In what security researchers are calling one of the most expensive individual errors in on-chain history, an unidentified cryptocurrency trader lost $49,999,950 in USDT on Friday, December 19, 2024, to a sophisticated “address poisoning” scam. The attack, flagged by the blockchain security firm SlowMist, highlights a growing trend of “low-tech, high-impact” fraud that bypasses traditional cybersecurity defenses by exploiting human psychology rather than software vulnerabilities. Unlike complex smart contract exploits, this attack relied entirely on the victim’s habit of copying and pasting wallet addresses from their own transaction history.
The Anatomy of a Poisoning Attack
The heist began when a scammer identified the high-net-worth wallet and used a “vanity address generator” to create a fraudulent wallet that shared the same first and last six characters as the victim’s legitimate destination. The attacker then sent a negligible amount of cryptocurrency — essentially “dust” — to the victim’s wallet. This transaction caused the scammer’s address to appear at the very top of the victim’s recent transaction logs. When the trader went to move 50 million USDT later that day, they inadvertently copied the “poisoned” address from their history, believing it to be their own verified wallet. Because most users only verify the beginning and end of long cryptographic strings, the subtle middle-section differences went unnoticed until the funds were already confirmed on the blockchain.
Rapid Laundering via Tornado Cash
Following the successful theft, the attacker moved with professional speed to obfuscate the paper trail. Within 30 minutes of receiving the $50 million, the scammer utilized MetaMask Swap to convert the USDT into the decentralized stablecoin DAI, a move likely designed to prevent Tether from blacklisting the funds at the smart contract level. The DAI was then immediately swapped for approximately 16,690 Ethereum (ETH). Blockchain sleuths tracked the final leg of the journey as the stolen ETH was funneled into Tornado Cash, a non-custodial privacy mixer that breaks the link between the sender and receiver. The victim has since issued a public plea to the attacker, offering a $1 million bounty for the return of the funds, though the use of Tornado Cash suggests the perpetrator is unlikely to engage in negotiations.
This incident has reignited a debate over the “usability vs. security” tradeoff in self-custody wallets. Critics argue that the current practice of displaying full hex addresses in transaction histories is a UI failure that invites this specific type of exploitation. In response to the $50 million loss, several prominent wallet providers, including Gem Wallet, have announced new “Anti-Poisoning” features scheduled for early 2026. These updates will include automatic flagging of “vanity-matched” addresses and a “Verified Contact Only” mode that hides transactions from unknown senders in the main history view. Until these tools are standardized, security experts urge all users — regardless of transaction size — to utilize Ethereum Name Service (ENS) domains or hard-coded “address books” rather than relying on the copy-paste function from transaction logs.
