Scoutinternal

Dust and Dusting Attack Transactions — Identification, Prevention, and Remediation

Dust and Dusting Attack Transactions — Identification, Prevention, and Remediation

Problem

Customers report receiving unsolicited small-value deposits (dust) into their BitGo wallets across multiple chains including BTC, BCH, LTC, XLM, TRX, and Ethereum-based tokens (e.g., ERC-1155, HEX). These dust deposits are typically the result of "dusting attacks," where external actors send tiny amounts to on-chain addresses in an attempt to de-anonymize wallet owners by tracking how the dust UTXOs are spent in future transactions. Customers ask whether BitGo can prevent these deposits, isolate or freeze the dust to preserve privacy, or remove the entries from transaction reports. On the sending side, customers occasionally encounter an "error 400: output value is less than dust threshold" when attempting to send amounts below the network's minimum dust threshold.

Diagnostics

  • Confirm the deposit is dust: Check the transaction amount. For BTC, BitGo uses a threshold of 2750 satoshis — amounts below this are generally already unusable. For other UTXO coins (BCH, LTC), compare against the chain's standard dust limit.
  • Identify the coin type and wallet model:
    • UTXO-based coins (BTC, BCH, LTC): Dust UTXOs can be frozen (reserved) so they are excluded from future transactions.
    • Account-based coins (ETH, XLM, TRX) and tokens (ERC-1155, HEX): There is no UTXO to freeze. Handling differs — see resolution scenarios below.
  • Collect transaction IDs: Ask the customer for the specific transaction IDs of the dust deposits. For UTXO coins, you will also need the output index (e.g., txid:0).
  • Check whether the transaction is actually UTXO-based: If the customer provides a transaction ID starting with 0x, it is an Ethereum transaction, not a UTXO. The freeze process does not apply to Ethereum transactions.
  • Check for malicious content: For chains that support memo fields (e.g., XLM), advise the customer not to click on any URLs contained in memo tags, as they may be malicious.
  • Check for "output value is less than dust threshold" errors: If the customer is sending and receives this error, the issue is that the output amount is below the network's dust threshold — this is a protocol-level restriction, not a BitGo-specific limitation.

Resolution

Scenario: dust-dusting-transaction-bch#utxo-freeze

Trigger: Customer reports receiving small unsolicited deposits on a UTXO-based chain (BTC, BCH, LTC) and wants to prevent those UTXOs from being used in future outgoing transactions.

Signals: dust, dusting, dusting attack, BTC, BCH, LTC, freeze, reserve, UTXO, privacy, unspent, reservedunspents

Steps:

  1. Ask the customer to provide the transaction IDs of the dust deposits.
  2. For each transaction ID, confirm it is a UTXO-based transaction (not an Ethereum 0x-prefixed hash).
  3. In BitGo admin tools (BGA), run the following command for each dust UTXO:
    bga wallet reservedunspents create 2111-11-11T11:11:11Z {transaction_id:output_index}
    The special expiry date 2111-11-11T11:11:11Z is used to mark these as related to dust attacks so they can be easily managed and excluded from withdrawals.
  4. Confirm the reservation was successful by verifying the response includes the UTXO ID, wallet ID, and the expireTime of 2111-11-11T11:11:11.000Z.
  5. Notify the customer that the dust UTXOs have been frozen and will not be included in future outgoing transactions.

Notes: - For BTC, dust is generally below the 2750 satoshi threshold, which makes it unusable already. However, freezing is still recommended to ensure it is never selected.

  • BitGo cannot prevent external parties from depositing funds to on-chain addresses. There is no way to block inbound dust deposits at the protocol level.
  • If the customer wants to be notified proactively when dust is received, they should inform their BitGo support contact. However, BitGo cannot determine which inbound transactions are expected vs. unexpected without customer input.

"Identify the dust UTXO by transaction ID. Run the following command in your admin tools: bga wallet reservedunspents create 2111-11-11T11:11:11Z {transaction id:height} The special expiry date (2111-11-11T11:11:11Z) is used to mark these as related to dust attacks, so they can be easily managed and excluded from withdrawals." (ticket #271516)

"For UTXO coins, we can reserve the received unspents so that they can never be considered for use in a future transaction." (ticket #358875)

"As soon as dust is received, your team should let us know. We can reserve that .001 BTC so it will not be used. Generally, dust is below our 2750 Satoshi threshold which makes it unusable already. If we are not notified, we are not able to act as we are unable to determine which transactions are expected and which are not." (ticket #358875)

Scenario: dust-dusting-transaction-bch#non-utxo-dust

Trigger: Customer reports receiving dust deposits on a non-UTXO chain (ETH, XLM, TRX) or unsolicited token deposits (ERC-1155, HEX, etc.) and asks BitGo to remove or isolate them.

Signals: dust, dusting, XLM, TRX, ETH, ERC-1155, HEX, token, account-based, memo, malicious URL, remove, transaction report

Steps:

  1. Explain to the customer that for non-UTXO coins, BitGo is unable to freeze or reserve specific deposits the way it can with UTXO-based chains.
  2. Advise the customer to note these receipts in their accounting records.
  3. For XLM dust specifically: warn the customer that malicious URLs may be embedded in the XLM memo tag. Advise them not to click on any URLs found in memo fields of unsolicited deposits.
  4. For ERC-1155 token dust: BitGo can remove ERC-1155 entries from the system/transaction report. Escalate to the engineering/ops team to process the removal. Ask the customer to provide a transaction report showing the affected entries.
  5. For XLM dust entries: BitGo cannot remove XLM dust deposits from the system, as doing so would interfere with internal data syncing. If the customer needs documentation for regulatory purposes (e.g., for ADGM), offer to provide an official written explanation confirming these deposits are dust.
  6. For other unsolicited token deposits on account-based chains (e.g., HEX on Ethereum): inform the customer that BitGo is unable to address these amounts on their behalf. Recommend noting them in accounting.

Notes: - Dust receipts do not represent a compromise of the customer's account or addresses.

  • BitGo recommends not clicking into any attachments or URLs that may be included in dust deposits.
  • The ability to remove entries from transaction reports is limited to specific token types (e.g., ERC-1155). XLM and other chain-native dust cannot be removed.

"These indeed look like dust deposits. However, it is not really possible to identify the sender from the address and why they are sending these deposits. There is also no way to stop deposits to your addresses." (ticket #316390)

"We can only remove ERC1155s from the system. Removing XLM ones will mess up with our internal data syncing, hence we can not perform it unfortunately." (ticket #316390)

"For Non-UTXO coins, we are unable to take a formal action on these and recommend noting these receipts in your accounting." (ticket #358875)

Scenario: dust-dusting-transaction-bch#send-below-dust-threshold

Trigger: Customer receives "error 400: output value is less than dust threshold" when attempting to send a transaction.

Signals: error 400, output value is less than dust threshold, dust threshold, send, sub-dust, min dust threshold

Steps:

  1. Confirm the customer is attempting to send an amount below the network's dust threshold for the given coin.
  2. Explain that this is a protocol-level restriction enforced by the blockchain network — outputs below the dust threshold are rejected by nodes and cannot be relayed.
  3. Advise the customer to increase the output amount above the dust threshold for the relevant chain (e.g., 546 satoshis for standard BTC outputs, though this varies by output type and chain).
  4. If the customer needs to sweep a wallet that contains only sub-dust-threshold amounts, consult with engineering on whether the balance can be consolidated or if it must remain in place.

Notes: - The exact dust threshold varies by coin and output script type. For BTC, BitGo uses a 2750 satoshi threshold internally.

  • This error is not a BitGo bug — it reflects standard blockchain protocol behavior.

Related

  • utxo-consolidation-and-fanout — Related to UTXO management, which intersects with dust handling on UTXO chains.
  • transaction-send-errors — Covers other common send-side errors including threshold and fee-related failures.
  • none identified for non-UTXO token removal procedures beyond what is documented above.