A victim lost $2.6 million in stablecoins after falling for two phishing scams with zero-value transfers within a span of three hours, raising concerns about address poisoning tactics.
One single victim fell for two scams within a span of three hours, losing a total of $2.6 million in stablecoins.
According to data released on May 26 by the crypto compliance firm Cyvers, the victim sent the equivalent of $843 thousand in USDt.
, followed by another $1.75 million about three hours later. Cyvers reported that the scam used a method known as zero-value transfer, a sophisticated form of on-chain phishing.
Zero-value transfers are an on-chain phishing technique that exploits token transfer functions to deceive users and lead them to send real funds to the attackers. Scammers exploit the From function of token transfers to transfer zero tokens from the victim's wallet to a fake address.
As the transferred value is zero, no signature with the victim's private key is needed for the transaction to be included on-chain. Consequently, the victim will see the outgoing transaction in their history.
The victim can trust this address by seeing it in their transaction history, mistakenly interpreting it as a known or safe recipient. In a future transaction, they may end up sending real funds to the attacker's address.
In a high-profile case, a scammer who used a zero-value transfer phishing attack managed to steal $20 million in USDT before being blocked by the stablecoin issuer in the summer of 2023.
Advanced form of address poisoning
Zero-value transfer is considered an evolution of address poisoning, a tactic in which attackers send small amounts of cryptocurrency from an address similar to the victim's, often with the same starting and ending characters. The goal is to make the user accidentally copy and reuse the attacker's address in future transactions, resulting in loss of funds.
The technique exploits the fact that many users rely on partial address comparisons or the clipboard history when sending cryptocurrencies. Custom addresses with similar characters at the beginning and end can also be combined with zero-value transfers.
Growing threat across multiple blockchains
A study from January 2025 found that over 270 million poisoning attempts occurred on the BNB Chain and Ethereum between July 1, 2022, and June 30, 2024. Of these, 6,000 were successful, resulting in losses exceeding $83 million.
The report was released after crypto cybersecurity firms Trugard and the on-chain trust protocol Webacy announced an AI-based system to detect wallet address poisoning. The new tool would have a success rate of 97%, tested on real cases of attacks.