
A crypto user lost $50 million in USDT to an address poisoning scam, a significant onchain theft.
The theft was identified by the Web3 security firm Web3 Antivirus, after the user conducted a $50 test transaction to verify the destination address prior to transferring the bulk of the funds.
Minutes later, a scammer created a wallet address that closely resembled the intended destination address, matching both the first and last characters. This tactic exploited the common practice of wallet interfaces presenting only partial address information.
The scammer sent a small “dust” amount to poison the victim’s transaction history. Believing the destination address was correct, the victim copied it from their history, ultimately sending $49,999,950 USDT to the scammer.
These minor dust transactions are often aimed at wallets with substantial holdings in order to poison their transaction histories and lure users into copy-paste errors like this one. The bots carrying them out typically operate at scale, spraying dust at many wallets in the hope of an occasional hit, which they achieved in this incident.
Data on the blockchain reveals the stolen funds were subsequently exchanged for ether and transferred among multiple wallets. Several addresses involved have since interacted with Tornado Cash, a sanctioned crypto mixer, in an attempt to obscure the transaction trail.
In turn, the victim issued an onchain message demanding the return of 98% of the stolen funds within 48 hours. The message included legal threats and offered the attacker a $1 million white-hat bounty if the stolen assets were returned in full.
Refusal to comply, the message stated, would lead to legal escalation and potential criminal charges.
“This is your final opportunity to resolve this matter peacefully,” the victim wrote in the message. “If you fail to comply: we will escalate the matter through legal international law enforcement channels.”
Address poisoning attacks do not exploit any vulnerability in code or cryptography; instead, they take advantage of user habits, specifically the tendency to rely on partial address matching and to copy-paste destinations from transaction records.
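A defensive check for the failure mode described above, written here as an added example and not taken from the article or from Web3 Antivirus: it compares a pasted destination against a user-kept address book by full string, flags look-alike addresses that share only the visible prefix and suffix, and scans a transaction history for dust deposits from such look-alikes. The address-book layout, history record format, display lengths and dust threshold are assumptions; the sample addresses are constructed.

```python
import re

# Added example, not from the article: defensive checks against address poisoning.
# Assumes Ethereum-style addresses ("0x" + 40 hex chars) and a user-kept address
# book of trusted destinations; the sample data at the bottom is constructed.
ADDR_RE = re.compile(r"^0x[0-9a-f]{40}$")
PREFIX_LEN, SUFFIX_LEN = 6, 4  # "0xabcd...ef01": about what a truncated wallet UI shows

def classify_destination(candidate, address_book):
    """Return ("trusted", label), ("lookalike", label), ("unknown", None) or ("invalid", None).

    A look-alike shares the visible prefix and suffix of a trusted entry but
    differs elsewhere: the signature of a poisoned transaction history."""
    cand = candidate.strip().lower()
    if not ADDR_RE.match(cand):
        return ("invalid", None)
    trusted = {label: a.lower() for label, a in address_book.items()}
    for label, t in trusted.items():
        if cand == t:  # full-string comparison, never a partial one
            return ("trusted", label)
    for label, t in trusted.items():
        if cand[:PREFIX_LEN] == t[:PREFIX_LEN] and cand[-SUFFIX_LEN:] == t[-SUFFIX_LEN:]:
            return ("lookalike", label)
    return ("unknown", None)

def flag_poisoned_history(history, address_book, dust_threshold=1.0):
    """Scan inbound transfers and return (address, mimicked_label) for tiny
    'dust' deposits sent from look-alikes of trusted addresses: the bait a
    victim copies when picking a destination out of their history."""
    flagged = []
    for tx in history:
        if tx["direction"] != "in" or tx["amount"] > dust_threshold:
            continue
        verdict, label = classify_destination(tx["counterparty"], address_book)
        if verdict == "lookalike":
            flagged.append((tx["counterparty"], label))
    return flagged

# Constructed sample data (not real addresses): one trusted deposit address and
# a poisoned look-alike that matches only the first and last characters.
ADDRESS_BOOK = {"exchange-deposit": "0xabcd" + "1" * 32 + "ef01"}
LOOKALIKE = "0xabcd" + "9" * 32 + "ef01"
HISTORY = [
    {"direction": "out", "counterparty": ADDRESS_BOOK["exchange-deposit"], "amount": 50.0},
    {"direction": "in", "counterparty": LOOKALIKE, "amount": 0.001},  # the dust transfer
]
```

Wiring `classify_destination` into the send path so that anything other than a "trusted" verdict blocks the transfer is what turns the partial-match habit the article describes into a hard check.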
