Ethereum, the smart contract blockchain, now handles more daily activities than its cheaper sidechains, called layer -2 networks. But this return has a catch: all this Ethereum activity does not seem to reflect real user demand.
The number of daily active addresses on Ethereum climbed to the one million mark earlier this month, briefly peaking above 1.3 million on Jan. 16 before closing in on 950,000, according to data source Token Terminal.
This puts Ethereum ahead of popular scaling networks such as Arbitrum, Base and OP Mainnet, reversing much of the narrative that users had permanently migrated out of L1.
Active addresses are the unique blockchain wallets that carry out transactions, such as sending, receiving cryptocurrencies or interacting with smart contracts, during a given period of time, say daily. Analysts track the metric to study real network usage beyond the token price hype.
Layer 2 scaling networks are like side roads or expressways built on top of the main blockchain highway, Ethereum. These sidechains handle tons of transaction traffic quickly and cheaply off the main chain, then report the final tally back to the main chain for security.
The rebound in Ethereum activity follows the Fusaka upgrade in December, which significantly reduced transaction fees and made it cheaper to transact directly on Ethereum again. Lower costs have helped revive on-chain activity, particularly for stablecoins, which remain the dominant use case for daily transfers.
At first glance, the numbers suggest a “return to mainnet” moment. But analysts warn that raw address counts can be misleading, especially when fees drop enough to make spam economical.
The fight against poisoning blurs the picture
Imagine spam calls flooding your phone. your call log looks busy, but most of it is spam and not real conversations. Something similar happened on Ethereum, as a significant portion of January’s address growth is tied to poisoning attacks rather than organic adoption.
Security researcher Andrey Sergeenkov said in a post earlier this week that this spike closely corresponds to an increase in dusting activity, where attackers send tiny transfers of stablecoins to millions of wallets.
Fight against poisoning works by exploiting human behavior. Attackers generate wallet addresses that closely resemble a victim’s real address, often matching the first and last characters.
They then send small “dust” transfers, usually less than $1, so that the fake address appears in the victim’s transaction history. When the victim later copies an address from this history instead of a trusted source, the funds are mistakenly sent to the attacker.
Sergeenkov’s analysis found that the number of new Ethereum addresses jumped to around 2.7 million during the peak week of January 12, around 170% above normal levels. About two-thirds of these addresses received dust on their first stablecoin transaction, a strong signal of poisoning activity rather than actual onboarding.
The attack has already resulted in confirmed losses of more than $740,000, with most of the stolen funds coming from a small number of victims. The drop in fees following Fusaka appears to have made these campaigns viable, allowing attackers to broadcast transactions at scale with limited upfront cost.
The takeaway is not that Ethereum usage is wrong, but that the core metrics require context.
The drop in fees has clearly brought activity back to mainnet, especially for stablecoins. At the same time, cheap transactions also enable abuse, inflating the number of addresses and transaction volumes.
