Dusting attack is a tracking and deanonymization technique where an attacker sends tiny ("dust") amounts of crypto to many addresses they want to monitor. The attacker then tracks subsequent activity from those addresses — particularly any transaction that combines the dust with other inputs — and uses the linkages to map an address graph back to a single owner or real-world identity.
The mechanism on Bitcoin
Bitcoin's UTXO model exposes the inputs of a transaction. When a wallet combines multiple UTXOs (including the dusted UTXO) into a single transaction, the chain-analytics tools (Chainalysis, Elliptic, TRM Labs) infer that all combined inputs likely belong to the same wallet owner. The attacker watches for these "consolidation" events and uses them to expand their map of the target's address set.
The dust amount is typically small enough — $0.10 to $5 in BTC — that the recipient does not notice. The attack is patient: dust is sent today, the deanonymization payoff happens months or years later when the target uses the address for something the attacker cares about (a high-value purchase, a privacy-sensitive transaction, an exchange withdrawal).
Dusting on Ethereum and other chains
Account-based chains (Ethereum, BSC, Polygon) have a different threat model: addresses don't combine UTXOs, so the consolidation-tracking version of dusting doesn't apply. But the same general technique appears as "scam token dusting": the attacker sends an ERC-20 token to a target address. The token is a worthless scam, but the act of the transfer reveals that the receiving address exists and is being monitored.
A variant: the scam token's contract has a malicious "approve" or "transfer" function that, if interacted with via a wallet that has stale approvals, attempts to drain assets. The defense is simple: do not interact with unknown tokens that appear in your wallet. Block them in the wallet UI; do not try to "sell" them.
Who runs dusting attacks
Three categories of actor:
Law enforcement and tax authorities. The IRS criminal division uses dusting (alongside subpoenaed CEX records) to identify the real-world owners of suspect addresses. This is legal, intentional, and a known IRS investigative technique.
Chain-analytics firms (Chainalysis, Elliptic, TRM Labs). Operating commercially under contracts with exchanges, banks, and government agencies. They use a combination of dust-sourced data, exchange-disclosed data, and pattern matching to maintain ongoing address-graph databases.
Criminal actors. Russian and North Korean groups use dusting to track potential targets — high-balance wallets, exchange hot wallets, holders of specific asset classes — and to surveil rival groups. Targeted dust sometimes precedes phishing or extortion attempts at the same address.
What defends against dusting
Two operational habits work for most US-resident holders:
Mark dust UTXOs as "do not spend" in your wallet. Most modern Bitcoin wallets (Sparrow, Electrum, Wasabi) support this. The dust stays at the address forever, never combined with other inputs, and the attacker's tracking goal is defeated.
For high-privacy needs, use coin-control features. When constructing a transaction, manually select which UTXOs to spend; never let the wallet "automatically" combine inputs. Sparrow Wallet's coin-control UI is the cleanest implementation; Electrum and Wasabi are similar.
For the vast majority of US holders, dusting is more of a privacy nuisance than a financial threat. The funds at risk from a dust attack are small; the deanonymization risk depends on how much you wanted to hide in the first place. Adjust your defenses to your actual threat model.