The “Address Poisoning Attack,” which seems simple yet often succeeds, has been occurring frequently lately. Recently, a crypto assets trader lost nearly 50 million USD in just half an hour after mistakenly falling into this type of trap. Although a “white hat bounty” of 1 million USD was offered afterwards to entice the attacker to return the assets, the hope of recovery is slim since the stolen assets have already flowed into mixing platforms.
According to on-chain data analysis platform Lookonchain, this incident occurred on December 20, when the victim was withdrawing assets from Binance and intended to transfer them to a personal wallet.
A victim (0xcB80) lost $50M due to a copy-paste Address mistake.
Before transferring 50M $USDT, the victim sent 50 $USDT as a test to his own Address 0xbaf4b1aF…B6495F8b5.
The scammer immediately spoofed a wallet with the same first and last 4 characters and performed an… pic.twitter.com/eGEx2oHiwA
— Lookonchain (@lookonchain) December 20, 2025
Following standard security practice for large transfers, the victim first sent 50 USDT as a test transaction to confirm that the address was correct. However, right after this small transfer completed, an automated script controlled by the attacker generated a “spoofed address” whose first 5 digits and last 4 digits were exactly the same as those of the victim's original receiving address, with only the middle characters differing.
Next, the attacker deliberately used this “disguised address” to send several small transactions to the victim's wallet, so that the “poison address” would appear in the victim's transaction history. When the victim went to transfer the remaining 49,990,000 USD, they clicked this highly similar fraudulent address directly in the transaction record for convenience.
Because most wallet interfaces use “…” to omit the middle characters of an address for readability, the two addresses are very difficult to tell apart visually.
The blockchain explorer Etherscan shows that the test transfer occurred at 3:06 UTC, while the transfer that caused the loss took place approximately 26 minutes later, at 3:32 UTC.
The cybersecurity company SlowMist pointed out that this attacker is a genuine “money laundering expert.” After receiving nearly 50 million USD in USDT, they completed the following steps in less than 30 minutes:
Cross-coin flash exchange: First, the attacker exchanged the USDT for DAI through MetaMask Swap. Experts assess that this was done to avoid Tether's blacklist freezing mechanism, as the decentralized stablecoin DAI has no such centralized control measures.
Mixing and anonymity: The attacker then immediately exchanged the DAI for approximately 16,690 ETH, 16,680 of which were transferred to the mixing platform Tornado Cash, completely severing the tracing path of the funds.
To recover the losses, the victim has proposed terms to the scammers through on-chain messages: the victim is willing to pay a 1 million USD bounty in exchange for the return of 98% of the assets.
The victim clearly warned: “We have officially reported to the authorities and, with the assistance of law enforcement, cybersecurity agencies, and multiple blockchain protocols, have gathered a substantial amount of intelligence regarding your specific actions.”
This case is just the tip of the iceberg in this year's wave of security incidents across the crypto industry. According to Chainalysis's latest report, total cryptocurrency thefts in 2025 have exceeded USD 3.41 billion, setting a new record.
It is worth noting that Casa co-founder Jameson Lopp warned that “address poisoning” has spread across major blockchains, with over 48,000 similar attacks discovered on the Bitcoin network alone. He strongly urged wallet providers to develop a “similar address warning” feature that pops up a warning when users copy and paste, to prevent the tragedy caused by such human negligence from happening again.
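The “similar address warning” described above can be sketched as follows. This is an added example, not code from the article or from any wallet project: it flags a recipient that differs from a saved address yet matches it at both ends, which is exactly the case a truncated “…” display hides. The function names, the 4-digit thresholds and all addresses are assumptions constructed for illustration.

```javascript
// Added example: a "similar address warning" check for 20-byte hex addresses.
// All addresses below are constructed sample values, not from the incident.
const ADDR_RE = /^0x[0-9a-fA-F]{40}$/;

function normalize(addr) {
  if (!ADDR_RE.test(addr)) throw new Error(`not a 20-byte hex address: ${addr}`);
  return addr.slice(2).toLowerCase(); // compare case-insensitively
}

// What a truncating wallet UI shows: first `head` and last `tail` hex digits.
function truncated(addr, head = 5, tail = 4) {
  const a = normalize(addr);
  return `0x${a.slice(0, head)}…${a.slice(-tail)}`;
}

// Count identical hex digits from the start and from the end of two addresses.
function sharedEnds(a, b) {
  let prefix = 0, suffix = 0;
  while (prefix < a.length && a[prefix] === b[prefix]) prefix++;
  while (suffix < a.length && a[a.length - 1 - suffix] === b[b.length - 1 - suffix]) suffix++;
  return { prefix, suffix };
}

// Classify a recipient against addresses the user deliberately saved.
// "lookalike": a different address that matches a saved one at both ends.
// The thresholds are assumed defaults, not a standard.
function checkRecipient(candidate, trusted, minPrefix = 4, minSuffix = 4) {
  const c = normalize(candidate);
  let hit = null;
  for (const t of trusted) {
    const n = normalize(t);
    if (n === c) return { verdict: "trusted", resembles: t };
    const { prefix, suffix } = sharedEnds(c, n);
    if (prefix >= minPrefix && suffix >= minSuffix) {
      hit = { verdict: "lookalike", resembles: t, prefix, suffix };
    }
  }
  return hit || { verdict: "unknown", resembles: null };
}

const TRUSTED = "0x1111aaaa2222bbbb3333cccc4444dddd5555eeee"; // constructed
const POISON = "0x1111a" + "0".repeat(31) + "eeee";           // constructed lookalike
const OTHER = "0x" + "9".repeat(40);                          // constructed, unrelated

console.log(truncated(TRUSTED), truncated(POISON)); // identical on screen
console.log(checkRecipient(POISON, [TRUSTED]));     // flagged before sending
```

A wallet would run such a check when an address is pasted or picked from transaction history, and require the full address to be confirmed whenever the verdict is “lookalike”.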
Traders fall victim to "address poisoning attack"! Nearly 50 million USDT given away to hackers.