An investor lost $50 million after falling victim to an “address poisoning” technique. What happened, and how can you protect yourself from this risk?
Investor loses tens of millions of dollars in an attack
The analytics firm Lookonchain reported this week a massive loss suffered by a cryptocurrency investor. The victim intended to transfer 50 million USDT and first sent 50 USDT to their own wallet address to test it.
Once this first transfer was successful, they sent the sum of $50 million to what they thought was the same address… Except that a hacker had already been there. The hacker used the “address poisoning” technique to steal the funds.
This type of “poisoning” is simple: it involves sending a small amount to the victim by creating an address whose first and last characters resemble the victim’s. The goal is for the person not to verify the entire address and to simply copy the address from their transaction history.
$50 million stolen, funds laundered
This is what happened here, according to Lookonchain:
Since many wallets mask the middle part of the address with “…” to improve the user interface, many users often copy the address from their transaction history and generally only check the first and last characters.
The fake address next to the victim’s
Result: 50 million USDC vanished. The victim, who wanted to withdraw their funds from Binance, actually sent them to the spoofed address.
The scammer then quickly laundered the funds, according to information shared by SlowMist. First by exchanging the USDT for DAI via MetaMask Swap, then by exchanging it all for ETH. He finally sent the ETH to the Tornado Cash cryptocurrency mixer.
A settlement proposal with the scammer
Result: the original holder of the USDC lost tens of millions of dollars in a matter of minutes. Following this, he posted an “on-chain” message to propose a settlement with the person who stole his cryptocurrency:
We have officially filed a criminal complaint. With the help of law enforcement, cybersecurity agencies, and several blockchain protocols, we have already gathered substantial and actionable intelligence regarding your activities.
He offers the hacker the chance to keep one million dollars and return the majority of the funds. In exchange, the original holder agrees not to pursue legal action:
This is your last chance to resolve this matter amicably. You are hereby required to return 98% of the stolen assets to the address below within 48 hours. You are authorized to keep $1,000,000 as a “white hat” bounty for identifying the vulnerability.
As of now, the funds have not been returned. This is yet another reminder to be vigilant about addresses copied during fund transfers. We recommend never copying an address from a blockchain explorer and always carefully verifying the entire address.
