An Ethereum user fell victim to an address poisoning scam on Sunday, resulting in the loss of nearly $700,000 worth of the USDT stablecoin.
Experts warn this rising form of scam is easy to fall victim to if users aren’t militant in fully checking the address that they’re sending funds to.
What is address poisoning?
For address poisoning to work, malicious actors create an address that looks strikingly similar to an address that the victim has interacted with recently. The attacker will then send a small amount of tokens to the victim, with the goal of deceiving them into thinking the attacker’s address is the one they just interacted with.
“Let’s say your deposit address is 0x11223344556677889900. On your wallet it will look like: 0x1122…9900,” 0xToolman, pseudonymous on-chain sleuth at Bubblemaps, told Decrypt. “Scammers then create an address with the public key 0x1122aaaaaaaaaaaaaa9900. Although it’s different, it still looks like 0x1122…9900 in your wallet or [on] Etherscan, making you think it’s the right address, while it’s belonging to the scammer.”
On Sunday, a malicious attacker sent a transaction of 0 USDT from a wallet that looked almost identical to a Binance wallet that the victim had sent a test transaction of 10 USDT to, just seconds prior.
“The victim likely copied what appeared to be a legitimate address from their transaction history, trusting it because they had just successfully completed a test transfer moments before,” a spokesperson for security firm PeckShield told Decrypt.
Scammers use specialized software to generate thousands of wallet addresses that match commonly used deposit addresses, in this case a Binance wallet, PeckShield added.
“It’s all automated. They use a spray-and-pray tactic, blasting out thousands of fake transactions,” Hakan Unal, Senior Blockchain Scientist at security firm Cyvers, explained. “Even if just 0.1% fall for it, hitting one high-value wallet makes it worth it. Super low effort, high reward.”
This is what led to the victim sending 699,990 USDT to the attacker. Soon after receiving the funds, blockchain investigation firm AMLBot told Decrypt, the scammer swapped the USDT to DAI to prevent Tether from freezing the funds.
As a decentralized stablecoin, DAI cannot freeze funds connected to malicious activity, AMLBot said, like Tether can with USDT. It appears the scammer has since passed the funds through multiple wallets to hide their tracks.
Address poisoning spreads
Address poisoning scams are on the rise, Cyvers warned Decrypt. Last year, one crypto trader lost over $70 million due to an address poisoning scam, in what Cyvers believed was the largest of its type. More recently, on Friday, a victim lost $467,000 worth of DAI after falling for the scam.
🚨ALERT🚨Our system has detected an address poisoning attack resulting in a $467K $DAI loss.
The victim unknowingly sent funds to the scammer’s address.
💡 Stay Safe:
Always double-check the full wallet address before sending funds.
Enable AI-powered security tools to detect… pic.twitter.com/zH1EIvSaTF— 🚨 Cyvers Alerts 🚨 (@CyversAlerts) April 25, 2025
Fortunately, they can be avoided by paying extra attention when transferring funds.
“We suggest users always perform double or triple verification of full wallet addresses before initiating any transfers,” the PeckShield spokesperson told Decrypt. “Never trust truncated addresses (e.g., 0x123…abc)—always demand full address visibility. Conduct character-by-character validation when copying deposit addresses.”
“Cross-reference all transactions on blockchain explorers like Etherscan for additional confirmation,” the spokesperson said, adding that users should “never copy addresses from transaction history or unverified messages.”
