Dusting Attacks: How Wallets Are Tracked Through «Dust»

Sometimes it all starts with a «gift» — a few cents in crypto that you didn't ask for and most likely didn't even notice appearing. Such micro-transfers look like noise: no meaning, no benefit, no threat. The problem is that this is hackers' way of attacking and stealing assets. Cryptocurrency «dust» is a marker.

It's needed to see what the recipient will do next. If they spend it — they'll provide a link between addresses. If they don't notice — the «dust» will sit in history and become a convenient bait for address substitution. The user can make a mistake immediately or a bit later, in any case they risk losing their assets.

In this article, we'll break down what a dusting attack is, tell real cases of theft of huge sums through sending «dust», and explain which habits and tools protect funds and data.

Key Takeaways

• Dusting attacks start with a micro-transfer. Attackers send tiny amounts of cryptocurrency to thousands of addresses to mark wallets and prepare the ground for analysis.
• «Dust» is used to track behavior. When a user spends funds and accidentally includes a dust input, data appears to link addresses together.
• Addresses are combined into clusters. Through on-chain analysis, attackers determine which wallets belong to one owner and assess the scale of their activity.
• Attacks go beyond surveillance. Dusting attacks are increasingly used together with address poisoning, phishing and address substitution, turning into a tool for direct theft of funds.
• Errors provoked by «dust» transactions have already led to losses of hundreds of thousands and tens of millions of dollars. Protection is built on control and discipline. Not using dust inputs, checking addresses and using wallets with extended control significantly reduces risks, especially in corporate environments.

What is a Dusting Attack

A dust attack (or cryptocurrency dust attack) is a method of deanonymizing cryptocurrency wallet owners. An attacker sends tiny amounts of cryptocurrency — «dust» — to a large number of addresses, and then tracks how these amounts are spent in the future.

The term «dust» in the cryptocurrency environment refers to such small amounts that their value often doesn't even cover the transfer fee. For example, in the Bitcoin network it can be 546 satoshis or less, in Ethereum — a few Gwei. It's precisely this insignificance that makes the attack invisible to the victim.

How a dusting attack works: step-by-step mechanism:

1. Mass dust mailing. The attacker sends microscopic amounts to thousands and even millions of addresses. These transactions are publicly recorded on the blockchain.
2. Waiting period. Scammers wait until address owners start conducting regular operations with their wallets.
3. Tracking fund movement. When a user spends their crypto assets and accidentally includes the received «dust» in a transaction, the attacker receives valuable information.
4. Analysis and deanonymization. Through blockchain analysis, attackers identify connections between different addresses of one owner, build a transaction graph and try to establish the user's identity.

According to Gemini research, dust attacks on crypto wallets were first noticed back in 2018, but have since significantly evolved in complexity and scale.

How Dangerous Are Dusting Attacks

At first glance, it may seem that receiving a few cents in cryptocurrency is harmless. However, the consequences can be serious:

Deanonymization

By matching dust transactions with subsequent transfers, attackers build connections between wallets. This allows them to:

• Determine which addresses belong to one person or organization.
• Assess the overall balance and activity of a user.
• Link crypto addresses to a real person through exchanges, IP addresses or other metadata.

Evolution of Attacks: From Surveillance to Direct Losses

Modern dust attacks in crypto have gone beyond simple observation. They have become part of multi-stage schemes:

• Address poisoning attack. Scammers create addresses similar to those used by the victim (the first and last characters match). After sending a dust transaction, such an address appears in the wallet history. When the user copies an address from history, they mistakenly send funds to the attackers.
• Phishing through memo fields. Some blockchains (for example, TRON) allow adding text notes to transactions. Attackers use this to place phishing links that the dust transfer recipient sees.
• Targeted attacks on large holders. Having identified an owner of large capital through dust analysis, scammers can organize a personalized phishing campaign or even physical persecution.

Real Cases of Dusting Attacks

Dust attacks have already brought hackers tens of millions of dollars. Here are three high-profile fraud cases where sending «dust» was only the first step.

Case: From Micro-Transfer to Theft of 170K USDT on TRON

In September 2023, a TROM network user became a victim of a sophisticated address poisoning scheme. Attackers sent a microscopic amount of USDT to their wallet — so small that the victim didn't even notice the notification.

Then the scammers created a clone address: the first five and last four characters matched the address to which the user regularly sent funds. The fake address appeared in the transaction history right below the legitimate one.

A few days later, when the user was making another transaction, they opened the wallet history, briefly glanced at the beginning and end of the address, copied it and sent ~$170K USDT directly to the scammers.

Loss of $68M Through Address Poisoning

This case became one of the most expensive in the history of cryptocurrency fraud related to dust attacks. In May 2024, the owner of a large wallet lost $68M as a result of a targeted address poisoning campaign.

The attack was multi-stage and carefully planned. Scammers tracked the victim's activity for several weeks, studied their transaction patterns and identified the most frequently used recipient addresses.

Then the attackers created several duplicate addresses and began a massive mailing of dust transactions. Every day, microscopic amounts from fake addresses came to the victim's wallet, cluttering the operation history.

When the user made another large transfer of 714 WBTC (Wrapped Bitcoin), they didn't notice the substitution. The address looked familiar: the same first and last characters and already existing transactions with their participation in history. The funds were gone forever.

Large-Scale Attack with Losses of $10M+

At the end of October 2025, analytics company TRM Labs described in its report a large-scale campaign by scammers that affected hundreds of thousands of TRON network users. The peculiarity of this attack was its combined nature. Attackers used three vectors simultaneously:

• Classic dusting. Mass mailing of microscopic amounts of TRX to deanonymize users and build a graph of connections between wallets.
• Address poisoning. Creating clone addresses and introducing them into victims' transaction history. During the observation period, TRM Labs experts recorded the creation of more than two million fake addresses.
• Phishing through memo fields. In the TRON network, each transaction can contain a text field with a note. Scammers used this to place messages with phishing links: «Get your reward [link]» or «Verify your wallet to avoid restrictions: [link]».

This campaign led to confirmed losses of over $10M. The real figure is probably much higher, as many victims don't report incidents.

What makes these examples particularly telling is the evolution of the threat itself. If in 2018-2019 dust attacks were an analytics tool, by 2026 they became a full-fledged weapon of cybercriminals, bringing them tens of millions of dollars.

How to Recognize a Dusting Attack

Detecting a dust attack at an early stage is not always easy, but there are several signs:

• Unexpected microscopic receipts. If a transaction with an amount of a few cents or even fractions of a cent that you didn't expect came to your wallet — this is a reason to be alert.
• Multiple dust transactions. Receiving several micro-payments in a short period of time is a characteristic sign of an attack.
• Strange sender addresses. Dust usually comes from addresses that don't have a long transaction history or look randomly generated.
• Similar addresses in history. If addresses very similar to those you often work with appeared in the transaction history, but you didn't add them — this is a sign of address poisoning.
• Suspicious memo notes. Links, advertising messages or calls to action in transaction text fields should raise suspicion.

According to Coinbase, Bitcoin and Ethereum wallet users receive dust transactions most often during periods of high market activity, when it's easier for attackers to get lost in the general flow of operations.

Protection Against Dusting Attacks

Now about the main thing — how to protect yourself and your assets. Security measures are divided into basic for all users and advanced for business.

For Individual Users

1. Don't spend «dust» together with main funds

The most important rule: don't include suspicious dust inputs in your transactions. If the «dust» remains untouched, attackers won't be able to link your addresses.

2. Use wallets with Coin Control function

Many modern wallets (for example, Electrum, Wasabi Wallet, Bitcoin Core) allow you to manually select which inputs to use in a transaction. You can mark dust assets and exclude them from spending operations.

3. Use HD wallets

HD wallets (Hierarchical Deterministic) automatically generate a new address for each transaction. This significantly complicates tracking and linking your operations, even if «dust» got to one of the addresses.

4. Check addresses completely

Never copy addresses from transaction history if you're not sure of their authenticity. Always verify not only the first and last characters, but also several characters from the middle, and better yet the entire address with the original.

For Business: Corporate Solutions

Companies working with cryptocurrency face additional risks. A dust attack on a corporate wallet can lead to information leakage about business counterparties and financial flows. This is extremely dangerous and can even threaten a physical attack on the company.

One of BitHide's clients noticed that unexpected micro-transfers of cryptocurrency began regularly arriving at their addresses. At first glance, it looked like network noise, however, the repeatability and nature of the receipts raised a natural question: what's happening and does this carry a risk.

Our team didn't have to analyze the situation for long to understand that this was a dusting attack. We explained to the client the mechanism of such attacks, possible consequences and reminded them about available BitHide tools that allow protection:

• Role-based access to the wallet. Not all company managers can initiate transfers — only authorized employees with appropriate rights. This reduces the likelihood of error due to inattention.
• Double confirmation of fund sending. Each transaction requires confirmation from an authorized person. Even if one employee makes a mistake and specifies a fraudulent address, another will notice the discrepancy.
• Automation of mass payments. The file with recipient addresses is agreed upon and checked in advance. After confirmation, the system automatically executes transfers. The human factor and the probability of copying a fake address from history are minimized.
• Unique addresses for each client. BitHide generates a separate address for each transfer of your client. There simply is no main central address where large amounts are stored.

This approach is especially important for companies conducting dozens or hundreds of crypto transactions daily.

Conclusion

What is a dust attack? It's a deanonymization tool that has evolved into a complex fraud scheme capable of leading to losses of millions of dollars.

Key conclusions:

• Dust attacks target your privacy, and through it — your funds.
• Modern schemes with address poisoning rely on user inattention.
• Simple precautions (not spending dust, checking addresses, using HD wallets) significantly reduce risks.
• For business, corporate solutions with multi-level control are critically important.

The cryptocurrency space is becoming increasingly dangerous. Protection against dusting attacks starts with awareness and ends with using the right tools. Be attentive to unexpected receipts, check addresses completely and don't ignore basic security measures — they really work.

And to learn more about how BitHide will help solve your business tasks, contact our team.