A cryptocurrency trader has suffered a devastating loss of nearly $50 million after falling victim to a sophisticated address poisoning attack, marking one of the largest individual incidents of its kind to date.
The attack highlights how even experienced users can be exploited through subtle wallet manipulation techniques.
Following the breach, the victim issued an urgent on-chain message offering a $1 million bounty for the return of the funds and confirmed that a criminal case has been filed. Despite the public appeal, the stolen assets have not been recovered.
How the Attack Unfolded
The incident, which occurred around December 20, 2025, exploited a common habit among crypto users: copying recipient addresses from transaction history instead of verifying them independently.
The sequence began with a routine safety step. The victim sent a small test transfer of 50 USDT to a legitimate destination address. Shortly after, the attacker deployed an automated script designed to execute the core deception.

A fraudulent wallet address was generated to match the exact same starting and ending characters as the legitimate one. This look-alike address then sent a tiny transaction to the victim’s wallet, ensuring it appeared in the transaction history.
When the trader later initiated the main transfer, nearly $50 million in USDT, they mistakenly copied the spoofed address from their history, believing it was the original, verified destination.
Rapid Laundering to Obscure the Trail
Once the funds were received, the attacker moved swiftly to reduce traceability.
The stolen USDT was first converted into DAI, a stablecoin not subject to freezing. The DAI was then swapped for approximately 16,680 ETH. Most of that ETH was subsequently routed through Tornado Cash, a crypto mixing service designed to obfuscate transaction flows and complicate forensic tracking.
This rapid sequence significantly reduced the likelihood of asset recovery through conventional on-chain tracing.
On-Chain Bounty and Legal Threats
In a last-ditch effort to recover the funds, the victim sent an on-chain message directly to the attacker. The proposal offered a 98% return of the stolen assets, allowing the attacker to retain $1 million as a so-called “white hat” bounty.
The message also warned that failure to comply within 48 hours would result in aggressive legal action and coordination with international law enforcement agencies. As of now, there has been no public response, and the funds remain unreturned.
Why Address Poisoning Is So Dangerous
Address poisoning attacks are particularly effective because they exploit visual shortcuts users rely on when verifying wallet addresses. By matching only the first and last characters, attackers can create addresses that appear legitimate at a glance, especially in transaction histories or wallet UIs with truncated displays.
The scale of this loss underscores that address poisoning is no longer a nuisance attack; it has become a high-impact threat capable of draining institutional-level sums.
How Users Can Protect Themselves
Security experts emphasize several best practices to reduce exposure to address poisoning attacks:
Always verify the entire wallet address, character by character, before sending large transfers. Relying only on the beginning and end of an address is not sufficient.
Use wallet address books for frequently used destinations and avoid copying addresses from transaction history.
Treat unexpected small transactions from unfamiliar or similar-looking addresses as a red flag rather than confirmation.
Consider hardware wallets that display the full destination address on a separate screen, forcing manual verification before approval.
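The full-address comparison recommended above can also be automated. The following sketch is an added example, not code from the article or from any wallet; it assumes Ethereum-style 0x hex addresses, a hypothetical saved address book, a 4-character threshold standing in for what a truncated wallet display shows, and constructed sample addresses.

```python
# Constructed Ethereum-style addresses (40 hex chars); none is a real wallet.
LEGIT = "0x" + "a1b2" + "0" * 32 + "9f8e"
SPOOF = "0x" + "a1b2" + "7" * 32 + "9f8e"   # same first/last 4 chars, different middle
OTHER = "0x" + "5c" * 20
ADDRESS_BOOK = {"exchange-deposit": LEGIT}   # hypothetical saved destination
HISTORY = [LEGIT, OTHER, SPOOF]              # counterparties seen in transaction history


def normalize(addr):
    """Lower-case and drop the 0x prefix so checksum casing does not affect comparison."""
    a = addr.strip().lower()
    return a[2:] if a.startswith("0x") else a


def shared_affix(a, b):
    """Count matching leading and trailing characters of two normalized addresses."""
    prefix = 0
    for x, y in zip(a, b):
        if x != y:
            break
        prefix += 1
    suffix = 0
    for x, y in zip(reversed(a), reversed(b)):
        if x != y:
            break
        suffix += 1
    return prefix, suffix


def check_destination(candidate, address_book, min_prefix=4, min_suffix=4):
    """Classify candidate as trusted (full match), lookalike, or unknown."""
    cand = normalize(candidate)
    for label, saved in address_book.items():
        if normalize(saved) == cand:
            return ("trusted", label)
    for label, saved in address_book.items():
        prefix, suffix = shared_affix(cand, normalize(saved))
        if prefix >= min_prefix and suffix >= min_suffix:
            return ("lookalike", label)
    return ("unknown", None)


def poisoned_history_entries(history, address_book):
    """Return history addresses that imitate a saved address without matching it fully."""
    return [a for a in history if check_destination(a, address_book)[0] == "lookalike"]


if __name__ == "__main__":
    for addr in HISTORY:
        print(addr, check_destination(addr, ADDRESS_BOOK))
```

A "lookalike" result is a reason to stop and re-obtain the destination from its original source; an "unknown" result only means the address is not in the saved list.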
Final Takeaway
This incident serves as a stark reminder that in crypto, operational security failures can be catastrophic, regardless of experience level or portfolio size. As attackers refine social and technical deception methods, defensive habits (slow verification, trusted address storage, and hardware safeguards) remain the most effective protection.
In decentralized systems, there are no chargebacks, and a single copied character can be the difference between a routine transfer and a nine-figure loss.






