Wednesday, December 31, 2025

Crypto Whale Loses $50M in USDT Poisoning Attack; Offers $1M Bounty

A trader lost $50M after a ‘test send’ triggered a poisoning bot, forcing a $1M on-chain bounty offer as funds hit Tornado Cash.

A crypto trader has lost 49,999,950 USDT in a single transaction, falling victim to an address-poisoning scam that exploited the user’s reliance on transaction history. The theft, identified by Scam Sniffer and SlowMist on December 20, is one of the largest individual losses of 2025.

The ‘Test Send’ Trap

The attack vector was specifically designed to weaponize standard security best practices. On-chain data reveals the victim (0xcB80…00819) first sent a legitimate test transaction of 50 USDT to their intended destination. This activity triggered an automated bot, which immediately generated a "poison" address (0xBaFF…8b5) mimicking the first and last characters of the intended wallet.

The bot then sent a dust transaction to the victim’s wallet, placing the malicious address at the top of their transaction history. Believing the address in their history was the one they had just interacted with, the victim copied the poisoned address and transferred the full $50 million.
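A defensive check for the pattern described above, as an added example that is not part of the original article: before sending, compare the pasted recipient against a saved address book over the full 20 bytes, and flag any address that differs but shares its first and last characters with a trusted entry. The addresses, the label and the 4/3 character thresholds are constructed assumptions, and the function names are hypothetical.

```python
"""Flag recipient addresses that imitate a trusted one (added example)."""


def _norm(addr: str) -> str:
    """Lower-case a 0x-prefixed address and validate it is 20 bytes of hex."""
    a = addr.strip().lower()
    if a.startswith("0x"):
        a = a[2:]
    if len(a) != 40 or any(c not in "0123456789abcdef" for c in a):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return a


def _common_prefix(a: str, b: str) -> int:
    """Number of leading characters the two strings share."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def check_recipient(candidate, trusted, min_prefix=4, min_suffix=3):
    """Return ("exact", label), ("lookalike", label) or ("unknown", None).

    "lookalike" means the candidate is NOT a trusted address but matches
    one at both ends, which is what a wallet's truncated display shows.
    """
    cand = _norm(candidate)
    lookalike = None
    for label, addr in trusted.items():
        ref = _norm(addr)
        if cand == ref:  # full comparison, never a truncated one
            return ("exact", label)
        pre = _common_prefix(cand, ref)
        suf = _common_prefix(cand[::-1], ref[::-1])
        if pre >= min_prefix and suf >= min_suffix:
            lookalike = label
    if lookalike is not None:
        return ("lookalike", lookalike)
    return ("unknown", None)


# Constructed sample values, not addresses from the incident.
TRUSTED = {"exchange-deposit": "0xA1b2" + "0" * 32 + "C3d4"}
POISON = "0xa1B2" + "7e" * 16 + "c3D4"   # same first 4 and last 4 hex chars
UNRELATED = "0x" + "9" * 40
```

A "lookalike" verdict should block the transfer until the full address is confirmed against the saved entry; an address copied from transaction history would only ever pass as "exact" if every character matches.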

"This is the brutal reality of address poisoning… an attack that doesn’t rely on breaking systems, but on exploiting human habits." (On-chain Analyst)

Instant Laundering via Tornado Cash

The attacker wasted no time. Within 30 minutes of receipt, the 50 million USDT was swapped for DAI via MetaMask Swap, then converted into approximately 16,690 ETH (valued at ~$2,990 per ETH). The funds were immediately deposited into Tornado Cash in batches, effectively severing the on-chain link and complicating recovery efforts.

The On-Chain Ultimatum

In a desperate bid to recover the funds, the victim broadcast an on-chain message to the attacker’s wallet. The message offers a $1 million "whitehat" bounty if 98% of the funds are returned within 48 hours, threatening involvement from "legal international law enforcement channels" if the deadline is missed.

Market participants should note that Tether (USDT) has the capability to freeze assets on the Ethereum network, but the attacker’s rapid conversion to DAI and ETH likely circumvented this centralized kill-switch before it could be deployed.