$50 Million Lost in One Click: The "Address Poisoning" Scam Strikes Hard


Every crypto investor’s nightmare became reality this weekend. A trader lost nearly 50 million dollars in USDT following a simple copy-paste error, falling victim to a sophisticated yet deceptively simple attack known as "Address Poisoning".

The incident, which occurred around December 19, 2024, serves as a brutal reminder that in the blockchain ecosystem, security responsibility rests entirely on the user.

Anatomy of a $50 Million Disaster

According to on-chain data revealed by security analysts (notably SlowMist and Scam Sniffer), the victim was preparing to transfer a colossal sum of 49,999,950 USDT.

The trader had followed a basic prudence rule: they first performed a test transaction of 50 USDT to the correct address. This initial transaction went through without issue. The trap closed in the interval between that test and the final transfer.

Address Poisoning Attack

The Polluted History Trap

Between the test and the final transfer, the attacker spotted the "whale’s" activity. They immediately generated a "vanity address" (customized) that almost perfectly mimicked the legitimate recipient’s address.

  • Legitimate address: Started with 0xbaf and ended with f8b5
  • Poisoned address (Scammer): Started with 0xBaF and ended with f8b5

The attacker then sent a micro-transaction (dust) from this fake address to the victim’s wallet. Result: the fake address appeared at the top of the trader’s transaction history.

Thinking they were copying their usual recipient’s address from their recent history, the victim actually copied the attacker’s address. The 50 million dollars were instantly sent to the thief’s wallet.

The Escape and a Desperate Bounty

Once the funds were received, the attacker wasted no time. The USDT was quickly converted to Ethereum (ETH) to avoid any freeze by the stablecoin issuer (Tether), then dispersed through multiple wallets. Part of the funds was then directed to the Tornado Cash mixer to obscure the trail.

In a desperate attempt, the victim sent an on-chain message to the attacker. They offered a bounty of 1 million dollars (about 2% of the stolen amount) in exchange for the return of the remaining 98%. The message also threatened legal action, claiming to have solid leads through collaboration with cybersecurity agencies.

Understanding Address Poisoning to Protect Yourself

It’s crucial to understand that this hack didn’t result from a protocol security flaw or a stolen private key, but from social engineering exploiting the user interface.

The attack relies on cognitive laziness: the human eye tends to only verify the beginning and end of a character string. Attackers use bots to generate addresses that "match" these characters in seconds.

How to Protect Yourself?

  1. Never copy from history: Your wallet’s transaction history is not a trusted source. Anyone can make a transaction appear there.
  2. Use an address book (Whitelist): Save your trusted addresses in your wallet or exchange and only use those.
  3. Complete verification: Check every character of the address for large amounts, or at least several blocks of characters in the middle, not just the first and last characters.
  4. Use a hardware wallet: Physical wallets like Ledger display the complete address on their screen.
  5. Double verification: For significant amounts, perform multiple test transactions with different amounts.
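
The address-book rule above can be enforced in software. The following is an added example, not code from the article or from any wallet: it compares a destination and the sender addresses in a transaction history against saved entries and flags any address that matches a saved one at both ends but differs in the middle. All addresses, labels and function names are constructed for illustration.

```python
import re

# Constructed sample data. The article gives only the first and last characters
# of the two addresses, so the middles here are made-up filler.
TRUSTED_ADDR = "0xbaf" + "1" * 33 + "f8b5"   # saved address-book entry
LOOKALIKE = "0xBaF" + "9" * 33 + "f8b5"      # same ends, different middle
UNRELATED = "0x" + "7" * 40
ADDRESS_BOOK = {"usual-recipient": TRUSTED_ADDR}
HISTORY = [  # newest first, as a wallet UI would list incoming transfers
    {"from": LOOKALIKE, "value": 0.000001},  # dust transfer from the look-alike
    {"from": TRUSTED_ADDR, "value": 50.0},
    {"from": UNRELATED, "value": 12.5},
]

def normalize(addr):
    """Lowercase a 20-byte hex address; letter case does not change which account it is."""
    a = addr.strip().lower()
    if not re.fullmatch(r"0x[0-9a-f]{40}", a):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return a

def looks_like(candidate, trusted, prefix=3, suffix=4):
    """True if candidate differs from trusted but matches the ends a person checks."""
    c, t = normalize(candidate)[2:], normalize(trusted)[2:]
    return c != t and c[:prefix] == t[:prefix] and c[-suffix:] == t[-suffix:]

def find_poisoned(history, book):
    """Return (address, imitated label) for each history entry that mimics a saved one."""
    return [(tx["from"], label)
            for tx in history
            for label, addr in book.items()
            if looks_like(tx["from"], addr)]

def check_destination(dest, book):
    """Classify a destination before sending: 'ok', 'lookalike' or 'unknown'."""
    d = normalize(dest)
    for label, addr in book.items():
        if d == normalize(addr):
            return ("ok", label)
    for label, addr in book.items():
        if looks_like(d, addr):
            return ("lookalike", label)
    return ("unknown", None)

if __name__ == "__main__":
    print(find_poisoned(HISTORY, ADDRESS_BOOK))
    print(check_destination(HISTORY[0]["from"], ADDRESS_BOOK))
```

A send flow would refuse or require extra confirmation for anything other than "ok", which is the whitelist behaviour described in item 2.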

A Growing Threat in 2024

According to data from Chainalysis and Scam Sniffer, Address Poisoning attacks have increased by over 300% in 2024, causing losses exceeding 150 million dollars in total. This scam technique is becoming increasingly sophisticated with the use of automated bots capable of generating vanity addresses in minutes.

This incident reinforces a fundamental crypto rule: "Not your keys, not your coins" must be complemented by "Verify twice, send once". In an ecosystem where transactions are irreversible, vigilance isn’t an option, it’s an absolute necessity.


Telemac (http://cryptoinfo.ch)
Passionate about new technologies, I explore the world of blockchain and cryptocurrencies to share the sector's news and innovations.
