A trader lost nearly $50 million in USDT after an "address poisoning" attack, where a scammer replaced the recipient address, disguising it as the legitimate one. The incident occurred on December 20 and ended with a transfer of 49,999,950 USDT to the attacker’s wallet. According to onchain researcher Specter, this highlights vulnerabilities in common user behaviors combined with wallet interface features.
What happened?
The core of the incident was address substitution in the transaction history: the attacker generated a fake vanity address matching the legitimate one by the first and last four characters and inserted a small transaction from that address into the victim’s history. The victim first made a test transfer of 50 USDT to their real address, then copied the address from the history and sent the remaining 49,999,950 USDT to the fake wallet. As a result, nearly $50 million went to the scammer, triggering a rapid chain of swaps and laundering.
Scam mechanism
The attack was simple in concept but effective in practice: the victim made a test transaction of 50 USDT to their real address, allowing the attacker to monitor activity. The scammer immediately generated a spoofed vanity address matching the first and last four characters of the legitimate address, then sent a small amount from this fake address, "poisoning" the victim’s transaction history. Because many interfaces display addresses truncated with ellipses, the fake address appeared identical at first glance, causing the victim to accidentally copy the wrong address from the history.
Movement of stolen funds
Within half an hour after transferring 49,999,950 USDT, the funds were swapped to DAI, then converted to approximately 16,690 ETH, and subsequently passed through Tornado Cash. This sequential movement and conversion complicated tracking and recovery of assets, demonstrating methods for rapid liquidation of large cryptocurrency sums.
Victim's response
After discovering the theft, the owner sent an onchain message to the attacker offering $1 million as a white-hat bounty for returning 98% of the funds. Despite this, as of December 21, the assets have not been returned. The case attracted community and expert attention, warning about the rise of such low-tech, high-reward attacks.
Security recommendations
- Always take the recipient address from the "Receive" tab in your own wallet, not from transaction history or external sources.
- Add verified addresses to your wallet’s whitelist to reduce the risk of manual errors when entering or copying addresses.
- Consider using hardware or other devices that require physical confirmation of the full recipient address to prevent substitution via truncated addresses in interfaces.
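The whitelist recommendation and the truncated-display problem described under "Scam mechanism" can be combined into a pre-send check. The Python below is an added example, not code from the article or from any wallet: it accepts a destination only on a full-address match and flags one whose shortened form matches a whitelisted address while the full address differs. It assumes addresses of the form 0x plus 40 hex digits; all function names and sample addresses are constructed for illustration.

```python
import re

# Assumed address format: "0x" followed by 40 hex digits (case-insensitive).
ADDR_RE = re.compile(r"0x[0-9a-f]{40}")

def normalize(addr):
    """Lower-case and validate an address so comparisons ignore letter case."""
    a = addr.strip().lower()
    if not ADDR_RE.fullmatch(a):
        raise ValueError(f"unexpected address format: {addr!r}")
    return a

def truncated(addr, head=4, tail=4):
    """Shortened form many interfaces display, e.g. 0xa1b2...c3d4."""
    a = normalize(addr)
    return f"0x{a[2:2 + head]}...{a[-tail:]}"

def check_destination(dest, whitelist, head=4, tail=4):
    """Classify dest against whitelist {label: address}.

    Returns ("trusted", label) on a full-address match, ("lookalike", label)
    when only the truncated form matches, otherwise ("unknown", None).
    """
    d = normalize(dest)
    lookalike = None
    for label, addr in whitelist.items():
        w = normalize(addr)
        if d == w:
            return ("trusted", label)
        if truncated(d, head, tail) == truncated(w, head, tail):
            lookalike = label
    return ("lookalike", lookalike) if lookalike is not None else ("unknown", None)

def poisoned_entries(history, whitelist):
    """Return history counterparties that imitate a whitelisted address."""
    return [h for h in history
            if check_destination(h, whitelist)[0] == "lookalike"]

# Constructed sample data, not addresses from the incident.
REAL = "0xA1B2" + "0" * 32 + "C3D4"
FAKE = "0xa1b2" + "f" * 32 + "c3d4"   # same first and last four characters
OTHER = "0x" + "1" * 40
WHITELIST = {"cold wallet": REAL}

if __name__ == "__main__":
    for addr in (REAL, FAKE, OTHER):
        print(truncated(addr), check_destination(addr, WHITELIST))
```

A "lookalike" result should block the transfer outright, since the shortened forms of the real and fake addresses are indistinguishable on screen.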
Why this matters
Even a single mistake copying an address can lead to catastrophic loss of funds, regardless of your setup—from one device to a thousand. For miners in Russia, this means a routine wallet operation performed by habit can result in total liquidity loss when transferring or consolidating large sums. The economic and operational availability of exchange tools enables scammers to quickly convert and conceal stolen assets.
What to do?
- Before transferring funds, always send a small test amount first and confirm the address is correct—but do not copy the address from history; use the wallet’s "Receive" tab.
- Add critical addresses (such as your own cold wallet or trusted exchanges) to a whitelist to avoid manual entry errors.
- For significant transfers, require physical confirmation of the full address on your device and verify the first and last characters before confirming.
- Keep logs and transaction records—these will be useful for community communication and attempts to track funds if loss occurs.