Headline: Ethereum’s recent “busy” weeks were largely fake — dusting attacks inflated network metrics, researcher says
Ethereum posted some of its busiest metrics in weeks, but a new analysis from security researcher Andrey Sergeenkov (sergeenkov.com) shows much of the activity is not organic trading or wallet onboarding — it’s large-scale address “dusting” involving stablecoins.
What happened
- Network spikes: New Ethereum addresses jumped to 2.7x the 2025 average, peaking around January 12 with roughly 2.7 million new addresses — a ~170% increase over normal levels. Weekly transactions climbed 63%, from 10.5 million to a record 17.1 million.
- The catch: Roughly 80% of that growth was driven by stablecoins (mainly USDT and USDC), whose transfers are often automated and can dramatically skew on-chain activity.
The dusting pattern
- First-time stablecoin transfers show the giveaway: 67% of newly created addresses received under $1 as their initial transfer. In total, 3.86 million of 5.78 million new addresses got these tiny “dust” payments.
- That pattern is classic address poisoning: attackers send tiny token amounts to many addresses — often to addresses that resemble real wallet IDs — hoping a user later copies an address from transaction history and accidentally sends funds to the attacker.
How Sergeenkov traced the actors
- He analyzed USDT and USDC transfers under $1 from December 15, 2025 to January 18, 2026, then filtered for senders that airdropped dust to at least 10,000 unique addresses.
- Several large-scale operator contracts emerged. The top three alone sent dust to over 1.6 million addresses: roughly 690,000, 589,000 and 405,000 wallets respectively. New contracts continue to appear; one recent contract has already dusted 78,000 addresses.
Profitability and risk
- Address poisoning has a very low success rate — around 0.01% — so attackers rely on the occasional big mistake to recoup costs. In this campaign, one victim lost $509,000, accounting for most of the funds reported stolen so far.
- A key enabler: Ethereum’s Fusaka upgrade in December drastically lowered average ERC-20 transfer fees — nearly a 6x reduction — making it cheap to send millions of spam transactions and turning dusting campaigns economically viable overnight.
Current status and takeaways
- All major attacker contracts identified by Sergeenkov remain active. Because success depends on rare, large errors by users, the biggest losses often materialize episodically rather than uniformly.
- The episode is a reminder that raw on-chain activity spikes can hide manipulative or automated behavior. Users should be cautious when copying addresses from transaction histories and double-check destination addresses before sending funds.
Source and note
- Analysis by Andrey Sergeenkov (sergeenkov.com). Reporting adapted from AMBCrypto. This article is informational and not investment advice; crypto trading carries high risk and readers should do their own research.
Read more AI-generated news on: undefined/news
