ZachXBT Calls Out Phantom Chat Over User Losses Tied to Address Poisoning


TL;DR

  • ZachXBT questioned Phantom Chat, a feature scheduled for 2026, for operating alongside an active address-poisoning issue within the Phantom wallet.
  • The investigator cited a recent case in which a victim lost 3.5 WBTC after copying a fake address from transaction history.
  • Data from Scam Sniffer shows that address poisoning and signature phishing led losses in January, including a theft exceeding $12.2 million.

On-chain investigator ZachXBT questioned the rollout of Phantom Chat, an integrated messaging feature that the Phantom wallet plans to launch in 2026. His criticism focuses on the coexistence of this feature with an active address-poisoning problem affecting the wallet’s users.

ZachXBT said that Phantom has not fixed the scam vector that allows fake addresses to be inserted into transaction history. As an example, he cited a case from last week in which a victim lost 3.5 WBTC after copying a fraudulent address from recent transactions. The address mimicked the first characters of the original and passed a quick visual check. The investigator said that Phantom’s interface does not filter spam transactions, which keeps scam-related addresses visible to users.

Phantom Still Fails to Provide Solutions

Address poisoning is carried out through token transfers with little or no value sent to active wallets. These transfers add fake addresses to a user’s transaction history. Before acting, attackers analyze the blockchain to identify wallets with activity. The addresses used are built as vanity addresses, designed to match the beginning and end of the real address using open-source tools such as Profanity.

Bitcoin addresses contain between 26 and 35 characters, while Ethereum-style addresses reach 42 characters. Their length makes full verification difficult and encourages partial copying based on the first and last digits. Attackers tailor fake addresses to pass that visual check. MetaMask compared this method to traditional banking phishing, where a fake identity replaces the real one.
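Added example, not from the article or from any wallet's own code: a transaction-history check that flags a counterparty whose address matches a previously paid address at both ends but differs in the middle, which is the pattern described above. The `Transfer` record, the 4-character head/tail window, the dust threshold and the sample addresses are assumptions constructed for illustration, and addresses are treated as Ethereum-style hex.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Transfer:              # hypothetical record of one history entry
    counterparty: str        # address on the other side of the transfer
    amount: float            # token amount
    outgoing: bool           # True when the wallet owner sent it

def _body(addr: str) -> str:
    """Lower-case hex body without the 0x prefix (hex casing is not significant)."""
    addr = addr.lower()
    return addr[2:] if addr.startswith("0x") else addr

def is_lookalike(candidate: str, trusted: str, head: int = 4, tail: int = 4) -> bool:
    """Same length, same first/last characters, but not the same address."""
    c, t = _body(candidate), _body(trusted)
    return c != t and len(c) == len(t) and c[:head] == t[:head] and c[-tail:] == t[-tail:]

def flag_poisoning(history, dust: float = 0.0001):
    """Walk history oldest-first; return (index, suspect, impersonated) tuples.

    An address becomes trusted once the owner sends it more than `dust`.
    Any later entry that imitates a trusted address is flagged, whether it is
    the incoming dust transfer or an outgoing payment about to reuse it.
    """
    trusted, findings = set(), []
    for i, tx in enumerate(history):
        addr = _body(tx.counterparty)
        match = next((t for t in sorted(trusted) if is_lookalike(addr, t)), None)
        if match is not None:
            findings.append((i, tx.counterparty, "0x" + match))
        elif tx.outgoing and tx.amount > dust:
            trusted.add(addr)
    return findings

# Constructed sample data (not real addresses).
REAL = "0x" + "a1b2" + "3" * 32 + "c9d0"
FAKE = "0x" + "a1b2" + "7" * 32 + "c9d0"   # same first and last 4 characters
OTHER = "0x" + "5e" * 20
SAMPLE_HISTORY = [
    Transfer(REAL, 1.25, True),    # legitimate payment
    Transfer(OTHER, 0.4, False),   # unrelated incoming transfer
    Transfer(FAKE, 0.0, False),    # zero-value transfer that plants the fake
    Transfer(FAKE, 2.0, True),     # payment copied from history
]

if __name__ == "__main__":
    for idx, suspect, real in flag_poisoning(SAMPLE_HISTORY):
        print(f"entry {idx}: {suspect} imitates {real}")
```

A wallet could use the same check to hide flagged entries from recent activity or to require full-address confirmation before sending to one.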

ZachXBT Reviews the Recorded Cases

ZachXBT said that losses from this mechanism occur frequently and shared screenshots of multiple cases. He said that copying addresses from previous transactions is driven by user convenience.

Phantom tested in-wallet communication features in December through an integration with Kalshi that included a live chat. Internal messaging allows contact impersonation and the distribution of malicious links within the wallet environment.

Wallet attacks are not limited to address poisoning. In December, a Solana user lost $9,000 after interacting with a fraudulent link promoted through an Instagram advertisement. The site requested approval of an incoming transaction that activated malicious code identified as SkyDrainer, which drained the wallet. Promotion of the drainer later appeared on underground forums such as Cracked[.]sh and LolzTeam, where it was offered as a service with a 10% commission.

Data from security firm Scam Sniffer shows that scams linked to address poisoning and signature phishing recorded the largest losses in January. In one of the documented cases, a single victim lost $12.2 million after copying a malicious address
