Crypto user loses $600K in costly address poisoning attack

A simple copy and paste error caused an unlucky trader to lose $600,000 today, February 17, after blockchain security firm Cyvers discovered the latest incident in what has become a nonstop wave of address poisoning attacks this year.

Cyvers Alerts discovered the attack using its real-time blockchain monitoring system and found out that the victim was targeted using zero-value transfers. 

Zero-value transfers refer to a technique where attackers send fake transactions to a victim’s wallet to contaminate their transaction history with a similar address. Once the vectors have been planted, the poisoned address sits in the victim’s history, waiting for the moment they try a quick copy and paste instead of manually inputing or verifying each character of the wallet’s address. 

Typically, victims lose all the assets involved in that transfer because of the irreversibility of blockchain transfers.

$600k loss joins avalanche of address poisoning attacks in 2026

The $600,000 incident is one of many. Address poisoning attacks have escalated rapidly in frequency and scale, and this year alone has already produced several high-profile losses that paint an alarming picture of the threats the industry currently faces.

In December 2025, a crypto trader lost $50 million in USDT after copying a fake address from their history, the second-largest address poisoning loss ever recorded. Apparently, the victim had withdrawn the funds from Binance, sent a $50 test transaction to the correct address, and then minutes later, copied the poisoned address for a full $50 million transfer. 

The attacker then converted the stolen USDT to DAI tokens and then approximately 16,690 ETH within 30 minutes, channeling most of it through Tornado Cash to hide their trail. The victim offered a $1 million bounty for recovery of 98% of the funds, and threatened criminal charges if the terms were not met.

January 2026 was no different. On January 16, a victim lost $514,000 in USDT after sending a $5,000 test transaction to a poisoned address ending in “f3e6F”, which was a near identical match to their intended recipient ending in “D3E6F”, before following it up with the full transfer minutes later. 

Two weeks later, another victim lost $12.25 million after sending 4,556 ETH to an attacker-controlled address copied from a contaminated transaction history. ScamSniffer, who flagged this incident, observed that the two addresses were basically identical in the visible characters, with the only difference lost in the hidden middle sections that most wallets abbreviate.

This month’s victim has now joined a pattern of losses that has cost users millions of dollars in less than 3 months, primarily due to more cunning attacks and a user base that still relies on abbreviated address displays and copy-paste habits for routine transactions.

Over one million poisoning attempts on Ethereum daily

According to reports by Cyvers specialists, over one million poisoning attempts are made every single day on the Ethereum network alone. 

Another study discovered at least seven distinct attack groups actively running address poisoning campaigns on Ethereum, with some groups reusing their fake addresses on both Ethereum and the Binance Smart Chain at the same time. 

The study confirmed that attackers prefer to target high-value wallets with frequent transaction histories, and that they usually run statistical analyses of USDT and USDC balances to figure out the most profitable potential victims before deploying their fake transactions.

“More users and institutions are leveraging automated tools for crypto transactions, some of which may not have built-in verification mechanisms to detect poisoned addresses” Cyvers’ CEO stated. He added that “the growing sophistication of attackers and the lack of pre-transaction security measures” are the primary drivers of the increase.

Industry stakeholders have also started voicing their opinions. Some have publicly called on wallet developers to block poisoned addresses by default following the $50 million loss in December. 

As Cryptopolitan reported on December 24, 2025, CZ proposed a blueprint to protect cryptocurrency users from fraudulent transactions.

“Our industry should be able to completely eradicate this type of poison attacks, and protect our users,” CZ wrote on Binance’s social platform. “All wallets should simply check if a receiving address is a ‘poison address’, and block the user.”

Other wallet providers are now exploring pre-execution risk assessments that simulate a transaction before it is signed, and show users exactly where their funds will go before asking them to confirm. 

Some researchers also advocated for whitelisting frequently used addresses directly in the wallet’s settings to eliminate reliance on transaction histories entirely.

The smartest crypto minds already read our newsletter. Want in? Join them.