Address Poisoning Strikes: How a $50M USDT Heist Exploited One Simple Wallet Mistake

Published: 2025-12-21 12:00:00

One wrong click. That's all it took for $50 million in Tether to vanish from a digital wallet. The culprit? A deviously simple exploit called 'address poisoning'—and it's targeting crypto users who make a single, common error.

The Bait-and-Switch You Won't See Coming

Forget complex smart contract hacks. This scam preys on human nature. Attackers generate a wallet address nearly identical to a victim's recent transaction recipient—same first and last characters, with gibberish in the middle. They then send a tiny, worthless transaction to the victim's wallet. The goal? To pollute the transaction history.

Days or weeks later, when the victim goes to send a large sum, they glance at their history, see the familiar-looking address, and copy it. They paste the poisoned address instead of the legitimate one. The funds are gone in a flash—no hacking required, just a moment of inattention.

Why Your 'Verified' History Isn't Safe

Wallet interfaces that display transaction history for convenience are inadvertently creating the trap. Users trust what they see, assuming a past transaction validates an address. The scam exploits that trust, turning a feature designed for safety into a vector for theft. It's a stark reminder that in crypto, you are your own chief compliance officer—and the penalties for a typo are brutal.

The $50 Million Wake-Up Call

This isn't theoretical. The recent heist proves the scale is massive. While exchanges have teams and insurance, the individual holder has no backstop. The on-chain transaction is final; there's no fraud department to call for a chargeback. It's the ultimate test of personal operational security in a system that offers both sovereignty and zero forgiveness.

The finance world loves to talk about 'unbanked the banked,' but sometimes it feels like we've just replaced old-fashioned vaults with digital tripwires. Stay paranoid, triple-check every character, and never copy from your history. Your wallet's memory is trying to help, but sometimes it's the one holding the poison.


In Brief

  • An individual accidentally transferred almost 50 million USDT to a scammer after copying a fake wallet address from past transactions.
  • The stolen funds were quickly converted from USDT to DAI, then into over 16,000 ETH, and deposited into Tornado Cash to hide them.
  • After the loss, the victim issued an on-chain alert calling for most of the funds to be returned, including legal warnings and offering a $1 million reward for full recovery.

Small Test Transfer Leads to $50M USDT Loss

On-chain investigator Web3 Antivirus shared on X that the victim lost 49,999,950 USDT after inadvertently copying a fraudulent wallet address from their transaction history. The user had first carried out a small test transfer to what they believed was the correct address before sending the full $50 million minutes later. While the initial transfer seemed harmless, it set the stage for a significant loss.

EyeOnChain, an on-chain analyst, explained that the scam leveraged the initial $50 USDT test transaction. The attacker then created a wallet nearly identical to the original, keeping the first and last characters the same while taking advantage of wallet interfaces that hide the middle section with “…”. When the victim later attempted to send the remaining 49,999,950 USDT, they copied the address from transaction history instead of manually verifying it. Trusting the familiar start and end characters, the user unknowingly sent the full amount to the scammer’s wallet. This sequence of events made it one of the largest on-chain scam losses recorded this year.

Shortly after receiving the stolen funds, the attacker moved quickly to obscure them: within 30 minutes, they swapped 50 million USDT to DAI using MetaMask Swap, converted all DAI into 16,690 ETH, and deposited 16,680 ETH into Tornado Cash, effectively hiding the assets.

The Victim’s Response and the Mechanics of Address Poisoning

Following the loss, the victim posted an on-chain alert calling for 98% of the stolen funds to be returned within 48 hours, including legal warnings and offering a $1 million white-hat reward if the attacker returned the full amount. Analysis of the wallet showed it had been active for roughly two years and primarily handled USDT transfers, with the funds having been withdrawn from Binance shortly before the incident.

Typically, address poisoning does not exploit flaws in smart contracts or cryptography. Instead, it preys on common user behaviors. How then does it occur?

  • The scammer initiates a small or dust transfer from a wallet address that closely resembles the intended recipient’s address, making it appear legitimate at first glance.
  • This fraudulent address then shows up in the victim’s transaction history, blending in with other past transactions and creating a false sense of security.
  • When the user copies this address from their history to send funds, they inadvertently transfer the assets to the attacker instead of the correct recipient.
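
A defensive check for the pattern described in the list above, added here as an example (not code from Cointribune, BTCC or any wallet): it compares a destination against a saved address book and flags history entries that match a trusted address only in the characters a truncated display shows. The addresses, the `exchange-deposit` label and all function names are constructed for illustration.

```python
# Constructed sample data: 40-hex-digit addresses invented for this example.
TRUSTED = "0x" + "ab12" + "0" * 32 + "cd34"      # saved, verified recipient
POISONED = "0x" + "ab12" + "f" * 32 + "cd34"     # same ends, different middle
UNRELATED = "0x" + "9" * 40
ADDRESS_BOOK = {"exchange-deposit": TRUSTED}     # hypothetical label
HISTORY = [TRUSTED, POISONED, UNRELATED]         # as a wallet history might list them

def normalize(addr):
    # Hex addresses compare case-insensitively; mixed case is only a checksum.
    a = addr.lower()
    return a[2:] if a.startswith("0x") else a

def ui_truncate(addr, head=6, tail=4):
    # How many wallet views render an address: the middle becomes an ellipsis.
    return addr[:head] + "…" + addr[-tail:]

def is_lookalike(candidate, trusted, head=4, tail=4):
    # Same visible prefix and suffix, but not the same address.
    c, t = normalize(candidate), normalize(trusted)
    return c != t and c[:head] == t[:head] and c[-tail:] == t[-tail:]

def check_destination(candidate, address_book):
    """Return (verdict, label): 'trusted', 'lookalike' or 'unknown'."""
    for label, trusted in address_book.items():
        if normalize(candidate) == normalize(trusted):
            return "trusted", label
    for label, trusted in address_book.items():
        if is_lookalike(candidate, trusted):
            return "lookalike", label
    return "unknown", None

def audit_history(history, address_book):
    # Classify every counterparty so imitations can be hidden or warned on
    # before the user copies one.
    return [(ui_truncate(a), check_destination(a, address_book)[0]) for a in history]

if __name__ == "__main__":
    for shown, verdict in audit_history(HISTORY, ADDRESS_BOOK):
        print(shown, verdict)
```

Matching on four leading and four trailing characters mirrors the truncated display; a stricter policy is to allow sends only to exact address-book matches.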

The risks illustrated by cases like this reflect a wider surge in attacks across the crypto space. The year 2025 has been particularly active for malicious actors targeting crypto platforms. Cointribune reported that hacks across the sector led to $3.4 billion in losses, marking the highest annual total since 2022. Most of the damage came from a small number of major attacks, with just three breaches making up 69% of the total value stolen.
