Ethereum is currently reporting the highest daily network growth in its history, a statistical surge that ostensibly signals a massive return of user activity.
Over the past week, the Ethereum mainnet processed 2.9 million transactions, a new all-time high according to Token Terminal data.
This activity was accompanied by a sharp jump in daily active addresses, which rose to approximately 1.3 million from roughly 0.6 million in late December.
Critically, this explosion in throughput has occurred while transaction costs have remained negligible. Average transaction fees have stayed in the “pennies” range of $0.10 to $0.20 despite the record demand.
For a network that historically saw fees spike between $50 and $200 during the 2021-2022 NFT boom, this represented a fundamental shift in economic accessibility.
However, forensic analysis suggests this growth is not entirely organic. While surface metrics indicate a bull-market revival, security researchers warn that a significant portion of this traffic is driven by malicious actors.
These attackers are exploiting the network’s newly lowered fees to launch industrial-scale “address poisoning” campaigns, targeting users with automated scams disguised as legitimate activity.
The scaling context
To understand the sudden spike in volume, one must look at the recent structural changes to the Ethereum protocol. For years, the network was powerful but economically unusable for most people.
Leon Waidmann, head of research at the Onchain Foundation, pointed out that since he entered crypto, Ethereum mainnet fees were simply too high for the average user.
He noted the network was too expensive for retail, too expensive for frequent usage, and too expensive to build consumer-scale apps.
However, that changed about one year ago when Ethereum developers methodically scaled the network while attempting to protect decentralization and security.
This led to three major protocol upgrades that advanced the roadmap.
The first was the May 2025 “Pectra” upgrade, which increased blob capacity by raising the target blobs per block from 3 to 6 and the max from 6 to 9. This effectively doubled expected blob throughput.
Then, the network’s “Fusaka” upgrade followed in December 2025, shipping Peer Data Availability Sampling (PeerDAS). This allowed validators to verify blob availability via sampling rather than downloading the entire dataset, enabling higher throughput while keeping node requirements reasonable.
Most recently, the Blob Parameter-Only (BPO) fork in January 2026 raised the blob target from 10 to 14 and the max to 21. These pragmatic updates were designed to unlock significant capacity for the blockchain network.
The economic effects of these upgrades became apparent quickly as the network’s mainnet fees dropped sharply, and simple transactions became cheap again.
Waidmann pointed out that building directly on Layer 1 became viable at scale, prompting prediction markets, real-world assets, and payments to move back to the mainnet.
At the same time, stablecoin transfers on the network reached approximately $8 trillion in the fourth quarter.
Ethereum’s record activity is not adding value
While the record activity shows signs of a blockchain in the ascendancy, on-chain data suggest that these activities have not added real value to the network.
Data from Alhpractal shows that the Metcalfe Ratio, which compares market capitalization to the square of the number of active users, is declining. This indicates that valuation is not keeping pace with real network adoption.
Additionally, Ethereum’s Adoption Score is currently at level 1, the lowest tier in its historical range. This reflects a cold market, with valuation relative to on-chain activity low.
Considering this, Matthias Seidl, the co-founder of GrowThePie, suggested that the network’s activity increase might not be organic.
He cited the example of a single address receiving 190,000 native ETH transfers from 190,000 unique wallets in a single day.
Seidl noted the number of wallets receiving native transfers is relatively stable, but the number of wallets sending native transfers increased a lot (2x). He highlighted that many native transfers (sending vanilla ETH) use only 21,000 gas, the cheapest form of EVM transaction.
These are currently accounting for almost 50% of all transactions. In comparison, sending an ERC20 token costs roughly 65,000 gas, and one stablecoin transfer needs as much gas as three native ETH transfers.
Address poisoning?
Meanwhile, Ethereum’s latest burst of on-chain activity is being traced to an old scam, repackaged for a cheaper-fee era.
Security researcher Andrey Sergeenkov noted that a wave of address-poisoning campaigns has been exploiting low gas costs since December, inflating network metrics while seeding transaction histories with lookalike addresses designed to trick users into sending real funds to attackers.
The mechanics of these attacks are simple: scammers generate “poisoning” addresses that resemble a target’s legitimate wallet address by matching the first and last characters. After a victim completes a normal transfer, the attacker sends a small “dust” transaction to the victim so the spoofed address appears in their recent history.
The bet is that, at some later point, the user will copy the familiar-looking address from their activity feed without verifying the full string.
Considering this, Sergeenkov ties the surge in new Ethereum addresses to that playbook. He estimates new address creation ran about 2.7 times the 2025 average, with the week of Jan. 12 peaking at roughly 2.7 million new addresses.
When he decomposed the flows behind the growth, he concluded that roughly 80% was driven by stablecoin activity rather than organic user demand.
To test whether this looked like poisoning, Sergeenkov looked for a telltale signature: addresses that received a sub-$1 stablecoin transfer as their first interaction.
By his count, 67% of the new addresses fit that pattern. In absolute terms, he found 3.86 million out of 5.78 million addresses received “dust” as their first stablecoin transaction.
He then narrowed the search to the senders: accounts moving less than $1 of USDT and USDC between Dec. 15, 2025, and Jan. 18, 2026.
Sergeenkov counted unique recipients for each sender and filtered for those distributing to at least 10,000 addresses. What surfaced, he says, were smart contracts designed to industrialize the campaign. These are codes that can bankroll and coordinate hundreds of poisoning addresses in a single transaction.
One contract he reviewed included a function labeled `fundPoisoners`, which, in his description, disperses stablecoin dust and a small amount of ETH for gas to a large batch of poisoning addresses at once.
Those addresses then fan out, sending dust to millions of potential targets to manufacture misleading entries in wallet transaction histories.
The model relies on scale as most recipients will never fall for it, but the economics work if a tiny fraction do.
Sergeenkov pegs the effective conversion rate at around 0.01%, implying the business is built to tolerate extreme failure rates. In the dataset he analyzed, 116 victims collectively lost about $740,000, with one loss accounting for $509,000 of that total.
The gating factor has historically been cost. Address poisoning demands millions of on-chain transactions that do not directly generate revenue unless a victim mis-sends funds.
Sergeenkov argues that, until late 2025, Ethereum network fees made the mass-send strategy harder to justify. However, with transaction costs roughly six-fold lower, the risk-reward calculus shifted sharply in favor of the attacker.
Considering this, Sergeenkov argued that scaling Ethereum throughput without hardening its user-facing safety has created an environment where “record” activity can be indistinguishable from automated abuse.
In his view, the industry’s obsession with headline network metrics risks masking a darker reality in which cheaper blockspace can easily subsidize mass-targeted scams as legitimate adoption, leaving retail users to bear the loss.
