A dusting attack is a surveillance technique used by malicious actors to de-anonymise crypto wallet holders. It works by sending tiny amounts of cryptocurrency, called “dust,” to a large number of wallet addresses. By tracking how and when this dust moves, attackers can link wallet addresses to real-world identities or to each other, building a profile of the target’s financial activity and potentially setting up more targeted follow-on attacks.
The term “dust” in crypto refers to any amount of cryptocurrency so small that it is economically impractical to spend. On Bitcoin, for example, amounts smaller than the minimum transaction fee are considered dust: it would cost more to send them than they are worth. Attackers deliberately use dust amounts because recipients are unlikely to notice tiny additions to their balance, and because once dust is spent alongside a wallet’s other UTXOs (unspent transaction outputs), chain analysis tools can link the addresses involved.
Dusting attacks are distinct from wallet draining attacks or wallet address poisoning, which involve direct theft or transaction misdirection. A dusting attack itself does not steal funds. Instead, it is a reconnaissance and surveillance tool whose primary purpose is information gathering. However, the information gathered can be used to enable more dangerous attacks: blackmail, targeted phishing, physical threats against high-value holders, or tax investigations.
The mechanics of a dusting attack rely on how UTXO-based blockchains like Bitcoin handle funds. In a Bitcoin wallet, your balance is not a single number: it is a collection of individual UTXOs, each representing a specific receipt of Bitcoin. When you spend Bitcoin, your wallet software combines multiple UTXOs together to cover the transaction amount, then sends the change back to you. This combining process, called “coin selection,” inadvertently links all the UTXOs in the same transaction: an observer can see that the same entity controls all the addresses from which UTXOs were drawn.
An attacker who sends you a dust amount creates a new UTXO associated with your address. If your wallet subsequently uses that UTXO in a transaction, your wallet software combines it with other UTXOs from your wallet to create the transaction. The attacker, monitoring the blockchain, can see that all the addresses involved in that transaction belong to the same entity. If any of those addresses has been used in a way that links it to an identity, such as a KYC-verified exchange withdrawal or a publicly associated address, the attacker can connect your other addresses to that identity.
On account-based blockchains like Ethereum, the dust mechanism is different but the principle is similar. Sending tiny amounts of ETH or tokens to a wallet can reveal address activity patterns. In some cases, specific dust tokens sent to wallets are crafted to interact with malicious smart contracts when the recipient attempts to swap or interact with them, functioning as a hybrid between a dust attack and a token drainer. This is why unknown tokens appearing in your wallet should never be interacted with without thorough research.
Dusting attacks are carried out by actors with different motivations, from criminal enterprises to law enforcement agencies and blockchain analytics companies.
Criminal dusting attacks aim to identify high-value wallet holders for targeted theft, extortion, or physical threats. If analysis reveals that a specific wallet address controls a large amount of Bitcoin, and that address can be linked to an identity, the holder becomes a potential target for blackmail or physical confrontation. This is one reason why operational security, separating different pools of assets across different addresses, is considered important for large holders.
Some blockchain analytics companies use dusting-like techniques as part of their tracing methodology. These companies are often contracted by exchanges, regulators, and law enforcement to trace funds across the blockchain. Their goal is not theft but de-anonymisation in the context of legal investigations, anti-money laundering compliance, or fraud recovery. The use of dust by these firms occupies a legally grey area in many jurisdictions.
Some security researchers use controlled dusting experiments to study how privacy leaks occur on public blockchains. This research contributes to the development of better privacy tools and wallet software that avoids inadvertently mixing dust into legitimate transactions.
The direct risk of a dusting attack is limited: no funds are stolen in the attack itself, and the dust amount sent to your wallet does not give the attacker any direct ability to control or drain your wallet. However, the indirect risks are more meaningful than many people appreciate.
The primary risk is de-anonymisation. If you hold significant amounts of crypto and care about the privacy of your holdings, a successful dusting attack can link your pseudonymous blockchain address to your real identity. This can expose you to tax scrutiny if you have not accurately reported your holdings, to targeted phishing attacks using your personal information, or in extreme cases to physical security risks if your holdings are large and your identity is compromised.
The secondary risk is the potential for the dust tokens themselves to be malicious. On Ethereum and other smart contract chains, some dust tokens are specifically designed to drain funds when interacted with. An unknown token appearing in your wallet may look like a windfall, but attempting to swap it or interact with it through a DEX may trigger a malicious contract interaction. This is why the rule of never interacting with tokens you did not intentionally acquire is important.
A third risk applies specifically to users in jurisdictions with aggressive crypto taxation. Blockchain analysis tools used by tax authorities rely on techniques similar to dusting attacks to trace unreported crypto income. If you have been using multiple wallets to manage privacy, inadvertent dust mixing can link those wallets and create a more complete picture than you intended to share with any regulatory authority.
Several practical measures reduce your exposure to dusting attacks and the risks they create.
The simplest protection is to leave dust UTXOs unspent. If you never include the tiny dust amount in a real transaction, the attacker gains no linking information from it. Many Bitcoin wallets allow you to “freeze” or mark specific UTXOs as do-not-spend, preventing them from being included in future transactions. Using this feature for any unrecognised small deposits is recommended.
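The sketch below is an added example, not code from any wallet: it models the coin-selection linkage described earlier and the effect of freezing dust described here. The addresses, amounts, the 1,000-sat cut-off and the smallest-first selection rule are all constructed assumptions; real wallets use other selection strategies.

```python
from dataclasses import dataclass, replace

DUST_LIMIT_SATS = 1_000  # assumed cut-off for this example, not a protocol constant

@dataclass(frozen=True)
class Utxo:
    address: str
    sats: int
    frozen: bool = False

def select_coins(utxos, target_sats):
    """Simplified smallest-first selection; frozen UTXOs are never spent."""
    chosen, total = [], 0
    for u in sorted((u for u in utxos if not u.frozen), key=lambda u: u.sats):
        if total >= target_sats:
            break
        chosen.append(u)
        total += u.sats
    if total < target_sats:
        raise ValueError("not enough spendable funds")
    return chosen

def freeze_dust(utxos, limit=DUST_LIMIT_SATS):
    """Mark every UTXO below the limit as do-not-spend."""
    return [replace(u, frozen=True) if u.sats < limit else u for u in utxos]

def clusters(transactions):
    """Common-input view: addresses co-spent in one transaction are merged."""
    groups = []
    for inputs in transactions:
        merged = {u.address for u in inputs}
        rest = []
        for g in groups:
            if g & merged:
                merged |= g
            else:
                rest.append(g)
        groups = rest + [merged]
    return groups

# Constructed wallet: one KYC-linked address and one private address that was dusted.
WALLET = [
    Utxo("addr_kyc_withdrawal", 30_000),
    Utxo("addr_private", 60_000),
    Utxo("addr_private", 546),  # unsolicited dust deposit
]

def observer_view(utxos, payment_sats):
    """Address clusters visible on-chain after a single payment."""
    return clusters([select_coins(utxos, payment_sats)])
```

With the dust spendable, a 25,000-sat payment co-spends the dust with the KYC-linked coin and exposes `addr_private`; with the dust frozen, the same payment reveals only `addr_kyc_withdrawal`.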
Tools like CoinJoin for Bitcoin or privacy-focused wallets can disrupt the chain analysis that dusting attacks rely on. By mixing your UTXOs with those of other users in a way that breaks the traceability, you make it much harder for an attacker to build a complete picture of your wallet relationships. The specifics of how these tools work are covered in the crypto wallet security guide.
On Ethereum and other smart contract chains, any unknown token appearing in your wallet should be treated as potentially malicious until proven otherwise. Do not attempt to swap, send, or interact with it. Check the token contract address on Etherscan and research it before doing anything. If it has no legitimate project behind it or shows up alongside known malicious contracts, ignore it entirely.
Maintaining separate wallets for different purposes, with no cross-contamination, reduces the linking potential that dust attacks exploit. Your long-term holdings wallet should be separate from your trading wallet, your DeFi interaction wallet, and any publicly associated wallet addresses. The secure long-term crypto storage guide covers how to build this kind of compartmentalised security architecture.
If you notice a small, unexpected deposit of an unfamiliar token or an unusually tiny amount of a known cryptocurrency, the appropriate response is to leave it untouched and investigate without interacting.
Check the transaction on the relevant block explorer. If the same address sent the same tiny amount to thousands of different wallets, it is almost certainly a dusting campaign. Check whether the sending address is flagged by blockchain analysis tools as associated with known scam or surveillance activity.
For Bitcoin dust, mark the UTXO as frozen in your wallet software if that option is available. For Ethereum tokens, simply do not add the token to your watchlist or attempt to interact with it. Check whether the token contract is associated with any known phishing attacks or wallet draining schemes.
Document the event. While individual dusting attacks are rarely actionable in isolation, maintaining a record contributes to the broader ecosystem of information used by blockchain security researchers and platforms that track and flag malicious addresses.
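The response steps above can be partly automated. The following is an added example, not a tool referenced by this article: it scans a constructed block-explorer export for one sender fanning out the same sub-limit amount to many recipients, and emits a record of which of your UTXOs to leave unspent. All addresses, transaction ids and thresholds are assumptions.

```python
from collections import defaultdict

DUST_LIMIT_SATS = 1_000  # assumed cut-off, not a protocol constant
MIN_RECIPIENTS = 3       # kept low so the constructed sample triggers

# Constructed explorer export: (txid, sender, recipient, sats)
TRANSFERS = [
    ("tx01", "addr_sender_x", "addr_mine_1", 546),
    ("tx02", "addr_sender_x", "addr_other_a", 546),
    ("tx03", "addr_sender_x", "addr_other_b", 546),
    ("tx04", "addr_sender_x", "addr_mine_2", 546),
    ("tx05", "addr_friend", "addr_mine_1", 700),        # small, but a one-off
    ("tx06", "addr_exchange", "addr_mine_1", 250_000),  # ordinary deposit
]

def find_dust_campaigns(transfers, my_addresses,
                        limit=DUST_LIMIT_SATS, min_recipients=MIN_RECIPIENTS):
    """Group sub-limit transfers by (sender, amount) and report fan-outs
    that reached at least one of our own addresses."""
    fanout = defaultdict(list)
    for txid, sender, recipient, sats in transfers:
        if sats < limit:
            fanout[(sender, sats)].append((txid, recipient))
    reports = []
    for (sender, sats), hits in sorted(fanout.items()):
        recipients = {r for _, r in hits}
        mine = sorted((t, r) for t, r in hits if r in my_addresses)
        if len(recipients) >= min_recipients and mine:
            reports.append({
                "sender": sender,
                "sats": sats,
                "distinct_recipients": len(recipients),
                "utxos_to_freeze": mine,  # leave unspent and keep for your records
            })
    return reports
```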
Dusting attacks are part of a broader ecosystem of blockchain-based surveillance and exploitation techniques. Understanding them alongside wallet draining, phishing attacks and protection, wallet address poisoning, and general crypto security best practices gives you a complete picture of the threat landscape.
Crypto’s pseudonymity is a feature, not a guarantee of anonymity. Public blockchains are fully transparent by design. The privacy you maintain depends entirely on how you use your wallets, what information you associate with your addresses, and whether you adopt practices that resist the analysis techniques attackers and investigators use. Building those practices now, while your holdings are still yours to protect, is far better than learning this lesson after a successful de-anonymisation campaign.
WRITTEN & REVIEWED BY Chris Shepley
UPDATED: MAY 2026