A whale was poisoned and mistakenly transferred 50 million USDT! The attacker quickly exchanged it for DAI > ETH > Tornado Cash.


The simplest attack method can still catch big fish. According to a post today by on-chain analyst @EmberCN (余烬), a whale or institution withdrew 50 million USDT from Binance around midnight on the 19th (Taiwan time) and first "tested" the route by transferring 50 USDT to the planned receiving address.

Shortly afterwards, the attacker generated a look-alike address whose first and last three characters matched the intended one and sent a 0.005 USDT dust transfer to the victim. When the victim made the real transfer, the address appears to have been copied straight from the recent transaction records, so the entire 50 million USDT went to the attacker's look-alike address, a truly disastrous outcome.

Fund flow: USDT → DAI → ETH → Tornado

Ember pointed out that the attacker quickly converted the 50 million USDT into DAI (to reduce the risk of the funds being frozen), used all of it to buy 16,624 ETH, and then laundered the funds through Tornado Cash. The post also listed the relevant addresses: the victim's address is 0xcB80784ef74C98A89b6Ab8D96ebE890859600819, and the attacker's address is 0xBaFF2F13638C04B10F8119760B2D2aE86b08f8b5.

Attack methods: Risks of "poisoning" via similar addresses and operational habits

"Address poisoning" means that, right after you make a transfer, an attacker generates one or more addresses whose beginning and end match your real counterparty's, then sends tiny "dust" transfers from those look-alike addresses to you so that they show up in your recent transaction history. A user who has the habit of copying the destination address from recent transactions is then very likely to send a large sum to the attacker's address when making the real transfer.

Yu Jin (Ember) emphasized that one should not check only the first and last few characters of an address, since a look-alike address "can be generated in a few seconds," so the risk is high.

Many users commented that using an ENS name (such as xxx.eth) improves security; other suggestions were to never copy the destination from recent transaction records, to enter the address manually from a trusted source, to compare every character of the address rather than just the ends, and to treat small dust transfers as a warning sign. For professional institutions and high-net-worth individuals, these operational details often matter more than the tools themselves.
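The following is an added example, not code from the original post or from Ember, showing how a wallet front end or an operations checklist can apply the two defensive points above: never match an address by its head and tail alone, and treat a dust transfer from a look-alike address as a red flag. All addresses and transfer records in it are constructed for illustration; the hypothetical helper names (`looks_alike`, `flag_poisoning`, `resolve_destination`) are this example's own.

```python
"""Address-poisoning check over a wallet's recent transfer history.

Added example, not from the original article. Addresses and transaction
records below are constructed, not real on-chain data.
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Transfer:
    counterparty: str      # the other address in the transfer
    direction: str         # "in" (received) or "out" (sent)
    amount_usdt: Decimal
    block: int


def normalize(addr: str) -> str:
    """Validate a 20-byte hex address and lowercase it so comparisons
    ignore EIP-55 checksum casing."""
    addr = addr.strip()
    if not (addr.startswith("0x") and len(addr) == 42):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    int(addr[2:], 16)  # raises ValueError on non-hex characters
    return addr.lower()


def looks_alike(a: str, b: str, prefix: int = 3, suffix: int = 3) -> bool:
    """True when a and b are different addresses that share their first
    `prefix` and last `suffix` hex characters, i.e. they pass a glance
    at head and tail but are not the same account."""
    a, b = normalize(a), normalize(b)
    if a == b:
        return False
    return a[2:2 + prefix] == b[2:2 + prefix] and a[-suffix:] == b[-suffix:]


def flag_poisoning(history, trusted, dust_threshold=Decimal("1")):
    """Return {suspect_address: [(trusted_address_it_mimics, is_dust, block)]}
    for every counterparty in history that resembles a trusted address
    without being one. A dust-sized incoming transfer is the classic sign."""
    trusted_norm = {normalize(t) for t in trusted}
    suspects = {}
    for tx in history:
        cp = normalize(tx.counterparty)
        if cp in trusted_norm:
            continue
        for t in trusted_norm:
            if looks_alike(cp, t):
                is_dust = tx.direction == "in" and tx.amount_usdt <= dust_threshold
                suspects.setdefault(cp, []).append((t, is_dust, tx.block))
    return suspects


def resolve_destination(history, intended: str) -> str:
    """Pick a destination from history only by exact full-address match
    against the address taken from the source of truth (address book,
    signed invoice). A look-alike never matches, however recent it is."""
    want = normalize(intended)
    for tx in sorted(history, key=lambda t: t.block, reverse=True):
        if normalize(tx.counterparty) == want:
            return want
    raise LookupError("intended address not found in history")


# Constructed sample data: an intended payee, a look-alike that shares the
# first and last three characters, and an unrelated counterparty.
INTENDED = "0x" + "abc" + "0" * 34 + "def"
POISON = "0x" + "abc" + "1" * 34 + "def"
OTHER = "0x" + "1" * 40
HISTORY = [
    Transfer(INTENDED, "out", Decimal("50"), block=100),   # the "test" transfer
    Transfer(POISON, "in", Decimal("0.005"), block=101),   # dust from look-alike
    Transfer(OTHER, "in", Decimal("1000"), block=102),
]

if __name__ == "__main__":
    print("look-alike:", looks_alike(INTENDED, POISON))
    print("suspects:", flag_poisoning(HISTORY, [INTENDED]))
    print("destination:", resolve_destination(HISTORY, INTENDED))
```

`flag_poisoning` is the detection side (run it whenever history is shown to the user), and `resolve_destination` is the mitigation side: the real address comes from the address book or counterparty document, and the history is only allowed to confirm it by exact match, never to supply it.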

Some in the community put it more bluntly: if the address belongs to an organization, they want it identified, so that the practice of making large transfers with such weak security controls is exposed and everyone can "avoid this trap."
