- Trending
- Comments
- Latest
Zero-value transfer phishing scams just claimed another major victim, and this time, it was a brutal double hit. A crypto investor lost $2.6 million in stablecoins across two separate attacks within just three hours, exposing the growing sophistication of on-chain address poisoning.
The zero-value transfer exploit has become a potent weapon for scammers operating across Ethereum and BNB Chain. According to crypto compliance firm Cyvers, the victim was initially duped into sending $843,000 in Tether (USDT), only to fall for a second scam mere hours later — this time transferring an additional $1.75 million.
Cyvers, which flagged the incident on May 26, described the attacks as a textbook case of zero-value transfer phishing, a method that deceives users by mimicking previous onchain interactions without requiring wallet signature approval.
At its core, a zero-value transfer uses the blockchain’s public visibility to manipulate trust. Here’s how it unfolds: attackers send a zero-token transaction from a victim’s wallet to a spoofed address using the transferFrom function.
Since no value is being moved, the blockchain doesn’t require private key authorization, but the transaction still appears in the victim’s history.
“People trust what they see on-chain. That’s the problem,” said Doron Rosenblum, head of Cyvers, in a statement. “If you see an address in your history, you assume it’s familiar — and that’s where attackers strike.”
When a user later searches their wallet for past transactions or copies addresses from clipboard history, they may mistakenly send real crypto to the attacker, believing it to be a trusted address.
Experts now see zero-value transfer phishing as the next generation of address poisoning. In older attacks, bad actors would send small transactions from addresses that look similar to real ones, often mimicking the first and last characters, to appear legitimate in history logs.
But zero-value transfer eliminates even the small cost of a transaction. With gas fees as the only barrier, scammers now have near-zero-cost access to a victim’s trust.
“This is no longer just about bad spelling or shady links. It’s about deep manipulation of blockchain mechanics,” noted Webacy co-founder Maika Isogawa, whose firm recently partnered with cybersecurity group Trugard to develop AI-driven detection for poisoned wallets.
The numbers reveal the scale of the threat. A joint study by Trugard and Webacy, published in January 2025, reported over 270 million zero-value transfers and address poisoning attempts across Ethereum and BNB Chain between July 2022 and June 2024.
Out of those, 6,000 attacks succeeded, resulting in more than $83 million in confirmed losses. The study also highlighted the rising complexity of these scams and how victims often unknowingly authorize massive transfers based on faulty trust.
“Scammers exploit human behavior, not just code,” Isogawa added. “They rely on people trusting their history — and that’s exactly what zero-value transfer scams manipulate.”
Security firms advise crypto users to never copy addresses from transaction histories, especially on mobile wallets or dApps. Instead, addresses should be double-checked manually or stored using hardware wallets or secure address books.
Additionally, tools like the new AI-powered address checker from Webacy and Trugard, reportedly 97% accurate, can help flag spoofed or poisoned addresses before transfers are made.
The $2.6 million loss serves as a stark reminder: trust onchain records with caution. As zero-value transfer scams grow more advanced, the crypto community must adapt its defenses.
With over $83 million already lost and new attacks surfacing daily, education, vigilance, and AI-enhanced tools are now essential to protect your crypto from invisible thieves. The Bit Gazette will continue to observe the market and report as events unfold.
Copyright © 2025 - The Bit Gazette.
