A crypto user lost $50 million in USDT after falling victim to an address poisoning scam in a massive on-chain exploit.
The theft, spotted by Web3 security firm Web3 Antivirus, occurred after the user sent a $50 test transaction to confirm the destination address before transferring the rest of the funds.
Within minutes, a scammer created a wallet address that looked very similar to the destination, matching the first and last characters, knowing that most wallets abbreviate addresses and only show prefixes and suffixes.
The scammer then sent the victim a small amount of “dust” to poison their transaction history. Apparently believing that the destination address was legitimate and entered correctly, the victim copied the address from their transaction history and ended up sending 49,999,950 USDT to the scammer’s address.
These small dust transactions are often sent to addresses with large holdings, poisoning transaction histories in an attempt to catch users in copy-and-paste errors like this one. The bots carrying out these transactions cast their nets wide in the hope of success, which they found in this case.
Blockchain data shows stolen funds were later exchanged for ether and moved across multiple wallets. Several addresses involved have since interacted with Tornado Cash, a sanctioned crypto mixer, in an attempt to cover the trail of transactions.
In response, the victim posted an on-chain message demanding the return of 98% of the stolen funds within 48 hours. The message, backed by legal threats, offered the attacker $1 million as a white hat bonus if the assets were returned in full.
Non-compliance, the message warns, will trigger legal escalation and criminal prosecution.
“This is your last opportunity to resolve this matter peacefully,” the victim wrote in the post. “If you do not comply: we will escalate the matter through international legal enforcement channels.”
Address poisoning does not exploit any vulnerabilities in code or cryptography, but rather takes advantage of user habits, namely the use of partial address matching and copy-pasting from transaction history.
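The check below is an added example, not part of the original article: it shows how two different addresses collapse to the same abbreviated form, flags history entries that mimic a trusted address, and approves a send only on a full match. All addresses are constructed, and the function names and the 4-character prefix/suffix display width are assumptions.

```python
# Constructed sample data: every address here is made up for illustration.
TRUSTED = "0xa1b2c3d4e5f60718293a4b5c6d7e8f9012345678"
LOOKALIKE = "0xa1b2" + "9" * 32 + "5678"   # same first/last 4 hex chars, different middle
UNRELATED = "0x" + "5" * 40
HISTORY = [TRUSTED, LOOKALIKE, UNRELATED]  # counterparties seen in a wallet's history


def normalize(addr):
    """Lowercase, drop the 0x prefix, and reject anything that is not 20 hex bytes."""
    body = addr.lower()
    if body.startswith("0x"):
        body = body[2:]
    if len(body) != 40 or any(c not in "0123456789abcdef" for c in body):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return body


def abbreviate(addr, head=4, tail=4):
    """Render an address the way a wallet UI might: prefix, ellipsis, suffix."""
    body = normalize(addr)
    return f"0x{body[:head]}...{body[-tail:]}"


def find_lookalikes(trusted, history, head=4, tail=4):
    """Return history entries that abbreviate like `trusted` but differ in full."""
    t = normalize(trusted)
    hits = []
    for addr in history:
        a = normalize(addr)
        if a != t and a[:head] == t[:head] and a[-tail:] == t[-tail:]:
            hits.append(addr)
    return hits


def safe_to_send(dest, trusted):
    """Approve a destination only when all 40 hex characters match."""
    return normalize(dest) == normalize(trusted)


if __name__ == "__main__":
    print(abbreviate(TRUSTED), abbreviate(LOOKALIKE))
    print("lookalikes:", find_lookalikes(TRUSTED, HISTORY))
    print("send to lookalike allowed:", safe_to_send(LOOKALIKE, TRUSTED))
```

The comparison source should be an address book entry or the original out-of-band address, never the transaction history itself, since the history is what the dust transfer poisons.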




