Crypto Trader Loses $50 Million in Address Poisoning Attack, Offers $1 Million Bounty

The attack marks one of the largest individual losses from this type of fraud on record.

Blockchain security firms SlowMist, Scam Sniffer, and Web3 Antivirus identified the victim as sending 49,999,950 USDT to a scammer-controlled address. The funds were withdrawn from Binance exchange just before the attack occurred.

The Attack Timeline

According to Etherscan data, the victim initially sent a small test transaction of 50 USDT to their intended destination address at 06:20:35 UTC. This is a standard security practice many crypto users follow before sending large amounts.

However, an automated script controlled by the attacker immediately created a fake wallet address. The malicious address (0xBaFF2F13638C04B10F8119760B2D2aE86b08f8b5) was designed to look nearly identical to the victim’s real destination address (0xbaf4b1aF7E3B560d937DA0458514552B6495F8b5).

The scammer made the fake address match the first three and last four characters of the legitimate address. Since most crypto wallets show only the beginning and end of addresses with dots in the middle, this trick easily fools users who don’t check every character.

Source: @lookonchain

The attacker then sent small transactions from the fake address to the victim’s wallet. This “poisoned” the victim’s transaction history with the scammer’s address. When the victim copied an address from their history 12 minutes later to send the full $50 million, they accidentally grabbed the fake one instead. The massive transfer went through at 06:32:59 UTC.

Swift Money Laundering

The attacker moved fast to hide the stolen money. Within 30 minutes of receiving the USDT, the scammer converted all of it to DAI using MetaMask Swap. This was a smart move because Tether can freeze USDT in suspicious wallets, but DAI is decentralized and cannot be frozen.

The attacker then swapped the DAI for approximately 16,690 ETH. Most of this—around 16,680 ETH—was deposited into Tornado Cash, a crypto mixing service that makes transactions nearly impossible to trace.

Security researcher Cos from SlowMist explained that “the subtlety is in the middle characters—enough to deceive even pros who rely on partial checks.”

Recovery Attempts and Legal Threats

The victim sent an on-chain message to the attacker offering a $1 million reward for returning 98% of the stolen funds. The message came with serious legal warnings.

“We have officially filed a criminal case. With the assistance of law enforcement, cybersecurity agencies, and multiple blockchain protocols, we have already gathered substantial and actionable intelligence regarding your activities,” the message stated.

The victim gave the attacker 48 hours to accept the bounty. If refused, they threatened to “escalate the matter through legal and international law enforcement channels” and pursue “relentless” criminal and civil action.

There is some hope for recovery. In May 2024, another victim lost $71 million in a similar address poisoning attack. That victim eventually recovered nearly all their funds after negotiations helped by blockchain security firm Match Systems and Cryptex exchange. However, the current case may be harder to resolve since the funds were quickly moved to Tornado Cash.

A Growing Problem

Address poisoning attacks are spreading across different blockchains. Jameson Lopp, Chief Security Officer at Bitcoin custody firm Casa, warned in April 2025 about this rising threat. His analysis found 48,000 suspected attacks on Bitcoin alone since 2023.

“[The attacks are] a result of the fact that we’re in a very low-fee environment,” Lopp said at the MIT Bitcoin Expo. Low transaction fees make it cheap for scammers to send thousands of fake transactions to potential victims.

Lopp suggested that wallet developers should add warnings when users interact with addresses that look similar to ones they’ve used before. “I think it would be easy for wallets to say ‘Oh, this came from a similar looking address,’ and throw up a big red flag: do not interact,” he explained.

According to security firms Web3 Antivirus and SlowMist, address poisoning accounted for over 10% of all wallet drains in 2025. Users of stablecoins like USDT face particular risk because their predictable transfer patterns help scammers plan attacks.

Record Theft Year

This attack adds to an already devastating year for crypto security. Chainalysis reported that cryptocurrency losses exceeded $3.4 billion in 2025, slightly higher than the $3.38 billion stolen in 2024.

The February 2025 hack of Bybit exchange was the single largest crypto theft ever recorded. North Korean threat actors stole $1.5 billion, accounting for around 44% of the year’s total losses. Security firm Elliptic called it “the largest crypto theft of all time.”

Personal wallet attacks have grown dramatically. In 2022, attacks on individual wallets made up just 7.3% of total stolen value. By 2024, that number jumped to 44%. Chainalysis documented 158,000 instances of personal wallet breaches affecting at least 80,000 different victims.

Mitchell Amador, CEO of blockchain security firm Immunefi, explained the shift: “The threat landscape is shifting from on-chain code vulnerabilities to operational security and treasury-level attacks. As code hardens, attackers target the human element.”

How to Stay Safe

Security experts recommend several steps to avoid address poisoning:

Check Every Character: Never trust just the first and last few characters of an address. Verify the complete address before sending any amount.

Use Address Books: Save trusted addresses in your wallet’s address book. Don’t copy addresses from your transaction history where scammers can plant fakes.

Spot Dust Attacks: Watch for tiny unexpected transactions from unknown addresses. These are red flags that your wallet might be getting poisoned.

Test and Wait: If you send a test transaction, wait and confirm it arrived at the right place before sending larger amounts.

Hardware Wallets Help: Hardware wallets with built-in screens force you to review the full address before approving transactions.

Unlike hacks that exploit code vulnerabilities, address poisoning attacks target human behavior. The blockchain itself works perfectly—scammers just trick people into making mistakes. This makes the problem harder to solve through technology alone.

Educational campaigns from industry groups stress the importance of hardware wallets with address confirmation screens. These tools force users to manually review addresses, which can prevent costly mistakes.

When Trust Becomes a Weakness

The $50 million loss shows how even experienced crypto users following security best practices can fall victim to sophisticated scams. The attacker exploited the very security measure—test transactions—that should have protected the victim.

As blockchain technology improves and becomes harder to hack directly, criminals are finding success by targeting the people using it instead. Whether through legal pressure or negotiation, the crypto community hopes this victim might join the small group who have successfully recovered stolen funds. But with the money already in Tornado Cash, the odds look challenging.