The seemingly simple yet frequently successful “address poisoning attack” has been showing up often lately. Recently, a crypto asset trader fell into such a trap and lost nearly 50 million USD in just half an hour. Although a “white hat bounty” of 1 million USD was offered afterwards to urge the attacker to return the assets, the prospects for recovery look bleak because the stolen assets have already flowed into mixing platforms.
According to on-chain data analysis platform Lookonchain, this incident occurred on December 20, when the victim was withdrawing assets from Binance and intended to transfer them to a personal wallet.
A victim (0xcB80) lost $50M due to a copy-paste Address mistake.
Before transferring 50M $USDT, the victim sent 50 $USDT as a test to his own Address 0xbaf4b1aF…B6495F8b5.
The scammer immediately spoofed a wallet with the same first and last 4 characters and performed an… pic.twitter.com/eGEx2oHiwA
— Lookonchain (@lookonchain) December 20, 2025
Following common security practice for large transfers, the victim first sent 50 USDT as a test transaction to confirm the address was correct. Just after this small transfer completed, however, an automated script controlled by the attacker immediately generated a “spoofed address” whose first 5 and last 4 characters matched the victim's original receiving address exactly, with only the middle characters differing.
Next, the attacker used this spoofed address to send several small transactions to the victim's wallet, so that the “poisoned address” would appear in the victim's transaction history. When the victim went to transfer the remaining 49.99 million USD, they took the convenient route and selected this highly similar fraudulent address directly from the transaction record.
Because most wallet interfaces abbreviate addresses for readability, replacing the middle characters with “…”, the two addresses were visually almost impossible to tell apart.
The blockchain explorer Etherscan shows that the test transfer occurred at 3:06 UTC, while the transfer that caused the significant loss happened about 26 minutes later at 3:32.
The cybersecurity firm SlowMist pointed out that this attacker is a veritable “money laundering veteran.” After receiving nearly 50 million USD in USDT, the following steps were completed in less than 30 minutes:
**Cross-coin instant exchange:** The attacker first exchanged USDT for DAI via MetaMask Swap. Analysts believe this was done to avoid Tether's blacklist freeze mechanism, as the decentralized stablecoin DAI has no such centralized control measures.
**Mixing coins to obscure the trail:** The attacker immediately exchanged the DAI for approximately 16,690 ETH, of which 16,680 were transferred into the mixer Tornado Cash, completely severing the traceable path of the coins.
To recover the losses, the victim made an offer to the scammer through an on-chain message: a bounty of 1 million USD in exchange for the return of 98% of the assets.
The victim clearly warned: “We have officially reported the case and, with the assistance of law enforcement agencies, cybersecurity organizations, and multiple blockchain protocols, we have gathered a substantial amount of intelligence regarding your specific actions.”
This case is just the tip of the iceberg of this year's storm in the crypto assets sector. According to the latest report from Chainalysis, the total amount of cryptocurrency theft has exceeded 3.41 billion USD in 2025, setting a new historical record.
It is worth noting that Casa co-founder Jameson Lopp has warned that “address poisoning” has spread across major blockchains, with over 48,000 similar attacks detected on the Bitcoin network alone. He strongly urged wallet providers to develop a “similar address warning” feature that would pop up a warning when users copy and paste, to prevent tragedies caused by such human errors from happening again.
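A minimal sketch of the kind of “similar address warning” described above, as an added example that is not from the article or from any wallet's code. The function names and all addresses are hypothetical and constructed for illustration; the 5-character prefix and 4-character suffix follow the match the article reports.

```python
import re

ADDR_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")

def truncated(addr, head=5, tail=4):
    """The part of an address left visible when a wallet shows head…tail."""
    body = addr[2:].lower()
    return body[:head], body[-tail:]

def check_destination(dest, trusted, head=5, tail=4):
    """Classify dest as 'ok' (in the address book), 'lookalike' (collides
    with a trusted address once the middle is hidden) or 'unknown'."""
    if not ADDR_RE.match(dest):
        raise ValueError("not a 20-byte hex address")
    d = dest.lower()
    known = {t.lower() for t in trusted}
    if d in known:
        return "ok", dest
    for t in known:
        if truncated(d, head, tail) == truncated(t, head, tail):
            return "lookalike", t
    return "unknown", None

def poisoned_history_entries(history, trusted, head=5, tail=4):
    """List history counterparties that imitate a trusted address."""
    flagged = []
    for tx in history:
        verdict, match = check_destination(tx["counterparty"], trusted, head, tail)
        if verdict == "lookalike":
            flagged.append((tx["counterparty"], match, tx["amount"]))
    return flagged

# Constructed sample data (not real addresses or transactions).
OWN = "0x" + "a1b2c" + "0" * 31 + "9f8e"    # user's own receiving address
FAKE = "0x" + "a1b2c" + "7" * 31 + "9f8e"   # same first 5 / last 4, different middle
OTHER = "0x" + "5" * 40                     # unrelated counterparty
HISTORY = [
    {"counterparty": OWN, "amount": 50.0},   # the test transfer
    {"counterparty": FAKE, "amount": 0.01},  # dust sent from the lookalike
    {"counterparty": OTHER, "amount": 12.0},
]

if __name__ == "__main__":
    print(check_destination(FAKE, [OWN]))
    print(poisoned_history_entries(HISTORY, [OWN]))
```

A wallet would run a check like this at paste or send time and require the full address to be confirmed whenever the verdict is `lookalike`.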
Traders suffer from "address poisoning attack"! Nearly 50 million USDT handed over to hackers for free.