Dusting and Deanonymisation Attacks
Attackers send tiny amounts of cryptocurrency to target wallets to link pseudonymous addresses to real identities, enabling targeted phishing, extortion, or further wallet attacks.
Last reviewed: 1 June 2026
What this scam is
A dusting attack is a blockchain-based surveillance technique in which an attacker sends very small amounts of cryptocurrency — often fractions of a cent, called 'dust' — to a large number of wallet addresses. The attack itself does not steal funds. Its purpose is to deanonymise wallet owners by analysing how the dust is subsequently moved.
Blockchain transactions are pseudonymous, not anonymous. Every transaction is publicly recorded on the ledger, but wallet addresses are not inherently linked to real-world identities. When a wallet holder later moves funds — combining the dust with other inputs in a new transaction — their various wallet addresses can be linked together through on-chain analysis. If any of those addresses can be connected to a known identity (through exchange KYC records, a previously doxxed address, or a public donation or NFT purchase), the entire cluster of addresses can potentially be attributed to the same person.
For high-value wallet holders, deanonymisation creates serious risks: targeted phishing attacks using personal information derived from the wallet's transaction history, physical threats or extortion based on estimated wealth, or highly targeted social engineering attacks that reference specific holdings to appear credible.
Some dusting attacks are conducted by chain analytics firms for legitimate research. Others are conducted by malicious actors specifically to enable follow-on fraud, extortion, or directed wallet-draining attacks.
How it works
The attacker generates or obtains a list of target wallet addresses — often focused on wallets with significant balances, wallets that have interacted with specific DeFi protocols, or wallets associated with specific NFT collections. Small amounts of a token (sometimes a new token created specifically for the attack) are sent to each address.
If the wallet holder later moves their funds and combines the dust with other balances in a transaction, the input addresses are now publicly linked on the blockchain. A chain analysis tool can identify the cluster of addresses that belong to the same wallet holder. If any address in the cluster has been linked to a real identity through previous activity, the whole cluster becomes attributable.
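The input-linking step described above, as an added example that is not part of the original page: a wallet-side check showing which of your addresses would join a cluster with a publicly identified address if unsolicited dust were swept along with other funds, and how leaving the dust unspent avoids it. It assumes a UTXO-style chain; `Utxo`, `cluster`, `sweep_inputs`, `exposed`, the 1,000-satoshi threshold and all addresses are hypothetical names and constructed sample data.

```python
from dataclasses import dataclass

DUST_LIMIT_SATS = 1_000  # assumed cut-off for this example, not a standard

@dataclass(frozen=True)
class Utxo:
    address: str
    value_sats: int
    known_sender: bool  # False = deposit you cannot account for

def cluster(spends):
    """Common-input-ownership heuristic: merge addresses co-spent as inputs."""
    parent = {}
    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a
    for inputs in spends:
        for u in inputs:  # union every input address with the first one
            parent[find(u.address)] = find(inputs[0].address)
    groups = {}
    for a in list(parent):
        groups.setdefault(find(a), set()).add(a)
    return list(groups.values())

def sweep_inputs(utxos, freeze_dust):
    """Inputs for a consolidation; freeze_dust leaves unsolicited dust unspent."""
    return [u for u in utxos if not (
        freeze_dust and u.value_sats <= DUST_LIMIT_SATS and not u.known_sender)]

def exposed(spends, identified):
    """Addresses that share a cluster with a publicly identified address."""
    hit = [g - identified for g in cluster(spends) if g & identified]
    return set().union(*hit)

# Constructed sample data: addr_d is publicly tied to its owner and was dusted;
# addr_a and addr_b were already co-spent in an earlier transaction.
HISTORY = [[Utxo("addr_a", 50_000, True), Utxo("addr_b", 70_000, True)]]
WALLET = [Utxo("addr_b", 120_000, True), Utxo("addr_c", 300_000, True),
          Utxo("addr_d", 546, False)]
IDENTIFIED = {"addr_d"}

if __name__ == "__main__":
    for freeze in (False, True):
        spends = HISTORY + [sweep_inputs(WALLET, freeze)]
        print("freeze_dust =", freeze, "->", sorted(exposed(spends, IDENTIFIED)))
```

With the dust frozen, addr_a, addr_b and addr_c are still linked to one another by the sweep, but none of them is tied to the identified address.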
In more aggressive variants, the dust token itself is a fraudulent token with a contract that steals ETH or approved tokens when the holder attempts to sell or interact with it. In this case, the 'dusting' is actually a mechanism to deliver a drainer asset that activates on first interaction.
Following successful deanonymisation, the attacker may use the information for targeted spear-phishing emails referencing specific holdings, impersonation attacks leveraging known transaction history, or extortion threatening to expose the victim's wealth to others.
Why this scam works
Dusting attacks exploit the transparency that makes blockchains trustworthy for other purposes. Because all transactions are public, fund consolidation gives attackers exactly the information they need. Most wallet holders are not aware of the privacy implications of combining small received amounts with their other funds.
The follow-on attacks are effective because they arrive with unusually specific information — referencing actual holdings, specific tokens, or recent transactions — which makes them far more convincing than generic phishing attempts.
Common red flags
- Small, unexplained token deposits from unknown senders to your wallet
- New tokens appearing in your wallet that you did not purchase or claim
- Spear-phishing messages referencing specific holdings or transaction history
- Requests to sell or interact with a recently airdropped token
- Contact from someone claiming to know the contents of your wallet
Sanitized example messages
Illustrative, sanitized examples. Personal details are replaced with placeholders such as [phone number] and [fake link].
We noticed your wallet holds [specific token]. You have been selected for our exclusive presale — click here to claim: [drainer link].
Your recent purchase of [NFT name] qualifies you for a bonus airdrop. Connect at [fake claim site].
We know your wallet [abbreviated address] holds approximately [estimated value]. Contact us or this information will be shared publicly.
Common variations
- Malicious token airdrop — dust is a drainer token that activates on first interaction or sale attempt
- Address poisoning overlap — dust used to insert a lookalike address into transaction history
- Coordinated deanonymisation — large-scale systematic dusting to build an identity database
How to verify before you act
There is no reliable way to verify the source or intent of dust tokens after they arrive. The safest approach is simply not to interact with any token you do not recognise, regardless of its apparent value. Use a blockchain explorer to check the sending address and the token contract for prior reports of malicious activity before taking any action.
Payment methods used
- Cryptocurrency
- Bank/wire transfer
- Gift cards
- Money transfer services
- Payment apps to 'friends & family'
Who is usually targeted
- High-value cryptocurrency holders
- DeFi power users with large on-chain footprints
- NFT collectors with identifiable public wallet addresses
- Pseudonymous public figures whose wallet addresses have been shared
What to do immediately
- Do not interact with, sell, or send any tokens you did not consciously acquire — particularly very small or zero-value amounts
- If you receive suspicious dust tokens, leave them in your wallet — do not touch them, as interaction may trigger a drainer
- Use a fresh wallet for any high-value holdings if you suspect your current address has been identified
- If targeted by extortion or spear phishing, report to your national fraud authority
- Check whether your wallet address has been publicly linked to your identity and consider whether using a new wallet is appropriate
How to prevent it
- Never interact with tokens you did not consciously acquire
- Use separate wallets for different activities to limit the on-chain footprint that can be analysed
- Avoid publicly linking your wallet address to your real identity where possible
- Use privacy tools appropriate to your threat model for high-value holdings
- Regularly check which of your addresses have been publicly associated with your identity
Evidence to preserve
- Transaction hashes for any dust deposits received
- The contract address and token details of any suspicious airdrops
- Any follow-up phishing or extortion communications
- Screenshots of any platforms where your wallet address was publicly shared
Where to report it
- Action Fraud (UK) — UK national fraud & cybercrime reporting centre
- FTC ReportFraud (US) — US Federal Trade Commission fraud reports
- FBI IC3 (US) — US Internet Crime Complaint Center
- Scamwatch (Australia) — Australian competition & consumer reporting
- Your bank's fraud line — Use the number on the back of your card or in your banking app — never a number the caller gives you
Always verify reporting routes and emergency contacts on the official government or agency website for your country.
Frequently asked questions
Will ignoring dust tokens protect me?
Not interacting with dust tokens is the right approach — you avoid triggering any malicious contract. However, it does not undo the fact that the dust has been sent and is now visible on your transaction history. Deanonymisation analysis can be done entirely off-chain by examining the public ledger, regardless of whether you move the dust.
Should I send the dust away to get rid of it?
No. Sending dust away involves an on-chain transaction that confirms you control the wallet, potentially links your addresses, and could trigger a malicious contract if the token is a drainer. Leave unknown tokens in place and ignore them.