Address poisoning
Attack where an adversary generates an address that looks similar to one the victim regularly uses and sends them a micro-transaction, hoping the victim will later copy the lookalike from history and send funds to the wrong place.
Aliases: lookalike address attack, address spoofing
Address poisoning is an attack on the user’s habit of copying addresses from transaction history. The attacker generates a TON address whose first and last characters match an address the victim already uses — their own second wallet, an exchange deposit, a partner’s wallet — and sends a tiny amount of TON or jetton “dust” to it. The lookalike address now appears in history on Tonscan, Tonkeeper, or MyTonWallet alongside the real one.
The next time the user wants to send funds to “their” address, they copy from history and hit the attacker’s wallet.
Why it works
TON addresses in EQ… or UQ… form are 48 characters. Most UIs show a truncated form — first and last 4-6 chars: EQAB…f9DG. If the attacker has mined an address with the same six leading and trailing characters, visually it looks identical to the real one. The full address differs, but nobody verifies all 48 characters.
Mining matching prefixes and suffixes is a “vanity-address” search through seed phrases. Six characters (~36 bits) take a few hours on a modern GPU.
How to spot it
- An unexpected micro-transaction in history. Receiving 0.001 TON or 0.00001 jetton from an address that looks suspiciously like your own is a warning sign.
- A near-twin in the address list. History shows two very similar addresses; one is fake.
- Repeated dusting. Attackers send dust periodically so the fake address stays at the top of recent activity.
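As an added example (not code from the original page), the first two signs above can be checked mechanically: given a saved address book and a few constructed history entries, this Python snippet flags senders whose truncated view collides with a saved address while the full 48 characters differ, and marks the classic dust pattern. The addresses and amounts are made up for illustration; only their 48-character shape matches real TON user-friendly addresses.

```python
from decimal import Decimal

ADDR_LEN = 48  # EQ…/UQ… user-friendly TON addresses are 48 characters

# Constructed address book: a label and the full address the user actually uses.
TRUSTED_BOOK = {
    "second wallet": "EQAB7kq1M2b3c4d5e6f7g8h9i0jKLMNOPQRSTUVWXYZaf9DG",
}

# Constructed history slice. The second sender shares the first and last six
# characters with "second wallet" but is a different address, and sent dust.
HISTORY = [
    {"from": "EQAB7kq1M2b3c4d5e6f7g8h9i0jKLMNOPQRSTUVWXYZaf9DG", "amount": "25"},
    {"from": "EQAB7kZz9y8x7w6v5u4t3s2r1q0pOnMlKjIhGfEdCbZaf9DG", "amount": "0.001"},
    {"from": "UQCx1234567890abcdefghijklmnopqrstuvwxyzABCDEFGH", "amount": "3"},
]

DUST_THRESHOLD = Decimal("0.01")  # assumption: amounts below this count as dust


def truncated_view(address: str, n: int = 6) -> str:
    """The short form most wallet UIs display: first n and last n characters."""
    return f"{address[:n]}…{address[-n:]}"


def looks_like(candidate: str, trusted: str, n: int = 6) -> bool:
    """True when the truncated views collide but the full addresses differ."""
    return (candidate != trusted
            and candidate[:n] == trusted[:n]
            and candidate[-n:] == trusted[-n:])


def find_poisoning_candidates(history, book=TRUSTED_BOOK, n=6, dust=DUST_THRESHOLD):
    """Flag incoming entries whose sender collides with a saved address in truncated view.

    Returns a list of (label, sender, is_dust) tuples; is_dust marks the
    micro-transaction pattern described above.
    """
    flagged = []
    for entry in history:
        sender = entry["from"]
        if len(sender) != ADDR_LEN:
            continue  # not a user-friendly TON address; skip it
        for label, trusted in book.items():
            if looks_like(sender, trusted, n):
                is_dust = Decimal(entry["amount"]) < dust
                flagged.append((label, sender, is_dust))
    return flagged
```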
Defence
- Never copy addresses from transaction history. Golden rule. Save the addresses you actually use in your wallet’s address book — Tonkeeper and MyTonWallet support this.
- Verify fully. Before signing a meaningful transfer, read all 48 characters, or at minimum the first 8 and the last 8.
- Use .ton domains. A mywallet.ton-style address is shorter, reads in full, and is much harder to spoof.
- Hardware wallet. A Ledger shows the recipient address on its own screen — this lets you “see what you sign”, but you still have to compare.
- Labelled TON Connect dApps. When you work through a DEX or marketplace, the domain and transaction type are shown explicitly.
Address poisoning hits hardest for users who routinely move funds between several of their own wallets — they have trained themselves to copy quickly without checking.