Another case of "address poisoning," causing one user to lose $50 million.


The attack caused a shock.

A cryptocurrency user lost nearly $50 million USDT after mistakenly transferring assets to a scammer's wallet address in a phishing attack. The incident is being considered by analysts as one of the largest on-chain scams ever recorded.

Blockchain investigators discovered the incident last weekend. Unlike smart contract hacks or exchange intrusions, this incident did not stem from a complex technical vulnerability, but from a seemingly simple operational error that turned out to be particularly concerning.

A "poisoning attack" is a type of attack where a hacker creates a wallet address whose first and last characters closely resemble those of an address the victim regularly uses. When users copy and paste the address from their transaction history without fully verifying the string of characters, they may unknowingly send money to the attacker's wallet. In this case, the fraudulent address was designed to almost perfectly match the victim's familiar wallet, making the confusion difficult to detect with the naked eye.

On-chain analysis revealed that the incident was not an isolated accident, but the result of a carefully planned scenario. Prior to the nearly $50 million transaction, the attacker sent a very small amount of USDT – known as a “dust transaction” – to the victim's wallet. The purpose was to have a fake address appear in the transaction history. When the victim then made a large transfer and selected an address from the list of recent transactions, they inadvertently chose the "poisoned" address.

Notably, blockchain data also revealed that the victim had previously made a test transaction with a small amount of money – a common safety measure in the crypto community. However, this very habit was exploited, as it reinforced the credibility of the fake address in the transaction history and led to the fatal transfer.

SlowMist stated that the attacker acted almost immediately after receiving the massive sum of money. Within approximately 30 minutes, the entire amount was swapped and laundered through multiple layers of transactions. Specifically, 50 million USDT was swapped for Dai via MetaMask Swap, then further converted into approximately 16,690 ETH. The majority of this Ethereum – 16,680 ETH – was quickly deposited into Tornado Cash, a coin mixing platform designed to conceal the flow of funds on the blockchain.

30 mins after receiving 50M $USDT, the Scammer took action:
• Swapped 50M $USDT to $Dai via MetaMask Swap
• Swapped all $Dai to 16,690 $ETH
• Deposited 16,680 $ETH into Tornado Cash

The Scammer addresses:
0xbaff2f13638c04b10f8119760b2d2ae86b08f8b5… https://t.co/ySGWtg3VIB pic.twitter.com/3BsWndrrJC

— SlowMist (@SlowMist_Team) December 20, 2025

The use of Tornado Cash demonstrates the attacker's level of sophistication, as well as the increasing challenge for regulators, as cash flows can be obscured in a short period of time. Experts believe the chances of recovering assets in such cases are very low.

Blockchain analyst Specter Analyst wrote on X that what left him "speechless" wasn't just the scale of the damage, but the nature of the attack. Address poisoning is generally regarded as one of the least likely risks to cause such massive losses. Yet it still happened, he noted, pointing out that human error and wallet interface design are becoming the weakest links in the ecosystem.

Following the incident, the victim left a direct message on the blockchain, demanding that the attacker return 98% of the money within 48 hours and offering to let the attacker keep $1 million as a reward.

Cybercrime is on the rise significantly.

While shocking, this nearly $50 million loss is actually just the tip of the iceberg of a much larger problem. According to the latest research, in 2025 alone, IP spoofing attacks caused an estimated total loss of up to $3.4 billion across the entire cryptocurrency ecosystem.

Over 158,000 wallets were compromised, affecting approximately 80,000 different victims. September 2025 was the most critical period, with 32,290 suspected attacks occurring across multiple blockchains, impacting 6,516 users in a single month.

On Ethereum and Binance Smart Chain, researchers have tracked over 270 million address poisoning attempts. Of those, the directly confirmed losses from this type of attack exceeded $83.8 million, not including major incidents that received media attention, such as this latest $50 million loss.

The latest incident is also sparking heated debate about the user interface and user experience (UI/UX) design of cryptocurrency wallets. Many experts and Ethereum community members are calling on platforms to stop shortening wallet addresses and instead display the full string of characters to reduce the risk of confusion.
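
The pre-send check below is an added example, not code from the article or from any wallet. It flags a recipient whose shortened form matches a trusted address while the full address differs, and one that entered the history only through dust-sized inbound transfers, as in the mechanism described earlier. The display widths, the dust threshold, the function names and the sample addresses are all assumptions.

```python
import re
from dataclasses import dataclass

HEAD, TAIL = 6, 4   # assumed wallet display: "0x" + 4 hex, "...", last 4 hex
DUST_MAX = 1.0      # assumed threshold (in USDT) for a "dust" transfer

@dataclass
class Transfer:
    direction: str  # "in" = received by the user, "out" = sent by the user
    peer: str       # counterparty address
    amount: float   # USDT

def norm(addr):
    """Lower-case a 20-byte hex address; reject anything malformed."""
    a = addr.strip().lower()
    if not re.fullmatch(r"0x[0-9a-f]{40}", a):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return a

def short(addr):
    """The shortened form a wallet UI would show."""
    a = norm(addr)
    return f"{a[:HEAD]}...{a[-TAIL:]}"

def check_recipient(candidate, trusted, history):
    """Return (verdict, reasons) for a recipient picked from history."""
    cand = norm(candidate)
    known = sorted({norm(t) for t in trusted})
    if cand in known:
        return "ok", []
    # Same visible head and tail as a trusted address, different middle.
    lookalikes = [t for t in known if short(t) == short(cand)]
    reasons = [f"shortened form equals trusted {t}, full address differs"
               for t in lookalikes]
    # Only ever seen as the sender of tiny inbound transfers (dust).
    seen = [tx for tx in history if norm(tx.peer) == cand]
    if seen and all(tx.direction == "in" and tx.amount <= DUST_MAX for tx in seen):
        reasons.append("present in history only through dust-sized inbound transfers")
    if lookalikes:
        return "block", reasons
    return ("warn" if reasons else "unknown"), reasons

# Constructed sample data (not real addresses).
TRUSTED = "0x1a2b" + "c" * 32 + "9f8e"
POISON = "0x1a2b" + "d" * 32 + "9f8e"
HISTORY = [Transfer("out", TRUSTED, 50.0),   # user's own small test transfer
           Transfer("in", POISON, 0.005)]    # attacker's dust transfer

if __name__ == "__main__":
    print(check_recipient(POISON, [TRUSTED], HISTORY))
```

The comparison is made on the full normalized address, so a match on the visible head and tail alone never counts as a match.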

The incident also occurred amidst a significant increase in cybercrime targeting the digital asset market. According to the latest statistics from Chainalysis, the amount of crypto stolen by North Korean hackers in 2025 increased by 51% compared to the previous year. The total amount of money stolen by these hacking groups, believed to be state-backed, since 2016 has reached $6.7 billion. Just a few months ago, the crypto industry also witnessed the largest attack in history on the Bybit exchange, resulting in losses of up to $1.5 billion in Ethereum and related tokens.

Coin68 compilation
