Wednesday, December 31, 2025

One Click, $50 Million Gone: Whale Falls for Address Poisoning Scam

A high-net-worth trader lost $50M in USDT after copying a spoofed address from their transaction history, marking one of the year’s largest UX-driven thefts.

The $50 Million Typo

A single interface failure and a moment of complacency just cost a crypto whale 49,999,950 USDT. In one of the largest individual thefts of 2025, a sophisticated “address poisoning” bot tricked a high-net-worth user into copying a spoofed wallet address, instantly routing $50 million to an attacker who has already begun laundering the funds through Tornado Cash.

The theft, identified by on-chain security firm Scam Sniffer, highlights a critical vulnerability not in the blockchain itself, but in user habits. The victim (0xcB80…0819) intended to move funds to a legitimate address (0xbaf4…f8b5). Instead, they sent the funds to a look-alike address (0xBaFF…f8b5) that had been injected into their transaction history seconds earlier.

“The attacker generated a vanity address matching the first 4 and last 4 characters of the intended recipient in under 60 seconds. This is industrial-scale griefing.”

How the Poison Works

This was not a private key hack. The attack vector exploited the human tendency to verify only the “bookends” of a hexadecimal string. Here is the exact sequence:

  1. The Signal: The victim sent a valid 50 USDT test transaction to their own secondary wallet.
  2. The Poison: An automated bot detected the transfer and instantly generated a “vanity address” (0xBaFF…f8b5) that mimicked the victim’s destination.
  3. The Bait: The bot sent a 0 USDT “dust” transfer to the victim. This malicious entry appeared at the top of the victim’s transaction history.
  4. The Trap: Assuming the top entry was their previous test transaction, the victim copied the poisoned address and signed the $50 million transfer.

The attacker immediately swapped the USDT for approximately 16,800 ETH (with Ether trading near $2,975) and began dispersing the funds.

Institutional Context: The UI Crisis

This incident, following a similar $70 million WBTC theft in May, forces a re-evaluation of wallet UX standards. While the blockchain executed the code exactly as written, the interface failed the user. Leading wallets typically truncate addresses for display (e.g., “0x123…abc”), masking the middle characters where the discrepancy lies. Institutional custody solutions are likely to enforce address whitelisting to prevent ad-hoc transfers of this magnitude.
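The four-step sequence above and the truncation problem in this section can be checked mechanically. The following is an added example, not code from the article or from any wallet vendor: it reproduces the bookend-only display, then shows the two defensive checks a wallet or custody layer can run over a transaction history, flagging zero-value incoming transfers and counterparties whose first and last four hex digits imitate an allowlisted address, and allowing an outgoing transfer only on a full-string match. All addresses and history entries are constructed placeholders, not the ones from the incident, and the helper names are hypothetical.

```python
"""Defensive checks against address poisoning in a wallet's transaction history.

Added example with constructed data; the addresses below are placeholders,
not the addresses involved in the theft.
"""
import re

HEX_ADDR = re.compile(r"^0x[0-9a-fA-F]{40}$")

# Constructed addresses: the look-alike shares the first and last four hex
# characters with the trusted address but differs in every middle character.
TRUSTED = "0xabcd" + "1" * 32 + "34ef"
LOOKALIKE = "0xabcd" + "2" * 32 + "34ef"
UNRELATED = "0x" + "9" * 40
ME = "0x" + "5" * 40


def normalize(addr: str) -> str:
    """Validate a 20-byte hex address and lower-case it so comparisons are exact."""
    if not HEX_ADDR.match(addr):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return addr.lower()


def truncate(addr: str, n: int = 4) -> str:
    """Mimic the usual wallet display: first n and last n hex digits only."""
    a = normalize(addr)
    return f"{a[:2 + n]}…{a[-n:]}"


def is_lookalike(candidate: str, trusted: str, n: int = 4) -> bool:
    """True when candidate shows the same bookends as trusted but is a different address."""
    c, t = normalize(candidate), normalize(trusted)
    return c != t and c[:2 + n] == t[:2 + n] and c[-n:] == t[-n:]


def safe_to_send(destination: str, allowlist) -> bool:
    """Allow an outgoing transfer only on a full-string match against the allowlist."""
    d = normalize(destination)
    return any(d == normalize(a) for a in allowlist)


# Constructed history, newest first: a zero-value "dust" transfer from the
# look-alike sits on top of the victim's own 50 USDT test transfer.
HISTORY = [
    {"from": LOOKALIKE, "to": ME, "value": 0, "token": "USDT"},
    {"from": ME, "to": TRUSTED, "value": 50, "token": "USDT"},
    {"from": UNRELATED, "to": ME, "value": 1200, "token": "USDT"},
]


def flag_history(history, me: str, allowlist, n: int = 4):
    """Return (counterparty, reasons) for entries that look like poisoning:
    zero-value incoming transfers, or counterparties imitating an allowlisted
    address's displayed bookends."""
    me = normalize(me)
    flagged = []
    for entry in history:
        outgoing = normalize(entry["from"]) == me
        counterparty = entry["to"] if outgoing else entry["from"]
        reasons = []
        if not outgoing and normalize(entry["to"]) == me and entry["value"] == 0:
            reasons.append("zero-value incoming transfer")
        for trusted in allowlist:
            if is_lookalike(counterparty, trusted, n):
                reasons.append(f"imitates allowlisted {truncate(trusted, n)}")
        if reasons:
            flagged.append((counterparty, reasons))
    return flagged


if __name__ == "__main__":
    # Both display identically, which is exactly the weakness the bot relies on.
    print("truncated trusted  :", truncate(TRUSTED))
    print("truncated look-alike:", truncate(LOOKALIKE))
    for addr, reasons in flag_history(HISTORY, ME, [TRUSTED]):
        print("FLAG", addr, "->", "; ".join(reasons))
    print("safe to send to look-alike?", safe_to_send(LOOKALIKE, [TRUSTED]))
```

The point of `safe_to_send` is that the allowlist comparison never looks at a truncated form; a custody layer that enforces it would have rejected the poisoned address regardless of what the history view showed. The checks here compare lower-cased hex only and do not validate the EIP-55 mixed-case checksum, which would be a sensible addition in a real wallet.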

Security firms like PeckShield and CertiK have flagged over $3.4 billion in stolen assets this year, but “user error” exploits like poisoning are rising because they bypass smart contract audits entirely.

The Aftermath

The stolen ETH is currently moving through mixing services, rendering recovery unlikely. For the market, the message is clear: in an immutable ledger system, a UI shortcut is a liability. Verify every character.