Trader tricked by poisoned address loses almost fifty million USDT


A cryptocurrency investor lost 49,999,950 USDT (about $50 million) on December 20, 2025, after falling victim to an address poisoning scam that manipulated their wallet transaction history and led them to send funds to a fraudulent address that closely resembled the intended one.

According to on-chain data, the investor first moved their funds from an exchange and executed a standard precautionary test transfer of about 50 USDT to confirm the correct destination address. Within minutes, the attacker had injected a look-alike address into the victim’s transaction history by sending a tiny amount, causing the spoofed address to appear among recent activity. When the victim later copied an address from that history to send the full amount, they mistakenly used the scammer’s address.

Blockchain analytics firms reported that the entire theft unfolded in under an hour. After receiving the nearly $50 million in USDT, the attacker rapidly exchanged those stablecoins for DAI and then for approximately 16,690 ETH via a decentralized swap. Around 16,680 ETH was then deposited into Tornado Cash, a privacy mixer used to obfuscate transaction trails.

Security researchers describe address poisoning as a phishing tactic that exploits common user behavior and wallet interface design rather than weaknesses in blockchain cryptography. Attackers use scripts or automated tooling to generate spoofed wallet addresses that match the first and last characters of legitimate ones. By sending small transactions from these spoofed addresses, they “poison” the victim’s history so that when funds are later sent, a copied address may be the fraudulent one.

The malicious wallet involved in this scam, identified on Etherscan as a string beginning with “0xBaF” and ending in “f8b5”, mirrored the legitimate destination closely, making the error difficult to detect through cursory inspection of truncated address views common in many wallet interfaces.

In response to the loss, the victim posted an on-chain appeal demanding the return of 98 percent of the stolen funds within 48 hours, offering a $1 million white-hat bounty for full restitution and warning of legal escalation, including involving international law enforcement – though no public response from the attacker had been recorded as of the latest data.

Security analysts noted that the tactic does not require compromising private keys or wallet software; rather, it relies on how wallets display addresses and how users copy and paste them. They advise that users verify the entire address string using trusted interfaces, maintain whitelists of known recipient addresses, and avoid relying solely on transaction histories for large transfers.
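The advice above (compare the full address and keep a whitelist of known recipients) can be expressed as a pre-send check. The following is an added example, not code from the article or from any wallet; the four-character truncation width, the function names and all addresses are constructed assumptions.

```python
import re

ADDR_RE = re.compile(r"0x[0-9a-f]{40}")
SHOWN = 4  # hex chars a truncated view shows at each end (assumed width)

def normalize(addr):
    """Lowercase and validate a 20-byte hex address (no EIP-55 checksum check)."""
    a = addr.strip().lower()
    if not ADDR_RE.fullmatch(a):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return a

def ends(addr):
    """The two fragments a truncated display would show."""
    body = normalize(addr)[2:]
    return body[:SHOWN], body[-SHOWN:]

def check_recipient(candidate, allowlist):
    """Classify candidate against {label: address}: trusted, lookalike, unknown."""
    cand = normalize(candidate)
    for label, addr in allowlist.items():
        if normalize(addr) == cand:
            return ("trusted", label)
    for label, addr in allowlist.items():
        # Same visible ends but a different full string: the poisoning pattern.
        if ends(addr) == ends(cand):
            return ("lookalike", label)
    return ("unknown", None)

def scan_history(history, allowlist):
    """Return history senders that imitate an allowlisted address."""
    flagged = []
    for entry in history:
        verdict, _ = check_recipient(entry["from"], allowlist)
        if verdict == "lookalike" and normalize(entry["from"]) not in flagged:
            flagged.append(normalize(entry["from"]))
    return flagged

# Constructed sample data, not addresses from the incident.
LEGIT = "0x1a2b" + "0" * 32 + "9f8e"
SPOOF = "0x1a2b" + "d" * 32 + "9f8e"
OTHER = "0x" + "7" * 40
ALLOWLIST = {"cold-wallet": LEGIT}
HISTORY = [
    {"from": OTHER, "value_usdt": 120.0},
    {"from": SPOOF, "value_usdt": 0.005},  # tiny transfer that plants the look-alike
]

if __name__ == "__main__":
    print(check_recipient(SPOOF, ALLOWLIST))
    print(scan_history(HISTORY, ALLOWLIST))
```

A "lookalike" verdict is the case to block outright, since the candidate would be indistinguishable from the trusted entry in a truncated view while differing in the full string.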

Data from blockchain monitoring firms also indicates that address poisoning attacks have been increasingly prevalent throughout 2025, contributing to escalating losses across the ecosystem as attackers monitor high-value movements and time their poisoning attempts to coincide with large transfers.

In an address poisoning attack, adversaries generate wallet addresses that look deceptively similar to a victim’s intended recipient and leverage that similarity to insert their address into transaction histories or “suggested” lists. Users who rely on partial matching or abbreviated display formats may then unknowingly send funds to the attacker’s wallet. Academic studies have documented millions of poisoning attempts and substantial cumulative losses from such scams across EVM-compatible networks.
