Address poisoning scam costs crypto user $50M

Published: 22 December 2025
Last updated: 28 December 2025
Mushroom Poison
By Shutterstock

In less than two years, criminals have managed to steal crypto assets worth dozens of millions of USD in so-called address poisoning attacks, while victims fight to get their funds back.

This time, multiple blockchain analysts reported over the weekend that someone lost $50 million worth of the tether (USDT) stablecoin after criminals tricked the victim into using a malicious address to which the funds were sent.

"The user first sent a small test [transaction] to the correct address. Mins later, $50M was sent to a poisoned address copied from transaction history," crypto security specialist Web3 Antivirus said.

ADVERTISEMENT

The victim was tricked as the criminals used an address with the same first and last four characters.

"Since many wallets hide the middle part of the address with "..." to make the UI look better.

USDT
Image by Diamond Visuals | Shutterstock

Many users often copy the address from transaction histories, and usually only check the starting and ending letters," analysts at Lookonchain added, urging users to always double-check the address before making a transfer and not copy addresses from transaction history for convenience.

Meanwhile, according to security specialist SlowMist, 30 minutes after receiving the stolen USDT, the scammer swapped it for the decentralized stablecoin dai (DAI) and then swapped it for ethereum (ETH) before depositing it into the so-called crypto mixer, Tornado Cash.

jurgita justinasv Izabelė Pukėnaitė vilius Ernestas Naprys Gintaras Radauskas
Don't miss our latest stories on Google News. Add us as your Preferred Source on Google
Follow us

The victim is trying to reach the criminal by sending a message via the Ethereum blockchain, informing them that they have officially filed a criminal case and that they have "already gathered substantial and actionable intelligence regarding your activities," offering $1 million as a whitehat bounty for identifying the vulnerability. The deadline to return the funds ends today.

"This is not a request. You are being given one final chance to avoid irreversible consequences," the message reads.

ADVERTISEMENT

In a similar case in May 2024, a victim lost more than $71 million in wrapped bitcoin (WBTC), a tokenized version of bitcoin (BTC), in another poisoning attack. However, in that case, the victim managed to recover almost all of the funds after negotiations with the attacker.

As reported by Cybernews, Ethereum-inspired address poisoning attacks are now occurring on the bitcoin blockchain as well.

Unlock more exclusive Cybernews content on YouTube.

Share
Post
Share
Share
Share
More from Cybernews
Companies using Fable 5 beware: it’s collecting your data, and there are no exceptions
World’s leading mathematicians ridicule AI hype in high-IQ declaration
Democrats are far more worried than Republicans that AI will take jobs, new poll finds
Europe’s tech revolution feels like Soviet déjà vu
New York demands advertisers use “synthetic performer” label or else
The surprising way Elon Musk is powering your next holiday flight
ADVERTISEMENT