Ethereum L1 Activity Outpaces Layer‑2s, but “Address‑Poisoning” Scams Cast Doubt on the Numbers
By [Your Name] – January 28 2026
Ethereum’s mainnet is reporting record‑high activity levels that have temporarily eclipsed the usage metrics of its popular Layer‑2 (L2) rollups. At the same time, on‑chain researchers and analysts warn that a large portion of the surge is being driven by automated “dust” attacks – often dubbed “address‑poisoning” campaigns – rather than genuine user demand.
The headline numbers
- Daily active addresses: 1.2 million on Jan 16, more than double the previous peak of 589 k set in July 2025.
- Daily transaction count: Roughly 2.8 million transactions on the same day, the highest ever recorded for the Ethereum base layer.
- Current levels: The network continues to process about 2.5 million transactions per day.
These figures were highlighted by data providers Token Terminal and BitInfoCharts and have been cited in social‑media posts that claim Ethereum’s L1 now “outranks all leading L2s” in terms of active addresses.
What the raw data may be hiding
Andrey Sergeenkov, an independent on‑chain researcher, published a detailed analysis that suggests the spike is inflated by a wave of low‑value stablecoin transfers. His key observations:
| Metric | Findings |
|---|---|
| Dust transactions | Automated contracts have been sending sub‑$1 stablecoin amounts (often just a few wei) to millions of distinct addresses. |
| First‑transaction pattern | Approximately 67 % of newly observed addresses received such a dust transfer as their inaugural stablecoin receipt – 3.86 million out of 5.78 million addresses. |
| Economic impact | The cumulative value of the dust payloads exceeds $740 k, and the technique is used to lure victims into sending larger sums to look‑alike scam addresses. |
Sergeenkov attributes the feasibility of these campaigns to the Fusaka upgrade (deployed in December 2025), which raised the block gas limit and lowered the marginal cost of sending very small transactions. While Ethereum’s roadmap for Fusaka emphasized that it would not directly reduce base‑layer fees, post‑upgrade fee data from BitInfoCharts shows a modest decline—from around $0.50 per transaction in late November to roughly $0.20 after the upgrade went live.
Citi’s latest blockchain risk report echoed these concerns, describing the recent activity as resembling coordinated “address‑poisoning” scams.
Community response
The findings have sparked debate within the Ethereum ecosystem:
-
Critics of the dust‑attack narrative argue that security is inevitably a trade‑off with usability. A handful of developers on X (formerly Twitter) described Sergeenkov’s view of Fusaka as “a crazy take” and suggested that network upgrades inevitably expose users to new attack vectors.
-
Researchers defending the warning point out that the scale of the dust campaigns is unprecedented and that the upgrade’s fee‑reduction side effects were not merely speculative. Sergeenkov contended that the developers “knew the effect their upgrade would cause and chose to sacrifice security for headline‑grabbing metrics.”
-
Security practitioners such as Gonçalo Magalhães, head of security at Immunefi, note that while upgrades improve user experience by reducing friction, they also make it easier for users to inadvertently sign malicious transactions. He highlighted the potential of human‑readable naming systems like ENS to mitigate look‑alike address attacks.
- Calls for infrastructure fixes stress that wallet‑level UI improvements and user education are insufficient “band‑aids.” Sergeenkov argues that the Ethereum protocol must address fundamental design issues – from dust‑attack prevention to better MEV (miner‑extracted value) safeguards – before scaling to billions of users, a goal outlined by the Ethereum Foundation’s recent “Trillion‑Dollar Security” initiative.
The Defiant reached out to the Ethereum Foundation for comment; a response had not been received at press time.
Analysis
-
Inflated activity metrics: The surge in daily active addresses is heavily skewed by automated dust transactions that inflate address counts without representing meaningful economic activity. This raises questions about the reliability of L1 usage statistics as a proxy for network health.
-
Fusaka’s unintended side effects: By making single‑byte transactions cheaper, Fusaka inadvertently lowered the barrier for spam campaigns. While the upgrade succeeded in providing more blob space for rollup data—a key goal for L2 scalability—the modest fee decline also created a fertile environment for address‑poisoning attacks.
-
Security‑vs‑usability trade‑offs: The debate reflects a broader tension in blockchain development. Enhancements that improve UX (lower fees, faster confirmation) can simultaneously expand the attack surface. Striking the right balance will be critical as Ethereum pursues its roadmap toward “billions of users.”
-
Potential mitigations:
- Protocol‑level changes: Introducing minimum‑dust thresholds or anti‑spam gas‑price mechanisms could curb mass‑dust campaigns.
- Naming services: Wider adoption of ENS or similar human‑readable identifiers makes it harder for attackers to rely on look‑alike address tricks.
- Wallet UX: More explicit warnings when interacting with unknown or newly created addresses, combined with flow‑designs that prevent accidental approvals, could reduce victimization rates.
- Impact on L2 perception: If the L1 activity numbers are heavily distorted, the comparative advantage of L2 solutions—lower fees, higher throughput, and arguably cleaner on‑chain metrics—may become more pronounced. Investors and developers might reassess where genuine utility is emerging.
Key Takeaways
- Record L1 metrics: Ethereum’s mainnet hit 1.2 M daily active addresses and ~2.8 M transactions, temporarily surpassing leading L2s.
- Dust attacks dominate: Over two‑thirds of newly observed addresses received sub‑$1 stablecoin dust, a pattern linked to automated “address‑poisoning” contracts.
- Fusaka upgrade role: The December 2025 upgrade lowered the cost of spam‑type transactions, inadvertently enabling large‑scale dust campaigns while delivering modest fee reductions.
- Security concerns surfacing: Analysts at Citi and independent researchers argue that the activity spike masks a rise in social‑engineering scams, urging the community to prioritize protocol‑level defenses.
- Community split: Some view the issue as an unavoidable trade‑off; others see it as reckless experimentation that should be addressed before Ethereum scales further.
- Mitigation path: Proposed solutions include protocol tweaks to limit dust, broader use of ENS, and more robust wallet safeguards—though consensus on implementation remains unsettled.
As Ethereum continues to evolve, distinguishing genuine user adoption from artificially inflated metrics will be essential for accurately gauging the network’s trajectory and for shaping the next wave of security‑centric upgrades.
Source: https://thedefiant.io/news/blockchains/ethereum-mainnet-ath-activity-address-poisoning-scam
