Summary:
- A Phantom wallet user lost about $264,000 in Wrapped Bitcoin in a suspected phishing attack linked to Phantom Chat.
- Security researchers warn the incident highlights address poisoning risks and UI shortcomings.
- The attack did not involve stolen keys but exploited users copying crafted addresses from transaction history.
- Phantom Chat's messaging feature is being criticized for not filtering spam transactions, making it easier to trick users.
- Community frustration over similar issues has surfaced in social media complaints.
Phantom, one of the most widely used crypto wallets for Solana and other blockchains, is under scrutiny after a high-value loss that appears to stem from an attack technique known as address poisoning. In this case, an investor lost approximately 3.5 Wrapped Bitcoin (wBTC) - about $264,000 at current prices - after interacting with the built-in Phantom Chat feature. The incident has renewed concerns about how wallet user interfaces handle transaction histories and potentially misleading addresses.
Blockchain investigator ZachXBT brought attention to the incident by sharing on X data showing a victim's loss tied to a specific transaction. He pointed to blockchain records that revealed the attacker's address and transaction hash, noting the pattern was consistent with address poisoning rather than a direct key compromise. In his post, ZachXBT urged Phantom to address this specific kind of risk, explaining why the attack was effective:

This statement highlights a subtle but dangerous aspect of address poisoning: scammers first send small, innocuous transactions to a victim's wallet history, embedding crafted addresses that closely resemble legitimate ones. Later, when a user goes to copy an address from their own history, they can easily pick the scammer's address by mistake, especially if wallet interfaces display nothing more than truncated segments of the addresses. The specific theft transaction, flagged by on-chain analytics platform Nansen, showed the movement of 3.5 wBTC from the victim's address starting with 0x85c to another high-balance address starting with 0x4b7. While publicly visible transaction histories support transparency on blockchains, they also give attackers a vector for misleading users into pasting a malicious address instead of the intended one.
This type of scam is about leveraging interface design and human error - a frustration that many long-time blockchain users have seen in different wallets over the years.
Address poisoning explained and why it matters
Address poisoning is a technique that does not require compromising private keys or infiltrating wallet software. Instead, it exploits how users interact with the wallet's interface and how transactions are displayed. If wallet history is populated with addresses that look plausible - intentionally or as spam - a user might inadvertently select the wrong one when copying and pasting.
In the Phantom case, observers have said the messenger feature, while innovative for peer-to-peer communication, may unintentionally surface data that isn't verified as safe, leading to a higher chance of human error. Crypto wallets typically show truncated forms of addresses - often the first and last few characters joined by ellipses - which can make two addresses with similar prefixes look almost identical at a glance. The threat model here is different from the usual wallet hack. Instead of targeting cryptography, the scam targets the interface and psychology of everyday use. A malicious actor simply needs to get a user to copy a "wrong" address from their own transaction list - one seeded by the attacker earlier - and paste it into a send form. That's easier to do when the interface does not differentiate clearly between spam and legitimate entries.
ZachXBT's call for a fix - "Please consider fixing address poisoning first" - reflects a desire for wallets to evolve beyond just storing keys and balances. He suggests that better filtering, warnings, or removal of potentially misleading entries could reduce risk. For example, ignoring very small transactions as potential spam, or flagging addresses that have not been confirmed by the user as valid for future use, might help users make safer choices. Beyond this report, there have been other complaints in the crypto community about address-related confusion. On X, one user recounted an experience in which they said they lost funds and became frustrated with Phantom, describing a situation where a transfer between tokens got "stuck" and caused repeated issues:

Users want wallets that are secure and that protect them from everyday errors rather than expose them to those errors.
What this means for wallet design and user safety
This incident is a reminder that as crypto products add features - like built-in messaging - they also add potential lines of attack. Phantom Chat was likely intended to enhance the user experience, enabling easier communication between counterparties. But part of building user-centric products is also understanding how those features interact with safety and behavior. Crypto wallet designers face a delicate balance. They need to make wallets easy to use for newcomers, yet safe enough for experienced users who are moving large sums. Simple improvements, such as clearer address labeling, warnings when copying from history, or stricter filtering of small, unverified transactions, can make a big difference.
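One way to implement the history safeguards described above (filtering small unverified transfers, warning on copy, and catching entries that render the same as a confirmed address once truncated). This is an added example, not Phantom's code: the function names, addresses, dust limit and truncation lengths are constructed, and it assumes EVM-style hex addresses.

```javascript
// Added example. Addresses, amounts and thresholds are constructed.
// Assumes EVM-style hex addresses (case-insensitive); base58 chains differ.
const SHOWN_HEAD = 6; // "0x" plus four characters shown in the UI (assumed)
const SHOWN_TAIL = 4; // trailing characters shown in the UI (assumed)

// What a truncating history view would render for this address.
function displayForm(address) {
  const a = address.toLowerCase();
  return a.slice(0, SHOWN_HEAD) + "..." + a.slice(-SHOWN_TAIL);
}

// Decide how each history entry should be treated before it can be copied.
//   allow: counterparty is in the user-confirmed address book
//   block: full address differs from a confirmed one but renders identically
//   hide : tiny transfer from an unconfirmed address (likely history spam)
//   warn : unconfirmed address, no stronger signal
function reviewHistory(history, confirmed, dustLimit) {
  const confirmedSet = new Set(confirmed.map((a) => a.toLowerCase()));
  const twins = new Map(confirmed.map((a) => [displayForm(a), a.toLowerCase()]));
  return history.map((tx) => {
    const addr = tx.counterparty.toLowerCase();
    if (confirmedSet.has(addr)) return { ...tx, action: "allow", reason: "confirmed" };
    const twin = twins.get(displayForm(addr));
    if (twin) return { ...tx, action: "block", reason: "looks like " + twin };
    if (tx.amount <= dustLimit) return { ...tx, action: "hide", reason: "dust from unconfirmed" };
    return { ...tx, action: "warn", reason: "unconfirmed" };
  });
}

// Constructed sample data: one confirmed contact, one look-alike, one stranger.
const CONFIRMED = "0x1A2b" + "7e".repeat(16) + "9f3C";
const LOOKALIKE = "0x1a2b" + "0".repeat(32) + "9f3c";
const STRANGER = "0x" + "c4".repeat(20);
const SAMPLE_HISTORY = [
  { id: "tx1", counterparty: CONFIRMED, amount: 3.5 },
  { id: "tx2", counterparty: LOOKALIKE, amount: 0.000001 },
  { id: "tx3", counterparty: STRANGER, amount: 0.000001 },
  { id: "tx4", counterparty: STRANGER, amount: 1.2 },
];

for (const r of reviewHistory(SAMPLE_HISTORY, [CONFIRMED], 0.0001)) {
  console.log(r.id, displayForm(r.counterparty), r.action, "-", r.reason);
}
```

The look-alike check runs before the dust check, so a poisoned entry is blocked outright even when its amount is large enough to pass a spam filter.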
Part of the broader conversation around wallet UX (user experience) and security is that scams evolve as users become more savvy. In earlier days, phishing was about fake links and cloned websites. Now, scams often use interface design, social engineering, and subtle manipulations of transaction flow to trick users. For Phantom, this moment may prompt reflection on how its interface handles transaction histories and which safeguards are appropriate. Users, for their part, are reminded that good practices matter: double-checking full addresses, using contact lists, and verifying destination addresses externally can reduce risk.