A cryptocurrency trader lost $50 million in Tether’s USDT after falling victim to a sophisticated “address poisoning” attack.
On December 20, blockchain security firm Scam Sniffer reported that the attack began after the victim sent a small $50 test transaction to his own address.
How The Address Poisoning Scheme Unfolded
Traders commonly send a small test transaction like this as a standard precaution, to confirm that they are sending funds to the correct address.
However, that activity alerted an automated script controlled by the attacker, which immediately generated a “spoofed” wallet address.
The fake address is designed to match the intended recipient’s address at the beginning and end of the alphanumeric string. The differences appear only in the middle characters, making the fraud difficult to detect at a glance.
The attacker then sent a negligible amount of cryptocurrency from the spoofed address to the victim’s wallet.
That transaction effectively placed the fraudulent address into the victim’s recent transaction history, where many wallet interfaces display only truncated address details.
Relying on that visual shorthand, the victim copied the address from their transaction history without checking the full string. So, instead of transferring funds to a secure personal wallet, the trader sent 49,999,950 USDT directly to the attacker.
After receiving the funds, the attacker quickly moved to limit the risk of asset seizure, according to on-chain records. The attacker immediately swapped the stolen USDT, which its issuer can freeze, for the DAI stablecoin using MetaMask Swap.
The attacker then converted the funds into roughly 16,680 ETH.
To further obscure the transaction trail, the attacker deposited the ETH into Tornado Cash. The decentralized mixing service is designed to sever the visible link between sending and receiving addresses.
Victim Offers $1 Million Bounty
In an attempt to recover the assets, the victim sent an on-chain message offering a $1 million white-hat bounty in return for 98% of the stolen funds.
“We have officially filed a criminal case. With the assistance of law enforcement, cybersecurity agencies, and multiple blockchain protocols, we have already gathered substantial and actionable intelligence regarding your activities,” the message stated.
The message warned that the victim would pursue “relentless” legal action if the attacker failed to comply within 48 hours.
“If you fail to comply: We will escalate the matter through legal and international law enforcement channels. Your identity will be uncovered and shared with the appropriate authorities. We will relentlessly pursue criminal and civil action until full justice is served. This is not a request. You are being given one final chance to avoid irreversible consequences,” the victim stated.
The incident underscores a persistent vulnerability in how digital wallets display transaction information and how attackers exploit user behavior rather than flaws in blockchain code.
Security analysts have repeatedly warned that wallet providers’ practice of abbreviating long address strings for usability and design reasons creates a persistent risk.
If this problem is not solved, attackers are likely to continue exploiting users’ tendency to verify only the first and last few characters of an address.
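As an added illustration (not part of the original report), the Python sketch below shows a check a wallet or user-side script could run: it flags any address in the transaction history whose abbreviated form matches a trusted address while the full string differs, and it accepts a destination only on a full-string match. The sample addresses, the 6/4 truncation widths and the function names are constructed assumptions.

```python
"""Flag look-alike ("poisoned") addresses in a wallet's transaction history."""

# Constructed sample addresses (not taken from the incident).
TRUSTED = "0xab12" + "0" * 32 + "cd34"   # the user's real destination
SPOOF = "0xab12" + "f" * 32 + "cd34"     # same head and tail, different middle
OTHER = "0x" + "9" * 40                  # unrelated counterparty


def truncated(addr: str, head: int = 6, tail: int = 4) -> str:
    """Render an address the way an abbreviating wallet UI would (assumed widths)."""
    a = addr.lower()  # hex addresses are compared case-insensitively here
    return f"{a[:head]}...{a[-tail:]}"


def find_lookalikes(trusted, history, head: int = 6, tail: int = 4):
    """Return (suspect, trusted) pairs whose abbreviated forms are identical
    but whose full strings differ."""
    by_short = {}
    for t in trusted:
        by_short.setdefault(truncated(t, head, tail), set()).add(t.lower())
    hits = []
    for h in history:
        h_norm = h.lower()
        for t in sorted(by_short.get(truncated(h, head, tail), ())):
            if t != h_norm:
                hits.append((h_norm, t))
    return hits


def safe_to_paste(candidate: str, trusted) -> bool:
    """Accept a destination only if the full string matches an address-book entry."""
    return candidate.lower() in {t.lower() for t in trusted}


if __name__ == "__main__":
    for suspect, real in find_lookalikes([TRUSTED], [OTHER, SPOOF, TRUSTED]):
        print(f"WARNING: {suspect} imitates {real} (both show as {truncated(real)})")
    print("spoof accepted as destination:", safe_to_paste(SPOOF, [TRUSTED]))
```
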