A cryptocurrency user lost $50 million worth of USDT after falling for an address poisoning scam in a massive on-chain exploit.
The theft, discovered by Web3 security company Web3 Antivirus, occurred after the user sent a $50 test transaction to confirm the destination address before transferring the rest of the funds.
Within minutes, a scammer created a wallet address that closely resembled the destination, matching the first and last characters, knowing that most wallets abbreviate addresses and only display prefixes and suffixes.
The scammer then sent the victim a small amount of “dust” to poison their transaction history. Apparently believing that the destination address was legitimate and correctly entered, the victim copied the address from his transaction history and ended up sending $49,999,950 USDT to the scammer’s address.
These small dust transactions are often sent to addresses with large holdings, poisoning transaction histories in an attempt to catch users in copy-and-paste errors, like this one. The bots that make these transactions cast a wide net in the hopes of succeeding, which they did in this case.
Blockchain data shows stolen funds were later exchanged for ether and moved across multiple wallets. Since then, several addresses involved have interacted with Tornado Cash, a licensed cryptocurrency mixer, in an attempt to obfuscate the transaction trail.
In response, the victim posted an on-chain message demanding the return of 98% of the stolen funds within 48 hours. The message, backed up with legal threats, offered the attacker $1 million as a white hat reward if the assets were returned in full.
Failure to comply, the message warns, will trigger legal escalation and criminal charges.
“This is your last chance to resolve this matter peacefully,” the victim wrote in the message. “If you do not comply, we will escalate the matter through international legal law enforcement channels.”
Address poisoning does not exploit vulnerabilities in code or cryptography, but rather takes advantage of user habits: reliance on partial address matching and copying addresses from transaction history.
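One way a wallet or monitoring script could catch this pattern, as an added example that is not from the original article: flag small incoming transfers whose sender looks identical to a saved address when abbreviated but differs in full, and allow sends only on a full-length match. It assumes Ethereum-style hex addresses, a display that shows 4 leading and 4 trailing characters, and a dust threshold of 1.0; every address, amount and name below is constructed.

```python
from dataclasses import dataclass

SHOWN = 4          # hex chars displayed at each end of an abbreviated address (assumption)
DUST_LIMIT = 1.0   # incoming transfers at or below this count as dust (assumption)

@dataclass
class Transfer:
    direction: str      # "in" or "out", relative to the user's wallet
    counterparty: str
    amount: float

def normalize(addr: str) -> str:
    """Lower-case and drop the 0x prefix so checksum casing does not matter."""
    addr = addr.strip().lower()
    return addr[2:] if addr.startswith("0x") else addr

def abbreviated(addr: str) -> str:
    """Render an address the way a truncating wallet UI would."""
    a = normalize(addr)
    return f"0x{a[:SHOWN]}…{a[-SHOWN:]}"

def is_lookalike(candidate: str, trusted: str) -> bool:
    """True when two addresses differ in full but look the same abbreviated."""
    return (normalize(candidate) != normalize(trusted)
            and abbreviated(candidate) == abbreviated(trusted))

def find_poisoning(history, trusted_addresses):
    """Return (transfer, trusted) pairs for dust-sized inbound look-alikes."""
    hits = []
    for tx in history:
        if tx.direction != "in" or tx.amount > DUST_LIMIT:
            continue
        hits += [(tx, t) for t in trusted_addresses
                 if is_lookalike(tx.counterparty, t)]
    return hits

def safe_to_send(destination, trusted_addresses):
    """Allow a send only when the full address matches the address book."""
    return normalize(destination) in {normalize(t) for t in trusted_addresses}

# Constructed sample data (not values from the incident).
TRUSTED = "0x" + "a1b2" + "0" * 32 + "c3d4"
LOOKALIKE = "0x" + "a1b2" + "f" * 32 + "c3d4"
UNRELATED = "0x" + "9" * 40
HISTORY = [
    Transfer("out", TRUSTED, 50.0),    # the user's own test transaction
    Transfer("in", LOOKALIKE, 0.01),   # dust from a look-alike address
    Transfer("in", UNRELATED, 0.5),    # small but unrelated transfer
]
```

Running `find_poisoning(HISTORY, [TRUSTED])` flags only the look-alike dust transfer, and `safe_to_send(LOOKALIKE, [TRUSTED])` refuses the address a user would have copied from the poisoned history.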




