$50M USDT Lost in Address Poisoning On-Chain Scam

- $50M in USDT was lost after a user copied a poisoned wallet address from the transaction history.
- The scam relied on dust transfers and lookalike addresses, not a protocol exploit.
- Charles Hoskinson said account-based blockchain models enable address poisoning risks.
A cryptocurrency user who fell for an address poisoning scam has lost almost $50 million in USDT. The theft took place through a series of on-chain transactions and was eventually discovered by a blockchain security company. The case stands out for the scale of the loss and the absence of any protocol breach or smart contract exploit.
The theft was first detected by Web3 Antivirus, which flagged abnormal transaction behavior. According to on-chain data, the victim accidentally sent $49,999,950 in USDT to an attacker's wallet. The payment was preceded by a small test payment intended to confirm the destination address. The last transaction went to another wallet.
Hoskinson Compares Account-Based Chains With UTXO Systems
The incident prompted commentary from Charles Hoskinson. He stated that such losses are closely tied to account-based blockchain models. These systems rely on persistent addresses and visible transaction histories. That structure allows attackers to manipulate what users see when copying addresses.
Hoskinson contrasted this with UTXO-based blockchains such as Bitcoin and Cardano. In those systems, transactions consume and create discrete outputs. Wallets construct payments from specific outputs rather than reused account endpoints. There is no persistent address history to poison in the same form.
The victim’s wallet had been active for about two years and was mainly used for USDT transfers. Shortly after funds were withdrawn from Binance, the wallet received close to $50 million. The user sent a $50 test transaction to the intended recipient. Minutes later, the remaining balance was transferred using an incorrect address.
Investigators say the scammer anticipated this behavior. After the test transfer, the attacker generated a new wallet address designed to closely resemble the legitimate destination. The first and last characters were the same. Since many wallets shorten addresses in transaction histories, the fraudulent address appeared visually similar to the real one.
How Address Poisoning Used Dust Transfers to Steal $50M
To reinforce the deception, the attacker sent a tiny dust transaction to the victim’s wallet. This action inserted the fake address into the transaction history. When the user later copied the address from prior activity, the poisoned entry was selected. The funds were then transferred directly to the attacker’s wallet without further verification.
Address poisoning scams operate at scale. Automated bots distribute dust transactions to wallets holding large balances. The goal is to exploit routine copy-and-paste habits during future transfers. Most attempts do not succeed. A single mistake, however, could lead to a substantial loss, as demonstrated in this case.
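A wallet-side check for the pattern described above, as an added example that is not part of the original article. It flags history entries whose visible first and last characters match a trusted address while the full address differs, and accepts a pasted destination only on a full-string match. The hex address format, the names, the 4-character edge and the dust threshold are assumptions, and the addresses are constructed.

```python
from dataclasses import dataclass

EDGE = 4              # assumed: characters a wallet UI shows at each end
DUST_THRESHOLD = 1.0  # assumed: incoming transfers under 1 token count as dust

@dataclass
class Transfer:
    counterparty: str  # the other address in the history entry
    amount: float      # token amount
    incoming: bool     # True if the wallet received the transfer

def normalize(addr: str) -> str:
    """Lower-case the address and drop a leading 0x so comparisons are exact."""
    addr = addr.lower()
    return addr[2:] if addr.startswith("0x") else addr

def is_lookalike(candidate: str, trusted: str, n: int = EDGE) -> bool:
    """True if the visible head and tail match but the full address differs."""
    c, t = normalize(candidate), normalize(trusted)
    return c != t and c[:n] == t[:n] and c[-n:] == t[-n:]

def find_poisoned(history, trusted):
    """Return (suspect, imitated, via_dust) for entries that mimic a trusted address."""
    hits = []
    for tx in history:
        for good in trusted:
            if is_lookalike(tx.counterparty, good):
                via_dust = tx.incoming and tx.amount < DUST_THRESHOLD
                hits.append((tx.counterparty, good, via_dust))
    return hits

def safe_destination(pasted: str, trusted) -> bool:
    """Accept a pasted address only if the full string matches a trusted one."""
    return normalize(pasted) in {normalize(a) for a in trusted}

# Constructed sample data, not the addresses from the incident.
TRUSTED = "0xA1b2" + "0" * 32 + "9F3e"
FAKE = "0xA1b2" + "7" * 32 + "9F3e"
OTHER = "0x" + "c" * 40
HISTORY = [
    Transfer(TRUSTED, 50.0, incoming=False),  # the user's own test payment
    Transfer(FAKE, 0.001, incoming=True),     # dust from the lookalike
    Transfer(OTHER, 0.5, incoming=True),      # unrelated small transfer
]

if __name__ == "__main__":
    for suspect, imitated, via_dust in find_poisoned(HISTORY, [TRUSTED]):
        print(f"{suspect} imitates {imitated} (dust: {via_dust})")
```

Shortened to four characters at each end, the trusted and lookalike entries in the sample history display identically, which is why the check compares full strings.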
Blockchain records show the stolen USDT was quickly swapped for Ether on the Ethereum network. The assets were then moved through a series of intermediary wallets. Several of these addresses later interacted with Tornado Cash. The mixer is commonly used to obscure transaction trails.
The movement of funds suggests an effort to complicate tracking rather than immediate liquidation. No recovery of the assets has been confirmed. The attacker has not publicly responded. Monitoring of the related addresses continues through on-chain analysis.
After the incident, the victim wrote an on-chain note to the attacker. The message demanded that 98% of the stolen funds be returned within 48 hours. It pledged $1 million as a white-hat bounty if the assets were returned in their entirety. The communication also threatened legal escalation and criminal charges.
Security analysts emphasize that this was not a protocol flaw. No cryptographic safeguards were bypassed. The loss resulted from interface design combined with common user habits. Address poisoning scams exploit partial address matching and reliance on transaction history. In less than an hour, those factors led to a $50 million loss.



