- A routine test transfer ended with almost 50 million USDT sent to a scammer’s wallet
- The attacker used a subtle address poisoning trick exploiting copy‑paste habits and truncated wallet views
- On‑chain data shows the funds were quickly swapped to ETH and routed through multiple wallets and Tornado Cash
- Experts urge users to verify full addresses, use whitelists and hardware wallets, and split large transfers
What started as a routine crypto transfer turned into one of the year’s most striking on‑chain mishaps, when a user accidentally sent almost 50 million USDT to a scammer’s wallet because of a copy‑paste mistake. The case, uncovered by several on‑chain analysts, has quickly become a textbook example of how a tiny lapse in attention can wipe out a fortune in the crypto ecosystem.
Behind the headlines there was no sophisticated exploit against a protocol or exchange. Instead, the loss stemmed from a classic “address poisoning” scam that preys on human habits: relying on truncated wallet addresses, copying from transaction history, and assuming that a recent transfer record is inherently trustworthy.
A routine test transfer that turned into disaster
The incident began with what many traders would consider a sensible precaution: the victim first sent a small test amount of 50 USDT to confirm the destination before moving the full balance. That initial transfer went through successfully to the correct wallet, giving the user confidence to proceed with a much larger transaction.
In the background, the scammer was watching. Shortly after the test payment landed, the attacker dispatched a tiny “dust” transaction from a malicious wallet whose address was crafted to look almost identical to the legitimate recipient. This dust payment ensured the fake address appeared prominently in the victim’s recent transaction list.
Later, when the user went back to send the full amount, they copied an address from their history, assuming it was the same one they had just used. Instead of double‑checking the entire string, they relied on the familiar pattern at the beginning and end of the address, a habit that many seasoned crypto users share.
In a matter of moments, nearly 49.999.950 USDT were sent from the victim’s wallet straight into the attacker’s hands. Once the transaction was confirmed on‑chain, there was no built‑in way to undo or cancel it, turning a simple oversight into a multi‑million‑dollar loss.
How the address poisoning trick actually worked
On‑chain data reveals the sequence in detail. The victim initially transferred 50 USDT to a legitimate wallet, for example the address 0xbaf4…f8b5, which had been used over roughly two years mainly for handling USDT flows. Moments later, the attacker sent a dust transaction of about 0.005 USDT from a forged address deliberately designed to mimic that original one.
The malicious wallet, such as 0xbaff…f8b5, matched the first three and last four characters of the real address. Security researcher Cos, founder of SlowMist, highlighted that this subtle similarity was more than enough to fool even an experienced user, especially when most wallets truncate addresses to show only the beginning and end.
Many popular wallets prioritize a clean interface and shorten full addresses into a compact format, displaying something like “0xbaf4…f8b5”. That convenience is exactly what address poisoners exploit: when a user scrolls through their transaction history, the fake and real addresses can look indistinguishable at a glance.
The victim, relying on this truncated view, copied the poisoned address from their recent activity instead of re‑selecting or manually verifying the original recipient. With one paste and one confirm, nearly 50 million USDT were dispatched in a single transaction from the victim’s wallet to the scammer’s clone address.
Analysts later noted that the wallet had been active for about two years and that the funds had recently been withdrawn from Binance, suggesting that it was being managed actively rather than being a dormant account caught off guard.
What happened to the stolen 50 million USDT on‑chain
Once the huge transfer hit the attacker’s address, the response was swift and methodical. Instead of leaving the funds in USDT, the scammer began converting the stablecoins to Ether (ETH) through decentralized exchanges, fragmenting the trail into multiple swaps.
From there, the ETH was split across several different wallets. Portions of the proceeds were routed through Tornado Cash, a privacy tool that mixes funds from many users to obscure transaction paths. By cycling the assets through a mixer, the attacker made it far harder for investigators or the victim to trace or recover the funds.
On‑chain intelligence firms and independent analysts publicly documented the flow of the stolen USDT, noting that the pattern followed a familiar playbook: large theft, rapid swaps into ETH, distribution across new wallets, then partial laundering through privacy protocols.
While some stablecoin issuers, including Tether, have occasionally frozen assets tied to high‑profile hacks, there has been no sign so far that a reversal is imminent in this case. Without such intervention, the transaction remains what it is on any blockchain: final and irreversible.
Address poisoning: a growing threat built on human habits
The technique behind this incident is part of a broader wave of address poisoning scams, also described as address spoofing. Rather than directly attacking smart contracts, exchanges or wallets, these schemes rely on psychology and user behavior.
Scammers monitor public blockchain activity, searching for wallets that handle large balances or frequent transfers. Once a promising target is spotted, the attacker sends a small transaction from a look‑alike address. That payment then appears in the target’s transaction history or address book.
When the victim later initiates a new transfer, they may choose the wrong entry from the list, trusting that anything in their history must be safe. Because the first and last characters match, and because the amount of the previous transaction seems familiar, the address passes a casual visual check.
Blockchain security reports indicate that, across Ethereum and its layer‑2 networks, address poisoning scams have already accounted for losses of well over 100 million dollars in recent years. Many of the victims are not newcomers but rather users comfortable enough to move large amounts of crypto in a few clicks.
The 50 million USDT mishap now counts as one of the largest individual on‑chain losses tied to this specific technique, eclipsing smaller USDT poisoning cases and rivaled only by a handful of major attempts involving other assets, such as multi‑tens‑of‑millions in wrapped Bitcoin where partial recoveries occasionally occurred.
Why test transfers alone no longer guarantee safety
For years, sending a small “test” amount before a major transfer has been a standard safety habit in crypto. In this case, however, the attackers managed to turn that protective step into part of the trap. The successful 50 USDT test payment provided a false sense of security that the address in the user’s history was trustworthy.
The key weakness was not the test transaction itself, but the workflow that followed. Once the user confirmed that the small payment had arrived, they went back to their wallet interface and copied an address from the recent transactions list instead of confirming the recipient through a saved contact or verified source.
Because the scammer had already inserted a dust transaction from a near‑identical address, the poisoned entry sat side by side with the legitimate one. Depending on the wallet’s interface, it may have been difficult to tell which was which at a quick glance, especially under time pressure.
This episode highlights that, while test transfers still have value, they are not a complete safeguard against address poisoning. Large transfers may require multiple layers of checks: verifying the address out of band, comparing the full string, or using whitelisted entries instead of ad‑hoc copies from the activity feed.
In practice, the more money is involved, the more extra seconds of verification matter. When the transfer size approaches the tens of millions, relying solely on a routine test transaction can leave users exposed to highly targeted, carefully timed scams.
Wider context: billions lost to crypto hacks and scams
This incident unfolded against a backdrop of escalating losses across the crypto sector. Industry trackers have reported that total funds drained by hacks, breaches and scams climbed into the billions of dollars in 2025, reaching one of the highest annual tallies since 2022.
Analyses attribute much of this jump not to a surge in small‑scale attacks, but to a handful of headline‑grabbing incidents hitting large centralized and decentralized platforms. In some tallies, just three major exploits accounted for close to 70% of the year’s total stolen funds.
Among these, the roughly 1.4 billion dollar hack of the Bybit exchange stood out, representing nearly half of certain aggregated loss figures on its own. Although that case involved a direct compromise of exchange infrastructure rather than individual address poisoning, both events underscore how quickly massive amounts of value can vanish in the digital asset space.
The 50 million USDT lost through a copy‑paste error might seem small compared with multi‑billion‑dollar exchange breaches, yet it sends a different kind of message: even without a platform failure or smart‑contract bug, one user’s momentary oversight can produce losses on the scale of a mid‑sized institutional hack.
For regulators, service providers and everyday users, these numbers reinforce the need to balance innovation with a more mature approach to basic operational security, especially around how people interact with wallet addresses and confirmations.
Key lessons and practical protections for crypto users
Security specialists stress that preventing similar incidents starts with addressing everyday habits. The first recommendation is to avoid copying addresses from the transaction history whenever possible. Instead, users are encouraged to rely on saved, verified contacts or manually pasted addresses from trusted channels.
Another critical step is to verify the entire wallet address rather than glancing only at the first few and last characters. While this may feel tedious, especially on mobile devices, it dramatically reduces the chance that a near‑match spoofed address will slip through unnoticed.
Where supported, users can maintain whitelists of trusted recipients inside exchanges and wallets, so that large transfers are only allowed to pre‑approved addresses. This adds a layer of friction but makes it much harder for a poisoned address to be used by mistake.
Hardware wallets that show the full address on a dedicated, secure screen can also play a substantial role in defense. They force the user to confirm that the recipient matches exactly what they expect, rather than relying solely on what appears in a browser extension or mobile app.
Finally, for very large amounts, security professionals suggest splitting transfers into smaller chunks across several transactions. While this does not eliminate the risk of address poisoning, it can limit the damage if an error does occur, turning a catastrophic single loss into a more manageable one.
The saga of the 50 million USDT lost to a copy‑paste mistake underlines how fragile crypto transactions can be when a simple reliance on truncated wallet views overrides caution. A simple reliance on truncated wallet views, a quick selection from the history list and a single confirmation were enough to move a life‑changing sum into a scammer’s wallet, with no straightforward path to recovery. As more value flows through blockchains and address poisoning scams become ever more refined, the difference between keeping and losing a fortune may come down to a few extra seconds spent double‑checking every character on the screen.
