{"id":92449,"date":"2025-12-20T16:44:43","date_gmt":"2025-12-20T13:44:43","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=92449"},"modified":"2025-12-22T10:55:31","modified_gmt":"2025-12-22T07:55:31","slug":"investor-loses-nearly-50-million-in-address-spoofing-attack","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/investor-loses-nearly-50-million-in-address-spoofing-attack\/","title":{"rendered":"Investor Loses Nearly $50 Million in Address Poisoning Attack"},"content":{"rendered":"<p>A user mistakenly sent 49,999,950 <a href=\"https:\/\/forklog.com\/en\/news\/what-is-tether-usdt\">USDT<\/a> to a fraudulent address after copying it from a compromised transaction history.<\/p>\n<blockquote class=\"twitter-tweet\" data-lang=\"en\">\n<p lang=\"en\" dir=\"ltr\">\ud83d\udea8\ud83d\udc94 A victim lost ~$50M after copying the wrong address from contaminated transfer history. <a href=\"https:\/\/t.co\/ur4SJ0cvN0\">https:\/\/t.co\/ur4SJ0cvN0<\/a> <a href=\"https:\/\/t.co\/6K5ftJzC1G\">pic.twitter.com\/6K5ftJzC1G<\/a><\/p>\n<p>\u2014 Scam Sniffer | Web3 Anti-Scam (@realScamSniffer) <a href=\"https:\/\/twitter.com\/realScamSniffer\/status\/2002178397536190549?ref_src=twsrc%5Etfw\">December 20, 2025<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script>\u00a0<\/p>\n<p>The malicious scheme involves inserting addresses into the victim&#8217;s transaction list that resemble legitimate ones.<\/p>\n<p>The investor initially sent a test transaction of 50 USDT to the correct wallet. Minutes later, he transferred the main amount, copying the data from a history already tainted by a 0.005 USDT transfer. The similarity between the attacker&#8217;s address and the recipient&#8217;s was sufficient to deceive, as the first three and last four characters matched.<\/p>\n<p>According to on-chain data, the victim&#8217;s wallet had been actively used for the past two years, primarily for transactions in <a href=\"https:\/\/forklog.com\/en\/news\/what-are-stablecoins\">Tether&#8217;s stablecoin<\/a>. Shortly before the loss, the funds were withdrawn from Binance.\u00a0\u00a0<\/p>\n<p>Subsequently, the attacker exchanged the stolen assets for Ethereum, split the funds among several wallets, and partially sent them to the crypto mixer Tornado Cash.<\/p>\n<blockquote class=\"twitter-tweet\" data-lang=\"en\">\n<p lang=\"en\" dir=\"ltr\">How to lose $50M in under an hour. This is one of the largest on-chain scam losses we\u2019ve seen recently.<\/p>\n<p>A single victim lost $50M in <a href=\"https:\/\/twitter.com\/search?q=%24USDT&#038;src=ctag&#038;ref_src=twsrc%5Etfw\">$USDT<\/a> to an address poisoning scam. The funds had arrived less than 1h earlier.<\/p>\n<p>The user first sent a small test tx to the correct address. Mins\u2026 <a href=\"https:\/\/t.co\/Umsr8oTcXC\">pic.twitter.com\/Umsr8oTcXC<\/a><\/p>\n<p>\u2014 Web3 Antivirus (@web3_antivirus) <a href=\"https:\/\/twitter.com\/web3_antivirus\/status\/2002043421368693140?ref_src=twsrc%5Etfw\">December 19, 2025<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u201cThis is one of the largest blockchain scam cases we have seen recently,\u201d commented Web3 Antivirus experts.<\/p>\n<\/blockquote>\n<p>As reported by Chainalysis, since the beginning of 2025, hackers have stolen cryptocurrencies <a href=\"https:\/\/forklog.com\/en\/news\/losses-from-crypto-hacks-reached-3-4bn-in-2025\">worth over $3.4 billion<\/a>. One trend has been the increasing frequency of personal wallet hacks.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A user mistakenly sent 49,999,950 USDT to a fraudulent address after copying it from a compromised transaction history.<\/p>\n","protected":false},"author":1,"featured_media":92450,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"User sent 49,999,950 USDT to a fraudulent address from compromised transaction history.","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[44,1246],"class_list":["post-92449","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-cybercrime","tag-scammers"],"aioseo_notices":[],"amp_enabled":true,"views":"215","promo_type":"1","layout_type":"1","short_excerpt":"User sent 49,999,950 USDT to a fraudulent address from compromised transaction history.","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/92449","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=92449"}],"version-history":[{"count":3,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/92449\/revisions"}],"predecessor-version":[{"id":92474,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/92449\/revisions\/92474"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/92450"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=92449"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=92449"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=92449"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}