In December 2025, a crypto user withdrew $50 million in USDT from Binance and attempted to transfer it to their own wallet. They followed best practice — sending a small test transaction first to confirm the destination address. The test arrived safely. Then they sent the full amount. It went to someone else.1
The attack is called address poisoning, and it exploits something most people do without thinking: copying a wallet address from their transaction history. Here is how it works. An attacker monitors the blockchain for high-value transactions. When they spot a target, they generate a wallet address that matches the first and last several characters of the intended destination — the only characters most wallets and block explorers display. They send a tiny 'dust' transaction to the target from this spoofed address. Now the attacker's address appears in the victim's transaction history, looking nearly identical to the real one.
The victim, trusting their history, copies the wrong address and sends their funds to the attacker. In the December 2025 case, the attacker converted $50 million in USDT to DAI within minutes — a strategic move because Tether can freeze USDT in flagged wallets, but decentralized DAI has no such mechanism. The DAI was then converted to approximately 16,690 ETH and deposited into Tornado Cash to break the transaction trail.1 The entire laundering sequence took less than 30 minutes.
This isn't niche. Academic researchers studying Ethereum and BSC identified 270 million on-chain poisoning attempts targeting 17 million victims over a two-year period.2 Of those, 6,633 incidents resulted in confirmed losses exceeding $83.8 million. Zero-value transfer techniques — which require no private key signatures — have accounted for a significant portion of these losses. In a single week in August 2025, address poisoning netted $1.6 million.3
Clipboard hijacking adds a second layer of danger. Malware silently running on a compromised device monitors the clipboard for cryptocurrency address patterns. When you copy a legitimate address, the malware instantly replaces it with an attacker-controlled address.4 Because wallet addresses are long alphanumeric strings that humans rarely verify character by character, the swap goes unnoticed. In early 2025, researchers documented fake CAPTCHA attacks that installed clipboard-hijacking malware — turning ordinary copy-paste actions into theft vectors.
The defenses are simple in theory but require discipline in practice. First and most important: never copy addresses from transaction history. Always copy from a verified source — your own address book, a bookmarked address, or your hardware wallet's display. Second, verify the entire address, not just the first and last characters. Third, use wallets that display full addresses and support address whitelisting. Fourth, run anti-malware tools that detect clipboard manipulation. Fifth, for large transfers, always send a test transaction and verify receipt on a block explorer using the full address before sending the remainder.
Address poisoning exploits no vulnerability in code or cryptography. It exploits a human habit: the tendency to verify incompletely and trust past experience. In a system where transactions are irreversible, that habit is worth $83.8 million and counting.