A cryptocurrency dealer has misplaced almost $50 million in USDT after falling sufferer to an deal with poisoning rip-off, a way that exploits transaction historical past moderately than sensible contract flaws. Blockchain safety companies mentioned the incident highlights how routine pockets habits can expose customers to large-scale losses.
In an X post, on-chain analytics agency Lookonchain reported that the sufferer transferred 49,999,950 USDT to an attacker-controlled pockets on Dec. 20. The funds had simply been withdrawn from Binance and had been supposed for the dealer’s personal deal with. Instead, they had been redirected to a visually related deal with created by the attacker.
Address Poisoning Scam Exploits Spoofed Addresses
The incident started with a check transaction. The dealer despatched a 50 USDT check transaction to substantiate the vacation spot deal with. Shortly after, an automated script generated a spoofed wallet designed to resemble the reliable deal with.This step marked the beginning of the deal with poisoning rip-off.
The fraudulent deal with shared the identical opening and shutting characters because the supposed pockets, with variations confined to the middle of the string. Many pockets interfaces shorten these center characters, decreasing visibility throughout routine checks.
By exploiting this show conduct, the attacker despatched small transactions from the lookalike deal with to the sufferer’s pockets. This inserted the faux deal with into the transaction historical past, inflicting it to seem reliable throughout later transfers.
When the dealer later copied an deal with from their historical past to finish the total switch, the lookalike deal with was possible chosen by mistake. Etherscan information reveals the check cost was despatched at 3:06 UTC. The misguided $50 million transaction adopted roughly 26 minutes later, at 3:32 UTC.
Stolen Funds Moved Through DAI, ETH, and Tornado Cash
Blockchain safety firm SlowMist reported that the attacker moved rapidly in order to reduce restoration threat. In half-hour, the $50 USDT was exchanged for DAI by by way of MetaMask Swap. The resolution was strategic as a result of Tether can freeze USDT if it’s related to illicit exercise, however DAI doesn’t include any centralized freezes.
The DAI was then transformed by the attacker to roughly 16,690 ETH. Approximately 16,680 ETH was deposited into Tornado Cash. The mixer was an try to obfuscate the transaction trails, the standard step subsequent to an deal with poisoning rip-off.
Upon executing the transaction, the sufferer despatched an on-chain message to the attacker by a $1 million white-hat bounty. The supply demanded the reimbursement of 98% of the stolen cash. There has been no public acknowledgement or reply. The safety firms stay lively monitoring the deal with poisoning rip-off.
According to Chainalysis, the incident contributes to a 12 months of rising crypto thefts. Losses in crypo hacks 2025 exceeded $3.4 billion, extra than the earlier 12 months. One of these, a February breach of Bybit by North Korea-linked actors, totaled about $1.4 billion and was the most important crypto theft ever.
