A crypto trader has lost nearly $50 million after falling victim to an address poisoning scam, highlighting ongoing security risks in self-custody and onchain transactions. The incident was flagged by blockchain security firm Web3 Antivirus and quickly circulated across the crypto community.
According to the researchers, the victim initially sent a small test transaction of around $50 in USDT to confirm a destination address. Shortly afterwards, the trader sent the remaining balance, roughly $49,999,950 USDT, but unknowingly copied a poisoned address that closely resembled the legitimate one.
How the scam worked
Address poisoning exploits the way users copy wallet addresses from transaction histories. Scammers send small transactions from addresses engineered to look almost identical to a real address, often matching the first and last characters. When users later copy the address from their wallet interface or history, they may unknowingly select the fake one.
In this case, the scammer’s address appeared similar enough that the victim did not notice the difference before approving the large transfer. Once the funds were sent, they could not be reversed.
After receiving the USDT, the attacker reportedly moved quickly to convert the funds into DAI using decentralized exchanges. This step reduced the chances of recovery, as USDT issued by Tether can sometimes be frozen when linked to theft, while DAI cannot be centrally blocked.
Blockchain trackers later observed the funds being routed through additional addresses, likely to further obscure the trail.
A recurring security failure
Security experts say the case underscores a persistent weakness in everyday crypto usage rather than a technical flaw in blockchains themselves. Address poisoning scams rely on human behavior, particularly manual verification habits and over-reliance on copy and paste.
While many wallets now warn users about address reuse and suspicious patterns, these alerts are not foolproof. Large transfers remain especially vulnerable when users skip full address verification or fail to use address books and whitelisting tools.
The incident also highlights the limits of onchain recovery. Once funds move through decentralized exchanges and into non-custodial assets, enforcement options narrow rapidly.
What it means for users and regulators
Losses of this scale reinforce calls for stronger wallet-level protections, clearer user interfaces, and better education around self-custody risks. They also add pressure on regulators and infrastructure providers to consider safeguards that do not compromise decentralization.
For individual users, the lesson is blunt. Always verify full wallet addresses, avoid copying from transaction history, and use test transactions as confirmation, not validation. In crypto, a single mistake can still cost millions.