A cryptocurrency trader lost 50 million dollars in USDT from Tether after falling victim to a sophisticated 'address poisoning' attack.
On December 20, the blockchain security company Scam Sniffer reported that the attack began after the victim sent a small test transaction of 50 dollars to their address.
How the address poisoning scheme unfolded
In particular, traders use this standard precaution to confirm they are sending funds to the correct address.
However, this activity triggered an automatic script controlled by the attacker, which immediately generated a “spoofed” wallet address.
The fake address is designed to match the beginning and the end of the alphanumeric string of the expected recipient's address. The differences only appear in the central characters, making the scam difficult to spot at first glance.
The attacker then sent a negligible amount of cryptocurrency from the spoofed address to the victim's wallet.
This transaction effectively inserted the fraudulent address into the recent transaction history of the victim, where many wallet interfaces only show abbreviated address details.
Relying on this synthetic visual form, the victim copied the address from their transaction history without checking the entire string. Thus, instead of transferring the funds to a secure personal wallet, the trader directly sent 49,999,950 USDT to the attacker.
After receiving the funds, the attacker acted quickly to reduce the risk of potential asset seizure, according to on-chain data. The attacker immediately converted the stolen USDT, which the issuer can freeze, into the stablecoin DAI using MetaMask Swap.
The attacker then converted the funds into approximately 16,680 ETH.
To further complicate the tracking of transactions, the attacker deposited ETH into Tornado Cash. This decentralized mixing service is designed to break the visible link between the sender and recipient addresses.
The victim offers a reward of 1 million dollars
In hopes of recovering the assets, the victim sent an on-chain message offering a white-hat bounty of 1 million dollars in exchange for the return of 98% of the stolen funds.
“We have officially filed a criminal complaint. Thanks to the assistance of law enforcement, cybersecurity agencies, and various blockchain protocols, we have already gathered substantial and usable information about your activities,” reads the message (published here).
The message warns that the victim would initiate “ruthless” legal actions if the attacker did not cooperate within 48 hours.
“If you do not cooperate: We will escalate the matter through legal channels and international law enforcement. Your identity will be discovered and shared with the competent authorities. We will relentlessly pursue criminal and civil actions until full justice is obtained. This is not a request. You are given one last chance to avoid irreversible consequences,” the victim stated.
The incident highlights a persistent vulnerability in how digital wallets display transaction information and how attackers exploit user behavior rather than flaws in the blockchain code.
Security analysts have repeatedly warned that the practice of wallet providers shortening long address strings for usability and design reasons creates a constant risk.
If this problem is not resolved, attackers will likely continue to exploit the tendency of users to check only the first and last characters of an address.
