Account dusting and address poisoning are deceptive practices on the Solana blockchain that exploit users through low-value transactions. Dusting floods account addresses with tiny SOL transfers to promote something (bots, casinos, tools, etc.); it is crypto spam. Address poisoning tricks users into sending value to malicious account addresses that mimic legitimate ones. This report details our investigation into these actions and provides a public dashboard on Dune and an open-source API that uses Solscan endpoints to assess transaction risk in real time, improving the security of wallets and explorers.
On Solana, SOL is the native currency used for gas fees and network staking. Dusting involves sending negligible SOL amounts—often less than 10 lamports (1 billion (1,000,000,000) lamports is 1 SOL)—to thousands of account addresses, typically to advertise shady platforms like casinos, bots or 'tools'. Over the past week, 5.12 million dust transactions targeted 4.23 million addresses, totaling just $11 USD. These transfers often cluster around specific domains or wallets, with identifiable “duster” addresses executing thousands of transactions.
On-chain data reveals a tightly coordinated operation dominated by a few key players. The Accounts Dusted Hourly chart, covering seven days of data, shows that approximately 150,000 account addresses are targeted every hour by around 40 consistent duster account addresses, each executing at least 100 transactions to 100 distinct account addresses. One duster, linked to a Solana domain name associated with “Odin bot,” drives massive spikes every 12 hours, suggesting manual launches or cron-timed automation. These bursts indicate a deliberate strategy to spam account addresses at predictable intervals.
The SOL Dusting Market Share area chart underscores the concentration of this activity. Account addresses tied to “casino flip.gg” consistently dominate, accounting for 74% of dusting transactions. When combined with an unknown account address, 3U6G, and the Odin bot-related account address, these three players control 93% of the market share. During the Odin bot’s 12-hourly surges, their grip tightens to 97%, revealing a near-monopoly on dusting campaigns.
The Odin bot-related account address targets 20,000 account addresses every 12 hours, while casino flip.gg bots collectively hit 10,000. Smaller dusters, by contrast, rarely exceed 500 account addresses per hour, emphasizing the disparity between major players and fringe operators. This pattern points to a hierarchical structure, with well-resourced account addresses orchestrating large-scale spam while others play a minor role.
The Total SOL Dusted by Hour (USD) reveals the negligible value transferred: less than $0.06 USD per hour to target 150,000 account addresses. This trivial cost, paired with the high volume of transactions, explains the profitability of dusting. Spammers can flood accounts with minimal investment, banking on even a tiny conversion rate to scams or bots to turn a profit.
In summary, dusting activity is concentrated among four key account addresses, primarily promoting casino tools and bots. Their coordinated, automated approach exploits Solana’s low-cost transactions to spam millions of account addresses with ease. A complete list of these duster account addresses and their activities is available on the Dune dashboard.
Address poisoning is a sophisticated scam that, like dusting, leverages low-value transactions but with a malicious twist: attackers send tiny SOL or token transfers from account addresses mimicking legitimate ones (e.g., sharing the first four characters) to trick users into sending funds to the wrong account address.
Investigating this is no small feat, as Solana’s transaction volume surpasses EVM blockchains by orders of magnitude, demanding careful resource allocation for queries. To understand how poisoning typically unfolds, we built a base query around a common pattern:
1. A "high-value" withdrawal is performed, usually to an identified CEX account address.
2. A micro-SOL transfer occurs from a similar-looking account address to the victim’s destination account address, typically minutes later.
3. We check afterward if the victim sent funds to the scammer’s account address.
This pattern shows how scammers work: they hope users quickly check their recent transactions and mix up a fake account address with one they trust, like mistaking a stranger for a friend. Our query, run over a 12-hour period, uncovered a large wave of these scams. Scammers targeted 1,577 account addresses, creating 4,349 fake account addresses to launch 9,234 poisoning attempts. These attacks were fast, hitting just 9.74 minutes after a legitimate transaction on average, taking advantage of when users are likely to check their recent activity.
Due to data constraints, we only tracked 10 minutes after each poisoning attempt to see if victims sent funds to the fake account address, keeping the query simple for faster results. Extending this window would require more processing time, but an alternative could be checking if these fake account addresses later received funds from victims. The Time to Poisoning Attempt scatter plot tracks this quick timing across recent hours, while the Poisoning Activity column chart highlights the focus on high-value transfers (>$10k), and the Targeted Accounts & Poisoning Attempts line chart shows how often these scams strike, with up to four attempts per transaction. Notably, some fake account addresses aren’t newly created; they seem to mimic CEX account addresses, possibly to track deposits. A list of these account addresses is available, and future work—limited by time—could trace their funding sources, attempt frequency, and success rates to better understand these tactics.
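The three-step pattern above, run over a constructed transfer list, as an added example that is not the Dune query behind this report. It assumes the dust lands in the wallet that made the withdrawal and that the lookalike imitates the withdrawal's destination; the `Transfer` fields, the 30-minute search window and the sample addresses are illustrative choices, not values from the dashboard.

```python
from dataclasses import dataclass

HIGH_VALUE_USD = 10_000     # the page's charts focus on transfers above $10k
DUST_LAMPORTS = 10          # assumption: reuse the page's "<10 lamports" bound
POISON_WINDOW_S = 30 * 60   # assumption: how long after the withdrawal to look
FOLLOW_UP_S = 10 * 60       # the page tracks 10 minutes after each attempt
PREFIX_LEN = 4              # lookalikes share the first four characters

@dataclass(frozen=True)
class Transfer:
    ts: int          # unix seconds
    src: str
    dst: str
    lamports: int
    usd: float

def find_poisoning(transfers):
    """Return one finding per (high-value transfer, lookalike dust) pair."""
    txs = sorted(transfers, key=lambda t: t.ts)
    findings = []
    for hv in (t for t in txs if t.usd > HIGH_VALUE_USD):
        victim, trusted = hv.src, hv.dst
        for dust in txs:
            if not (hv.ts < dust.ts <= hv.ts + POISON_WINDOW_S
                    and dust.dst == victim and dust.lamports < DUST_LAMPORTS
                    and dust.src != trusted
                    and dust.src[:PREFIX_LEN] == trusted[:PREFIX_LEN]):
                continue
            # Step 3: did the victim pay the lookalike inside the follow-up window?
            lost = sum(t.usd for t in txs
                       if t.src == victim and t.dst == dust.src
                       and dust.ts < t.ts <= dust.ts + FOLLOW_UP_S)
            findings.append({"victim": victim, "fake": dust.src,
                             "delay_s": dust.ts - hv.ts, "lost_usd": lost})
    return findings

# Constructed sample data (placeholder addresses, not real accounts).
V, CEX, FAKE = "VictimCONSTRUCTED", "9xQeDepositCONSTRUCTED", "9xQeLookalikeCONSTRUCTED"
SAMPLE = [
    Transfer(1000, V, CEX, 80_000_000_000, 12_500.0),   # high-value withdrawal
    Transfer(1500, FAKE, V, 5, 0.0),                    # lookalike dust, 500 s later
    Transfer(1600, "AdSpamCONSTRUCTED", V, 3, 0.0),     # plain dusting: prefix differs
    Transfer(1900, V, FAKE, 50_000_000_000, 8_000.0),   # victim pays the lookalike
    Transfer(5000, "SmallCONSTRUCTED", CEX, 3_000_000_000, 500.0),  # below threshold
    Transfer(5100, FAKE, "SmallCONSTRUCTED", 5, 0.0),   # ignored: no high-value trigger
]

if __name__ == "__main__":
    for f in find_poisoning(SAMPLE):
        print(f)
```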
To combat address poisoning, we built an open-source API for real-time detection, designed to slot into wallets, explorers, or RPC layers. It takes two inputs: from_address_check (sender account address) and to_address_check (recipient account address). Using Solscan’s account/transfer and transaction/detail endpoints, it digs into the sender’s transaction history, pinpointing prior interacting account addresses and their first interaction block.
Prefix Matching: The API checks if any account address that previously sent funds to the sender shares the first four characters with to_address_check. The earliest such account address (by block number) is marked safe (risk score: 0); later matches are flagged as risky (score: 50).
Low-Value Check: If the first interaction was a low-value SOL transfer (<10 lamports), the risk score jumps to 90, signaling a potential dusting or poisoning attempt.
Token Transfer Validation: For non-SOL transfers, the API assumes legitimate test transfers are ≥$1. Subsequent transfers in the same token must be ≥1/5 of the original value; otherwise, the risk score hits 90.
This setup keeps false positives low, as the odds of two random Solana account addresses sharing the first four characters are ~0.0005. For high-transaction account addresses (>1,000 interactions), the collision probability creeps to 0.512%, so our layered checks add reliability. The API’s lean design ensures fast queries, critical for real-time wallet integration.
Inputs: from_address_check, to_address_check
Data Source: Solscan API (/v2.0/account/transfer, /v2.0/transaction/detail)
Logic Flow:
1. Fetch sender’s transaction history.
2. Identify prior senders and their first interaction blocks.
3. Compare to_address_check’s first four characters with prior senders.
4. Apply risk scoring based on timing, SOL value, and token transfer thresholds.
Output: Risk score (0, 50, 90) for the recipient account address.
False Positives: Mitigated by trusting the earliest matching account address and enforcing strict value thresholds.
Scalability: Optimized Solscan API calls for low latency, caching frequent queries.
Evolving Tactics: Adaptive risk scoring handles multi-wallet obfuscation.
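One reading of the scoring rules and logic flow described above, as an added example that is not the project's own API code. It scores against a constructed in-memory history instead of calling Solscan; the dictionary field names, the `tx` helper, the sample addresses and the choice to return 0 for a recipient with no prior inbound transfer are assumptions.

```python
PREFIX_LEN = 4        # the page matches on the first four characters
DUST_LAMPORTS = 10    # SOL transfers below this count as low-value
MIN_TOKEN_USD = 1.0   # token test transfers are assumed to be >= $1

def first_inbound(history, owner):
    """Map each address that sent funds to `owner` to its earliest transfer."""
    first = {}
    for t in sorted(history, key=lambda t: t["block"]):
        if t["to"] == owner:
            first.setdefault(t["from"], t)
    return first

def risk_score(from_address_check, to_address_check, history):
    first = first_inbound(history, from_address_check)
    prefix = to_address_check[:PREFIX_LEN]
    matches = sorted((a for a in first if a[:PREFIX_LEN] == prefix),
                     key=lambda a: first[a]["block"])
    if to_address_check not in matches:
        return 0  # assumption: recipient never sent to the sender, nothing to score
    earliest, mine = matches[0], first[to_address_check]
    if mine["token"] == "SOL":
        if mine["amount"] < DUST_LAMPORTS:
            return 90  # first contact was dust
    else:
        if mine["usd"] < MIN_TOKEN_USD:
            return 90  # below the assumed test-transfer floor
        orig = first[earliest]
        if (earliest != to_address_check and orig["token"] == mine["token"]
                and mine["usd"] < orig["usd"] / 5):
            return 90  # under 1/5 of the original transfer in that token
    return 0 if earliest == to_address_check else 50

def tx(block, sender, token, amount, usd):
    return {"block": block, "from": sender, "to": OWNER,
            "token": token, "amount": amount, "usd": usd}

# Constructed sample data (not real addresses or Solscan output).
OWNER = "UserWalletCONSTRUCTED"
HISTORY = [
    tx(100, "7hKpLegitCONSTRUCTED", "SOL", 2_000_000_000, 300.0),
    tx(200, "7hKpDustCONSTRUCTED", "SOL", 5, 0.0),
    tx(300, "7hKpLateCONSTRUCTED", "SOL", 1_000_000, 0.15),
    tx(150, "Bq2xLegitCONSTRUCTED", "TOKEN_MINT_PLACEHOLDER", 100, 100.0),
    tx(250, "Bq2xFakeCONSTRUCTED", "TOKEN_MINT_PLACEHOLDER", 5, 5.0),
    tx(400, "Zz9wSoloCONSTRUCTED", "SOL", 3, 0.0),
]

if __name__ == "__main__":
    for addr in sorted({t["from"] for t in HISTORY}):
        print(addr, risk_score(OWNER, addr, HISTORY))
```

The `Zz9wSolo` case shows why the value checks are layered on top of prefix ordering: it is the earliest address with its prefix, yet a dust first contact still scores 90.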
Account dusting is dominated by a small number of persistent account addresses that automate spam-like behavior to promote bots and gambling tools. Address poisoning, while less frequent, poses a more deceptive risk and requires further investigation to fully understand how these fake addresses are created and funded. Although our data window is limited, the Dune dashboard offers a clear view of these activities over the past seven days, and our open-source API provides real-time risk scoring to help wallets, explorers, and developers guard against suspicious interactions.