Address Poisoning Attack: $50M Crypto Lost in Copy-Paste Scam

A cunning yet deceptively simple tactic known as the “Address Poisoning Attack” has been making alarming rounds in the cryptocurrency space. This scam recently cost a crypto trader nearly $50 million in USDT within a mere half-hour. Despite a desperate plea and a $1 million “white hat bounty” offer, the chances of recovering the stolen assets remain exceptionally slim, as they have already been funneled through a mixing platform, effectively obscuring their trail.

The incident, meticulously tracked by on-chain data analysis platform Lookonchain, unfolded on December 20th. The victim was in the process of withdrawing a substantial sum of assets from Binance, intending to transfer them to a personal wallet.

The Anatomy of a $50 Million Address Poisoning Attack

Adhering to standard security protocols for large-value transactions, the victim wisely initiated a test transfer of 50 USDT to confirm the recipient address. However, this prudent step inadvertently opened the door for the attacker. Immediately after the small test transaction was confirmed, an automated script, controlled by the perpetrator, sprang into action. It generated a “spoofed address” that cunningly mimicked the victim’s legitimate receiving address, featuring identical initial five and final four characters. Only the characters in the middle differed.

The attacker then strategically sent several minuscule transactions from this “spoofed address” to the victim’s wallet. This insidious move ensured that the fraudulent, “poisoned address” would appear prominently in the victim’s recent transaction history. When it came time to execute the main transfer of the remaining $49.99 million, the victim, seeking convenience, mistakenly selected this highly similar, malicious address from their transaction log.

A critical factor in this deception is how most wallet interfaces truncate lengthy blockchain addresses, often displaying only the beginning and end characters with an ellipsis in the middle for readability. This visual simplification rendered the legitimate and the spoofed addresses virtually indistinguishable to the human eye, setting the stage for the catastrophic error.

Etherscan, the blockchain explorer, confirms the rapid sequence of events: the test transfer occurred at 3:06 UTC, followed by the devastating $49.99 million transfer just 26 minutes later, at 3:32 UTC.

Sophisticated Laundering: A Masterclass in Obfuscation

Cybersecurity firm SlowMist swiftly identified the attacker as a seasoned “money laundering veteran.” Upon receiving the nearly $50 million in USDT, the perpetrator executed a series of sophisticated obfuscation steps in less than 30 minutes:

  • Strategic Asset Swap: The stolen USDT was immediately converted to DAI via MetaMask Swap. This crucial move was designed to bypass Tether’s centralized blacklisting mechanism, as the decentralized stablecoin DAI is not subject to such controls.
  • Irreversible Mixing: Following the DAI conversion, the funds were then exchanged for approximately 16,690 Ethereum (ETH). A staggering 16,680 ETH were subsequently funneled into Tornado Cash, a notorious cryptocurrency mixer, effectively severing the on-chain traceability of the funds and rendering them nearly impossible to recover.

Victim’s Desperate Plea and Industry-Wide Implications

In a desperate bid to retrieve the stolen assets, the victim issued an on-chain message to the scammer, offering a $1 million white hat bounty for the return of 98% of the funds.

The message included a stern warning: “We have officially reported the case and, with the assistance of law enforcement, cybersecurity agencies, and multiple blockchain protocols, have gathered a significant amount of intelligence regarding your specific actions.”

This incident is not an isolated event but a stark reminder of the escalating security challenges plaguing the crypto industry. According to the latest Chainalysis report, total cryptocurrency theft in 2025 has already surpassed $3.41 billion, marking a new historical record.

Jameson Lopp, co-founder of Casa, has sounded the alarm, highlighting that “address poisoning” is a pervasive threat, extending across major blockchains. He reported over 48,000 similar attacks on the Bitcoin network alone. Lopp strongly advocates for wallet providers to implement “similar address warning” features, prompting alerts when users copy-paste addresses that bear resemblance to known malicious or spoofed patterns. Such a preventative measure could significantly mitigate the risk of human error leading to such devastating financial losses.
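The mechanism described above (a lookalike that shares the first five and last four characters and then seeds the victim's history with dust transfers) and the “similar address warning” Lopp calls for can both be illustrated with a small wallet-side check. The following Python is an added example, not code from the article, from Casa or from any wallet; the addresses, history rows, `DUST_THRESHOLD` and the five-character head and four-character tail used for display are all constructed assumptions to match the pattern the article reports.

```python
from dataclasses import dataclass

# Constructed sample data: the victim's real destination and a lookalike that
# shares its first five and last four characters, as the article describes.
# Neither is a real on-chain address.
TRUSTED = "0x5a1b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b"
SPOOF = TRUSTED[:5] + "f" * 33 + TRUSTED[-4:]      # same length, same visible ends
UNRELATED = "0x9c7e2a1f0b3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f"

# Constructed history rows as a wallet might cache them:
# (direction, counterparty, amount). The zero-value "in" rows are the poison.
HISTORY = [
    ("out", TRUSTED, 50.0),    # the victim's own test transfer
    ("in", SPOOF, 0.0),        # attacker's dust transfers land right after it
    ("in", SPOOF, 0.0),
    ("in", UNRELATED, 120.0),  # an ordinary, unrelated deposit
]

DUST_THRESHOLD = 1.0  # assumed: inbound transfers below this count as dust


@dataclass(frozen=True)
class AddressWarning:
    address: str
    resembles: str
    reason: str


def normalize(addr: str) -> str:
    return addr.strip().lower()


def truncated(addr: str, head: int = 5, tail: int = 4) -> str:
    """The abbreviated form a wallet UI shows; the middle characters are hidden."""
    return f"{addr[:head]}…{addr[-tail:]}"


def is_lookalike(a: str, b: str, head: int = 5, tail: int = 4) -> bool:
    """True when a and b are different addresses that render identically once truncated."""
    a, b = normalize(a), normalize(b)
    return a != b and len(a) == len(b) and truncated(a, head, tail) == truncated(b, head, tail)


def poisoned_counterparties(history, trusted):
    """Map each history counterparty that mimics a trusted address and only ever
    appears as a sender of dust-sized inbound transfers to the address it mimics."""
    per_addr = {}
    for direction, counterparty, amount in history:
        per_addr.setdefault(normalize(counterparty), []).append((direction, amount))
    result = {}
    for addr, rows in per_addr.items():
        only_dust_in = all(d == "in" and amt < DUST_THRESHOLD for d, amt in rows)
        if not only_dust_in:
            continue
        for t in trusted:
            if is_lookalike(addr, t):
                result[addr] = normalize(t)
    return result


def check_destination(pasted, trusted, history):
    """Warnings to surface before the user signs; an empty list means nothing suspicious."""
    p = normalize(pasted)
    warnings = []
    for t in trusted:
        if is_lookalike(p, t):
            warnings.append(AddressWarning(
                p, normalize(t),
                "matches a saved address only in the characters the UI displays"))
    mimicked = poisoned_counterparties(history, trusted).get(p)
    if mimicked:
        warnings.append(AddressWarning(
            p, mimicked,
            "appears in history only as a sender of dust-sized inbound transfers"))
    return warnings


if __name__ == "__main__":
    for w in check_destination(SPOOF, [TRUSTED], HISTORY):
        print(f"WARNING: {truncated(w.address)} looks like {truncated(w.resembles)}: {w.reason}")
```

The two checks are deliberately independent: the first fires whenever a pasted destination is visually identical to a saved one, regardless of where it came from, and the second fires when the destination was only ever seen as an unsolicited dust sender, which is the signature that history-picking a recent counterparty relies on. A real wallet would run both before enabling the send button and would not let the user pick a counterparty from history without showing the full address.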

Disclaimer: This article is provided for market information purposes only. All content and views are for reference and do not constitute investment advice. It does not represent the views or positions of BlockBeats. Investors are solely responsible for their own decisions and transactions. The author and BlockBeats will not be held liable for any direct or indirect losses incurred by investors’ transactions.