Is Ethereum’s activity growth fake? Behind the 3.86mln poisoned wallets

Ethereum [ETH] just posted some of its busiest network metrics on record, but all that glitters isn’t gold. According to security researcher Andrey Sergeenkov, much of this activity is caused by a large-scale address poisoning attack!

What you should know

On the surface, the data is impressive.

New Ethereum addresses went 2.7x above the 2025 average.

Peak was around the 12th of January, with 2.7 million new addresses; 170% increase over normal levels. At the same time, weekly transactions went up 63%, going from 10.5 million to a record 17.1 million.

But when Sergeenkov dug deeper, he reported that around 80% of this growth was driven by stablecoins, mainly USDT and USDC.

What’s interesting is that stablecoins are often used in automated activity. So, in this case, the numbers were unusually skewed.

Looking at first-time stablecoin transactions, the pattern became clear. 67% of new addresses received less than $1 as their very first transfer. In total, 3.86 million out of 5.78 million addresses received these tiny “dust” payments.

This is obvious address poisoning.

But what is that?

Attackers send tiny amounts of tokens to wallets using addresses that closely resemble a victim’s real one. When users later copy an address from their transaction history without checking it carefully, they end up sending funds to the attacker.

Sergeenkov identified the main culprits by tracking USDT and USDC transfers under $1 between the 15th of December and 18th of January 2026. He filtered for senders that distributed dust to at least 10,000 unique addresses, and uncovered several large-scale operators.

The top three contracts alone sent dust to more than 1.6 million addresses. One distributed dust to 690,000 wallets, another to 589,000, and a third to 405,000.

How Fusaka changed things

Address poisoning wasn’t always worth the effort. The success rate is extremely low (about 0.01%) so attackers depend on a few big mistakes to make money. In this case, one victim alone lost $509,000, making up most of the funds stolen so far.

That changed in December.

Ethereum’s Fusaka upgrade cut average ERC-20 transfer fees by nearly 6x, making it cheap to send millions of spam transactions.

Almost overnight, large-scale poisoning became profitable.

New contracts have appeared in recent days, with one already sending dust to 78,000 addresses. All major attacker contracts are active, and the biggest losses often happen toward the end.

Final Thoughts

• Ethereum’s record growth is being inflated by address poisoning. 
• The Fusaka upgrade cut fees 6×, making it a profitable attack.