Understanding the Threats: Account Dusting and Address Poisoning Explained
Account dusting involves attackers sending tiny amounts of cryptocurrency, often SOL, to many wallets to track transactions or set up for larger scams. Address poisoning, on the other hand, is more deceptive: attackers send small amounts from addresses that look like trusted ones, tricking users into sending funds to the wrong place. Both can lead to financial losses and privacy breaches, especially given Solana’s low transaction fees, which make these attacks cost-effective.
Recent Incidents and Impact
Recent reports, including a $2.91 million loss in November 2024 (The Blockchain - Solana User Losses $2.91 Million in an Address Poisoning Scam), highlight the severity, with privacy risks also high due to transaction tracking. These attacks can erode trust in Solana, potentially deterring new users.
Protection Tips
To stay safe, always double-check recipient addresses before sending funds, avoid clicking on links in dust transaction memos, and never share your recovery phrase. Use reputable wallets like Ledger or Phantom, which may offer features to detect suspicious activities. Hiding unwanted token balances instead of interacting with them can also help.
Survey Note: Detailed Analysis of Account Dusting and Address Poisoning on Solana
Introduction to Solana and Emerging Threats
Solana, a high-performance blockchain capable of processing thousands of transactions per second, has seen rapid adoption due to its low fees and scalability. However, this growth has attracted malicious actors, with account dusting and address poisoning becoming notable security concerns. This survey note explores the methodology, data sources, and key research findings related to these attacks, providing a comprehensive overview for users and researchers, including an in-depth analysis of the actors, business models, profitability, and evolving tactics.
Defining Account Dusting
Account dusting involves sending small amounts of cryptocurrency, often referred to as “dust,” to numerous wallet addresses. The primary objectives include:
• Tracking Transactions: Attackers monitor how recipients move funds, potentially linking multiple addresses to compromise user privacy.
• Preparing for Larger Attacks: Dusting can serve as a precursor to more sophisticated scams, such as phishing or address poisoning, by establishing a presence in the victim’s transaction history.
• Deceiving Users: Some dust transactions may include malicious links or prompts, tricking users into interacting with fraudulent contracts or revealing sensitive information.
On Solana, the low transaction fees (less than $0.01, as noted in general crypto security reports) make it economically viable for attackers to target a large number of users. While dusting itself may not directly cause financial loss, it can facilitate subsequent attacks, as seen in discussions on platforms like Reddit, where users report receiving small SOL amounts and express concerns about potential scams.
Understanding Address Poisoning
Address poisoning is a more targeted scam where attackers create cryptocurrency addresses that closely resemble legitimate ones the victim has interacted with. The process typically unfolds as follows:
1. Sending Dust: The attacker sends a small amount of cryptocurrency (e.g., SOL or an NFT) to the victim’s wallet from an address that mimics a trusted address, such as a centralized exchange or a known contact.
2. Tricking the Victim: The victim, seeing the dust transaction in their transaction history, might mistakenly copy the attacker’s address (thinking it is legitimate) when initiating a transaction.
3. Redirecting Funds: The victim sends funds to the attacker’s wallet instead of the intended recipient, resulting in financial loss.
A detailed report by BlockBeats, published in early 2024, identifies address poisoning as one of four main phishing scam scenarios in the Solana ecosystem. It outlines three subtypes:
• 0U/small transfer: Attackers send 0 or a small amount of crypto to induce copying the phishing address.
• Transfer + airdrop mixed: Small token transfer with a phishing link in the memo, tricking users into clicking.
• Fake system program: Addresses with the same tail as Solana system programs, generated using tools like “solana-keygen grind,” to appear legitimate.
This report, based on case studies from the GoPlus security team, highlights the evolving nature of these attacks, with a specific mention of a case reported by Scam Sniffer on X in February 2024.
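An added example (not code from the reports cited here) of how a wallet or monitoring script could catch the look-alike senders described above: it compares each incoming sender against a trusted address book and flags any address that matches only the first or last few characters. All addresses are constructed placeholders except the System Program ID, and the four-character match length is an assumption based on the truncated form wallets commonly display.

```python
# Added example: flag look-alike senders in a wallet's incoming history.
# Every address below is a constructed placeholder except SYSTEM_PROGRAM.
BASE58 = set("123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz")
SYSTEM_PROGRAM = "1" * 32  # Solana System Program ID

TRUSTED = "Exch" + "9vQm3TtYpW7aKd2LxRb5NfUc8HjZs4GyMeA1" + "BoKp"
POISON = "Exch" + "Zr8kWq2NdS6uFhT3mYc5XaJ7pVb9GeL4tKs2" + "BoKp"
FAKE_SYS = "Sys7" + "Zr8kWq2NdS6uFhT3mYc5XaJ7pVb9GeL4tKs2" + "1111"
UNRELATED = "Dust" + "3hJk5Lm7Np9Qr2St4Uv6Wx8Yz1Ab3Cd5Ef7G" + "h9Jk"

def short(addr):
    """Truncated form many wallet UIs display, e.g. FLip…8xKb."""
    return f"{addr[:4]}…{addr[-4:]}"

def is_plausible_address(addr):
    """Solana addresses are base58 strings of 32 to 44 characters."""
    return 32 <= len(addr) <= 44 and set(addr) <= BASE58

def shared_prefix(a, b):
    """Number of leading characters the two strings have in common."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n

def find_lookalikes(senders, trusted, min_match=4):
    """Return (sender, imitated, prefix_len, suffix_len) for near-matches."""
    findings = []
    for s in senders:
        if s in trusted or not is_plausible_address(s):
            continue  # an exact match is the real counterparty
        for t in trusted:
            p = shared_prefix(s, t)
            q = shared_prefix(s[::-1], t[::-1])  # shared suffix length
            if p >= min_match or q >= min_match:
                findings.append((s, t, p, q))
    return findings

def demo():
    return find_lookalikes([TRUSTED, POISON, FAKE_SYS, UNRELATED],
                           [TRUSTED, SYSTEM_PROGRAM])

if __name__ == "__main__":
    for sender, imitated, p, q in demo():
        print(f"{short(sender)} imitates {short(imitated)} "
              f"(prefix {p}, suffix {q})")
```

The trusted and poisoned placeholders render to the same truncated string, which is why the comparison has to run on the full address rather than on what the history view shows.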
Methodology and Data Sources
The research methodology involved analyzing various sources, including:
• Dune Analytics: The “Solana Dusting SCAM Visualizer” dashboard (by me) on Dune Analytics provided on-chain data for analyzing dusting patterns, including the number of small SOL transfers, total volume, unique recipients, top senders, and transfer amount distributions over a 30-day period (April 6 to April 27, 2025).
• Security Alerts: A Ledger warning from November 2023, published on U.Today, alerted Solana users to an ongoing phishing and address poisoning scam, advising against clicking links in dust transaction memos (Solana Users Targeted in Address Poisoning Attack).
• Security Reports: The BlockBeats report on Solana phishing scams, which included address poisoning, and general crypto security articles from The Coin Zone, discussing dusting attacks across blockchains like Solana.
• Case Studies: Notable incidents, such as a user losing $2.91 million in November 2024 due to address poisoning, reported by The Blockchain (Solana User Losses $2.91 Million), and discussions on Reddit about NFT-related losses linked to dusting attacks.
• Recent Analyses: Reports from Gate.io and ChainCatcher in December 2024, mentioning a single scammer causing over $3.1 million in losses through address poisoning, and insights from Decrypt on the “spray-and-pray” tactics.
These sources provided insights into the prevalence, methods, and impact of these attacks, with a focus on Solana’s unique characteristics, such as low fees and high transaction throughput.
Key Research Findings
The research revealed several critical findings:
• Prevalence and Feasibility: Solana’s low transaction fees (less than $0.01, as per The Coin Zone) make account dusting and address poisoning economically viable, with attackers targeting users through dust transactions to set up for larger scams.
• Recent Incidents: Significant cases include the Ledger warning in November 2023, a $2.91 million loss in November 2024 reported by The Blockchain, and multiple Reddit posts from 2024 discussing dust transactions, indicating ongoing activity. Additionally, in December 2024, two victims lost 272 SOL, with the same scammer responsible for over $3.1 million in losses (Gate.io - Solana: Poisoning attacks lead to significant loss, ChainCatcher - Scam Sniffer: Two victims recently lost 272 SOL).
• Impact on Users: Financial losses can be substantial, with the November 2024 case being a stark example. Privacy risks are also high, as dusting can link addresses, exposing user activities. Trust erosion in the ecosystem is another concern, potentially deterring new users.
• Attack Evolution: Address poisoning has evolved, with subtypes like fake system programs exploiting Solana’s address structure, as noted in the BlockBeats report. Dusting is often a precursor, with attackers using it to manipulate transaction histories. Recent reports suggest a shift to automated, large-scale operations, with attackers using “spray-and-pray” tactics to target high-value wallets (Decrypt - Crypto User Loses $700,000 To Address Poisoning Scam).
Dune Dashboard Analysis
I created a public Dune Analytics dashboard titled “Solana Dusting SCAM Visualizer” that provides real-time insights into account dusting patterns on Solana, focusing on transfers below 0.00001 SOL (10,000 lamports) over the last 30 days (April 6 to April 27, 2025). The dashboard includes five key visualizations:
• Number of Small SOL Transfers Over Time: A line chart showing the daily count of SOL transfers below 0.00001 SOL. Peaks in transfer activity were observed around April 20th - 27th, with counts reaching millions of transfers per day, indicating potential dusting campaigns.
• Total Volume of Small SOL Transfers Over Time: An area chart displaying the total SOL amount transferred in small transactions daily. Despite high transfer counts, the total volume remains low, peaking at around 0.5 SOL, reflecting the minimal amounts used in dusting (e.g., 0.000001 SOL per transaction).
• Number of Unique Recipients Over Time: A line chart tracking the daily count of unique wallets receiving small SOL transfers, a key indicator of dusting breadth. On peak days like April 13th, millions of unique wallets were targeted, suggesting widespread campaigns that could compromise user privacy by linking addresses.
• Top Senders of Small SOL Transfers: A bar chart listing the top 20 wallet addresses sending small SOL transfers. Notable senders include addresses like FLip…8xKb and FLip…YMFF, each responsible for millions of transfers, potentially indicating coordinated attacker wallets.
• Dusting Attack Distribution: A histogram showing the distribution of small transfer amounts across buckets (<1,000, 1,000-10,000, 10,000-100,000 lamports). The majority of transfers (around 200 million) fall in the 1,000-10,000 lamport range, with fewer in the <1,000 and 10,000-100,000 ranges, revealing a preference for amounts like 0.000001 SOL (1,000 lamports), consistent with reported dusting tactics.
These visualizations confirm the prevalence of dusting on Solana, with significant activity targeting a large number of wallets, aligning with the “spray-and-pray” tactics noted in recent reports. The concentration of transfers in the 1,000-10,000 lamport range supports the use of ultra-low amounts to minimize costs while maximizing reach, a hallmark of dusting attacks.
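The dashboard's metrics, reproduced as an added Python example over a small constructed transfer list (this is not the Dune query behind the dashboard): it buckets amounts by lamports, counts unique dust recipients per day, and flags senders whose sub-threshold transfers fan out to many wallets. The sender and recipient labels, the half-open bucket boundaries and the fan-out threshold of 5 are assumptions.

```python
# Added example: the dashboard's dust metrics over a constructed transfer list.
# Sender/recipient labels and amounts are made up for illustration.
from collections import Counter, defaultdict

LAMPORTS_PER_SOL = 1_000_000_000
DUST_MAX = 10_000  # 0.00001 SOL, the dashboard's cut-off

# (day, sender, recipient, lamports)
TRANSFERS = (
    [("2025-04-20", "SPRAYER_A", f"wallet_{i}", 1_000) for i in range(6)]
    + [("2025-04-21", "SPRAYER_A", f"wallet_{i}", 1_000) for i in range(4, 9)]
    + [("2025-04-20", "alice", "bob", 2 * LAMPORTS_PER_SOL),  # normal payment
       ("2025-04-20", "carol", "bob", 500),
       ("2025-04-21", "carol", "dave", 50_000)]
)

def bucket(lamports):
    """Histogram bucket for an amount; boundaries assumed half-open."""
    if lamports < 1_000:
        return "<1,000"
    if lamports < 10_000:
        return "1,000-10,000"
    if lamports < 100_000:
        return "10,000-100,000"
    return None  # too large to count as a small transfer

def dust_metrics(transfers, fanout_threshold=5):
    histogram = Counter()
    daily_recipients = defaultdict(set)
    sender_recipients = defaultdict(set)
    for day, sender, recipient, lamports in transfers:
        label = bucket(lamports)
        if label:
            histogram[label] += 1
        if lamports < DUST_MAX:
            daily_recipients[day].add(recipient)
            sender_recipients[sender].add(recipient)
    return {
        "histogram": dict(histogram),
        "unique_recipients_per_day":
            {d: len(r) for d, r in daily_recipients.items()},
        # One-off small transfers are common; wide fan-out is the signal.
        "flagged_senders": {s: len(r) for s, r in sender_recipients.items()
                            if len(r) >= fanout_threshold},
    }

if __name__ == "__main__":
    for name, value in dust_metrics(TRANSFERS).items():
        print(name, value)
```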
Evolution of Tactics
Over time, the tactics used in account dusting and address poisoning have evolved to become more sophisticated and automated. Initially, these attacks may have been more targeted and manual, but recent developments show a shift towards large-scale, automated operations. Attackers now use tools to generate thousands of fake addresses that mimic legitimate ones, sending dust transactions to a broad range of users in a “spray-and-pray” approach, as mentioned in a recent Decrypt article (Decrypt - Crypto User Loses $700,000 To Address Poisoning Scam).
The Dune dashboard supports this, showing millions of unique wallets targeted on peak days, indicating automated, widespread campaigns. Additionally, scammers have become more adept at tailoring their fake addresses to match those of frequently used services or exchanges, enhancing the deception’s effectiveness. The concentration of transfers in the 1,000-10,000 lamport range suggests a refined strategy to use minimal amounts for maximum reach, reducing costs while increasing the likelihood of successful follow-up attacks like address poisoning.
Impact on Users and the Ecosystem
The impact of these attacks is significant:
• Financial Losses: Users can lose substantial amounts, as seen in the $2.91 million case, where the victim sent PYTH tokens to a poisoned address after a small SOL dust transaction. Reddit posts also mention smaller losses, such as 0.25 SOL, linked to interacting with dust NFTs.
• Privacy Breaches: Account dusting allows attackers to analyze transaction patterns, linking multiple addresses to a single user, which can reveal financial activities and compromise anonymity.
• Trust Erosion: Frequent attacks, especially high-profile ones, can erode trust in Solana, potentially affecting its adoption and developer interest, as noted in community discussions.
Prevention and Best Practices
To mitigate these risks, users should adopt the following measures:
• Do Not Click on Links in Memos: Dust transactions may include phishing links, as warned by Ledger in November 2023. Avoid clicking to prevent malware or phishing site exposure.
• Never Share Your Recovery Phrase: Your 24-word recovery phrase is critical; never share it, as advised in Reddit discussions and security alerts.
• Avoid Interacting with Undesired Tokens: Do not transfer, send, or burn unwanted tokens, as this might activate malicious smart contracts, per Ledger’s advice.
• Hide Token Balances: Instead of removing dust, right-click and select “Hide Token” in your wallet, a practice recommended in security alerts to reduce visibility.
• Verify Addresses: Always double-check recipient addresses before sending funds, and avoid copying from transaction history, a common vector for address poisoning, as noted in the BlockBeats report.
• Use Secure Wallets: Reputable wallets like Ledger and Phantom offer features to detect suspicious transactions, such as blurring and marking them as unverified, enhancing user protection.
Address Poisoning and Account Dusting Detection API
I have developed an AI-powered detection API (using Helius RPC and LangGraph) to proactively scan and identify potential address poisoning and account dusting attacks on Solana. This API leverages machine learning algorithms to analyze transaction patterns, detect anomalies, and flag wallet addresses that exhibit characteristics of dusting or poisoning, such as mimicking legitimate addresses or sending to a high number of recipients. This API goes beyond merely searching for transactions involving small SOL transfers (e.g., <0.00001 SOL); its AI integrations allow it to make accurate and intelligent decisions, eliminating the risk of false positives.
By integrating with Solana wallets or dApps, the API provides real-time alerts to users, enabling them to avoid interacting with suspicious transactions or addresses. This tool enhances the ecosystem’s security by offering an automated, scalable solution to counter evolving attack tactics, complementing existing wallet features and community education efforts.
Conclusion
Account dusting and address poisoning pose significant challenges to Solana users, threatening financial security and privacy. By understanding these attacks, adopting best practices, and staying informed about recent incidents, users can better protect themselves. Wallet providers and the Solana community must continue to innovate and educate to ensure the platform remains secure and trustworthy, fostering a robust and resilient ecosystem.
Key Citations
• Solana Users Targeted in Address Poisoning Attack
• Solana User Losses $2.91 Million
• Ledger Support’s X post on Address Poisoning
• Gate.io - Solana: Poisoning attacks lead to significant loss
• ChainCatcher - Scam Sniffer: Two victims recently lost 272 SOL
• Decrypt - Crypto User Loses $700,000 To Address Poisoning Scam