A cryptocurrency trader lost nearly $50 million in a single transaction on Dec. 20 after falling victim to a sophisticated “address poisoning” attack. The incident, which saw 49,999,950 USDT transferred directly into a scammer’s wallet, highlights a growing security crisis where high-tech thieves exploit basic human habits and user interface limitations.

According to onchain investigator Specter, the victim, attempting to move funds from an exchange to a personal wallet, initially performed a test transaction of 50 USDT to his legitimate address. This was detected by the attacker, who immediately generated a “spoofed” vanity address that matched the victim’s legitimate wallet’s first and last four characters.

Read more: Crypto Scams in 2025: How to Spot Them and Protect Yourself

The attacker then sent a negligible amount of crypto from this fake address to the victim, effectively “poisoning” the user’s transaction history. In a discussion that followed on X, Specter lamented the fact that a trader had lost funds to “one of the least likely causes of such a massive loss.” Replying to fellow investigator ZachXBT, who expressed sorrow for the victim, Specter said:

“This is exactly why I was speechless, losing such a massive amount because of a simple mistake. Just a few seconds to copy and paste the address from the correct source instead of the transaction history could have prevented everything. Christmas spoiled.”

Since most modern crypto wallets and block explorers truncate long alphanumeric strings—displaying addresses with ellipses in the middle (e.g., 0xBAF4…F8B5)—the spoofed address appeared identical to the victim’s own at a glance. Therefore, when the victim went on to transfer the remaining 49,999,950 USDT, they followed a common practice: copying the recipient address from their recent transaction history rather than the source.

Within 30 minutes of the poisoning attack, the nearly $50 million in USDT was swapped for the stablecoin DAI before being converted into approximately 16,690 ETH and funneled through Tornado Cash. After realizing what happened, the desperate victim sent an onchain message to the attacker, offering a $1 million white-hat bounty for the return of 98% of the funds. As of Dec. 21, the assets remain unrecovered.

Security experts warn that as crypto assets reach new highs, these low-tech, high-reward “poisoning” scams are becoming more prevalent. To avoid similar fates, holders are urged to always source a receiving address directly from the wallet’s “Receive” tab.

Users should whitelist trusted addresses in their wallet to prevent manual entry errors. They should also consider using devices that require physical confirmation of the full destination address to provide a critical second layer of scrutiny.

• What happened in the Dec. 20 attack? A trader lost nearly $50M USDT to an address‑poisoning scam.
• How did the scam work? Attackers spoofed a wallet address that looked identical in truncated form.
• Where was the stolen crypto moved? Funds were laundered through DAI, converted to ETH, and funneled via Tornado Cash.
• How can traders protect themselves?
  Always copy addresses from the wallet’s “Receive” tab and whitelist trusted accounts.

免责声明：本文章仅代表作者个人观点，不代表本平台的立场和观点。本文章仅供信息分享，不构成对任何人的任何投资建议。用户与作者之间的任何争议，与本平台无关。如网页中刊载的文章或图片涉及侵权，请提供相关的权利证明和身份证明发送邮件到support@aicoin.com，本平台相关工作人员将会进行核查。