OPN Intel
LIVE
BTC$76,620MAYER0.95×200W1.25×PI-CYCLE38%DRAWDOWN-39%PUELL0.81×W-RSI45BMSB0.97×
AS OF 2026-05-24
Threats· Feb 15, 2026· 5 min read

One Wrong Paste, $50 Million Lost to Address Poisoning

A crypto user withdrew $50 million and sent it to an attacker's address that looked nearly identical to their own. Address poisoning is the simplest, cheapest, and most effective attack in crypto — and it works because of how you copy and paste.

Key takeaways

  1. A single crypto user lost $50 million in USDT to an address poisoning attack in December 2025 — the funds were laundered through Tornado Cash within 30 minutes
  2. Academic research identified 270 million on-chain address poisoning attempts targeting 17 million victims, with confirmed losses exceeding $83.8 million
  3. The attack exploits a basic user habit: copying wallet addresses from transaction history instead of verifying the full address string
  4. Clipboard hijacking malware adds a second vector — silently replacing copied addresses with attacker-controlled ones

In December 2025, a crypto user withdrew $50 million in USDT from Binance and attempted to transfer it to their own wallet. They followed best practice — sending a small test transaction first to confirm the destination address. The test arrived safely. Then they sent the full amount. It went to someone else.1

The attack is called address poisoning, and it exploits something most people do without thinking: copying a wallet address from their transaction history. Here is how it works. An attacker monitors the blockchain for high-value transactions. When they spot a target, they generate a wallet address that matches the first and last several characters of the intended destination — the only characters most wallets and block explorers display. They send a tiny 'dust' transaction to the target from this spoofed address. Now the attacker's address appears in the victim's transaction history, looking nearly identical to the real one.

The victim, trusting their history, copies the wrong address and sends their funds to the attacker. In the December 2025 case, the attacker converted $50 million in USDT to DAI within minutes — a strategic move because Tether can freeze USDT in flagged wallets, but decentralized DAI has no such mechanism. The DAI was then converted to approximately 16,690 ETH and deposited into Tornado Cash to break the transaction trail.1 The entire laundering sequence took less than 30 minutes.

This isn't niche. Academic researchers studying Ethereum and BSC identified 270 million on-chain poisoning attempts targeting 17 million victims over a two-year period.2 Of those, 6,633 incidents resulted in confirmed losses exceeding $83.8 million. Zero-value transfer techniques — which require no private key signatures — have accounted for a significant portion of these losses. In a single week in August 2025, address poisoning netted $1.6 million.3

Clipboard hijacking adds a second layer of danger. Malware silently running on a compromised device monitors the clipboard for cryptocurrency address patterns. When you copy a legitimate address, the malware instantly replaces it with an attacker-controlled address.4 Because wallet addresses are long alphanumeric strings that humans rarely verify character by character, the swap goes unnoticed. In early 2025, researchers documented fake CAPTCHA attacks that installed clipboard-hijacking malware — turning ordinary copy-paste actions into theft vectors.

The defenses are simple in theory but require discipline in practice. First and most important: never copy addresses from transaction history. Always copy from a verified source — your own address book, a bookmarked address, or your hardware wallet's display. Second, verify the entire address, not just the first and last characters. Third, use wallets that display full addresses and support address whitelisting. Fourth, run anti-malware tools that detect clipboard manipulation. Fifth, for large transfers, always send a test transaction and verify receipt on a block explorer using the full address before sending the remainder.

Address poisoning exploits no vulnerability in code or cryptography. It exploits a human habit: the tendency to verify incompletely and trust past experience. In a system where transactions are irreversible, that habit is worth $83.8 million and counting.

The address in your clipboard might not be the address you copied. Verify everything. OPNorange teaches the habits that keep irreversible transactions going where you intend.

Sources

  1. [1]CoinDesk / The Block / Web3 Antivirus, December 20, 2025
  2. [2]Arxiv, 'Blockchain Address Poisoning,' January 2025
  3. [3]Naoris Protocol, August 2025
  4. [4]Infohub Kenya / Ledger Academy, 2025
  5. [5]CertiK / Chainalysis, Crypto Crime Report 2025

More in Threats

Hinkal Lost $820,000 After Its Privacy Proof Verification Failed to Verify Anything$1.7 Million Drained Through a Single Forged Proof on TaikoFTX Repays Bitcoin Creditors at $16,871 Petition-Date Price