Crypto Trader Loses Nearly $50 Million in Address Poisoning Scam

What looked like a routine transfer turned into one of the most expensive copy-paste mistakes in recent crypto history.

Nearly $50 million in stablecoins vanished not because of a protocol exploit or hacked wallet, but because of a subtle deception buried inside a transaction list.

The incident was first flagged by Lookonchain, which traced a transfer of almost 50 million USDT that went to an attacker instead of the sender’s intended wallet. The funds had just been withdrawn from Binance, and everything about the transfer appeared normal – until it wasn’t.

Unlike most high-profile crypto thefts, there was no malicious smart contract or compromised private key involved. The attacker relied entirely on user behavior and interface shortcuts, exploiting how wallet software displays addresses and how users reuse information from transaction history.

How the Trap Was Set

Before moving the full balance, the trader followed a common safety step: sending a small test transaction. A modest amount of USDT was transferred successfully, confirming that the destination appeared correct.

That confirmation created a false sense of security. Shortly after the test payment, the attacker deployed an automated process to generate a wallet address that visually mimicked the legitimate one. The beginning and ending characters matched perfectly, while differences were hidden in the middle – a section many wallet interfaces truncate.

The attacker then sent tiny transfers from this fake address to the victim’s wallet. This maneuver inserted the lookalike address into the transaction history, where it blended in with legitimate entries. When the trader later copied an address from past transactions to send the full amount, the spoofed address was likely selected.

Less than half an hour separated the test payment from the fatal transfer.

Funds Disappear in Minutes

Once the USDT landed in the attacker’s wallet, the window for recovery closed rapidly. Investigators from SlowMist reported that the funds were quickly swapped into DAI using MetaMask’s swap functionality.

The choice of asset mattered. USDT can be frozen by its issuer when linked to criminal activity. DAI cannot. From there, the attacker converted the stablecoins into roughly 16,700 ETH and pushed nearly all of it into Tornado Cash, effectively breaking the on-chain trail.

This entire laundering sequence unfolded within minutes, leaving little opportunity for intervention.

A Last Attempt to Negotiate

After realizing what had happened, the victim attempted a direct appeal. An on-chain message was sent to the attacker, offering a seven-figure “white-hat” bounty in exchange for the return of most of the funds. The proposal reportedly asked for 98% of the money back.

There has been no public response. The wallets involved remain under observation, but once funds pass through a mixer, recovery becomes highly unlikely.

Why These Scams Keep Working

Address poisoning scams succeed because they exploit assumptions. Many users trust transaction history more than manually verified addresses, especially after a test transfer appears to succeed. Wallet interfaces that shorten addresses make visual checks unreliable, even for experienced traders.
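
A defensive check for the failure mode described above, added here as an example and not taken from the article or from any wallet's code: it compares all 40 hex characters of a destination against a manually verified allowlist and flags addresses that match a trusted one only in the shortened display. The 4+4 truncation length, the function names, and every address are assumptions constructed for illustration.

```python
PREFIX_LEN = 4  # assumption: hex chars shown after "0x" in a shortened display
SUFFIX_LEN = 4  # assumption: hex chars shown at the end

def normalize(addr: str) -> str:
    """Lower-case and validate a 20-byte hex address."""
    a = addr.strip().lower()
    body = a[2:]
    if (not a.startswith("0x") or len(body) != 40
            or any(c not in "0123456789abcdef" for c in body)):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return a

def shortened(addr: str) -> str:
    """What a truncating UI would show, e.g. 0xa1b2...c3d4."""
    a = normalize(addr)
    return f"{a[:2 + PREFIX_LEN]}...{a[-SUFFIX_LEN:]}"

def check_destination(dest: str, allowlist: list[str]) -> tuple[str, str]:
    """Compare the full address against a manually verified allowlist."""
    d = normalize(dest)
    trusted = [normalize(a) for a in allowlist]
    if d in trusted:
        return ("ok", d)
    for t in trusted:
        if shortened(t) == shortened(d):
            return ("lookalike", t)  # same visible ends, different middle
    return ("unknown", d)

def lookalikes_in_history(counterparties: list[str], allowlist: list[str]) -> list[str]:
    """History entries that imitate an allowlisted address."""
    return [c for c in counterparties
            if check_destination(c, allowlist)[0] == "lookalike"]

# Constructed sample values (not addresses from the incident).
TRUSTED = "0xa1b2" + "0" * 32 + "c3d4"
SPOOFED = "0xa1b2" + "f" * 32 + "c3d4"
UNRELATED = "0x" + "9" * 40

if __name__ == "__main__":
    for addr in (TRUSTED, SPOOFED, UNRELATED):
        print(shortened(addr), check_destination(addr, [TRUSTED])[0])
    print(lookalikes_in_history([TRUSTED, SPOOFED, UNRELATED], [TRUSTED]))
```

The trusted and spoofed samples render identically when shortened, so only the full-length comparison separates them.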

According to Chainalysis, crypto thefts in 2025 have already exceeded $3.4 billion, surpassing the previous year. While some losses stem from sophisticated state-backed hacks, others – like this one – require little more than patience and automation.

One of the largest thefts this year, a $1.4 billion breach at Bybit linked to North Korean actors, involved complex infrastructure and coordination. Address poisoning, by contrast, relies on human error. That simplicity is precisely what makes it so dangerous.

A Costly Reminder

This case underscores an uncomfortable reality: as wallet balances grow, the margin for error shrinks. Even traders who follow basic safety practices can fall victim if they rely on convenience features instead of full address verification.

In an ecosystem obsessed with cutting-edge exploits and advanced threats, one of the biggest risks remains painfully ordinary – trusting what looks familiar without checking what’s actually there.

Author
Alexander Stefanov

Reporter at CoinsPress

Alex is an experienced finance journalist and a cryptocurrency and blockchain enthusiast. With over five years of experience covering the industry, he deeply understands the complex and constantly evolving world of digital assets. His insightful and thought-provoking articles provide readers with a clear picture of the latest developments and trends in the market. His passionate approach allows him to break down complex ideas into accessible and insightful content. Follow up on his content to be up to date with the most important trends and topics - stay ahead of the curve with CoinsPress.