


Investor Loses $2.6 Million in Sophisticated Double Phishing Attack Using Zero-Value Transfers


In a striking incident that unfolded over just three hours, a cryptocurrency investor suffered a devastating loss of $2.6 million in stablecoins through a highly deceptive double phishing attack. The method employed—known as zero-value transfers—is a sophisticated evolution of address poisoning and poses an escalating threat to the crypto ecosystem.


Two Transactions, One Target: User Trust


According to blockchain security firm Cyvers, the victim unknowingly authorized two substantial USDT transfers:




$843,000 in the initial transaction




Followed by $1.75 million shortly thereafter




Both payments were sent to fraudulent addresses embedded in the user’s transaction history through zero-value transfers—a tactic that even experienced users may overlook.


Understanding Zero-Value Transfers


This method abuses the standard token transfer function to submit a transfer with a token amount of zero, which does not require the listed sender’s private key. The recipient address, crafted by the attacker, is then recorded in the user’s wallet history. When users later search their transaction history and copy a familiar-looking address, they may unknowingly select the scammer’s address—resulting in a costly mistake.


A Recurrent and Growing Threat


This is not an isolated case. In 2023, a similar exploit led to the theft of $20 million in USDT before the perpetrator was blacklisted. Zero-value transfers are classified as an advanced form of address poisoning, where attackers mimic wallet addresses with similar prefixes and suffixes to deceive users into reusing malicious addresses.
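A wallet-side check for the pattern described above, as an added example that is not from Cyvers or the original article: it flags zero-value entries in a wallet's outgoing history whose recipient shares its first and last hex digits with an address the wallet has really paid. The `Transfer` record, the function names, the four-digit match length and all sample addresses are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Transfer:
    tx: str         # label for the history entry (constructed)
    sender: str     # "from" address shown in the wallet history
    recipient: str  # "to" address shown in the wallet history
    amount: int     # token amount in base units

def lookalike(a: str, b: str, n: int = 4) -> bool:
    """True when two different addresses share their first and last n hex digits."""
    a, b = a.lower(), b.lower()
    return a != b and a[2:2 + n] == b[2:2 + n] and a[-n:] == b[-n:]

def find_poisoned(history, wallet, n=4):
    """Return (tx, fake, imitated) for zero-value entries that mimic a paid address."""
    wallet = wallet.lower()
    outgoing = [t for t in history if t.sender.lower() == wallet]
    # Addresses the wallet has actually sent funds to.
    paid = sorted({t.recipient.lower() for t in outgoing if t.amount > 0})
    return [(t.tx, t.recipient.lower(), good)
            for t in outgoing if t.amount == 0
            for good in paid if lookalike(t.recipient, good, n)]

def imitated_by(dest, history, wallet, n=4):
    """Pre-send check: the paid address that `dest` imitates, or None."""
    for _, fake, good in find_poisoned(history, wallet, n):
        if fake == dest.lower():
            return good
    return None

# Constructed sample data: none of these addresses or entries are real.
WALLET = "0x" + "aa" * 20
LEGIT = "0xa1b2" + "11" * 16 + "c3d4"
FAKE = "0xa1b2" + "ee" * 16 + "c3d4"   # same first/last 4 hex digits as LEGIT
OTHER = "0x" + "77" * 20
HISTORY = [
    Transfer("tx1", WALLET, LEGIT, 50_000_000_000),  # genuine payment
    Transfer("tx2", WALLET, FAKE, 0),                # zero-value poisoning entry
    Transfer("tx3", WALLET, OTHER, 0),               # zero-value, no resemblance
    Transfer("tx4", OTHER, WALLET, 1_000_000),       # incoming, ignored
]

if __name__ == "__main__":
    for tx, fake, good in find_poisoned(HISTORY, WALLET):
        print(f"{tx}: {fake} imitates {good}; do not copy it from history")
```

Running `imitated_by` on a destination before signing catches the copy-from-history mistake even when the two addresses look identical in a truncated wallet display.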


A January 2025 study reported over 270 million phishing attempts across Ethereum and BNB Chain between July 2022 and June 2024. While most were intercepted, over 6,000 successful attacks resulted in losses exceeding $83 million.

