Crypto Research

What Is a Dusting Attack?

A dusting attack sends tiny amounts of cryptocurrency to many wallet addresses — not to steal funds, but to map them. Here's how the UTXO consolidation mechanism enables surveillance, and what wallets are doing about it.
Lewis Jackson
CEO and Founder

Most crypto threats are about stealing funds directly. Dusting attacks are different. They're a surveillance technique — quiet, patient, and designed to map out who controls what on a public blockchain.

Understanding them requires a short detour into how blockchain transactions actually work.

Why Small Amounts Matter

A dusting attack starts with an attacker sending tiny amounts of cryptocurrency — fractions of a cent, sometimes less — to a large number of wallet addresses. These micro-amounts are called dust: too small to be worth spending on their own, too small to be meaningfully stolen.

The attacker isn't after the money. They're after information.

Here's the mechanism. In Bitcoin and similar UTXO-based blockchains, a wallet doesn't hold a single running balance the way a bank account does. It holds a collection of unspent transaction outputs — individual chunks of value from previous transactions. When you spend bitcoin, your wallet selects one or more of these chunks as inputs, combines them if needed to cover the amount, and sends the output.

If someone sends you dust, that dust becomes a new, tiny UTXO in your wallet. Most of the time you'd never notice it. But the next time your wallet creates a transaction, it might automatically sweep that dust input together with your other UTXOs to cover the transaction amount. When it does, the blockchain records that these inputs — including the dust — all moved together. They're now visibly linked in a single transaction.

An attacker watching the chain sees that linkage. If the same dust was sent to ten different addresses, and all ten later appeared as inputs in the same transaction, that's strong evidence they're controlled by the same person or entity.

This is address clustering. Chain analysis firms use it routinely. Dusting is one tool in that toolbox.

What the Attack Actually Accomplishes

On its own, knowing that several addresses belong to the same wallet isn't catastrophic. But combined with other data — a KYC exchange deposit, a public address you've shared, an on-chain label — it can deanonymize you.

The scenario that matters: you've been careful about separating your bitcoin activity. You use different addresses for different purposes. An attacker (or a surveillance firm) dusts all of them. You later move funds, and your wallet consolidates everything into one transaction. The careful separation you maintained collapses into a single visible cluster.

From that point, anyone who knows one of your addresses now has a map to all the others. If one of them is connected to a known identity, they now have a connection to your full holding picture.

Worth being clear about: Bitcoin isn't anonymous. It's pseudonymous — activity is visible on the blockchain, but addresses aren't inherently tied to names. Dusting attacks are most useful when combined with off-chain data that bridges that gap. The blockchain is the map; other data sources provide the names.

Is Ethereum Different?

Ethereum uses an account model rather than UTXO-based accounting. Your ETH balance is stored in a single account, not spread across individual unspent outputs. Sending a tiny ETH amount to an Ethereum address doesn't create the same UTXO consolidation risk.

That said, token transfers on Ethereum still create visible on-chain activity. An attacker can send ERC-20 tokens to an address to trigger a wallet interaction or observe activity patterns, and use that as a fingerprint. The mechanism is different, but the surveillance goal is similar.

The UTXO-based chains — Bitcoin, Litecoin, Bitcoin Cash — are more directly vulnerable to the classic dusting technique because of how their transaction inputs work.

How Wallets Are Responding

The dust problem isn't new, and wallet developers have built responses into their software.

Dust thresholds: Many wallets now treat incoming amounts below a certain threshold as suspicious and quarantine them rather than automatically including them in transactions. Some flag them explicitly in the interface.

Coin control: More advanced wallets — Sparrow, Wasabi, Electrum in expert mode — let you manually choose which UTXOs to include in a transaction. This is called coin control. If you can see the dust input and explicitly exclude it, the linkage never gets created. The dust is defused before it can be swept.

CoinJoin: Privacy tools like Wasabi's built-in CoinJoin mix UTXOs with other users' inputs in a single transaction, obscuring the one-to-one address mapping attackers are looking for. This doesn't specifically neutralize dust, but makes address clustering much harder in general.

Admittedly, these tools require users to care about this enough to learn and use them. For most people with small holdings and no particular need to obscure their activity, dusting is a low-priority concern. For anyone holding significant funds, maintaining financial privacy, or operating in a context where surveillance matters, the calculus is different.

What Would Confirm or Invalidate This Pattern

Signals that this technique remains effective: Chain analysis firms continue to use address clustering as a core tool in blockchain investigations. Court cases that cite on-chain transaction analysis as evidence suggest the technique yields actionable intelligence — and that legal demand for it continues.

What would reduce its effectiveness: If all major wallets implemented automatic dust quarantine and coin control by default, the consolidation event that makes dusting useful would rarely occur. A future where CoinJoin-style mixing is standard in wallet software would make clustering significantly harder. Taproot adoption on Bitcoin improves script-level privacy but doesn't directly address UTXO consolidation.

Neither condition fully holds today.

Timing

Now: If you're using a basic wallet without coin control, incoming dust could get swept into future transactions without any indication. Most users aren't at meaningful risk from individual attackers — but chain analysis firms operate at scale and aren't targeting individuals specifically.

Next: Wallet UX is improving. More software is building dust detection into standard interfaces rather than requiring manual configuration. This will reduce passive exposure over time.

Later: Network-level privacy improvements — potential covenant mechanisms, broader Taproot adoption, possible protocol-level changes — are longer-horizon and involve open design questions. Timelines here are genuinely uncertain.

The Boundary

This is a description of how dusting attacks work, what they target, and what mitigates them. It doesn't constitute security advice for any specific situation, and it doesn't cover the full range of on-chain privacy tools available.

The core point: dusting attacks aren't about stealing your crypto. They're about mapping it. And on a public blockchain, that map is visible to everyone with the patience to read it.

Related Posts

See All
Crypto Research
New XRP-Focused Research Defining the “Velocity Threshold” for Global Settlement and Liquidity
A lot of people looking at my recent research have asked the same question: “Surely Ripple already understands all of this. So what does that mean for XRP?” That question is completely valid — and it turns out it’s the right question to ask. This research breaks down why XRP is unlikely to be the internal settlement asset of CBDC shared ledgers or unified bank platforms, and why that doesn’t mean XRP is irrelevant. Instead, it explains where XRP realistically fits in the system banks are actually building: at the seams, where different rulebooks, platforms, and networks still need to connect. Using liquidity math, system design, and real-world settlement mechanics, this piece explains: why most value settles inside venues, not through bridges why XRP’s role is narrower but more precise than most narratives suggest how velocity (refresh interval) determines whether XRP creates scarcity or just throughput and why Ripple’s strategy makes more sense once you stop assuming XRP must be “the core of everything” This isn’t a bullish or bearish take — it’s a structural one. If you want to understand XRP beyond hype and price targets, this is the question you need to grapple with.
Read Now
Crypto Research
The Jackson Liquidity Framework - Announcement
Lewis Jackson Ventures announces the release of the Jackson Liquidity Framework — the first quantitative, regulator-aligned model for liquidity sizing in AMM-based settlement systems, CBDC corridors, and tokenised financial infrastructures. Developed using advanced stochastic simulations and grounded in Basel III and PFMI principles, the framework provides a missing methodology for determining how much liquidity prefunded AMM pools actually require under real-world flow conditions.
Read Now
Crypto Research
Banks, Stablecoins, and Tokenized Assets
In Episode 011 of The Macro, crypto analyst Lewis Jackson unpacks a pivotal week in global finance — one marked by record growth in tokenized assets, expanding stablecoin adoption across emerging markets, and major institutions deepening their blockchain commitments. This research brief summarises Jackson’s key findings, from tokenized deposits to institutional RWA chains and AI-driven compliance, and explains how these developments signal a maturing, multi-rail settlement architecture spanning Ethereum, XRPL, stablecoin networks, and new interoperability layers.Taken together, this episode marks a structural shift toward programmable finance, instant settlement, and tokenized real-world assets at global scale.
Read Now

Related Posts

See All
No items found.
Lewsletter

Weekly notes on what I’m seeing

A personal letter I send straight to your inbox —reflections on crypto, wealth, time and life.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.