Address Poisoning Goes Industrial: $62M Drained in Two Hits
A ScamSniffer report reveals a 207% surge in signature phishing and two massive wallet drains, exposing the critical vulnerability of truncated addresses.
Two clicks. That is all it took for two separate investors to lose a combined $62 million in December and January, according to a new report by blockchain security firm ScamSniffer. The losses confirm a dangerous shift in crypto crime: attackers are moving away from complex code exploits toward industrial-scale "address poisoning," a tactic that weaponizes user habit against the clipboard.
The $62 Million Mistake
The report details two massive casualty events. On December 20, a user lost $50 million USDT after copying a spoofed address from their transaction history. Less than a month later, in January, another victim signed away $12.25 million (4,556 ETH) in a virtually identical attack.
In both cases, the mechanism was low-tech but highly effective. Attackers spammed the victims’ wallets with zero-value "dust" transfers using vanity addresses generated to match the first and last alphanumeric characters of the victims’ legitimate counterparties. When the users went to repeat a previous transaction, they inadvertently copied the attacker's address from their history, failing to verify the middle characters obscured by standard wallet UI truncation.
"Two victims. $62M gone. Funds were sent to look-alike addresses that had been quietly planted inside the victims' recent activity records.", ScamSniffer
Industrial Scale & Low Fees
This is not isolated. ScamSniffer data shows signature phishing, a related vector where users sign malicious approvals, surged 207% in January alone, resulting in $6.27 million in additional losses. The report attributes the spike in activity to recent network conditions; lower gas fees following network upgrades have made it economically viable for attackers to blanket the chain with millions of poisoning transactions.
On-chain analysis suggests an automated, high-volume approach. Attackers are now deploying GPU-generated vanity addresses and batch smart contracts to seed roughly 270 million poisoning attempts across Ethereum and BSC. The campaigns specifically target active, high-value wallets, calculating that even a sub-1% success rate yields an outsized ROI when the average victim holds six-figure balances.
The UX Vulnerability
The persistence of address poisoning highlights a critical failure in wallet UX rather than cryptographic security. Hardware wallets and 2FA offer zero protection against a user voluntarily sending funds to the wrong address. Regulators are taking note; upcoming U.S. policy drafts have begun citing these specific "wallet drain" mechanics as justification for stricter custodial liability standards.
For market participants, the only defense remains rigorous verification: never trust the clipboard, and verify every character of an address before broadcast.
