Ethereum’s active addresses surge past 1.29M, but hidden security traps multiply
Ethereum is in the middle of a powerful activity spike. Daily usage on the mainnet has climbed so sharply that it recently overtook leading Layer 2 (L2) networks in terms of active addresses, underlining how attractive the base layer has become again for users and builders.
However, beneath this seemingly bullish on-chain picture lies a worrying pattern: a large share of this newfound “activity” is being driven by malicious tactics such as dusting and address poisoning. In other words, not all of Ethereum’s current growth is organic — and some of it is deliberately engineered to exploit users.
—
Activity explodes on Ethereum
Data from blockchain analytics platforms show that on 16 January, Ethereum recorded about 1.297 million active addresses in a single day. This figure briefly put Ethereum ahead of many major L2s, a significant feat given the relentless rise of rollups and sidechains in the past two years.
By the time of writing, the daily active address count had cooled down to around 945,000. Still, the overarching trajectory is clear: Ethereum’s base layer remains heavily used, and recent upgrades have made it more accessible than it has been in a long time.
A major driver behind this renewed traction is the Fusaka upgrade, completed in early December. This update significantly reduced the cost of transfers on Ethereum — by roughly a factor of six — making everyday transactions far more affordable than they used to be. Lower fees tend to attract both legitimate users and, unfortunately, opportunistic attackers.
—
When cheaper gas invites bad actors
Lower transaction fees are generally celebrated as a milestone for scalability and mainstream adoption. But they also have a double-edged effect: they drastically reduce the barrier for mass, automated activity on-chain.
Blockchain security expert Andrey Sergeenkov analyzed the sudden spike in daily addresses and on-chain interactions and found a disturbing pattern. A huge portion of the new activity originated from stablecoin transactions, and a remarkable 67% of the new addresses received less than 1 dollar worth of stablecoins in their first transaction.
At first glance, that may look like meaningless micro-usage. In practice, this is what’s known as “dust” — tiny token transfers that are too small to be economically interesting on their own but extremely useful as a vector for attacks, especially when automated at scale with cheap gas.
Sergeenkov traced this dust to smart contracts designed to perform mass distribution, sending minute amounts to countless addresses. The purpose is not generosity or testing. It’s an organized attempt to set up address poisoning attacks.
—
What is address poisoning and how does it work?
Address poisoning is a subtle form of fraud that targets common user habits rather than protocol vulnerabilities.
The basic mechanics are:
1. The attacker sends small tokens (“dust”) to a target wallet.
2. The sending address is crafted to look very similar to the victim’s usual transaction counterparties — often sharing the same starting and ending characters.
3. The dust transfer now appears in the victim’s transaction history.
4. Later, when the victim wants to send funds and opens their history to copy a “familiar” address, they might accidentally copy the attacker’s nearly identical address instead of the real one.
5. The victim sends funds, believing they are paying or moving assets to a trusted address — but the money goes straight to the attacker’s wallet.
This attack does not require hacking the wallet, breaking cryptography, or compromising private keys. It weaponizes carelessness and visual similarity, exploiting users who rely on quick glances at addresses rather than full verification.
—
The damage so far: hundreds of thousands lost
Even with a very conservative conversion rate of just 0.01% — meaning only a tiny fraction of dusted victims actually make a mistake — the impact has been significant.
Estimates indicate that roughly 116 addresses have already fallen victim to these poisoning campaigns, with combined losses of about 740,000 dollars. One single address alone reportedly lost 509,000 dollars, showing how lucrative this attack can be if it lands just a few wealthy or high-value targets.
Because dusting is inexpensive to perform, attackers can afford to cast an extremely wide net. If millions of addresses receive dust, even a handful of errors by unsuspecting users can produce meaningful profits for the attackers.
—
Fusaka upgrade: success with unintended side effects
Despite enabling some of this malicious behavior, the Fusaka upgrade itself is broadly considered a success. Slashing transfer fees by nearly 6x is a major milestone on the path to scalability and institutional readiness.
Cheaper transactions:
– Make Ethereum more competitive with alternative L1s and L2s
– Lower the barrier for retail users and small-value use cases
– Enable more complex on-chain strategies and applications to operate economically
For large financial institutions, fee predictability and lower transaction costs are important prerequisites to deploying capital and infrastructure on-chain. From that perspective, Fusaka is a positive step toward the long-discussed “institutionalization” of Ethereum.
The flip side is that cheap gas also gives scammers and bots a powerful tool. Mass attacks that would have been prohibitively expensive during high-fee periods become trivial to execute at scale. As a result, the community must pair protocol-level progress with better security practices and user education.
—
Fundamentals: stablecoins, RWAs, and institutional flows
Looking beyond malicious dust transactions, Ethereum’s underlying fundamentals remain robust.
– The network continues to be the primary home for stablecoins, which are central to DeFi, remittances, and on-chain trading infrastructure.
– Ethereum has cemented itself as the leader in the real-world asset (RWA) segment, reportedly controlling around 60% of the market for tokenized real-world instruments such as bonds, treasuries, and various yield-bearing products.
These trends are consistent with the narrative that Ethereum is evolving into a settlement and issuance layer for high-value financial assets, not just a playground for speculative tokens.
Further strengthening this view is the behavior of large entities and treasuries. Crypto investment and mining-related organizations — such as Bitmine — have reportedly been aggressively accumulating ETH. In Q4 2025, Ethereum treasuries collectively added around 1.2 million ETH to their holdings.
On-chain data supports this accumulation story. Metrics point to buyer dominance in spot markets, with significant absorption of supply instead of broad distribution. That pattern is often interpreted as capital quietly building positions in anticipation of future upside.
—
Price vs. fundamentals: a classic bear market signal
While on-chain usage, adoption of RWAs, and institutional flows are signaling strength, Ethereum’s price performance has not always mirrored this improvement in fundamentals.
This divergence between price and on-chain reality is often cited as a hallmark of late-stage bear markets. When strong foundational metrics — adoption, usage, revenue, and long-term holders — improve while prices remain under pressure, it can indicate that speculative sentiment is lagging real development.
Bitwise CIO Matt Hougan has argued that such divergences frequently mark the bottoming zone of bear cycles. In this framework, the market is slow to recognize structural progress, and price eventually catches up once sentiment turns and liquidity returns.
Of course, no single metric or narrative can guarantee a bottom. But the combination of increased activity, deepening institutional involvement, and growing RWA presence paints a more optimistic long-term picture than price charts alone.
—
How users can protect themselves from dusting and poisoning
As address poisoning grows more common, individual users need to adopt safer habits. The core defenses are simple but must be applied consistently:
1. Never rely on “recognizing” an address visually
Always verify the entire address or use features like address books, ENS names, or saved contacts. Do not trust your memory of the first and last few characters alone.
2. Avoid copying addresses from your transaction history
If possible, get the address directly from the intended recipient (via a secure channel) or from your own whitelist, rather than reusing one listed in past transactions.
3. Label and bookmark frequent addresses
Many wallets allow you to name or star addresses you use regularly. This helps distinguish legitimate contacts from lookalike attacker addresses.
4. Treat tiny incoming transfers with suspicion
Random deposits of tiny amounts of tokens — especially stablecoins — from unknown senders can be a red flag of dusting. Do not interact with those tokens and double-check any addresses associated with them.
5. Use wallets with advanced security features
Some wallets and security tools can flag suspicious activity or warn when an address closely resembles a known contact. Consider using solutions that specialize in transaction simulation and risk alerts.
6. For large transfers, use multi-step verification
Before sending high-value amounts, confirm the destination address through a secondary channel or with another team member, and consider doing a small test transaction first.
—
Why attackers love stablecoins for dusting
The preference for stablecoins in dusting campaigns is no coincidence. They offer multiple advantages to attackers:
– Psychological familiarity: Users are more comfortable interacting with stablecoins and may be less cautious when they see a recognizable asset rather than an unknown token.
– High on-chain presence: Stablecoins are widely held and frequently moved, so a tiny incoming stablecoin transfer seems less unusual than a random obscure token.
– Liquidity: If an attack succeeds, stolen stablecoins can be easily moved, swapped, and laundered through various protocols and chains.
As long as stablecoins remain the backbone of on-chain finance, they will likely continue to be a preferred tool for both legitimate users and malicious actors.
—
What this means for Ethereum’s future
The current situation embodies Ethereum’s broader challenge: scaling to billions of users while managing an increasingly sophisticated threat landscape.
Positive side:
– Lower fees and upgrades like Fusaka make Ethereum more accessible.
– Institutional interest and RWA dominance underline its role as financial infrastructure.
– On-chain activity remains resilient despite market cycles.
Negative side:
– Attackers can now operate more cheaply and at greater scale.
– Security risks are shifting from protocol-level bugs to user-interface and behavior exploits.
– Apparent spikes in active addresses may mask malicious patterns rather than healthy organic growth.
For Ethereum to sustain long-term adoption, technical improvement must be matched by better security UX, more robust wallet design, and widespread user education on modern attack vectors.
—
Bottom line
Ethereum’s leap past 1.29 million daily active addresses is not purely a sign of organic growth. A meaningful chunk of the recent spike can be traced back to dusting and address poisoning campaigns, made more economical by cheaper gas after the Fusaka upgrade.
At the same time, Ethereum’s fundamentals remain strong: leadership in RWAs, large-scale ETH accumulation by treasuries, and on-chain metrics signaling buyer dominance all point toward a robust underlying ecosystem that may not yet be fully reflected in price.
For now, the network is simultaneously more useful and more dangerous than ever. Users who take the time to understand and defend against new attack patterns will be best positioned to benefit from Ethereum’s evolution while avoiding its growing security traps.
*This article is for informational purposes only and should not be interpreted as financial or investment advice. Always conduct independent research and consider your risk tolerance before buying, selling, or holding cryptocurrencies.*