The price of “speed and convenience” in the cryptocurrency space could be as high as $12.4 million. An Ethereum (ETH) holder and regular crypto user just found that out as he lost 4,556 ETH valued at over $12.4 million after he accidentally transferred the asset to an attacker’s poison address.
How copy-paste error enabled $12.4 million attack
Lookonchain update explained that the attacker generated a fake address containing the first and last four characters of the Galaxy Digital’s real deposit recipient. The attacker proceeded to send tiny “dust” transactions to the victim’s wallet.
The goal was to simulate a fake or poison address in the victim’s transaction history. The goal of the malicious actor was to make the address look legitimate and familiar to the victim. The attacker was relying on the victim not paying close attention to details, given the similarity in the address.
The user, likely out of convenience and the need to quickly execute the transaction, opened his transaction history and copied what he thought was Galaxy Digital’s address. Given that it is a transaction he performs on a regular basis, he thought nothing of it and did not double-check the entire address.
This “copy and paste error” has cost the user $12.4 million as he sent the entire 4,556 ETH to the hacker’s address.
The poison address form of scam attacks is gaining traction in the crypto space as hackers rely on users not painstakingly checking addresses. In December 2025, another user lost $50 million after they copied a spoofed address due to visual similarity.
Interestingly, with this user, he had done a test run with $50 to his address, and it was this trial that the malicious hacker used to spoof the wallet as a trap. Unfortunately, the user fell victim to transferring the remaining $49,999,950 to the hacker.
Users warned to watch out for address poisoning scams
The frequency of these attacks calls for more vigilance in the crypto space. Users need to stop copying addresses from transaction history. They also must verify the entire address, not just the first and last four characters, which could be a poisoned address.
One user, Mark Huber, while reacting to the loss, stated that he always prioritizes safety over convenience when making transactions. Huber claimed that if he were to send $12 million, he would probably send it in batches of $100,000 at a time.
The idea is to avoid losing the entire funds in a single transaction. Others have advised the use of the ENS domain or address book to avoid such losses.
Source: https://u.today/scam-alert-ethereum-whales-lose-millions-to-copy-paste-error
