CZ Pushes Wallet Blacklists After $50M Address Poisoning Heist

Binance founder Changpeng “CZ” Zhao is using a $50 million address poisoning theft as a rallying cry for wallet-level defenses, urging the industry to add real-time blacklist checks and dust filtering after an investor misrouted 49,999,950 USDT in a single Ethereum transaction on December 19, on-chain data from Etherscan shows.

The loss came from wallet 0xcB80784e... to an address now labeled Fake_Phishing1691332, via the Tether USDT contract, with 49,999,950 USDT leaving the victim for a gas fee under $1. The transfer settled at 15:32:59 UTC on December 19 and has over 41,000 confirmations, locking in one of the largest single on-chain user mistakes of the year.

Security firms traced the sequence before the main transfer. The victim first sent a 50 USDT test from 0xcB8078... to their own address 0xbaf4b1aF7E3B560d937DA0458514552B6495F8b5. Shortly after, an attacker generated a vanity address 0xBaFF2F13638C04B10F8119760B2D2aE86b08f8b5 that shared the same first and last characters, then seeded the victim’s history with a tiny transfer, according to incident summaries from Blockchain.News and KuCoin’s flash alert desk.

When the user returned to push size, they copied the lookalike entry from their wallet history instead of the original destination and fired the full 49,999,950 USDT to the attacker-controlled address. Most retail and pro wallets collapse the middle of addresses on-screen, which let the spoofed prefix and suffix pass a quick visual check.

SlowMist and other on-chain monitors tracked the laundering path. Within roughly 30 minutes of receiving the funds, the attacker swapped the entire 50 million USDT stack into DAI via MetaMask Swap, then converted that DAI into about 16,690 ETH and funneled roughly 16,680 ETH into Tornado Cash, a pattern documented in analyses of the incident by multiple security teams and regional media that reproduced SlowMist’s transaction graph.

The victim later broadcast an on-chain message to the attacker offering a $1 million “white-hat” bounty if 98% of the funds return within 48 hours, with a threat to escalate through international law enforcement if that deadline passes, according to reporting from CoinMarketCap’s Academy and Coinpaper, both of which reviewed the embedded message.

CZ’s “poison address” blueprint

On December 24, CZ published a Binance Square post titled “Let’s Eradicate the Poison Scams”, arguing that address poisoning should become a solved problem at the wallet layer. He called for every major wallet to query chain data and shared reputation lists before sending.

“Our industry should be able to completely eradicate this type of poison attacks, and protect our users.”

In that post, CZ laid out three concrete steps. First, he wants wallets to check whether a recipient is a known “poison address” and block or hard-warn users before they sign. He framed this as a simple blockchain query backed by shared threat feeds rather than any consensus change. Second, he called on “security alliances” to maintain real-time blacklists of poisoning wallets so any client can check them pre-send. Third, he told wallet developers to stop showing dust and spam transfers in normal history views, filtering out low-value transactions that exist only to plant fake addresses.
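The pre-send checks from CZ's three steps, combined with a local test for the matching prefix and suffix trick described earlier, as an added example that is not code from the article or from any wallet. Function names, thresholds and the dust amount are assumptions; the two addresses are the ones quoted above.

```javascript
// Added example: wallet-side screening against address poisoning (illustrative names).
const DUST_THRESHOLD = 1; // assumed: hide inbound transfers below 1 token unit
const MIN_PREFIX = 3;     // assumed: leading hex chars that must match to count as a lookalike
const MIN_SUFFIX = 4;     // assumed: trailing hex chars that must match

const norm = (a) => a.toLowerCase().replace(/^0x/, ""); // ignore EIP-55 casing

// Count how many leading and trailing hex characters two addresses share.
function sharedEnds(a, b) {
  const x = norm(a), y = norm(b);
  let p = 0, s = 0;
  while (p < x.length && x[p] === y[p]) p++;
  while (s < x.length - p && x[x.length - 1 - s] === y[y.length - 1 - s]) s++;
  return { prefix: p, suffix: s };
}

// Different addresses that look the same once the UI collapses the middle.
function looksAlike(a, b) {
  const { prefix, suffix } = sharedEnds(a, b);
  return norm(a) !== norm(b) && prefix >= MIN_PREFIX && suffix >= MIN_SUFFIX;
}

// Step 3: keep dust and zero-value inbound transfers out of the history users copy from.
function filterHistory(history) {
  return history.filter((tx) => tx.direction === "out" || tx.amount >= DUST_THRESHOLD);
}

// Steps 1 and 2 (shared blacklist) plus the local lookalike test, run before signing.
function screenRecipient(recipient, history, blacklist) {
  if (blacklist.has(norm(recipient))) return { action: "block", reason: "blacklisted" };
  const paid = history.filter((tx) => tx.direction === "out").map((tx) => tx.counterparty);
  if (paid.some((a) => norm(a) === norm(recipient))) return { action: "allow", reason: "known" };
  const twin = paid.find((a) => looksAlike(a, recipient));
  if (twin) return { action: "warn", reason: "lookalike", resembles: twin };
  return { action: "allow", reason: "new recipient" };
}

// Addresses from the article; the history entries and dust amount are constructed.
const REAL = "0xbaf4b1aF7E3B560d937DA0458514552B6495F8b5";
const FAKE = "0xBaFF2F13638C04B10F8119760B2D2aE86b08f8b5";
const SAMPLE_HISTORY = [
  { direction: "out", counterparty: REAL, amount: 50 },   // the 50 USDT test send
  { direction: "in", counterparty: FAKE, amount: 0.005 }, // poisoning dust (constructed)
];

console.log(screenRecipient(FAKE, SAMPLE_HISTORY, new Set()));
```

The lookalike test works without any shared feed, so it still warns when the poisoning address is too new to appear on a blacklist.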

CZ pointed to Binance Wallet as a live example. According to his post and follow-up coverage from Cryptopolitan and Cointelegraph, Binance already tags suspect recipients and throws a warning screen when a user tries to send into an address linked to poisoning activity or other fraud.

He reiterated the message on X, posting a call to “completely eradicate this type of poison address attacks” on December 24 and linking both the $50 million case and his Square write-up in a thread at x.com/cz_binance/status/2003793650908815499.

Address poisoning is no outlier

The theft fits a broader pattern rather than being a freak accident. A January 2025 academic study linked by Cointelegraph found more than 270 million address poisoning attempts on Ethereum and BNB Chain between July 2022 and June 2024, including roughly 6,000 successful hits that produced over $83 million in losses. The paper also showed success rates below 0.03%, which still left attackers with huge returns because each win moved six or seven figures.

In August 2025, Cointelegraph tallied more than $1.6 million lost to address poisoning in a single week, outpacing the entire preceding month, as scammers targeted whales with chains of dust transactions and lookalike addresses. Scam Sniffer data cited by Cointelegraph’s latest coverage of CZ’s proposal put November phishing losses at $7.7 million across 6,344 victims, before this one trade alone multiplied December’s damage.

CertiK’s 2024 Web3 security review already ranked phishing as the top attack vector by value, with over $1 billion stolen across 296 incidents, and singled out address poisoning and zero-value transfer tricks as core techniques instead of fringe tactics. The same report noted that Binance’s security team had rolled out an “antidote” algorithm that flagged around 15 million poisoned addresses even before this month’s heist.

Market shrugs, wallets feel the pressure

BNB barely reacted to either the theft or CZ’s call to action. The token traded around $837 on Thursday, down less than 1% over 24 hours, according to real-time pricing data, while USDT held its usual $1 peg. The chain and its native token escaped direct blame. The focus landed on wallet UX, address hygiene and shared threat intelligence instead.

The address history behind the theft suggests the attacker watched a known USDT-heavy wallet that frequently moved size through Binance. That aligns with a May 2025 case where another victim lost $2.6 million in stablecoins across two zero-value transfer scams in three hours, which Cointelegraph traced to a similar pattern of spoofed histories and partial-address checks that failed under pressure.

Whether CZ’s blueprint gains traction now depends less on Binance and more on how fast other major wallets, exchanges and custody stacks agree on blacklist governance. The same Security Alliance network that CertiK and samczsun support for incident response already handles hack tickets across chains. CZ’s post effectively asks that type of group to publish machine-readable, real-time feeds that any wallet can consult before users hit send.

For traders who move size, the $50 million USDT misfire removes any doubt about the stakes. One copy-paste from the wrong line in history, and the entire balance left in a single ERC‑20 transfer to 0xBaFF2F...f8b5. The attacker paid under a dollar in gas to take it.

About the author

Amir Rocha, Crypto News Reporter

I’m Amir Rocha, a reporter who believes you shouldn't need a computer science degree to understand the future of money. I spend my days translating technical developments from Zero-Knowledge rollups into clear, actionable insights for SEC filings. After 8 years in the blockchain space, I’ve learned that the most important story isn't the price, but the technology underneath. I write to help you spot the difference between genuine innovation and a marketing gimmick.
