What Happened in the $50 Million USDT Transfer?
One of the largest individual onchain losses this year stemmed from a single transaction mistake. A crypto user mistakenly sent nearly $50 million in USDt to a scam address after copying a poisoned wallet address from their transaction history.
Onchain investigator Web3 Antivirus reported that the victim transferred 49,999,950 USDT after interacting with a malicious look-alike address. The incident followed a familiar pattern: the user first sent a small test transaction of 50 USDT to the correct destination. Minutes later, the full amount was sent — but to a different address controlled by the attacker.
Blockchain data shows the funds had just been withdrawn from Binance, indicating the wallet was active and under direct management at the time. The error was not caused by a protocol failure or exploit, but by a deceptive manipulation of transaction history.
Investor Takeaway
How Address Poisoning Tricks Even Experienced Users
Address poisoning scams rely on attackers sending small transactions from wallet addresses designed to closely resemble a legitimate recipient. These spoofed addresses are injected into a victim’s transaction history, waiting to be mistakenly reused.
In this case, the malicious address shared the same opening characters and last digits as the intended wallet. Cos, founder of blockchain security firm SlowMist, highlighted how minor the difference was. “You can see the first 3 characters and last 4 characters are the same,” he wrote.
Wallet interfaces often truncate addresses for readability, displaying only the beginning and end of the string. This design choice, combined with user habit, creates a narrow window for attackers. When funds are copied from transaction history instead of verified manually, the poisoned address can easily slip through.
Another onchain analyst described the incident bluntly: “This is the brutal reality of address poisoning, an attack that doesn’t rely on breaking systems, but on exploiting human habits.”
How the Funds Were Moved and Obscured
Once the USDT landed in the attacker’s wallet, the response was immediate. The stolen stablecoins were swapped for other assets within minutes. Onchain traces show the funds were converted first into DAI, then into Ether, before being split across multiple wallets.
Roughly 16,680 ETH was eventually routed through Tornado Cash, the privacy mixer previously sanctioned by U.S. authorities. The conversion from USDT to decentralized assets reduced the chance of intervention, as centralized issuers can freeze stablecoins in flagged addresses.
The victim later posted an onchain message offering a $1 million whitehat bounty in exchange for the return of 98% of the funds. “We have officially filed a criminal case,” the message said, adding that law enforcement and cybersecurity agencies had already gathered intelligence related to the attacker’s activity.
Why This Fits a Larger Pattern in 2025
The loss adds to what has already been a record year for crypto-related theft. According to Chainalysis, total losses in 2025 have exceeded $3.4 billion, the highest annual figure since 2022. The jump was driven less by frequent small hacks and more by a handful of extremely large incidents.
Just three events accounted for nearly 69% of the total amount stolen this year. The largest was the $1.4 billion Bybit breach, which alone made up almost half of all losses. Address poisoning attacks, while simple, continue to rank among the most effective tactics when large balances are involved.
Similar incidents have occurred before. In May 2024, an Ethereum user lost $71 million worth of wrapped bitcoin to an address poisoning scam. In that case, most of the funds were later recovered following onchain negotiations. Whether a similar outcome is possible here remains unclear, given the rapid movement into Tornado Cash.
Investor Takeaway
Can Wallet Design Reduce These Losses?
Security experts have long argued that wallet interfaces play a role in enabling address poisoning. Casa co-founder and chief security officer Jameson Lopp has pointed to the scale of the problem, citing tens of thousands of suspected cases across blockchains since 2023.
“I think it would be easy for wallets to say ‘Oh, this came from a similar looking address,’ and throw up a big red flag: do not interact,” Lopp said previously.
Until such safeguards become standard, address poisoning is likely to remain effective. The attack requires no malware, no protocol access, and no timing advantage — only patience and a user willing to trust their transaction history.
For large holders and institutions alike, the incident serves as a reminder that onchain security failures are not always technical. Sometimes, the most expensive exploits come down to a single copied line of text.
