A cryptocurrency trader lost $50 million in Tether's USDT to an advanced 'address poisoning' attack.

On December 20, blockchain security company Scam Sniffer reported that the attack began after the victim sent a small test transaction of $50 to their own address.

How the address poisoning scam unfolded

A small test transaction like this is a standard precaution that traders take to check whether they are sending money to the correct address.

But an automated script run by the attacker noticed this activity and immediately created a 'spoofed' wallet address.

The fake address closely resembles the intended receiving address: it starts and ends with the same letters and numbers. Only the middle of the address is different, making it difficult to recognize.

The attacker then sent a very small amount of crypto from the fake address to the victim's wallet.

As a result, the fraudulent address appeared in the victim's recent transaction history, where many wallet apps display only a truncated version of the address.

Because the victim only looked at the beginning and end, he copied the fake address from his transaction history without checking the entire address. Instead of sending money to his secure personal wallet, the trader then directly transferred 49,999,950 USDT to the attacker.

On-chain information shows that after receiving the funds, the attacker quickly tried to limit the chance of seizure. The perpetrator directly exchanged the stolen USDT, which can be frozen by the issuer, for the DAI stablecoin via MetaMask Swap.

The attacker then converted this to about 16,680 ETH.

To further obscure the trail, the attacker deposited the ETH via Tornado Cash. This decentralized mixing service is designed to break the visible link between sender and receiver.

Victim offers $1,000,000 bounty

In an attempt to recover the stolen crypto, the victim sent an on-chain message offering a white-hat bounty of $1 million in exchange for the return of 98% of the stolen funds.

"We have officially filed a report with the police. With the help of law enforcement, cybersecurity agencies, and various blockchain protocols, we have already gathered a lot of important and useful information about your activities," the message stated.

In the message, the victim warned the attacker that he would "relentlessly" take legal action if there was no response to the request within 48 hours.

"If you do not cooperate: we will escalate the matter through legal and international law enforcement channels. Your identity will be traced and shared with the appropriate authorities. We will tirelessly pursue criminal and civil actions until full justice is achieved. This is not a request – you have one last chance to avoid irreversible consequences," said the victim.

This incident again highlights a persistent weakness in how digital wallets display transaction information, and shows how attackers exploit user behavior rather than errors in blockchain code.

Security analysts have repeatedly warned that wallet providers create a dangerous situation by truncating long addresses for ease of use.

If this issue is not resolved, attackers are likely to continue to exploit the fact that users usually only check the first and last characters of an address.
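
The check below is an added example, not code from Scam Sniffer or any wallet vendor: it flags addresses in a transaction history that look identical to a trusted address once truncated but differ in full, and classifies a destination before a transfer. The 4-character prefix and suffix lengths, the function names and the sample addresses are assumptions constructed for illustration.

```python
PREFIX_LEN = 4  # hex chars after "0x" shown by a truncated display (assumed)
SUFFIX_LEN = 4  # trailing hex chars shown by a truncated display (assumed)
HEX = set("0123456789abcdef")


def normalize(addr: str) -> str:
    """Lower-case an Ethereum-style address and validate its shape."""
    a = addr.strip().lower()
    if not a.startswith("0x") or len(a) != 42 or not set(a[2:]) <= HEX:
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return a


def truncated(addr: str) -> str:
    """What a truncating wallet UI shows, e.g. 0xa1b2...9f8e."""
    a = normalize(addr)
    return f"{a[:2 + PREFIX_LEN]}...{a[-SUFFIX_LEN:]}"


def find_lookalikes(trusted, history):
    """Return (history_addr, trusted_addr) pairs that display the same but differ in full."""
    by_display = {}
    for t in trusted:
        by_display.setdefault(truncated(t), set()).add(normalize(t))
    hits = []
    for h in history:
        n = normalize(h)
        for t in sorted(by_display.get(truncated(n), ())):
            if n != t:  # same truncated form, different middle: poisoning candidate
                hits.append((n, t))
    return hits


def check_recipient(dest, trusted):
    """Classify a destination: 'trusted', 'lookalike' (block) or 'unknown' (review in full)."""
    n = normalize(dest)
    if n in {normalize(t) for t in trusted}:
        return "trusted"
    return "lookalike" if find_lookalikes(trusted, [n]) else "unknown"


# Constructed sample data, not addresses from the incident.
OWN = "0xA1b2" + "c3" * 16 + "9F8e"    # the user's own wallet (mixed-case form)
FAKE = "0xa1b2" + "00" * 16 + "9f8e"   # same first/last 4 hex chars, different middle
OTHER = "0x" + "12" * 20               # unrelated counterparty

if __name__ == "__main__":
    for fake, real in find_lookalikes([OWN], [FAKE, OTHER, OWN]):
        print(f"{fake} imitates {real} (both display as {truncated(real)})")
    print(check_recipient(FAKE, [OWN]))
```

Comparison is done on the full lower-cased address, so a copy of the trusted address in a different letter case is still treated as trusted.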