Crypto investigator ZachXBT warns that Phantom’s upcoming chat feature could expose users to theft amid ongoing address-poisoning scams.

ZachXBT calls out Phantom Chat over address poisoning issue

2026/02/10 17:10

On-chain investigator ZachXBT warned that an advertised social feature for the Phantom wallet, “Phantom Chat,” is a new method for “investors to get drained.” 

In an announcement made Sunday, multichain wallet Phantom said its new integrated social platform is a messaging tool slated for release in 2026, as part of its evolution of in-wallet interaction.

ZachXBT commented on Phantom’s X post, saying the company has not resolved the scam vector affecting its users, known as “address poisoning.” He cited a recent case in which a victim lost 3.5 wrapped bitcoin after copying a fraudulent address from the transaction history. The loss occurred last week, according to the investigator’s public post.

“A victim lost 3.5 WBTC last week since your UI still does not filter out spam txns users so they accidentally copied the wrong address from recent transactions since the first characters looked similar,” he stated.

The 2D investigator identified the theft address as 0x85cB…Af11D8f6, with the transaction hash 0x9f0fc3cd…267a647a4.

How does address poisoning work?

According to wallet provider MetaMask, address poisoning begins with attackers sending victims token transfers worth little or nothing. The purpose of these “useless” transfers is to add vanity addresses to a potential victim’s transaction history. Before deciding which targets to go after, the attackers first scan the blockchain for active wallets.

Vanity addresses are made to match the beginning and ending characters of a target’s address using tools such as Profanity, an open-source wallet address generator. Most users cannot memorize full wallet addresses because they are so long. 

Looking at the two most popular blockchains, Bitcoin addresses have 26-35 characters, while Ethereum-style addresses have 42 characters. Instead of checking every character, a user may glance only at the first and last characters and unknowingly copy the wrong address. Attackers purposely design their spoofed addresses to survive that quick check.
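The filtering ZachXBT says is missing can be sketched as follows. This is an added example, not code from Phantom, MetaMask or the original article; it assumes Ethereum-style hex addresses, and the `Transfer` record, the function names, the 4-character match window and the dust threshold are all hypothetical choices.

```python
from dataclasses import dataclass

@dataclass
class Transfer:
    sender: str
    recipient: str
    amount: float  # token amount moved

def lookalike(a: str, b: str, head: int = 4, tail: int = 4) -> bool:
    """Different addresses whose first and last hex characters match."""
    a = a.lower().removeprefix("0x")
    b = b.lower().removeprefix("0x")
    return a != b and a[:head] == b[:head] and a[-tail:] == b[-tail:]

def flag_poisoning(owner: str, history: list, dust: float = 0.01) -> list:
    """Return history entries that should be hidden from 'recent addresses'."""
    owner = owner.lower()
    # Addresses the owner has actually paid are the ones worth imitating.
    trusted = {t.recipient.lower() for t in history
               if t.sender.lower() == owner and t.amount > dust}
    flagged = []
    for t in history:
        # Counterparty = whichever side of the transfer is not the owner.
        other = (t.recipient if t.sender.lower() == owner else t.sender).lower()
        if other in trusted or t.amount > dust:
            continue
        if any(lookalike(other, known) for known in trusted):
            flagged.append(t)
    return flagged

# Constructed sample data: none of these are real addresses.
OWNER = "0x" + "11" * 20
PAYEE = "0xAb12" + "0" * 32 + "Cd34"
FAKE = "0xab12" + "f" * 32 + "cd34"      # same first/last 4 characters as PAYEE
OTHER = "0x" + "9" * 40
HISTORY = [
    Transfer(OWNER, PAYEE, 1.5),   # genuine payment
    Transfer(FAKE, OWNER, 0.0),    # worthless incoming transfer from the lookalike
    Transfer(OTHER, OWNER, 0.0),   # spam, but not imitating a known payee
    Transfer(OTHER, OWNER, 2.0),   # ordinary incoming payment
]

if __name__ == "__main__":
    for t in flag_poisoning(OWNER, HISTORY):
        print("hide from recent addresses:", t)
```

Comparing in lowercase means a change in checksum casing alone never makes an address count as a lookalike of itself.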

MetaMask said spoofing crypto addresses is very similar to how hackers use phishing to steal from banking brands. Criminals clone the appearance of institutions such as Wells Fargo to steal credentials, but in crypto, the address itself is the disguise.

ZachXBT shared screenshots of several poisoning victims after an X user questioned why anyone would copy old transactions. He replied, “Convenience (thefts happen way more frequently than you’d expect)”.

Phantom previously tested in-wallet communication through a prediction markets partnership with Kalshi in December, which included a live chat feature. Wallet messaging could allow scammers to impersonate trusted contacts or send malicious links.

“Honestly, my exGF downloaded Phantom when Elon mentioned the companions I sent her like 200 bucks worth of Ani, and she said she got scammed because it went to zero … I assumed she clicked the wrong button somehow but never put the pieces together until now,” another X user complained, reacting to ZachXBT’s findings.

Phantom users struggle with phishing attacks

Last December, a Solana user named Jack reported losing $9,000 through a wallet drainer. Explaining the ordeal to several news outlets, Jack surmised that the incident began with an Instagram advertisement where SOL holders were convinced to enter a promo offering “fast returns,” although the link shared led them to a fraudulent website.

After clicking on the phishing link, he approved an incoming transfer that exposed his wallet to a malicious JavaScript drainer called “SkyDrainer.” The code drained his wallet, and the website vanished from his browser tabs.

The victim later traced the drainer’s promotion and found listings on underground forums such as Cracked[.]sh and the Russian site LolzTeam. One forum post advertised “Supreme #1 Solana Drainer,” promoting security bypassing methods, hosting, and cloaking at a 10% operator fee.

Data from blockchain security firm Scam Sniffer shows wallet scams involving address poisoning and signature phishing caused the biggest losses in January. In one case, a single victim lost $12.2 million after copying a poisoned address.
