Securing Your Digital Assets: A Guide to Preventing Address Poisoning and Dusting Attacks

Introduction

In the evolving landscape of digital assets, sophisticated threats continue to emerge, targeting unsuspecting users and their funds. Two such prevalent attack vectors are Address Poisoning and Dusting Attacks. While distinct in their methodology, both exploit the public nature of blockchains to deceive or deanonymize users.

This document provides an overview of these attacks, outlines industry-wide best practices for defense, and details the robust security framework Liminal Custody has implemented to protect our clients. Understanding these threats is the first step toward a more secure digital asset management experience, representing a shared responsibility between custodians and users.

Understanding the Threats

Address Poisoning: The Deceptive Doppelgänger

An Address Poisoning attack is a deceptive scam where an attacker tricks a user into sending funds to a malicious address that looks nearly identical to a legitimate one they have transacted with before. The core of the attack lies in exploiting user convenience and the common practice of copying addresses from transaction histories.

How It Works

The attack unfolds in a few calculated steps:

  • Monitoring: The attacker monitors a target’s transaction history to identify frequently used addresses.
  • Generation: Using a “vanity address generator,” the attacker creates a new wallet address where the first and last few characters are identical to the legitimate address. For example, a legitimate address 0x1234…abcd might be mimicked by an attacker’s address 0x1234…abce.
  • Poisoning: The attacker sends a minuscule, often zero-value, transaction from their lookalike address to the victim’s wallet. This action “poisons” the victim’s transaction history, inserting the malicious address into their records.
  • Deception: When the victim next initiates a transaction, they may copy the attacker’s similar-looking address from their history by mistake, thereby sending their funds directly to the scammer.

According to a 2024 Chainalysis report, one such address poisoning campaign generated over 82,000 lookalike addresses, highlighting the scale and low cost of these attacks for scammers [1].
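A defender-side check for the pattern described above, added here as an example and not taken from the original article or from Liminal's platform: it compares addresses seen in a wallet's history against a trusted address book and flags any that share the leading and trailing characters of a trusted entry without matching it in full. The addresses, history rows, function names and the four-character thresholds are assumptions chosen for illustration.

```python
# Added example. Addresses and history rows are constructed sample values.
TRUSTED = {"treasury-cold": "0x1234a1b2c3d4e5f60718293a4b5c6d7e8f90abcd"}
LOOKALIKE = "0x1234ffee00112233445566778899aabbccddabcd"  # same first/last 4 hex chars

HISTORY = [  # constructed inbound transfers, as a wallet history view would list them
    {"from": "0x1234A1B2C3D4E5F60718293A4B5C6D7E8F90ABCD", "value": 5_000_000},
    {"from": LOOKALIKE, "value": 0},  # zero-value "poisoning" transfer
    {"from": "0x9f8e7d6c5b4a39281706f5e4d3c2b1a098765432", "value": 120},
]

def normalize(addr):
    """Lower-case and drop '0x' so checksum casing cannot hide or fake a match."""
    a = addr.strip().lower()
    return a[2:] if a.startswith("0x") else a

def shared_ends(a, b):
    """Count matching leading and trailing characters of two addresses."""
    def run(pairs):
        n = 0
        for x, y in pairs:
            if x != y:
                break
            n += 1
        return n
    return run(zip(a, b)), run(zip(reversed(a), reversed(b)))

def classify(candidate, trusted=TRUSTED, min_prefix=4, min_suffix=4):
    """Return ('trusted' | 'lookalike' | 'unknown', label of the trusted entry or None)."""
    c = normalize(candidate)
    book = {label: normalize(addr) for label, addr in trusted.items()}
    for label, t in book.items():
        if c == t:  # full-length comparison, never a truncated one
            return "trusted", label
    for label, t in book.items():
        prefix, suffix = shared_ends(c, t)
        if prefix >= min_prefix and suffix >= min_suffix:
            return "lookalike", label
    return "unknown", None

def scan_history(history, trusted=TRUSTED):
    """List history senders that imitate a trusted address (poisoning candidates)."""
    return [(row["from"], row["value"], label)
            for row in history
            for verdict, label in [classify(row["from"], trusted)]
            if verdict == "lookalike"]
```

Running the exact-match test before the lookalike test matters: a trusted address trivially shares its own prefix and suffix, so the order is what separates the two verdicts.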

Dusting Attacks: The Privacy Intrusion

A Dusting Attack is a form of blockchain analysis aimed at compromising a user’s privacy. Attackers send tiny, almost unnoticeable amounts of cryptocurrency, known as “dust,” to a large number of wallet addresses. The primary goal is not to steal funds directly but to link different addresses to a single entity, thereby deanonymizing the wallet’s owner.

How It Works

The ultimate goal of a dusting attack is to trace the ownership of funds:

  • Distribution: An attacker sends dust (e.g., a few satoshis of Bitcoin) to thousands of addresses.
  • Tracking: The attacker then monitors the blockchain to see when this dust is moved. When a user unknowingly includes the dust in a transaction, they create a link between that input and their other funds.
  • Clustering: By analyzing these transactions, the attacker can use heuristics—such as the common-input-ownership assumption—to cluster multiple addresses together and infer they belong to the same person or entity.
  • Exploitation: Once a user’s addresses are linked and their holdings are estimated, they can be targeted for more direct attacks, such as phishing, extortion, or social engineering.

It is crucial to differentiate these attacks: Address Poisoning is a direct theft attempt through deception, while Dusting is a reconnaissance mission to breach privacy for future exploitation.

Proactive Defense Strategies

Liminal Custody’s Advanced Security Framework

At Liminal Custody, we employ a multi-layered security strategy to provide institutional-grade protection against these and other emerging threats. Our controls are designed to be both proactive and responsive, ensuring the integrity of your assets.

  • Proactive Threat Intelligence: We partner with leading blockchain intelligence firms like Cyverse and Cube3. This allows us to receive real-time alerts on malicious addresses, identify emerging attack patterns, and preemptively block transactions associated with known threats.
  • Multi-Layered Transaction Security: Our platform integrates a sophisticated firewall engine that screens all outgoing transactions against a dynamic risk database. Furthermore, our built-in transaction simulation capability allows users to preview the outcome of a transaction before it is broadcast to the network, providing a critical verification step to prevent mistakes.
  • Continuous Vigilance and Hardening: Our 24/7 Security Operations Center (SOC) provides constant monitoring for anomalous activities, including unusual micro-transactions indicative of dusting attacks. Every product release undergoes robust security testing and vulnerability assessments to ensure our defenses evolve ahead of the threat landscape.

Liminal supports the following security and compliance features to implement the above security framework:

  • Wallet Address Whitelisting: Supports destination address whitelisting for multisig and MPC (mobile and hot deposit) wallets. Wallets interact with approved addresses only. Address whitelisting implements proactive threat intelligence via:
    • Wallet quorum policy: Only approved wallet members can make wallet transactions.
    • Supported address types: External and internal address whitelisting for the specific wallet.
  • Token Whitelisting: Liminal supports token whitelisting, so only whitelisted tokens are processed within an organisation. It helps mitigate risks associated with dust transactions since most attacks use spam tokens. Supported for native chains and smart contract coins.
  • IP Address Whitelisting for API Key: Liminal supports IP address whitelisting for Source and Express Server IP addresses interacting with the API key. A further security layer is implemented using HMAC authentication with SecureAPI. API request authenticity is validated using the HMAC-SHA256 security protocol to protect against replay attacks, IP spoofing, and dust transactions.

Industry Best Practices for Users

While Liminal provides a secure environment, user diligence is a critical component of defense. The following table summarizes best practices to protect against these attacks:

Attack Type | Key Prevention Strategies
Address Poisoning
  • Verify, Don’t Trust: Always verify the entire wallet address before sending. Check the first, middle, and last characters. Do not rely on copying from transaction history.
  • Use Address Books: For frequent transactions, save and label addresses in a trusted address book or whitelist. Initiate transactions by selecting the saved contact.
  • Send a Test Transaction: For significant amounts, send a small, preliminary transaction to confirm the address is correct before sending the full sum.
Dusting Attacks
  • Do Not Spend the Dust: The most effective defense is to leave unsolicited small deposits untouched. Do not include them in any future transactions.
  • Utilize Coin Control: For UTXO-based assets like Bitcoin, use wallet features that allow you to select specific inputs (coins) for a transaction, ensuring dust is excluded.
  • Generate New Addresses: For enhanced privacy, use a new receiving address for every transaction. This makes it significantly harder for attackers to cluster your activity.
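The "Do Not Spend the Dust" and "Utilize Coin Control" practices above, sketched as an added example that is not code from the original article or from any wallet product: a coin selector that quarantines small unsolicited UTXOs and refuses to spend them even when the remaining balance falls short. The UTXO records, the 1,000-satoshi policy threshold and the function names are assumptions, and fees are ignored to keep the selection logic visible.

```python
# Added example. UTXO records are constructed sample values, not real outputs.
DUST_POLICY_SATS = 1_000  # assumed policy threshold; tune per asset and fee level

UTXOS = [
    {"id": "utxo-a", "address": "addr-1", "sats": 250_000, "expected": True},
    {"id": "utxo-b", "address": "addr-2", "sats": 90_000, "expected": True},
    {"id": "utxo-c", "address": "addr-3", "sats": 600, "expected": False},  # unsolicited dust
    {"id": "utxo-d", "address": "addr-4", "sats": 40_000, "expected": True},
]

def is_suspected_dust(utxo, threshold=DUST_POLICY_SATS):
    """Small AND unsolicited: a small payment the owner expected is not quarantined."""
    return (not utxo["expected"]) and utxo["sats"] < threshold

def select_inputs(utxos, target_sats, threshold=DUST_POLICY_SATS):
    """Pick largest-first inputs for target_sats, never touching suspected dust.

    Returns (chosen UTXOs, ids of quarantined UTXOs). Raises ValueError instead of
    silently falling back to dust when the clean balance is insufficient.
    """
    quarantined = [u["id"] for u in utxos if is_suspected_dust(u, threshold)]
    spendable = sorted((u for u in utxos if not is_suspected_dust(u, threshold)),
                       key=lambda u: u["sats"], reverse=True)
    chosen, total = [], 0
    for u in spendable:
        if total >= target_sats:
            break
        chosen.append(u)
        total += u["sats"]
    if total < target_sats:
        raise ValueError("insufficient funds without spending quarantined dust")
    return chosen, quarantined

def linked_addresses(chosen):
    """Addresses an observer can cluster via the common-input-ownership assumption."""
    return {u["address"] for u in chosen}
```

With the dust output excluded, addr-3 never appears alongside the wallet's other inputs, so the attacker's tracking output yields no link.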

Conclusion

Securing digital assets is a collaborative effort. Liminal Custody is committed to providing a fortified platform with institutional-grade controls that protect against sophisticated attacks. By combining our advanced security framework with vigilant user practices, we can create a formidable defense, ensuring your assets remain secure in an ever-changing digital world.

References

[1] Chainalysis. (2024). Anatomy of an Address Poisoning Scam. https://www.chainalysis.com/blog/address-poisoning-scam/

[2] Gemini. (n.d.). Crypto Dust and Dusting Attacks Explained. https://www.gemini.com/cryptopedia/crypto-dusting-attack-bitcoin

[3] BitGo. (2025). Dust Attacks in Crypto: What They Are and How to Stay Protected. https://www.bitgo.com/resources/blog/dust-attacks-in-crypto/

[4] Ledger. (2025). Protecting yourself from a dusting attack. https://support.ledger.com/article/protecting-yourself-from-dusting-attack

About the Author

Hilal Ahmad Lone serves as the Vice President and Chief Information Security Officer (CISO) at Liminal Custody. A specialist in digital asset protection, he leads Liminal’s strategic security initiatives, building resilient frameworks to safeguard institutional assets against the evolving threats of the decentralized landscape.
