A crypto user has lost $50 million worth of USDT after falling for an “address poisoning” scam, copying the scammer’s address from their own transaction history.
Crypto security expert Web3 Antivirus spotted the unlucky victim’s outgoings earlier today. The user first sent a test transaction of almost $50 worth of USDT to a crypto address beginning “0xbaf,” and ending with “F8b5.”
However, they then sent almost $50 million worth of USDT to a suspiciously similar address that starts with “0xBaF,” and ends with “f8b5.”
The full scam address, “0xBaFF2F13638C04B10F8119760B2D2aE86b08f8b5,” has a different body from the recipient of the test transaction, suggesting that the sender failed to check beyond the first few digits of the address.
The redirected funds have since been converted into the unfreezable stablecoin Dai, sent onwards to another address, and are now being swapped into wrapped ether via “Rizzolsver: Uniswap X.”
How does crypto poisoning work?
An address poisoning scam works by sending small amounts of crypto, known as “dust,” to the target from an address that closely resembles one the target already sends funds to.
These small traces of crypto appear in the victim’s transactions — hence the “poisoning” — and can trick them into accidentally copying and pasting that address instead of the legitimate one they intended to send to.
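The check that defeats this trick is a full-address comparison against a saved recipient, rather than a glance at the first and last characters. The sketch below is an added example, not part of the original report: the function names, the address book and all sample addresses are constructed for illustration, and it compares addresses case-insensitively without validating their checksum casing.

```python
import re

ADDR_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")

def normalize(addr):
    """Validate a 20-byte hex address and lowercase it, so casing differences are ignored."""
    if not ADDR_RE.match(addr):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return addr.lower()

def is_lookalike(candidate, trusted, n=3):
    """True if candidate differs from trusted but shares its first and last n hex characters."""
    c, t = normalize(candidate), normalize(trusted)
    return c != t and c[2:2 + n] == t[2:2 + n] and c[-n:] == t[-n:]

def check_recipient(pasted, address_book, n=3):
    """Classify a pasted recipient against full addresses saved in an address book."""
    p = normalize(pasted)
    for label, trusted in address_book.items():
        if p == normalize(trusted):
            return ("ok", label)
    for label, trusted in address_book.items():
        if is_lookalike(p, trusted, n):
            return ("lookalike", label)
    return ("unknown", None)

def poisoned_history_entries(history, address_book, n=3):
    """Return addresses in the transaction history that imitate a saved address."""
    return [a for a in history if check_recipient(a, address_book, n)[0] == "lookalike"]

# Constructed sample data (not real addresses).
LEGIT = "0xAbC1" + "11" * 16 + "9f3E"
LOOKALIKE = "0xaBc1" + "22" * 16 + "9F3e"
UNRELATED = "0x" + "5" * 40
ADDRESS_BOOK = {"exchange-deposit": LEGIT}

if __name__ == "__main__":
    for addr in (LEGIT, LOOKALIKE, UNRELATED):
        print(addr, check_recipient(addr, ADDRESS_BOOK))
```

A "lookalike" result means the pasted address matches a saved recipient only at its edges, which is the pattern described above and should block the transfer until the full address is verified.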
In one instance, someone accidentally sent $70 million to a poisoned address. They then began attempting to negotiate with the scammer, offering to let them keep 10% of their funds.
The scammer eventually returned more than half of the stolen funds to the victim.
Two more victims lost over $200,000 collectively last year after copying the wrong deposit address and sending the crypto to the poisoned address.