- Trending
- Comments
- Latest
A cryptocurrency holder lost nearly $50 million USDT after copying a spoofed wallet address from their transaction history, falling victim to an address poisoning attack that exploited common wallet interface features.
The victim had sent a $50 test transaction to verify their intended address, but an attacker monitoring the blockchain created a nearly identical spoofed address and sent a small amount to the victim’s wallet—setting a trap that resulted in the loss of $49,999,950 when the victim copied the wrong address from their history.
According to blockchain security firm Lookonchain, which first reported the incident, the attack exploited a vulnerability in how most wallet interfaces display addresses: they show only the first and last few characters to improve readability, hiding the middle portion.
The attacker created a wallet address with the same first four and last four characters as the victim’s legitimate address.
When the victim checked their transaction history after the $50 test, both the real address and the attacker’s spoofed address appeared nearly identical in the shortened format.
The victim then copied what appeared to be their own address from the transaction history and proceeded to send the full $49,999,950—directly into the attacker’s wallet.
Address poisoning, also called “dust attacks” or “poison attacks,” involves attackers sending tiny amounts of cryptocurrency to victims’ wallets from addresses that visually resemble legitimate addresses.
The spoofed addresses are generated to match the beginning and ending characters of a target address. Because most wallet interfaces truncate the middle characters, users who quickly glance at their transaction history may not notice the difference.
When victims copy addresses from their recent transaction history for convenience—a common practice—they may inadvertently copy the attacker’s address instead of their intended recipient’s address.
Once the transaction is broadcast to the blockchain, it cannot be reversed, making the funds irrecoverable.
Address poisoning attacks have increased significantly throughout 2025, with security firms reporting hundreds of incidents involving both large and small amounts.
The $50 million loss represents one of the largest single-victim address poisoning attacks publicly documented, though exact figures are difficult to verify as many victims do not report losses publicly.
Earlier in May 2025, Coinbase worked with law enforcement to prevent spoofing schemes after one attacker, Chirag Tomar, allegedly stole over $20 million from users by impersonating the exchange through fake emails and phishing sites, according to statements from Coinbase Chief Legal Officer Paul Grewal.
Security experts recommend several precautions to avoid address poisoning scams:
Members of the crypto community have called for wallet developers to implement better protections against address poisoning attacks.
Suggestions include smart contract-based address verification systems, mandatory full-address verification before large transactions, and warnings when addresses in transaction history don’t match saved contacts.
Binance issued warnings at its recent Dubai event, cautioning users against clicking links not from official Binance channels, part of broader efforts to educate users about phishing and spoofing threats.
Despite growing awareness campaigns, address poisoning remains effective because it exploits human error and interface design rather than cryptographic vulnerabilities.
The irreversible nature of blockchain transactions means there is no recovery mechanism once funds are sent to the wrong address.
