Scene reconstruction · Character is fictional; the methods are real and in active use

Marcus had been sending USDT to his own on-chain wallet for months. The routine was automatic: open transfer history, find the last entry, copy the receiving address, paste, check the first four characters and the last four — they matched — confirm.

This time was no different. The start looked right. The end looked right. He glanced at it twice and hit Send. The blockchain confirmed almost immediately. But the balance in his wallet stayed at zero.

When he scrolled back through his records he finally saw it: the entry he'd copied wasn't an outgoing transfer he'd made — it was a zero-value incoming transaction from a few days earlier. The sender's address shared the exact same opening and closing characters as his own wallet. Only the long middle section was different. Someone had already planted a "twin" address in his history and was simply waiting for the day he lazily grabbed it.

That technique is called address poisoning. It works alongside an older attack called clipboard hijacking, and both target the same moment: the split second between copying and pasting. On-chain transfers are irreversible. Once either of these scams lands, there's almost no coming back. This guide explains how they work and how to stop them.

Address Poisoning: How a Fake Address Gets Into Your History

Start with one fact: generating a blockchain address is free, and you can generate as many as you like. Attackers run scripts to batch-generate addresses, hunting for ones whose first few characters and last few characters match a known target address. Given enough computing time, a match is always possible.

Once they have a twin address, they send you a transaction — either zero-value or a tiny "dust" amount. This doesn't harm you directly. Its only purpose is to claim a slot in your wallet history or your exchange deposit records. From that day on, your transfer history contains a familiar-looking address that's actually controlled by someone else.

The rest depends on habit. Most people, when sending crypto, pull the address from their history. Two entries look identical at the beginning and end; which one you pick is basically random. On some chains the attacker can even make the poisoning entry appear as though it originated from your address, making it look like your own past transfer — one more layer of deception.

Don't assume being a small fish keeps you safe. These attacks are broad-net operations. Scripts continuously scan for active addresses; anyone who transacts frequently or holds a meaningful balance gets a custom twin generated for them. The cost to the attacker is nearly zero, so the net gets cast wide. Any time you casually grab an address from history, you might be picking up the planted one.

Clipboard Hijacking: The Swap Happens While You Paste

Address poisoning works in your "past." Clipboard hijacking works in your "now."

It's a category of malware that runs silently in the background doing exactly one thing: watching the clipboard. The moment you copy something that looks like a blockchain address — 34 characters starting with T, or 42 characters starting with 0x — the malware immediately replaces the clipboard contents with an attacker-controlled address. You copied the right address. You paste the wrong one. No pop-up, no warning, nothing.

Where does this malware come from? Cracked software, pirated tools, sketchy browser extensions, and fake wallet apps are the usual sources. What makes it nastier: some variants hold a whole pool of addresses with varying first and last characters, specifically choosing a replacement that matches the opening and closing characters of whatever you just copied. Just like address poisoning, it's deliberately aimed at people who only check the beginning and end.

There's a quick ten-second self-check worth knowing: after copying an address, don't go straight to the transfer form — open a plain text editor and paste there first. Compare the pasted string against the original character by character. If they don't match, your clipboard has been tampered with, and that device should never be used for transfers until it's been cleaned. But be clear-eyed about the limits: this check only catches the swap at that exact moment; malware can easily skip one paste and swap the next. So it's no substitute for verifying the address again on the transfer confirmation page.

Why Checking Only the First and Last Four Characters Isn't Enough

Checking the first four and last four characters used to be adequate — one wrong character in a hand-typed address would fail the check. But the attacker's cost structure has changed: generating an address whose first four and last four characters match a target is something a regular computer can do in reasonable time. Every additional character they'd need to match multiplies the difficulty by tens. But they don't need more, because everyone only checks the first and last four. Your verification range defines their forgery target.

So the check needs to upgrade — the overhead is actually small:

  • First four + last four + a random section in the middle. Pick any four to six characters from somewhere in the middle and verify those too. That alone pushes the difficulty from "doable" to "not worth it" for attackers.
  • For large amounts, scroll through the whole string. A few dozen characters, maybe fifteen seconds — trivial compared to what's at stake.
  • Make sure your reference comes from a trusted source: what the recipient just shared with you directly, or what your wallet displays right now. Not your transfer history — history may already be poisoned.
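An added example, not part of the original guide, of the three-part check above for 0x-style addresses, together with the average number of random addresses that would have to be generated to match the characters a reader actually checks. It assumes address characters are uniformly distributed, counts characters after the 0x prefix, and uses constructed placeholder addresses.

```python
import secrets

def body(addr):
    """The 40 hex characters of an 0x address, lower-cased, prefix removed."""
    a = addr.strip().lower()
    return a[2:] if a.startswith("0x") else a

def ends_match(candidate, reference, k=4):
    """The habit the guide warns about: first k and last k characters only."""
    c, r = body(candidate), body(reference)
    return len(c) == len(r) and c[:k] == r[:k] and c[-k:] == r[-k:]

def three_part_check(candidate, reference, k=4, width=6, start=None):
    """First k + last k + one middle window of `width` characters.
    The window offset is random unless `start` is given, so a forger
    cannot know in advance which middle characters will be read."""
    if not ends_match(candidate, reference, k):
        return False
    c, r = body(candidate), body(reference)
    if start is None:
        start = k + secrets.randbelow(len(r) - 2 * k - width + 1)
    return c[start:start + width] == r[start:start + width]

def expected_tries(checked_chars, alphabet=16):
    """Mean number of uniformly random addresses generated before one matches
    `checked_chars` fixed characters (each match has probability 1/alphabet)."""
    return alphabet ** checked_chars

# Constructed placeholders shaped like 0x addresses; not real wallets.
REFERENCE = "0x7a3f" + "11" * 16 + "9c2e"   # taken from a trusted source
TWIN      = "0x7a3f" + "ee" * 16 + "9c2e"   # same ends, different middle

if __name__ == "__main__":
    print("ends only :", ends_match(TWIN, REFERENCE))         # the twin slips through
    print("three-part:", three_part_check(TWIN, REFERENCE))   # the twin is rejected
    for label, n in (("4+4", 8), ("4+4+6 middle", 14), ("all 40", 40)):
        print(f"{label:>13}: about {expected_tries(n):.2e} tries")
```

The figure for the middle window is a lower bound: because the window position is not known in advance, a twin would have to match every position the reader might choose.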

The Three-Point Check Before Every Transfer

Three checks before every transfer, skip none:

  1. Source: where did this address come from? Only trust what the recipient just provided directly, or what's in your address book whitelist. Reject anything from your history or a chat thread.
  2. Full string: verify the first four, last four, and a middle segment. All three must match.
  3. Amount: for large transfers, always send a small test amount first, confirm the recipient received it, then send the rest.

The third check is the one people skip most often — yet it's your last line of defence. Even if the first two checks fail, losing a small test amount still saves the main transfer. Why experienced users swear by this tedious-sounding habit is explained fully in the small test transfer guide.

Everyday Habits That Actually Protect You

First: Save your regular addresses in an address book and always send from there. Your wallet's address book, your exchange's withdrawal whitelist — same principle. You verify an address carefully once when you add it, then every subsequent transfer is a selection from a list, never a paste operation. Both poisoning and hijacking require you to paste something; remove that step and they have nothing to work with. The exchange whitelist adds another layer: once enabled, any new address must pass a verification wait period before it can receive funds. Even if your account is compromised, an attacker can't immediately withdraw to their own address.

Binance's withdrawal whitelist is in the account security settings. No account yet? You can sign up with referral code BN3233 at Binance (we earn a referral fee from this, at no cost to you).

Second: Never casually copy addresses from chat history or transfer records. History may already be poisoned. Chat logs aren't safe either — someone in a group can impersonate a recipient and post a "new address," or the counterparty's own account may have been compromised. If you need an address, ask the recipient to send it fresh. Then confirm the first and last few characters over a separate channel.

Third: Keep your devices clean. Clipboard hijacking requires malware on the machine. Don't install pirated or cracked software. Only download wallet apps from official sources. Keep browser extensions to the absolute minimum. The device you use for large transfers should be as stripped down as possible.

Waybill Log · Editors' Findings

While writing this guide, we scrolled through the incoming transfer records on a few of our own addresses. Several zero-value and dust deposits were sitting there from unknown sources — one had an opening sequence that matched our own address, with only the long middle section differing. These dust entries can't move your funds; we didn't do anything about them. Their only value to the attacker is occupying a line in your history, waiting for the day you grab it out of habit.

We'd recommend doing the same check on your own records. Seeing a planted address sitting right there in your own ledger makes the "three-point check" feel less like advice and more like a reflex.
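The check recommended above, applied to the twin-address pattern from the address poisoning section, as an added example (not code from this guide or from any wallet or exchange): it scans a transfer history for counterparties that share the first and last characters of a trusted address but are a different address. The record fields, the dust threshold and every address are constructed placeholders, and comparing the ends case-insensitively is an assumption about what a quick glance misses.

```python
from decimal import Decimal

def canonical(addr):
    """Identity form: hex (0x...) addresses ignore case and prefix; Base58 stays exact."""
    a = addr.strip()
    return a[2:].lower() if a[:2].lower() == "0x" else a

def is_lookalike(candidate, trusted, k=4):
    """Same first k and last k characters as a trusted address, but a different address."""
    c, t = canonical(candidate), canonical(trusted)
    if c == t or len(c) != len(t):
        return False
    cl, tl = c.lower(), t.lower()   # assumption: a glance does not catch a case change
    return cl[:k] == tl[:k] and cl[-k:] == tl[-k:]

def scan_history(history, trusted, k=4, dust=Decimal("0.01")):
    """Return one finding per history row whose counterparty imitates a trusted address.
    Direction is ignored: a planted row may be displayed as incoming or outgoing."""
    findings = []
    for row in history:
        twin_of = next((t for t in trusted if is_lookalike(row["counterparty"], t, k)), None)
        if twin_of is not None:
            findings.append({
                "txid": row["txid"],
                "address": row["counterparty"],
                "imitates": twin_of,
                "dust": Decimal(row["amount"]) <= dust,
            })
    return findings

# Constructed sample data: placeholder strings shaped like addresses, not real ones.
MY_WALLET = "0x7a3F" + "11" * 16 + "9C2e"      # 42 characters, starts with 0x
MY_TRON = "TQn9" + "Y" * 26 + "Kx7b"           # 34 characters, starts with T
TRUSTED = [MY_WALLET, MY_TRON]
HISTORY = [
    {"txid": "tx1", "counterparty": MY_TRON, "amount": "250"},
    {"txid": "tx2", "counterparty": "0x7A3f" + "ee" * 16 + "9c2E", "amount": "0"},
    {"txid": "tx3", "counterparty": "0x51b0" + "22" * 16 + "44aa", "amount": "0.001"},
    {"txid": "tx4", "counterparty": "TQn9" + "Z" * 26 + "Kx7b", "amount": "0.000001"},
    {"txid": "tx5", "counterparty": "TQN9" + "Z" * 26 + "Kx7b", "amount": "0"},
]

if __name__ == "__main__":
    for f in scan_history(HISTORY, TRUSTED):
        print(f"{f['txid']}: {f['address']} imitates {f['imitates']} (dust={f['dust']})")
```

Rows that are flagged should never be used as a copy source; the trusted list itself has to come from the address book or the wallet's own display, not from the history being scanned.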

If You've Already Been Hit

Honesty first: if the funds have already landed in an attacker's address, the chances of recovery are very low. On-chain transfers are irreversible. No institution can forcibly claw back those coins — this is the same situation as sending to the wrong address entirely. What's still worth doing, in order:

  1. Stop using the compromised device for transfers immediately. If it was a clipboard hijack, there's malware on that machine. Run a thorough scan or reinstall the OS, switch to a clean device, and change all relevant account passwords and 2FA settings.
  2. Preserve evidence and file a police report. Gather the TxID, both addresses, screenshots, and a timeline of how you discovered it. Filing a formal report is the prerequisite for every follow-up step, even if recovery looks unlikely.
  3. Report the attacker's address to exchanges and block explorers. Both major exchanges and blockchain explorers accept address reports. Flagging won't recover your funds, but it may protect others.

If the incident happened on the exchange side — for example, your account was compromised and an attacker withdrew to an unknown address — freeze the account immediately, change your password, reset your 2FA, and submit a detailed incident report to the platform's security team. They can't reverse an on-chain transaction, but they can assist law enforcement and prevent further withdrawals from funds still in the account.

One more thing that needs to be said clearly: after you share your story online, "blockchain recovery experts," "hacker teams," and "legal claims specialists" will find their way to your inbox. Any of them who ask for an upfront fee or deposit is a scammer. No exceptions. Getting hit once is painful enough; second-attempt fraud specifically targets people in this position.

Back to Marcus: Four Gates, One Is Enough

Looking back at Marcus's story, the scam needed him to miss four separate checkpoints: the dust entry was planted — he didn't notice; he copied from history — first gate down; he only checked the first and last four — second gate down; he sent the full amount without a test transfer — last gate down. Four gates. Any one of them, closed, and the money stays put.

The good news: keeping those gates closed doesn't require constant vigilance. It just requires locking in a few default behaviours: add addresses to an address book, copy only from live trusted sources, extend your verification to include the middle, and always test with a small amount first. We've built all of these into the Transfer Checklist — run through it once before each transfer and the routine takes about a minute. Once it's a habit, you don't have to stay alert to stay safe.

Make the Three-Point Check a Fixed Routine

Whitelists, address books, test transfers — none of these are hard. The hard part is consistency. Register on Binance with code BN3233 for a potential fee discount on trades (check the registration page for current terms). First thing after opening your account: turn on the withdrawal whitelist.

This is an independent third-party site, not an official Binance website. On-chain transfers are irreversible — operate carefully and accept responsibility for the outcome.