Coinbase Vows to Hunt Scammers as User Loses $50M to Address Poisoning
A $50 million copy-paste error overshadows Coinbase’s aggressive new stance on crypto crime, highlighting the limits of law enforcement on-chain.
The “White Hat” Offer vs. Tornado Cash
Coinbase issued a stark warning to crypto criminals this weekend, promising to deploy law enforcement against anyone targeting its customers. But the proclamation landed just as the ecosystem absorbed a $50 million reality check: a single copy-paste error that law enforcement likely cannot fix.
On December 20, a user (likely an institution or whale) lost 49,999,950 USDT after falling victim to “address poisoning.” The theft is one of the largest single-wallet exploits of 2025, executed without a private key hack or smart contract bug. It relied entirely on a UI blind spot.
The Mechanism: $50M in Minutes
The attack vector was textbook poisoning. The victim intended to transfer funds to their own address starting with 0xbaf and ending in f8b5. Moments before the massive transfer, the attacker generated a vanity address—0xBaFF...86b08f8b5—that matched those critical first and last characters.
The attacker then “dusted” the victim’s wallet with a 0-value transaction or a negligible token amount. This injected the malicious address into the victim’s transaction history. When the victim went to copy their own address for the $50 million move, they clicked the wrong entry. The result? 50 million Tether sent directly to the attacker’s lookalike address.
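The check a wallet or treasury script could run before a transfer, as an added example that is not from the article or any wallet vendor: it compares a destination against an allowlist by full address and flags history entries that only match in truncated form. The `Transfer` type, the function names, the 5/4 truncation and dust threshold, and all addresses are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    counterparty: str  # the other address shown in the wallet history row
    amount: float      # token amount in whole units


def display_form(addr: str, head: int = 5, tail: int = 4) -> str:
    """Truncated form a wallet UI might show, e.g. 0xbaf...f8b5 (assumed 5/4 split)."""
    a = addr.lower()  # checksum casing must not affect the comparison
    return f"{a[:head]}...{a[-tail:]}"


def classify(dest: str, allowlist, head: int = 5, tail: int = 4) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a destination address."""
    d = dest.lower()
    known = {a.lower() for a in allowlist}
    if d in known:
        return "trusted"  # full 40-hex-character match only
    shown = display_form(d, head, tail)
    if any(shown == display_form(a, head, tail) for a in known):
        return "lookalike"  # same on screen, different underneath
    return "unknown"


def poisoned_entries(history, allowlist, dust: float = 1.0):
    """History rows that are dust-sized and involve a lookalike address."""
    return [t for t in history
            if t.amount <= dust
            and classify(t.counterparty, allowlist) == "lookalike"]


# Constructed sample data, not the addresses from the incident.
OWN = "0x1a2b" + "0" * 32 + "c3d4"    # the user's real deposit address
FAKE = "0x1A2b" + "f" * 32 + "C3d4"   # vanity address with matching ends
OTHER = "0x9999" + "1" * 32 + "8888"  # unrelated zero-value sender
HISTORY = [Transfer(OWN, 50.0), Transfer(FAKE, 0.0), Transfer(OTHER, 0.0)]

if __name__ == "__main__":
    for t in HISTORY:
        print(display_form(t.counterparty), t.amount,
              classify(t.counterparty, [OWN]))
    print("poisoned rows:", poisoned_entries(HISTORY, [OWN]))
```

Hiding or labelling the rows returned by `poisoned_entries` and refusing to send to anything `classify` marks as `lookalike` removes the copy-from-history path the attack depends on.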
The Laundromat
Liquidity vanished instantly. According to on-chain data verified by SlowMist and ScamSniffer, the attacker wasted no time:
- Swap 1: 50M USDT converted to DAI via MetaMask Swap.
- Swap 2: DAI converted to roughly 16,680 ETH.
- The Exit: The ETH was funneled into Tornado Cash within 30 minutes.
The victim is now resorting to on-chain pleading. An Input Data Message (IDM) sent to the hacker’s address reads:
“To the Hacker: We have officially filed a criminal case… This is your final opportunity to resolve this matter peacefully. If the hacker cooperates… they are allowed to keep $1,000,000 USD as a white hat bounty.”
History suggests the bounty will go unclaimed. Once funds hit Tornado Cash, the “negotiation” usually ends.
Coinbase’s “One Down, More to Go”
The theft creates a brutal contrast with Coinbase’s victory lap. Hours earlier, CEO Brian Armstrong warned scammers that “law enforcement will close in,” following the arrest of Ronald Spektor, a scammer who allegedly drained millions via social engineering.
“If you try to steal from our customers, we will work with law enforcement to find you and bring you to justice,” Armstrong wrote. While Coinbase can police its own KYC-gated rails, the $50 million USDT theft occurred on-chain, outside the immediate reach of exchange freeze orders. The discrepancy highlights the widening security gap between custodial safety nets and the unforgiving nature of self-custody execution.