and no malware. It relies entirely on your own inattention.

Why It Is Difficult to Spot

Crypto addresses are long strings of characters, typically 42 characters for Ethereum. Most wallets and block explorers truncate them in the middle for display purposes, showing only the first six and last four characters. A scammer only needs those to match.

Attackers generate thousands of vanity addresses programmatically until they find one close enough to your legitimate counterparty's address. The matching first and last characters make the fake address look identical at a glance. If you copy from history instead of your contacts or clipboard, the attack works exactly as intended.

How to Protect Yourself

A few practices eliminate almost all risk from this attack.

• Never copy addresses from your transaction history. Always use your saved contacts list or request a fresh address from the recipient directly.
• Verify every character before sending. Check the full address, not just the first and last few characters. Zoom in or copy it into a text editor if needed.
• Use address book features. Most hardware wallets and software wallets let you save verified addresses with labels. Use this feature consistently.
• Send a small test transaction first. For any large transfer, send a small amount first and confirm it arrives at the correct destination before sending the full sum.
• Ignore unknown incoming transactions. If you receive a zero-value or dust transaction from an unfamiliar address, do not interact with it and do not add it to your contacts.

Who Is Most at Risk

Traders who move funds frequently between wallets are the most common victims. The more often you transact, the more addresses accumulate in your history, and the harder it becomes to distinguish a poisoned address from a legitimate one.

Businesses running treasury operations or paying staff in crypto face elevated risk because they handle larger transactions and may use multiple signers who each rely on transaction history shortcuts. Implementing a verified address register shared across all signers is the most effective defense in a team setting.

Sources

https://www.coindesk.com/tech/2023/01/17/address-poisoning-attacks-are-on-the-rise-heres-what-you-need-to-know
https://cointelegraph.com/news/address-poisoning-scam-what-it-is-and-how-to-avoid-it
https://www.chainalysis.com/blog/address-poisoning-attacks