Address poisoning: he mistakenly sends $50 million to a hacker

by v

An investor lost $50 million after falling victim to an “address poisoning” technique. What happened and how can you protect yourself from this risk?

Investor loses tens of millions of dollars in attack

This week, analytics firm Lookonchain reported a significant loss by a cryptocurrency investor. The victim wanted to transfer $50 million USDT and first transferred $50 USDT to their own wallet address to test it.

Once this first transfer was successful, they sent the sum of $50 million to what they thought was the same address… Except that a hacker had been there first. The hacker used the “address poisoning” technique to steal the funds.

This type of “poisoning” is simple: the attacker creates an address whose first and last characters resemble the victim's, then sends the victim a small amount so that the lookalike address appears in their transaction history. The goal is for the victim to copy the address from that history without checking it in full.

$50 million stolen, funds laundered

This is what happened here, according to Lookonchain:

Since many wallets hide the middle part of the address with “…” to improve the user interface, many users often copy the address from the transaction history and usually only check the first and last characters.

The fake address next to the victim's

The result: $50 million in USDC vanished. The victim, who wanted to withdraw their funds from Binance, actually sent them to the fake address.

The scammer then quickly laundered the funds, according to information shared by SlowMist. First, they exchanged the USDT for DAI via MetaMask Swap, then exchanged it all for ETH. Finally, they sent the ETH to the Tornado Cash cryptocurrency mixer.

A proposed agreement with the scammer

As a result, the original holder of the USDC lost tens of millions of dollars in a matter of minutes. Following this, they posted an “on-chain” message offering a deal to the person who stole their cryptocurrency:

“We have officially filed a criminal complaint. With the help of law enforcement, cybersecurity agencies, and several blockchain protocols, we have already gathered substantial and actionable information about your activities.”

He proposes that the hacker keep $1 million and restore the majority of the sum. In exchange, the original holder agrees not to pursue legal action:

This is your last chance to resolve this matter amicably. You are hereby required to return 98% of the stolen assets to the address below within 48 hours. You are authorized to keep $1,000,000 as a “white hat” bonus for identifying the vulnerability.

At this time, the funds have not been restored. This is yet another sign that you need to be vigilant when copying addresses during fund transfers. We recommend that you never copy addresses from a blockchain explorer and always carefully check the entire address.
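The full-address check recommended above, as an added Python example that is not part of the original article: it compares a recipient with a list of trusted addresses over all 40 hex digits and flags any address that matches only at the ends, which is all a wallet that hides the middle with “…” displays. The function names, the 4-digit thresholds and the sample addresses are assumptions constructed for illustration.

```python
HEX = set("0123456789abcdef")

def normalize(addr: str) -> str:
    """Return the 40 hex digits of a 0x-prefixed 20-byte address, lower-cased."""
    a = addr.strip().lower()
    if not a.startswith("0x") or len(a) != 42 or not set(a[2:]) <= HEX:
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return a[2:]

def shared_ends(a: str, b: str) -> tuple[int, int]:
    """Count matching leading and trailing hex digits of two normalized addresses."""
    head = next((i for i in range(40) if a[i] != b[i]), 40)
    tail = next((i for i in range(40) if a[-1 - i] != b[-1 - i]), 40)
    return head, tail

def classify(recipient: str, trusted: list[str], min_head: int = 4, min_tail: int = 4):
    """Return ("trusted" | "lookalike" | "unknown", matched trusted address or None)."""
    r = normalize(recipient)
    known = [normalize(t) for t in trusted]
    if r in known:                      # full 40-digit match is the only "trusted" case
        return "trusted", "0x" + r
    for t in known:
        head, tail = shared_ends(r, t)
        if head >= min_head and tail >= min_tail:
            return "lookalike", "0x" + t   # same visible ends, different middle
    return "unknown", None

def scan_history(history: list[str], trusted: list[str]) -> list[str]:
    """List history entries that imitate a trusted address without being one."""
    return [h for h in history if classify(h, trusted)[0] == "lookalike"]

# Constructed sample addresses (not taken from the incident).
OWN = "0x" + "a1b2" + "0" * 32 + "c3d4"
FAKE = "0x" + "a1b2" + "f" * 32 + "c3d4"   # same first and last 4 digits as OWN
OTHER = "0x" + "9" * 40

if __name__ == "__main__":
    for addr in (OWN, FAKE, OTHER):
        print(addr, classify(addr, [OWN]))
```
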
