That Random Token in Your Wallet Is Probably a Trap 

Table of contents
    • The token isn’t the attack. Your reaction to it is.
    • On Bitcoin, dusting is a surveillance game. On Ethereum, Solana, and BNB Chain, it’s bait for theft.
    • Address poisoning is the dirtiest variant going. Someone slips a lookalike address into your transaction history and waits for you to copy the wrong one.
    • One curious click, one rushed copy-paste, one signature you skim-read. That’s the entire gap between nothing happening and watching your wallet drain.
    • The fix is unsexy. Ignore the token, never copy addresses out of your transaction history, and audit your token approvals once in a while.

    The Token Didn’t Hack You. You’re About To Do That Yourself.

    Here’s the scene. You open your wallet for whatever reason and there’s something sitting there you’ve never seen before. Small amount, weird name, maybe a memo telling you to claim a reward at some URL. Most people’s first instinct is to figure out what it is. Could be airdrop money, could be a glitch, could be free upside. That little flicker of curiosity is exactly what the attacker designed the entire campaign around. You haven’t been hacked yet. You’re about to consider hacking yourself for them.

    To understand why this works, you have to start where dusting started, which is Bitcoin. Your Bitcoin balance doesn’t exist as a single number in an account. The balance is a collection of unspent outputs, little packets of value that get combined when you make a transaction. Pay someone 0.05 BTC and your wallet might merge three smaller outputs to cover it. An attacker who sends you a tiny output, dust in the proper sense of the word, is watching to see which other outputs that dust gets bundled with later. When multiple inputs appear together in the same transaction, that’s public evidence they’re controlled by the same wallet. Stack enough of those observations and you can start drawing a map of who owns what, then connect that map to a real human through KYC leaks, social posts, or exchange records.
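    The common-input-ownership heuristic described above, as an added example (not code from the article): it resolves each transaction's inputs back to the outputs they spend, reports which dust outputs were co-spent and with which addresses, and clusters addresses the way an attacker's map would. Transactions, addresses and the dust cutoff are constructed sample values.

```python
# Added example, not from the article: the common-input-ownership heuristic
# behind Bitcoin dusting. Co-spending a dust output with other inputs publicly
# links every input address. Sample transactions are constructed; sats units.
DUST_THRESHOLD_SATS = 1000  # assumed cutoff for "dust"
# inputs are outpoints (prev_txid, index); outputs are (address, sats)
SAMPLE_TXS = [
    {"txid": "t1", "inputs": [("coinbase", 0)],
     "outputs": [("addrA", 50_000), ("addrB", 40_000)]},
    {"txid": "t2", "inputs": [("attacker", 0)], "outputs": [("addrA", 546)]},
    # victim later co-spends the 546 sat dust with real funds from addrA, addrB
    {"txid": "t3", "inputs": [("t2", 0), ("t1", 0), ("t1", 1)],
     "outputs": [("merchant", 89_000)]},
]
def index_outputs(txs):
    """Map every outpoint to its (address, sats) so inputs can be resolved."""
    return {(tx["txid"], i): out
            for tx in txs for i, out in enumerate(tx["outputs"])}

def find_dust_cospends(txs, dust_threshold=DUST_THRESHOLD_SATS):
    """Return {dust_outpoint: addresses linked by co-spending it}, i.e. the
    post-incident question 'did the dust get co-spent with real funds?'"""
    outputs = index_outputs(txs)
    linked = {}
    for tx in txs:
        resolved = [(op, outputs[op]) for op in tx["inputs"] if op in outputs]
        dust = [op for op, (_, sats) in resolved if sats <= dust_threshold]
        for op in dust:
            linked[op] = {addr for _, (addr, _) in resolved}
    return linked

def cluster_addresses(txs):
    """Union-find: input addresses spent together are assumed to share an
    owner. This is the map the attacker builds from the public ledger."""
    outputs = index_outputs(txs)
    parent = {}
    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]
            a = parent[a]
        return a
    for tx in txs:
        addrs = [outputs[op][0] for op in tx["inputs"] if op in outputs]
        for a in addrs[1:]:
            parent[find(a)] = find(addrs[0])
    clusters = {}
    for a in list(parent):
        clusters.setdefault(find(a), set()).add(a)
    return list(clusters.values())
```

    Marking the dust output as do-not-spend in a coin-control wallet is what keeps `t3` from ever being built.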

    So on Bitcoin, the goal was never theft. The goal was surveillance. Build a clean enough picture and you can sell it to someone, phish the wallet owner, or leverage the information for something worse. Then EVM chains came along and the playbook got nastier.

    When Dusting Stopped Being About Watching and Started Being About Stealing

    EVM chains run on token approvals. You’ve clicked through hundreds of these in DeFi without thinking. “Allow this contract to spend your tokens.” That approval system is legitimate and necessary for half the things you do on-chain, but it’s also a perfect attack surface if someone can talk you into signing one you don’t fully understand. So the playbook evolved into something simpler and a lot meaner. Drop a fake token in someone’s wallet. Set the metadata to read “claim your reward at this site.” Wait for curiosity to do the rest.

    The user visits the site, connects their wallet, signs a transaction they barely read, and somewhere buried in that signature is a line that says “this address can move all your USDC.” The funds don’t leave immediately. The drainer does that hours or days later, after the user has moved on with their life and stopped paying attention.

    Mandiant documented one variant of this in January 2024 on Solana, the CLINKSINK operation. Fake airdrop landing pages, social platform promotion through Twitter and Telegram, at least 35 affiliate IDs running their own variations of the same scam at the same time. Estimated losses crossed $900,000, and by that point the whole thing had matured into a drainer-as-a-service business. Affiliates were renting the scam infrastructure the way you’d rent any other piece of software, paying a cut of the take to whoever maintained the codebase.

    Address poisoning on Ethereum is colder and arguably more elegant. The attacker doesn’t need to lure you anywhere. They just slip a lookalike address into your transaction history, same first four characters as one of yours, same last four, complete garbage in the middle. Then they wait. Most people sending funds to someone they’ve paid before will copy from history without thinking about it, glance at the start of the address, glance at the end, hit send.
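    A wallet-side guard against the copy-from-history mistake described above, as an added example (not from the article or any wallet's code): it classifies a destination before the transaction is built and flags any address that shares the first and last four hex digits of a saved counterparty while differing in the middle. All addresses are constructed sample values.

```python
# Added example, not from the article: a wallet-side guard that warns when a
# destination resembles a saved counterparty but is not identical, the
# address-poisoning signature (same start, same end, garbage in the middle).
# All addresses are constructed sample values.
import re

HEX_ADDR = re.compile(r"^0x[0-9a-fA-F]{40}$")

def lookalike(candidate, known, head=4, tail=4):
    """True when candidate shares the first `head` hex digits and the last
    `tail` with `known` but differs somewhere else."""
    c, k = candidate.lower(), known.lower()
    if c == k:
        return False
    return c[:2 + head] == k[:2 + head] and c[-tail:] == k[-tail:]

def check_destination(dest, address_book, history):
    """Classify a destination before a transaction is built. Returns one of
    'invalid', 'trusted', 'poisoned-lookalike', 'history-only', 'unknown'."""
    if not HEX_ADDR.match(dest):
        return "invalid"
    if dest.lower() in {a.lower() for a in address_book}:
        return "trusted"
    # near-match of anything the user has seen before is the poisoning pattern
    if any(lookalike(dest, a) for a in address_book + history):
        return "poisoned-lookalike"
    if dest.lower() in {a.lower() for a in history}:
        return "history-only"  # seen before, but never verified by the user
    return "unknown"

# Constructed data: one verified counterparty, and a history entry the
# attacker planted that matches its first and last four hex digits.
GENUINE = "0x1234abcd" + "0" * 28 + "f00d"
POISONED = "0x1234abcd" + "deadbeef" * 3 + "cafe" + "f00d"
ADDRESS_BOOK = [GENUINE]
HISTORY = [GENUINE, POISONED]
```

    Anything other than `trusted` is a reason to re-verify the full string from the counterparty directly rather than from the history view.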

    Chainalysis broke down one campaign from May 2024 with numbers that deserve to sink in: 82,000 seeded addresses, 2,700 real victims, and $69.7 million in misdirected transfers. A single payment accounted for $68 million of that. The attacker returned most of that one, probably got cold feet at the size of it, but still walked away with around $3 million net from the campaign overall. Profitable enough to justify going right back and doing it again the next month.

    The Variants You Run Into Across Chains

    BNB Smart Chain introduced its own twist around 2020. Tiny transfers carrying malicious URLs in the memo field. The token is barely the point at that stage. The token is just a vehicle for getting a clickable link in front of you. Hedera has been hit with the same pattern more recently, severely enough that the FBI issued a public service warning in mid-2025 about NFT airdrops being used to push malicious memo links to non-custodial wallet holders. When a federal agency starts publishing PSAs about something, you can safely assume it’s already widespread.

    Solana has a delegate permission structure that mirrors ERC-20 approvals fairly closely, so the attack flow there reads almost identically to what you’d see on Ethereum. The only thing that really differs is the wallet UX and the speed at which funds can move once a delegation has been signed.

    Then there’s a use case that has nothing to do with stealing your money at all, and it’s worth knowing about because it pollutes everything else you read on-chain. Inflating fake holder counts. Distribute tiny amounts of your scam token to thousands of addresses, and analytics tools dutifully report thousands of holders. Some token screeners now filter these out specifically because of how widespread the practice has become, but it still works often enough that people keep doing it. Manufactured social proof is cheap when each address costs fractions of a cent to seed.

    The compliance angle is the one most people never think about, and it has nothing to do with retail users at all. After Tornado Cash got sanctioned in August 2022, someone started sending small amounts of mixer-tainted ETH to the public wallets of celebrities and known institutions. Not to steal from them. To create regulatory headaches. Elliptic’s position at the time, and consistently since, was that recipients and any exchanges processing deposits from those wallets should still handle it carefully and file blocking reports where required. Passive receipt doesn’t earn you a clean bill of health if the source is sanctioned, which is something every exchange compliance team learned the hard way that year.

    Red Flags Worth Pausing On

    The warning signs are usually visible if you’re paying any attention at all. A token shows up from an address you don’t recognize. The token name or NFT metadata is begging you to visit a website. There’s a URL in a transaction memo. A new address appears in your history that looks almost identical to one you’ve used before, same start and same end with garbage in between. That last one is the most dangerous of the bunch because it requires zero interaction from you to land. You just have to copy the wrong address one time. Your wallet is probably not displaying the full forty-two-character string with enough prominence for you to catch the difference at a glance.

    For anyone doing post-incident analysis on a wallet that may have already been compromised, the useful question isn’t “what arrived?” but “what changed after it arrived?” On UTXO chains, did the dust get co-spent with legitimate funds in a later transaction? On EVM chains, did new approvals appear that the user can’t remember granting? Did funds leave to an unknown address shortly after the user visited a sketchy site? Transaction timing and the appearance of new approvals are the two signals worth tracking, and they tell you most of what you need to know.

    For anyone who hasn’t been compromised and just wants to know the state of play, Etherscan’s Token Approvals page is one of the most underused tools in crypto. It lists every contract that has permission to spend your tokens, how much exposure you’ve handed each one, and whether the approval is currently active. BscScan offers the same thing for BNB Chain. If you’ve been active in DeFi for any meaningful length of time and you’ve never looked at that page, there’s a decent chance something is sitting there right now you wouldn’t agree to today.
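    The "did new approvals appear?" check from the post-incident paragraph and the approvals audit described above, as one added example (not code from the article or from Etherscan): it replays ERC-20 `Approval` events in chain order to recover the allowances still in force for an owner, then flags unlimited ones and spenders the user does not recognise. The log records are constructed in the shape of `eth_getLogs` results; the topic hash is the real keccak256 of `Approval(address,address,uint256)`.

```python
# Added example, not from the article: rebuild an owner's live ERC-20 allowances
# from Approval event logs (the data behind Etherscan's Token Approvals page)
# and flag the ones worth revoking. Logs are constructed eth_getLogs-style records.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED = 2**256 - 1

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; take the low 20."""
    return "0x" + topic[-40:].lower()

def current_allowances(logs, owner):
    """Replay Approval events in chain order; the last value per
    (token, spender) wins. Returns only allowances still above zero."""
    owner = owner.lower()
    allowances = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        if len(topics) != 3 or topics[0] != APPROVAL_TOPIC:
            continue  # not an Approval event
        if topic_to_address(topics[1]) != owner:
            continue  # someone else's approval
        key = (log["address"].lower(), topic_to_address(topics[2]))
        allowances[key] = int(log["data"], 16)
    return {k: v for k, v in allowances.items() if v > 0}

def risky_allowances(allowances, known_spenders):
    """Flag unlimited approvals and spenders not on the user's own list."""
    known = {s.lower() for s in known_spenders}
    flagged = {}
    for (token, spender), value in allowances.items():
        reasons = []
        if value == UNLIMITED:
            reasons.append("unlimited")
        if spender not in known:
            reasons.append("unknown-spender")
        if reasons:
            flagged[(token, spender)] = reasons
    return flagged

def word(addr):  # encode an address as a 32-byte indexed topic
    return "0x" + addr[2:].lower().rjust(64, "0")
OWNER, DEX, DRAINER, USDC = ("0x" + h * 20 for h in ("11", "22", "33", "44"))
SAMPLE_LOGS = [  # DEX approved, drainer given unlimited, DEX later revoked
    {"address": USDC, "blockNumber": 100, "logIndex": 0, "data": hex(10**9),
     "topics": [APPROVAL_TOPIC, word(OWNER), word(DEX)]},
    {"address": USDC, "blockNumber": 150, "logIndex": 2, "data": hex(UNLIMITED),
     "topics": [APPROVAL_TOPIC, word(OWNER), word(DRAINER)]},
    {"address": USDC, "blockNumber": 160, "logIndex": 1, "data": "0x0",
     "topics": [APPROVAL_TOPIC, word(OWNER), word(DEX)]},
]
```

    Run against a real owner, the block-number ordering is also what answers the timing question: an unlimited approval that appears right after a visit to a claim site is the signal to act on.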

    What You Should Do

    The first rule is the simplest and the one most people break the moment they get curious. Don’t interact with the token. Don’t click anything embedded in token names, NFT metadata, or memo fields. And don’t try to “clean up” or swap suspicious tokens with your main wallet, because that interaction can be the attack itself. The drainer doesn’t always need you to visit a website. Sometimes the contract call you’d make to dispose of the token is what triggers the approval grant.

    If you’re on Bitcoin or another UTXO chain, look for coin control features in your wallet. Mark unknown dust as do-not-spend. Wasabi has this built in by default and several other privacy-focused wallets offer the same functionality. Spending dust isn’t an instant doxx, but it gives an attacker more data points to work with on a transparent ledger, and data points compound.

    Stop copying destination addresses out of transaction history. Use your address book, or re-verify the full string from a trusted source when you’re sending somewhere new. This single habit eliminates almost all address poisoning risk. It feels paranoid until the first time it saves you.

    Audit your token approvals on a schedule, not just after a scare. Revoke anything you don’t recognize or no longer need. The DeFi ecosystem has a long memory and a shorter half-life, so the contracts you approved two years ago for some yield farm that no longer exists are still sitting there with permission to spend your tokens.

    If you’ve already clicked something or signed a transaction that felt off afterward, treat that wallet as compromised until proven otherwise. Stop using it for new transactions. Revoke every approval you can find. If there’s significant value in there, move it to a fresh wallet, but verify the destination address from a completely trusted source before you do anything else. Save your transaction hashes and timestamps in case any of this needs to go to fraud reporting later.

    Wallet providers can do a lot more here than most of them currently do. Hide spam tokens by default. Warn users when a destination address resembles one already in their history. Simulate transactions before signing so users see the real outcome instead of raw contract calls. Show approval details in plain language. Some wallets are moving in this direction and it shows in their user retention. Adoption across the broader space remains uneven.

    A Word on the Compliance Edge

    For anyone operating at a level where regulatory exposure is on the table, receiving sanctioned-entity dust without asking for it can still create screening and reporting obligations. OFAC guidance on virtual currencies doesn’t hand you a free pass simply because you didn’t initiate the transaction. Exchanges processing deposits from wallets that received sanctioned-source funds should handle them carefully regardless of whether the original wallet holder knew anything about the source. The “I didn’t ask for this” defense is useful, but it’s a defense rather than an automatic dismissal.

    Frequently Asked Questions (FAQ)

    Can a random token steal my crypto just by appearing in my wallet? 

    Almost never on its own. The theft almost always requires some action from you afterward. Spending the dust, copying a poisoned address, clicking a link in metadata or a memo, signing a transaction you didn’t read carefully. Passive receipt is usually safe.

    Is address poisoning the same thing as dusting? 

    Related but distinct. Classic dusting is a surveillance attack built around later transaction analysis. Address poisoning is a deception attack built around getting you to copy the wrong address from your history. Some wallets group them together in their explainers, but the mechanics and the goals are different.

    Should I swap or burn an unknown token to get rid of it? 

    Don’t, at least not with your main wallet and not until you’ve independently verified what you’re dealing with. On Bitcoin, spending dust makes the privacy problem worse. On smart contract chains, the contract call you’d make to interact with the token can itself be the attack vector.

    How do I check if I’ve already approved something I shouldn’t have? 

    Etherscan’s Token Approvals page for Ethereum. BscScan’s allowance checker for BNB Chain. MetaMask’s transaction simulator flags signatures that look likely to cause fund loss. Look at the spender addresses, check the approval amounts, revoke anything you don’t recognize.

    Does a hardware wallet protect me from dusting? 

    From key theft, yes. From copying a poisoned address or signing a malicious approval, no. Trezor has explicitly acknowledged that hardware security doesn’t eliminate dusting or airdrop scam risk because both attacks bypass key security entirely and exploit user behavior.

    What if I already clicked a link or signed something suspicious? 

    Stop making transactions from that wallet immediately. Revoke every approval you don’t recognize. If significant funds are involved, move them to a clean wallet, but verify the destination from a trusted source first. Preserve transaction records in case fraud reporting becomes relevant.
