A crypto trader lost $50 million in Tether's USDT after falling victim to a sophisticated 'address poisoning' attack.

On December 20, the blockchain security company Scam Sniffer reported that the attack began after the victim sent a small test transaction of $50 to their own address.

How the address poisoning scheme developed

Traders commonly send a small test transaction like this as a precaution, to confirm they are sending funds to the correct address.

But this activity alerted an automated script controlled by the attacker, which immediately generated a 'spoofed' wallet address.

The fake address is designed to match the recipient's address at the beginning and end of the alphanumeric string. The differences are only found in the middle of the address, making the scam difficult to detect at first glance.

The attacker then sent a negligible amount of cryptocurrency from the fake address to the victim's wallet.

This transaction effectively placed the fake address in the victim's recent transaction history, where many wallets show only shortened addresses.

By relying on these visual shortcuts, the victim copied the address from history without checking the entire string. Instead of sending the funds to a secure personal wallet, the trader sent 49,999,950 USDT directly to the attacker.

After receiving the funds, the attacker quickly moved the assets to limit the risk of asset seizure, according to blockchain data. The attacker immediately swapped the stolen USDT, which the issuer can freeze, for the DAI stablecoin via MetaMask Swap.

The attacker then converted the funds to around 16,680 ETH.

To further conceal the trail, the attacker deposited the ETH into Tornado Cash. This decentralized mixing service is designed to break the visible link between sender and receiver.

Victim offers a bounty of $1,000,000

In an attempt to recover the funds, the victim sent a message on the blockchain offering a “white-hat bounty” of $1 million in exchange for 98% of the stolen funds.

“We have officially reported the case. With assistance from police, cybersecurity agencies, and several blockchain protocols, we have already gathered significant and actionable information about your activities,” the statement said.

The message warned that the victim would pursue “relentless” legal action if the attacker did not comply within 48 hours.

“If you do not comply: We will escalate the matter through legal and international channels. Your identity will be revealed and shared with relevant authorities. We will relentlessly pursue both criminal and civil lawsuits until full justice is achieved. This is not a request. You have one last chance to avoid irreversible consequences,” the victim stated.

The incident underscores a persistent vulnerability in how digital wallets display transaction information, and how attackers exploit user behavior rather than flaws in blockchain code.

Security analysts have repeatedly warned that wallet providers' practice of shortening long addresses for user-friendliness creates a persistent risk.

If this issue is not resolved, attackers will likely continue to exploit users' tendency to only verify the first and last characters in an address.
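
A defensive check for the pattern described above, as an added example that is not part of the original article: it compares addresses seen in a wallet's history against a trusted address list and flags any that match at both ends but differ in the middle. The addresses, function names and thresholds are constructed for illustration.

```python
# Added example: flag look-alike ("poisoned") addresses before reusing one
# from transaction history. All addresses are constructed sample values.

def normalize(addr):
    """Lower-case an Ethereum-style address and strip the 0x prefix."""
    a = addr.strip().lower()
    return a[2:] if a.startswith("0x") else a

def shared_ends(a, b):
    """Count the leading and trailing hex characters two addresses share."""
    a, b = normalize(a), normalize(b)
    limit = min(len(a), len(b))
    prefix = 0
    while prefix < limit and a[prefix] == b[prefix]:
        prefix += 1
    suffix = 0
    while suffix < limit - prefix and a[-1 - suffix] == b[-1 - suffix]:
        suffix += 1
    return prefix, suffix

def find_lookalikes(trusted, history, min_prefix=4, min_suffix=4):
    """Return (history_addr, trusted_addr, prefix, suffix) for each history
    address that is NOT trusted but matches a trusted one at both ends."""
    trusted_set = {normalize(t) for t in trusted}
    hits = []
    for h in history:
        if normalize(h) in trusted_set:
            continue  # exact full-string match: the genuine address
        for t in trusted:
            p, s = shared_ends(h, t)
            if p >= min_prefix and s >= min_suffix:
                hits.append((h, t, p, s))
    return hits

def safe_to_send(candidate, trusted):
    """Allow a destination only on an exact, full-length match."""
    return normalize(candidate) in {normalize(t) for t in trusted}

# Constructed sample data (assumption: 40-hex-character addresses).
TRUSTED = ["0xA1b2C3d4E5f60718293a4B5c6D7e8F9012345678"]
LOOKALIKE = "0xA1b2C3d4" + "f" * 26 + "345678"  # same ends, different middle
HISTORY = [
    "0xa1b2c3d4e5f60718293a4b5c6d7e8f9012345678",  # genuine, different case
    LOOKALIKE,
    "0x" + "9" * 40,                                # unrelated counterparty
]

if __name__ == "__main__":
    for hit in find_lookalikes(TRUSTED, HISTORY):
        print("look-alike of trusted address:", hit)
```

A shortened display of the first and last four characters would render the genuine and look-alike sample addresses identically, which is why the send check compares the whole string.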