Ethereum is currently reporting its highest daily network growth in history. This is a statistical spike that ostensibly represents a significant rebound in user activity.
Over the past week, Ethereum’s mainnet processed 2.9 million transactions, an all-time high, according to data from Token Terminal.
This activity led to a sharp increase in daily active addresses, from about 600,000 in late December to about 1.3 million.
Importantly, this throughput explosion occurred while transaction costs remained negligible. Despite record demand, average transaction fees remain in the “penny” range of $0.10 to $0.20.
For a network whose fees have historically soared between $50 and $200 during the 2021-2022 NFT boom, this meant a fundamental shift in economic access.
However, forensic analysis suggests that this increase is not entirely organic. While superficial indicators point to a return to the bull market, security researchers warn that a significant portion of this traffic is being driven by malicious actors.
These attackers are exploiting the network’s newly reduced rates to launch industrial-scale “address poisoning” campaigns, targeting users with automated scams disguised as legitimate activity.
Scaling context
To understand the sudden spike in volume, we need to look at recent structural changes to the Ethereum protocol. For many years, the network was powerful but uneconomical for most people.
Leon Weidman, head of research at the Onchain Foundation, pointed out that since entering the cryptocurrency space, Ethereum’s mainnet fees have simply been too high for the average user.
He pointed out that the network is too expensive for retailers, too expensive for frequent use, and too expensive for building consumer-scale apps.
However, things changed about a year ago as Ethereum developers systematically expanded the network while attempting to decentralize and protect its security.
This resulted in three major protocol upgrades that move the roadmap forward.
The first was the Pectra upgrade in May 2025, which increased blob capacity by increasing the target blobs per block from 3 to 6 and the maximum from 6 to 9. This effectively doubled the expected BLOB throughput.
This was followed by a “Fusaka” network upgrade in December 2025, shipping Peer Data Availability Sampling (PeerDAS). This allowed validators to validate blob availability through sampling rather than downloading the entire dataset, allowing for higher throughput while keeping node requirements reasonable.
Most recently, the Blob Parameters Only (BPO) fork in January 2026 increased the blob target from 10 to 14 and the maximum to 21. These practical updates were designed to free up significant capacity for the blockchain network.
The economics of these upgrades quickly became apparent as the network’s mainnet fees dropped significantly and simple transactions became cheap again.
Waidmann pointed out that building directly on top of Layer 1 has become viable at scale, prompting prediction markets, real-world assets, and payments to return to mainnet.
At the same time, stablecoin transfers on the network reached approximately $8 trillion in the fourth quarter.
Ethereum recording activity is not adding value
While record activity shows signs of blockchain dominance, on-chain data suggests these activities are not adding real value to the network.
Data from Alhpractal shows that the Metcalfe ratio, which compares market capitalization to the square of the number of active users, has declined. This indicates that evaluations have not kept pace with actual network deployments.
Furthermore, Ethereum’s adoption score is currently at level 1, the lowest level in its historical range. This reflects lower valuations and a cooling market relative to on-chain activity.
With this in mind, Matthias Seidl, co-founder of GrowThePie, suggested that the network’s increase in activity may not be organic.
He gave an example of a single address receiving 190,000 native ETH transfers from 190,000 unique wallets in a single day.
Seidl pointed out that while the number of wallets receiving native transfers has remained relatively stable, the number of wallets sending native transfers has increased significantly (doubling). He highlighted that many native transfers (vanilla ETH sending) only use 21,000 gas, making it the cheapest form of EVM transaction.
These now account for almost 50% of all transactions. By comparison, sending an ERC20 token costs around 65,000 gas, and one stablecoin transfer requires the same amount of gas as three native ETH transfers.
Addicted to addresses?
Meanwhile, it has been suggested that Ethereum’s recent surge in on-chain activity can be traced back to old scams that were repackaged for an era of lower fees.
Security researcher Andrey Sergeenkov noted that since December, a series of address poisoning campaigns have exploited low gas costs to inflate network metrics while seeding transaction history with similar addresses aimed at tricking users into transferring real funds to attackers.
The mechanics of these attacks are simple. Scammers generate a “poisoning” address that resembles the target’s legitimate wallet address by matching the first and last characters. After the victim completes a normal transfer, the attacker sends a small “dust” transaction to the victim, causing the spoofed address to appear in their recent history.
Perhaps the user will later copy a familiar address from the activity feed without checking the full string.
With this in mind, Sergenkov ties the proliferation of new Ethereum addresses to that playbook. He estimates that new address creation is about 2.7 times the 2025 average, peaking at about 2.7 million new addresses in the week of January 12th.
He broke down the dynamics behind the growth and concluded that around 80% is driven by stablecoin activity rather than intrinsic user demand.
To test whether this looked like poisoning, Sergenkov looked for telltale signatures, addresses that received stablecoin transfers of less than $1 as the first interaction.
By his calculations, 67% of new addresses fit that pattern. In absolute terms, we found that 3.86 million addresses out of 5.78 million addresses received “dust” as their first stablecoin transaction.
He then narrowed his search to senders, targeting accounts that transferred less than $1 in USDT and USDC between December 15, 2025 and January 18, 2026.
Sergeenkov counted unique recipients for each sender and filtered out recipients who delivered to at least 10,000 addresses. What has emerged, he said, are smart contracts designed to industrialize campaigns. These are codes that can fund and reconcile hundreds of poisoning addresses in a single transaction.
One of the contracts he reviewed included a feature labeled “fundPoisoners,” which he described as distributing small amounts of ETH for stablecoin dust and gas to large amounts of poisoning addresses at once.
These addresses then spread and send dust to millions of potential targets creating misleading entries in their wallet transaction history.
This model is scale-dependent because most recipients will never be fooled by it, but the economics will work if only a small fraction are fooled by it.
Sergeenkov puts the effective conversion rate at around 0.01%, suggesting that the business is built to tolerate extreme failure rates. In the dataset he analyzed, 116 victims collectively lost approximately $740,000, with one loss totaling $509,000.
Historically, gate elements have been costs. Address poisoning involves millions of on-chain transactions that do not directly generate revenue unless the victim accidentally transfers funds.
Sergenkov argues that Ethereum’s network fees made it difficult to justify a high-volume sending strategy until late 2025. But with transaction costs about six times lower, the risk-reward calculus suddenly shifted in the attacker’s favor.
With this in mind, Sergenkov argued that expanding Ethereum’s throughput without increasing security on the user side has created an environment where “recording” activity is indistinguishable from automated abuse.
In his view, the industry’s obsession with headline network metrics risks obscuring the dark reality that cheaper blockspace will easily subsidize mass-market scams as legitimate adoption, with retail users bearing the brunt of the losses.
(Tag to translate) Ethereum
