Ethereum, the smart contract blockchain, now handles more daily activity than its cheaper sidechains, called Layer -2 networks. But this comeback has a catch – not all of that Ethereum activity appears to reflect genuine user demand.
The number of daily active addresses on Ethereum climbed toward the 1 million mark earlier this month, briefly peaking above 1.3 million on January 16 before falling closer to 950,000, according to data source Token Terminal.
It puts Ethereum ahead of popular scaling networks like Arbitrum, Base and OP Mainnet, reversing much of the narrative that users had permanently migrated from L1.
Active addresses are the unique blockchain wallets that conduct transactions, such as sending, receiving cryptocurrencies or interacting with smart contracts, in a given period of time, let’s say daily. Analysts track the metrics to study real network usage beyond the token price hype.
Layer 2 scaling networks are like side roads or express lanes built on top of the main blockchain highway, Ethereum. These sidechains handle tons of transaction traffic quickly and cheaply from the main chain and then communicate the final tally back to the main chain for security.
The uptick in Ethereum activity follows December’s Fusaka upgrade, which sharply reduced transaction fees and made it cheaper to trade directly on Ethereum again. Lower costs have helped revive activity on the chain, especially for stablecoins, which remain the dominant use of day-to-day transfers.
At face value, the numbers suggest a “return to mainnet” moment. But analysts warn that the number of raw addresses can be misleading, especially when fees drop far enough to make spam economic.
Address poisoning muddies the picture
Imagine spam calls flooding your phone. your call log looks busy, but most are junk, not real conversations. Something similar has happened on Ethereum, as a significant portion of January’s address growth is tied to poisoning attacks rather than organic adoption.
Security researcher Andrey Sergeenkov said in a post earlier this week that the increase closely matches an increase in dust activity, where attackers send small stablecoin transfers to millions of wallets.
Poison control works by harnessing human behavior. Attackers generate wallet addresses that look like a victim’s real address, often matching the first and last characters.
They then send small “dust” transfers, usually under $1, so that the fake address appears in the victim’s transaction history. When the victim later copies an address from this history instead of a trusted source, money is mistakenly sent to the attacker.
Sergeenkov’s analysis found that the number of new Ethereum addresses jumped to about 2.7 million during the peak week of January 12, about 170% above normal levels. About two-thirds of these addresses received dust as their first stablecoin transaction, a strong signal of poisoning activity rather than real onboarding.
The attack has already resulted in more than $740,000 in confirmed losses, with most of the stolen funds coming from a small number of victims. Lower fees post-Fusaka appear to have made these campaigns viable, allowing attackers to spray transactions at scale with limited upfront costs.
The takeaway is not that Ethereum usage is fake, but that headline metrics need context.
Lower fees have clearly brought activity back to the mainnet, especially for stablecoins. At the same time, cheap transactions also enable abuse, inflating address counts and transaction volumes.
