ZachXBT Exposes Phantom Chat’s Critical Address Poisoning Flaw—Security Crisis in Web3’s Darling Wallet

Phantom Chat, the sleek messaging feature baked into one of crypto's most popular wallets, just got called out—hard. Blockchain investigator ZachXBT dropped the hammer, exposing a glaring address poisoning vulnerability that could reroute your crypto straight into a scammer's pocket.
How the Poison Works
It's a classic bait-and-switch with a Web3 twist. Attackers generate wallet addresses visually similar to a target's—same first and last few characters—then send tiny, worthless transactions from them. The goal? Poison your transaction history. When you go to send real funds later, you might copy the wrong, lookalike address from your own history, thinking it's a trusted contact. Your assets vanish, no hack required.
The Phantom Blind Spot
While not a novel attack vector, its presence within Phantom's integrated chat is the real story. The feature, designed for seamless social interaction and token transfers, inadvertently creates a perfect vector for this scam. It turns convenience into a liability, highlighting a painful truth in crypto: user-friendly design often races ahead of security audits. It's the fintech playbook—move fast, break things, and let users hold the bag when things go sideways.
A Wake-Up Call for Wallet Security
This isn't just a Phantom problem; it's an industry-wide reminder. As wallets evolve into super-apps—bundling swaps, staking, NFTs, and now chat—their attack surface balloons. Each new feature is a potential new door for exploitation. Security can't be an afterthought bolted onto a slick interface.
The real cost of innovation is measured in lost funds, not just development sprints. Until that calculus changes, expect more clever scams to find the gaps between our ambition and our diligence.
How does address poisoning work?
According to wallet provider MetaMask, address poisoning begins with attackers sending victims token transfers worth little or nothing. The purpose of these “useless” transfers is to plant vanity addresses in a potential victim’s transaction history. Before choosing a target, attackers first scan the blockchain for active wallets.
Vanity addresses are generated to match the beginning and ending characters of a target’s address using tools such as Profanity, an open-source wallet address generator. Because full wallet addresses are so long, most users cannot memorize them.
Looking at the two most popular blockchains, bitcoin addresses have 26-35 characters, while Ethereum-style addresses have 42 characters. Instead of checking every character, a user may only glance at the first and last few, unknowingly copying the wrong address. The perpetrator purposefully designs their spoofed addresses to survive that quick check.
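The first/last-character match described above is also what a wallet can check for on the user's behalf. The following is an added example, not code from the article, Phantom or MetaMask: it flags a destination that mimics a saved contact and picks out the dust transfers in a history that planted it. All addresses, names and the dust threshold are constructed placeholders.

```python
# Added example (not from the article, Phantom or MetaMask): a wallet-side
# check for lookalike destination addresses, the pattern address poisoning
# relies on. All addresses below are constructed placeholders, not real wallets.

DUST_THRESHOLD = 0.001   # assumed: transfers at or below this count as "dust"
PREFIX_LEN = 4           # characters a hurried user compares at the start
SUFFIX_LEN = 4           # ... and at the end


def looks_alike(candidate: str, trusted: str) -> bool:
    """True when two distinct, equal-length addresses share the same leading
    and trailing characters, i.e. would survive a quick visual check."""
    if candidate == trusted or len(candidate) != len(trusted):
        return False
    return (candidate[:PREFIX_LEN] == trusted[:PREFIX_LEN]
            and candidate[-SUFFIX_LEN:] == trusted[-SUFFIX_LEN:])


def check_destination(candidate: str, contacts: dict) -> tuple:
    """Classify an address against saved contacts: ("exact", name) on a
    full-string match, ("lookalike", name) if it mimics one, else ("unknown", None)."""
    for name, addr in contacts.items():
        if candidate == addr:           # every character, not just the ends
            return ("exact", name)
    for name, addr in contacts.items():
        if looks_alike(candidate, addr):
            return ("lookalike", name)
    return ("unknown", None)


def flag_poisoned_history(history: list, contacts: dict) -> list:
    """Return (address, mimicked_contact) for dust transfers whose counterparty
    mimics a saved contact: the entries a user might later copy by mistake.
    history items are (counterparty_address, amount) tuples."""
    flagged = []
    for addr, amount in history:
        verdict, name = check_destination(addr, contacts)
        if verdict == "lookalike" and amount <= DUST_THRESHOLD:
            flagged.append((addr, name))
    return flagged


# Constructed sample data (44-character, Solana-style strings)
ALICE    = "7xKXtg2CW87d97TXJSDpbD5jBkheTqA83TZRuJosgAsu"  # saved contact
POISONED = "7xKXQm9rZ4bP2sLw8vTnHkE3yGfUcD6aJ1NiRoXtgAsu"  # same first/last 4
STRANGER = "9aBcDeFgHiJkLmNoPqRsTuVwXyZ12345678ABCDEFGH1"  # unrelated
CONTACTS = {"alice": ALICE}
HISTORY  = [(ALICE, 2.5), (POISONED, 0.0001), (STRANGER, 1.0)]

if __name__ == "__main__":
    print(check_destination(POISONED, CONTACTS))    # ('lookalike', 'alice')
    print(flag_poisoned_history(HISTORY, CONTACTS))  # [(POISONED, 'alice')]
```

A wallet would surface the "lookalike" verdict as a blocking warning before the transaction is signed, since the full-string comparison is the only check a poisoned address cannot pass.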
bro i had the same issue. I was transferring my SOL to USDC now it stuck up with this fucking wallet.
EVDheTpoa43cSgAv544qmtodriLmoV1asre5PSsPw8DT
It happened twice.
Never gonna use this fucking app again. @phantom pic.twitter.com/rubw0JhJ1k
— Kill4h (@cryptokill4h) February 10, 2026
MetaMask said spoofing crypto addresses is very similar to how hackers use phishing to steal from banking brands. Criminals clone the appearance of institutions such as Wells Fargo to steal credentials, but in crypto, the address itself is the disguise.
ZachXBT shared screenshots of several poisoning victims after an X user questioned why anyone would copy old transactions. He replied, “Convenience (thefts happen way more frequently than you’d expect)”.
Phantom previously tested in-wallet communication through a prediction markets partnership with Kalshi in December, which included a live chat feature. Wallet messaging could allow scammers to impersonate trusted contacts or send malicious links.
“Honestly, my exGF downloaded Phantom when Elon mentioned the companions I sent her like 200 bucks worth of Ani, and she said she got scammed because it went to zero … I assumed she clicked the wrong button somehow but never put the pieces together until now,” another X user complained, reacting to ZachXBT’s findings.
Phantom users struggle with phishing attacks
Last December, a Solana user named Jack reported losing $9,000 through a wallet drainer. Explaining the ordeal to several news outlets, Jack surmised that the incident began with an Instagram advertisement in which SOL holders were encouraged to enter a promo offering “fast returns,” although the link shared led them to a fraudulent website.
After clicking on the phishing link, he approved an incoming transfer that exposed his wallet to a malicious JavaScript called “SkyDrainer.” The code drained his wallet, and the website vanished from his browser tabs.
The victim later traced the drainer’s promotion, where he found listings on underground forums such as Cracked[.]sh and the Russian site LolzTeam. One forum post advertised “Supreme #1 Solana Drainer,” promoting security bypassing methods, hosting, and cloaking at a 10% operator fee.
Data from blockchain security firm Scam Sniffer shows wallet scams involving address poisoning and signature phishing caused the biggest losses in January. In one case, a single victim lost $12.2 million after copying a poisoned address.