A crypto trader lost 50 million USD in Tether USDT after falling victim to an advanced 'address poisoning' attack.

On December 20, the blockchain security company Scam Sniffer reported that the attack began after the victim sent a test transaction of 50 USD to their own address.

How Address Poisoning Fraud Occurred

Traders often send a small test transaction like this to confirm that they are sending money to the correct address.

But this activity caused an automated script controlled by the attacker to quickly create a false wallet address.

The false address resembles the recipient's address at the beginning and end. The differences are only in the middle, making it difficult to detect the fraud quickly.

The attacker then sent a very small amount of cryptocurrency from the false address to the victim's wallet.

This transaction inserted the false address into the victim's transaction history, where most wallets only display parts of the address.

The victim then used the address from their transaction history without checking the whole string. As a result, the trader sent 49 999 950 USDT directly to the attacker instead of their own secure wallet.

When the attacker received the money, they quickly moved to reduce the risk of seizure. The attacker immediately swapped the stolen USDT, which the issuer can freeze, for DAI stablecoin via MetaMask Swap.

The attacker then exchanged the amount for about 16 680 ETH.

To further obscure the tracks, the attacker deposited ETH into Tornado Cash. This service breaks the link between sender and receiver.

Victim offers a reward of 1 million USD

To get the money back, the victim sent a message on the blockchain and offered a white hat reward of 1 million USD in exchange for 98% of the stolen money.

"We have officially filed a police report. With the help of the police, cybersecurity authorities, and several blockchain protocols, we have already gathered a lot of information about your activities," the message stated.

The message warned that the victim would pursue the case vigorously in court if the attacker did not cooperate within 48 hours.

"If you do not cooperate: We will proceed through legal and international channels. Your identity will be found and shared with authorities. We will pursue prosecution until justice is served. This is not a request. You have one last chance to avoid serious consequences," wrote the victim.

The incident illustrates an ongoing weakness in how digital wallets display transaction information. Attackers exploit user behavior, not any flaw in the blockchain code.

Security analysts have often warned that wallet providers' truncation of address strings creates risks.

If this issue is not resolved, attackers will likely continue to exploit the fact that users check only the first and last characters of addresses.
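The check below is an added example, not code from Scam Sniffer or any wallet: it flags transaction-history addresses that match a trusted address at both ends but differ in the middle, which is exactly the case a truncated display hides. The addresses are constructed samples, and the function names and match thresholds are assumptions.

```python
"""Flag history addresses that imitate a trusted address at both ends."""

def normalize(addr: str) -> str:
    # Compare case-insensitively (checksummed addresses are mixed-case)
    # and without the 0x prefix.
    a = addr.strip().lower()
    return a[2:] if a.startswith("0x") else a

def truncated(addr: str, head: int = 6, tail: int = 4) -> str:
    # What a wallet that shortens addresses would show in the history view.
    return f"{addr[:head]}...{addr[-tail:]}"

def common_prefix_len(a: str, b: str) -> int:
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n

def find_lookalikes(trusted, history, min_prefix=4, min_suffix=4):
    """Return (history_addr, trusted_addr, prefix_match, suffix_match) for
    every history entry that is NOT a trusted address but shares at least
    min_prefix leading and min_suffix trailing hex characters with one.
    The thresholds are assumptions; tune them to the wallet's display."""
    hits = []
    for t in trusted:
        tn = normalize(t)
        for h in history:
            hn = normalize(h)
            if hn == tn or len(hn) != len(tn):
                continue
            p = common_prefix_len(hn, tn)
            s = common_prefix_len(hn[::-1], tn[::-1])
            if p >= min_prefix and s >= min_suffix:
                hits.append((h, t, p, s))
    return hits

# Constructed sample addresses (40 hex characters each), not real wallets.
TRUSTED = "0x" + "a1b2c3" + "0" * 30 + "9f8e"
POISON = "0x" + "a1b2c3" + "7" * 30 + "9f8e"   # same ends, different middle
UNRELATED = "0x" + "5d" * 20

if __name__ == "__main__":
    for h, t, p, s in find_lookalikes([TRUSTED], [TRUSTED, POISON, UNRELATED]):
        print(f"WARNING: {h} imitates {t} "
              f"({p} leading / {s} trailing chars match; both show as {truncated(h)})")
```

A wallet or a pre-send script can run this over the address book and recent history and refuse to autofill any flagged entry.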