Jameson Lopp sounds alarm on Bitcoin address poisoning attacks



Jameson Lopp, the chief security officer at Bitcoin (BTC) custody company Casa, sounded the alarm on Bitcoin address poisoning attacks, a social engineering scam that uses similar addresses from a victim’s transaction history to fool them into sending funds to the malicious address.

According to Lopp’s Feb 6 article, the threat actors generate BTC addresses that match the first and last digits of addresses from the victim’s transaction history. Lopp analyzed the Bitcoin blockchain history for this type of attack and found:

“The first such transactions did not appear until block 797570, July 7, 2023, which had 36 such transactions. Then, all was quiet until block 819455, December 12, 2023, after which we can find regular bursts of these transactions up until block 881172, January 28, 2025, then there was a 2-month break before they started up again.”

“Over these 18 months, just shy of 48,000 transactions were sent that match this profile of potential address poisoning,” Lopp added.

Example of a poisoned address attack. Source: Jameson Lopp

The executive urged Bitcoin holders to thoroughly check addresses before sending funds and called for better wallet interfaces that fully display addresses. Lopp’s warning highlights the emerging cybersecurity exploits and fraudulent schemes plaguing the industry.  
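As an added illustration (not code from Lopp's article or from Casa), the check below compares a destination against the addresses in a wallet's own history and flags one that shares its leading and trailing characters with a known address but differs in between. The 4-character thresholds, the function names and the sample addresses are assumptions made for this example.

```python
# Added example: flag a destination that imitates an address from history.
# All addresses below are constructed sample strings, not real or valid ones.

def normalize(addr: str) -> str:
    """Bech32 (bc1...) is case-insensitive; Base58 (1.../3...) is not."""
    a = addr.strip()
    return a.lower() if a.lower().startswith("bc1") else a

def split_type(addr: str) -> tuple[str, str]:
    """Separate the prefix shared by every address of that type from the rest."""
    cut = 4 if addr.startswith("bc1") else 1  # "bc1q"/"bc1p" vs "1"/"3"
    return addr[:cut], addr[cut:]

def common_prefix_len(a: str, b: str) -> int:
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n

def classify(dest: str, history: list[str], head: int = 4, tail: int = 4):
    """Return ("known", addr), ("lookalike", addr) or ("new", None)."""
    d = normalize(dest)
    known = [normalize(h) for h in history]
    if d in known:
        return ("known", d)
    d_type, d_body = split_type(d)
    for k in known:
        k_type, k_body = split_type(k)
        if (d_type == k_type
                and common_prefix_len(d_body, k_body) >= head
                and common_prefix_len(d_body[::-1], k_body[::-1]) >= tail):
            return ("lookalike", k)  # same ends, different middle
    return ("new", None)

# Constructed wallet history and candidate destinations (assumed values).
HISTORY = ["bc1qw508aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa9k7x",
           "1Kx9constructedSAMPLEonlyZZZZZ4tQ"]
POISONED = "bc1qw508cccccccccccccccccccccccccccccccc9k7x"
UNRELATED = "bc1qm3r2dddddddddddddddddddddddddddddddd5p0e"

if __name__ == "__main__":
    for dest in (HISTORY[0], POISONED, UNRELATED):
        print(dest, classify(dest, HISTORY))
```

A "lookalike" result is the case where a truncated address display would show the same text for both addresses, which is why the full string has to be compared.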


Address poisoning scams and exploits claim billions in stolen user funds

According to cybersecurity firm Cyvers, over $1.2 million was stolen through address poisoning attacks in March 2025. Cyvers CEO Deddy Lavid said these types of attacks cost users $1.8 million in February.

Blockchain security firm PeckShield estimates the total amount lost to crypto hacks in Q1 2025 to be over $1.6 billion, with the Bybit hack accounting for the vast majority of the stolen funds.

The Bybit hack in February was responsible for $1.4 billion in losses and represents the biggest crypto hack in history.

Cybersecurity experts have tied the attacks to North Korean state-affiliated hackers who use complex and evolving social engineering schemes to steal cryptocurrencies and sensitive data from targets.

Common Lazarus Group social engineering scams include fraudulent job offers, Zoom meetings with fake venture capitalists, and phishing scams on social media.
