Address Poisoning Scams on Telegram
Attackers use Telegram to distribute lookalike wallet addresses, impersonate project admins, and trick users into sending funds to attacker-controlled addresses disguised as official deposit destinations.
Part of: Address Poisoning Scams
Last reviewed: 9 June 2026
While the classic address poisoning attack operates silently on-chain, Telegram introduces a social-engineering layer that dramatically increases the attack's reach and success rate. In crypto communities, users routinely share wallet addresses in Telegram groups for payments, airdrops, and peer-to-peer transfers. Attackers monitor these conversations and inject lookalike addresses at precisely the right moment to intercept transactions.
The trust dynamics of Telegram crypto communities make this especially dangerous. When a message appears to come from a familiar admin handle, a pinned message, or a response to a legitimate address request, users are far less likely to scrutinize every character of the address they copy.
How this scam works on Telegram
On Telegram, address poisoning takes several forms. In group chats where a user asks for an official deposit address, an attacker with a similarly named or visually identical username replies first with a lookalike address. The real admin's reply comes later but the victim may have already copied the first response.
In fake admin direct messages, an attacker impersonates a project moderator and sends an address for a token claim, airdrop registration, or fund migration. The message mirrors legitimate support communications in tone and structure. Another variant involves fake pinned messages or forwarded announcements that replace the original contract or deposit address with a lookalike. In each case, the poisoned address differs from the real one only in middle characters that few users check character by character.
Common red flags
- An address was shared in a DM from someone claiming to be project support, even though you did not initiate the conversation
- Multiple accounts in a group respond simultaneously to an address request with slightly different addresses
- Pinned message was recently edited or the original poster's account shows signs of impersonation
- The sender's username closely mimics a known admin but has subtle differences such as an extra underscore or replaced letter
- You are being asked to migrate funds to a new address due to a claimed smart contract upgrade or security issue
- The shared address looks identical to a known address at first and last glance but you have not verified every character
How to protect yourself
- Always copy wallet addresses from the official project website or your own address book rather than from Telegram messages
- Verify every character of any address received through Telegram before sending funds, including middle characters
- Treat any DM from a project admin as suspicious if it arrives unsolicited or directs you to a new address
- Check the sending account's username against the known admin list in the official pinned message or project website
- Enable username verification in Telegram by cross-referencing handles against the project's official social media
- Use small test transfers before sending large amounts to any address received through a social platform
How to report it
- Report the impersonating Telegram account to Telegram at abuse.telegram.org
- Notify the legitimate project team immediately so they can warn their community
- Flag the malicious wallet address on the relevant block explorer phishing database
- Report to the IC3 at ic3.gov if financial losses occurred
Frequently asked questions
Why do attackers impersonate admins rather than just posting lookalike addresses in group chats?
Admin impersonation adds an authority signal that reduces the victim's impulse to verify independently. A message from a perceived trusted source exploits social trust in a way that an anonymous group message does not.
Can I tell a real admin from an impersonator on Telegram?
Telegram allows identical display names with different usernames. Always check the full username (the @handle) character by character against the officially published admin list. Block and report any account that DMs you claiming to be support.
What should I do the moment I realize I sent to the wrong address?
Cryptocurrency transactions cannot be reversed once confirmed. Preserve all evidence including the fake message and transaction hash, report to the project team and block explorer, and file a report with law enforcement.