An Ethereum investor has suffered a costly mistake after accidentally sending more than $12 million worth of crypto to a fraudulent wallet, highlighting the growing risk of so-called “address poisoning” scams on public blockchains.
According to blockchain analytics firm Lookonchain, the victim lost 4,556 sETH – valued at roughly $12.4 million at the time – after copying the wrong wallet address while attempting to transfer funds to Galaxy Digital.
The investor was a frequent user of Galaxy Digital’s deposit address and had previously sent funds there multiple times without issue. Attackers took advantage of this behavior by generating a malicious “poison” address designed to closely resemble Galaxy Digital’s real deposit wallet. The fake address shared the same first and last four characters, making it visually convincing at a glance.
To set the trap, the attacker repeatedly sent small “dust” transactions to the victim’s wallet. These transactions appeared in the account’s history alongside legitimate transfers to Galaxy Digital. When the investor later initiated a large deposit, they copied the address directly from their transaction history, unknowingly selecting the attacker’s lookalike address instead of the real one.
Within seconds, the funds were irreversibly transferred to the fraudulent wallet.
Address poisoning exploits a common habit among crypto users: copying previously used addresses from transaction histories for convenience. Because blockchain addresses are long and unreadable, many users only verify the first and last few characters, which is exactly what attackers rely on.
Once a transaction is confirmed on the Ethereum network, it cannot be reversed, even if the destination is clearly fraudulent. In this case, the attacker successfully walked away with millions in a single transfer.
The incident serves as another warning that even experienced investors are vulnerable to simple operational mistakes. As crypto values rise, address poisoning scams have become more frequent, targeting wallets known to handle large sums.
Security experts consistently advise users to whitelist verified addresses, double-check full wallet strings, and avoid copying addresses from transaction histories.
