A cryptocurrency trader has lost nearly $50 million in USDT after falling victim to an address poisoning scam, a technique that exploits transaction history rather than smart contract flaws. Blockchain security firms said the incident highlights how routine wallet habits can expose users to large-scale losses.
In an X post, on-chain analytics firm Lookonchain reported that the victim transferred 49,999,950 USDT to an attacker-controlled wallet on Dec. 20. The funds had just been withdrawn from Binance and were intended for the trader’s own address. Instead, they were redirected to a visually similar address created by the attacker.
Address Poisoning Scam Exploits Spoofed Addresses
The incident began with a test transaction. The trader sent a 50 USDT test transaction to confirm the destination address. Shortly after, an automated script generated a spoofed wallet designed to resemble the legitimate address.This step marked the start of the address poisoning scam.
Source: XThe fraudulent address shared the same opening and closing characters as the intended wallet, with differences confined to the center of the string. Many wallet interfaces shorten these middle characters, reducing visibility during routine checks.
By exploiting this display behavior, the attacker sent small transactions from the lookalike address to the victim’s wallet. This inserted the fake address into the transaction history, causing it to appear legitimate during later transfers.
When the trader later copied an address from their history to complete the full transfer, the lookalike address was likely selected by mistake. Etherscan data shows the test payment was sent at 3:06 UTC. The erroneous $50 million transaction followed roughly 26 minutes later, at 3:32 UTC.
Stolen Funds Moved Through DAI, ETH, and Tornado Cash
Blockchain security company SlowMist reported that the attacker moved quickly in order to minimize recovery risk. In 30 minutes, the $50 USDT was exchanged for DAI by via MetaMask Swap. The decision was strategic because Tether can freeze USDT if it’s associated with illicit activity, but DAI doesn’t come with any centralized freezes.
The DAI was then converted by the attacker to approximately 16,690 ETH. Approximately 16,680 ETH was deposited into Tornado Cash. The mixer was an attempt to obfuscate the transaction trails, the usual step subsequent to an address poisoning scam.
Upon executing the transaction, the victim sent an on-chain message to the attacker by a $1 million white-hat bounty. The offer demanded the repayment of 98% of the stolen money. There has been no public acknowledgement or reply. The security companies remain active monitoring the address poisoning scam.
According to Chainalysis, the incident contributes to a year of rising crypto thefts. Losses in crypo hacks 2025 exceeded $3.4 billion, more than the previous year. One of those, a February breach of Bybit by North Korea-linked actors, totaled about $1.4 billion and was the largest crypto theft ever.
Source: https://coingape.com/nearly-50m-in-usdt-stolen-after-address-poisoning-scam/
