Crypto User Loses $50M to ‘Address Poisoning’ Scam; Funds Washed via Tornado Cash

A single Ethereum user has lost nearly $50 million in USDT after falling victim to an “address poisoning” attack, marking one of the largest individual losses to social engineering in 2025. The funds were immediately liquidated into Ether and funneled through Tornado Cash.

The Poisoned Click

The incident occurred on December 20, immediately following a routine safety measure that backfired. The victim, operating from wallet 0xcB80…0819, sent a $50 test transaction to their intended destination to verify the address. Within minutes, an automated script detected the activity and generated a “vanity address” (0xBaFF…f8b5) mimicking the first and last characters of the victim’s intended target.

The attacker then sent a dust transaction to the victim’s wallet, placing the fraudulent address at the top of their transaction history. When the victim moved to transfer the full 49,999,950 USDT, they copied the poisoned address from their history rather than the verified source. The funds were gone in one block.

Laundering at Speed

On-chain data confirms the attacker wasted no time. The 50 million USDT was swapped for DAI and subsequently converted into approximately 16,690 ETH (valued at ~$49.6 million with ETH trading around $2,975). The bulk of these funds—16,680 ETH—was deposited into the sanctioned mixer Tornado Cash in an attempt to sever the on-chain trail.

“This is your final opportunity to resolve this matter peacefully. You are hereby required to return 98% of the stolen assets… You may retain USD 1,000,000 as a white-hat bounty.”

The victim sent the above message in the input data of a transaction, threatening to “escalate the matter through legal international law enforcement channels” if the deadline passes. At press time, the attacker had not responded.

Institutional Context

This exploit highlights a persistent vulnerability in crypto UX: the reliance on truncated addresses. While protocols remain secure, the interface layer, where users verify only the first four and last four characters, continues to be a high-yield attack vector for scammers. Security firms like SlowMist and PeckShield have flagged a sharp rise in these automated vanity address attacks targeting high-net-worth wallets.
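The check a wallet or monitoring tool could run against the pattern described in “The Poisoned Click” and the truncated-address weakness above, as an added example that is not part of the original article: it flags incoming dust transfers whose sender matches a previously paid address on the first and last four hex characters, and compares the full address before sending. The function names, the dust threshold, and every address and amount are assumptions constructed for illustration.

```python
# Added example. Every address and amount here is constructed sample data.
from dataclasses import dataclass

@dataclass
class Transfer:
    sender: str
    recipient: str
    amount: float  # token units

def norm(addr: str) -> str:
    """Lower-case and drop the 0x prefix so mixed-case forms compare equal."""
    addr = addr.lower()
    return addr[2:] if addr.startswith("0x") else addr

def looks_like(candidate: str, trusted: str, n: int = 4) -> bool:
    """True when the two differ but share the first and last n hex chars,
    so both render identically in a truncated 0xAAAA…BBBB display."""
    c, t = norm(candidate), norm(trusted)
    return c != t and c[:n] == t[:n] and c[-n:] == t[-n:]

def find_poisoning(history, wallet, dust_limit=1.0, n=4):
    """Scan an oldest-first history and return (dust_transfer, imitated_address)
    pairs: incoming dust whose sender imitates an address the wallet paid earlier."""
    me, paid, hits = norm(wallet), [], []
    for tx in history:
        if norm(tx.sender) == me:
            paid.append(tx.recipient)
        elif norm(tx.recipient) == me and tx.amount <= dust_limit:
            match = next((p for p in paid if looks_like(tx.sender, p, n)), None)
            if match is not None:
                hits.append((tx, match))
    return hits

def safe_to_send(destination: str, verified: str) -> bool:
    """Compare all 40 hex characters against the independently verified address."""
    return norm(destination) == norm(verified)

WALLET = "0x" + "11" * 20                   # constructed
INTENDED = "0xA1b2" + "0" * 32 + "c3D4"     # constructed intended recipient
POISON = "0xa1B2" + "f" * 32 + "C3d4"       # constructed lookalike
HISTORY = [
    Transfer(WALLET, INTENDED, 50.0),                 # test payment
    Transfer("0x" + "22" * 20, WALLET, 0.5),          # unrelated small deposit
    Transfer(POISON, WALLET, 0.001),                  # dust from the lookalike
]

if __name__ == "__main__":
    for tx, target in find_poisoning(HISTORY, WALLET):
        print(f"poisoning suspect {tx.sender} imitates {target}")
    print("send to history entry?", safe_to_send(POISON, INTENDED))
```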

> ABOUT_THE_AUTHOR _

Mark Zimmerman

// Technical Writer

Hi, I'm Mark. My journey into the blockchain industry began on the investment side, where I worked as a developer in charge of DeFi operations for a digital asset-focused firm, eventually becoming a partner. I transitioned from the financial side of crypto to the deep technical trenches as a Solidity developer, a central limit order book built on the Avalanche blockchain. That hands-on experience building decentralized applications gave me a rigorous understanding of the challenges developers face when working with distributed ledger technology. Currently, I work as a Technical Writer at CoinWatchDaily, where I focus on bridging the gap between complex low-level code and accessible developer education.
