Here is the frustrating truth about getting your crypto stolen: it rarely involves a genius hacker cracking a zero-day smart contract bug. Most of the time, it just takes a user being in a hurry for two seconds.
Recently, former Binance CEO Changpeng Zhao (CZ) took a direct shot at Etherscan on X (formerly Twitter). He pointed out a massive user-experience flaw in how we view blockchain data—one that is actively helping scammers drain wallets every single day. The issue is “address poisoning,” and it highlights a growing debate about what block explorers should and shouldn’t show you.
If you are moving funds around on Tapbit or in self-custody wallets, you need to understand exactly how this trick works.
The Lazy Trap: How They Steal Your Funds
Address poisoning is shockingly simple. It is a social engineering attack that relies entirely on human laziness.
Here is the playbook:
Hackers run automated scripts that monitor the blockchain. When their bot sees you send USDT to your exchange deposit address or your cold wallet, it immediately generates a fake “vanity” address. This spoofed address is mathematically generated to have the exact same first few and last few characters as your real address.
Next, the hacker sends a $0 token transfer from that fake address to your wallet. Because token contracts allow for zero-value transfers without the receiver’s permission, this junk transaction successfully lands right in your on-chain history.
In fact, the spam is relentless. In one recent case, a user named Nima made just two normal stablecoin transfers and was instantly bombarded with 89 automated $0 poisoning attempts in under 30 minutes.
The Trap: A week later, you need to move more funds. Instead of carefully opening your address book, you pull up Etherscan or your wallet’s recent history. You see an address that looks right at a quick glance, you copy it, and you hit send.
Your money is gone. You just sent it to the hacker.
The Etherscan Debate
So, why is CZ mad at Etherscan?
In his post, CZ pointed out that frontend crypto wallets like TrustWallet are already actively filtering out these zero-value spam transactions. They hide them so users don’t accidentally click them.
Etherscan, however, still displays them by default. Unless you dig into Etherscan’s advanced settings and manually toggle “hide 0 amount tx,” your transaction history is a minefield of phishing links.
Etherscan’s implicit defense is that they are a neutral block explorer—their job is to show the raw ledger, not to censor it. But to CZ and many security researchers, failing to filter obvious, malicious spam at the UI level is just handing scammers free victims.
Why We Can’t Just Ban All $0 Transactions
You might be wondering why we don’t just hardcode a rule to block all $0 transactions globally. CZ actually brought up a great counterpoint to this: the rise of AI Agents.
We are moving into a Web3 era where autonomous AI agents will constantly interact on-chain. These bots will execute complex arbitrage, ping contracts for routing checks, and run micro-transactions. If block explorers or protocols blindly nuke all $0 transfers, it will break the underlying communication layer for the incoming Machine-to-Machine (M2M) economy.
The fix isn’t a blanket ban. It requires smarter, machine-learning-driven filters on the explorer side to tell the difference between a scammer’s spoofed address and a legitimate AI bot pinging a contract.
How to Protect Yourself Today
Until the infrastructure providers fix this UI mess, you have to protect your own liquidity. If you trade frequently, make these hard rules for yourself:
- Stop copying from your transaction history. Seriously, just stop. Treat your recent transaction list on Etherscan or MetaMask as compromised.
- Whitelist everything on Tapbit. Go to your Tapbit security settings right now and turn on the Withdrawal Address Whitelist. Once your verified addresses are locked in, the exchange will block the withdrawal even if you accidentally paste a poisoned address from your clipboard.
- Check the middle. Hackers know that humans only check the start and end of a hash (e.g., 0xAb...1234). When you verify an address, force your eyes to check the middle characters.
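The filtering idea from the previous section and the rules above, as an added example (not code from the original article, Etherscan or any wallet): a simple heuristic, not the machine-learning filter the article calls for, that flags a zero-value transfer only when its sender shares the first and last characters of an address you trust, and that accepts a destination only on an exact full-length match. All addresses, the four-character edge length and every name in the code are constructed assumptions.

```python
# Added example: triage a transfer history for address poisoning.
# Every address and transfer here is constructed sample data.
from __future__ import annotations
from dataclasses import dataclass

EDGE = 4  # hex characters compared at each end (assumed display truncation)

@dataclass(frozen=True)
class Transfer:
    sender: str
    recipient: str
    value: int  # token amount in base units

def norm(addr: str) -> str:
    """Lower-case and drop '0x' so checksum casing does not affect comparison."""
    a = addr.lower()
    return a[2:] if a.startswith("0x") else a

def is_lookalike(candidate: str, trusted: str, edge: int = EDGE) -> bool:
    """Same first and last characters as a trusted address, different middle."""
    c, t = norm(candidate), norm(trusted)
    return c != t and c[:edge] == t[:edge] and c[-edge:] == t[-edge:]

def classify(tx: Transfer, trusted: set[str]) -> str:
    """Return 'poisoning', 'zero-value' or 'normal' for one transfer."""
    if tx.value == 0 and any(is_lookalike(tx.sender, t) for t in trusted):
        return "poisoning"  # hide or warn: zero value from a lookalike sender
    return "zero-value" if tx.value == 0 else "normal"

def safe_destination(dest: str, trusted: set[str]) -> bool:
    """Permit a send only on an exact, full-length allowlist match."""
    return norm(dest) in {norm(t) for t in trusted}

ME = "0x" + "ee" * 20
REAL = "0xAb12" + "11" * 16 + "1234"   # address the user actually pays
FAKE = "0xAb12" + "22" * 16 + "1234"   # same edges, different middle
BOT = "0x" + "c3" * 20                 # unrelated zero-value sender
TRUSTED = {REAL}
HISTORY = [
    Transfer(ME, REAL, 500_000_000),
    Transfer(FAKE, ME, 0),
    Transfer(BOT, ME, 0),
]

if __name__ == "__main__":
    for tx in HISTORY:
        print(tx.sender[:6] + "..." + tx.sender[-4:], classify(tx, TRUSTED))
    print("send to FAKE allowed:", safe_destination(FAKE, TRUSTED))
```

REAL and FAKE both render as 0xAb12...1234 in a truncated view, yet only REAL passes the exact-match check, and the unrelated zero-value transfer from BOT is left visible rather than hidden.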
Frequently Asked Questions (FAQ)
What is address poisoning? It is a scam where a hacker generates a wallet address that looks almost identical to one you use. They send a $0 transaction to your wallet using this fake address so it shows up in your transaction history. They are hoping you will accidentally copy and paste their fake address the next time you send money.
How can they send me $0 without my permission? The underlying code of most crypto tokens (like ERC-20 smart contracts) doesn’t require the receiver’s permission for a transaction to process, even if the value is zero. Scammers pay a tiny network fee to broadcast thousands of these junk transactions.
Why is CZ criticizing Etherscan? CZ pointed out that crypto wallets (like TrustWallet) already hide these $0 scam transactions to protect users. Etherscan, however, shows them by default. CZ argues that block explorers need to step up and filter malicious spam rather than leaving users exposed.
How do I hide zero-value transactions on Etherscan? You have to do it manually. Go to your Etherscan account settings or site preferences, and look for the option to “hide 0 amount tx” or filter zero-value token transfers.
Disclaimer: This article is for educational and security awareness purposes only. Custodying crypto assets carries inherent technical risks. Always protect your private keys and utilize official security features to safeguard your Tapbit account and on-chain assets.
