Ethereum, the smart contract blockchain, now handles more daily activity than its cheaper sidechains, called Layer-2 networks. But this comeback has a downside: not all Ethereum activity appears to reflect genuine user demand.
The number of daily active addresses on Ethereum rose toward the 1 million mark earlier this month, briefly peaking at 1.3 million on Jan. 16 before settling near 950,000, according to data source Token Terminal.
That puts Ethereum ahead of popular scaling networks like Arbitrum, Base, and OP Mainnet, reversing much of the narrative that users had permanently migrated out of L1.
Active addresses are the unique blockchain wallets that perform transactions, such as sending, receiving cryptocurrencies, or interacting with smart contracts, in a given period of time, say daily. Analysts track the metric to study actual network usage beyond the token price hype.
Layer 2 scaling networks are like secondary roads or express lanes built on top of the main blockchain highway, Ethereum. These sidechains handle tons of transaction traffic quickly and cheaply off the main chain, and then communicate the final count back to the main chain for security purposes.
The rebound in Ethereum activity follows December’s Fusaka upgrade, which slashed transaction fees and made it cheaper to transact directly on Ethereum again. Lower costs have helped revive on-chain activity, particularly for stablecoins, which remain the dominant use case for daily transfers.
At first glance, the numbers suggest a “return to the mains” moment. But analysts warn that raw address counts can be misleading, especially when rates drop enough to make spam economical.
Address poisoning clouds the picture
Imagine unwanted calls flooding your phone. Your call log seems busy, but most of it is junk chat, not real chat. Something similar has been happening on Ethereum, as a significant portion of January’s address growth is tied to poisoning attacks rather than organic adoption.
Security researcher Andrey Sergeenkov said in a post earlier this week that the spike aligns closely with an increase in dust activity, where attackers send small transfers of stablecoins to millions of wallets.
Addressing poisoning works by exploiting human behavior. Attackers generate wallet addresses that closely resemble the victim’s real address, often matching the first and last characters.
They then send small “powder” transfers, typically less than $1, so that the fake address appears in the victim’s transaction history. When the victim then copies an address from that history instead of a trusted source, the funds are mistakenly sent to the attacker.
Sergeenkov’s analysis found that the number of new Ethereum addresses jumped to about 2.7 million during the peak week of January 12, about 170% above normal levels. About two-thirds of those addresses received dust as their first stablecoin transaction, a strong sign of poisoning activity rather than actual onboarding.
The attack has already resulted in confirmed losses of more than $740,000, with the majority of the stolen funds coming from a small number of victims. Lower fees after Fusaka appear to have made these campaigns viable, allowing attackers to conduct transactions at scale with limited upfront cost.
The bottom line is not that Ethereum usage is fake, but rather that the headline metrics need context.
Lower fees have clearly brought activity back to the mainnet, especially for stablecoins. At the same time, cheap transactions also allow for abuse, inflating the number of addresses and transaction volumes.
