The Crypto Basic - 12/22/2025 7:51:31 AM - GMT (+0)
A crypto trader has lost nearly $50 million in USDT after inadvertently transferring funds to a wallet controlled by scammers in a sophisticated address poisoning attack.
According to on-chain analytics firm Lookonchain, the trader withdrew close to $50 million in USDT from Binance on December 20. The funds were intended for transfer to the trader’s personal wallet.
As a safety measure, the victim first sent a small 50 USDT test transaction. This step is widely considered best practice, allowing users to confirm address accuracy before moving large sums. However, the precaution unexpectedly became the opening that attackers needed.
Security firms explained that immediately after the test transfer, an attacker deployed an automated script to generate a fraudulent wallet address closely resembling the intended recipient.
The spoofed address matched the first five and last four characters of the legitimate wallet. Crucially, the differences appeared only in the middle section. Many wallet interfaces truncate this portion with ellipses for a better user experience. But this limits visibility and increases confusion.
To reinforce the deception, the attacker sent small transactions from the fake address to the victim. This maneuver placed the fraudulent address into the victim’s transaction history, making it appear familiar and trustworthy.
A Simple Copy-Paste Error With Massive Consequences
Etherscan data shows the initial test transaction occurred at 3:06 UTC. Then, approximately 26 minutes later, at 3:32 UTC, the victim transferred 49,999,950 USDT.
Investigators believe the trader copied the destination address directly from the transaction history. Unfortunately, the victim was unaware that the copied address belonged to the attacker rather than the intended wallet. Consequently, that single error finalized the scam, irreversibly transferring control of the funds.
Stolen Funds Laundered Within Minutes
According to blockchain security firm SlowMist, the attacker moved swiftly after receiving the funds. Within 30 minutes, the entire USDT balance was swapped for DAI using MetaMask’s Swap feature.
This conversion was strategic. While Tether can freeze USDT linked to illicit activity, DAI operates without centralized enforcement mechanisms.
Following the swap, the attacker exchanged the DAI for approximately 16,690 ETH. Subsequently, around 16,680 ETH was funneled into Tornado Cash, a crypto mixer designed to obscure transaction trails.
Victim Appeals On-Chain for Recovery
30 mins after receiving 50M $USDT, the scammer took action:
• Swapped 50M $USDT to $DAI via MetaMask Swap
• Swapped all $DAI to 16,690 $ETH
• Deposited 16,680 $ETH into Tornado Cash
The scammer addresses:
0xbaff2f13638c04b10f8119760b2d2ae86b08f8b5… https://t.co/ySGWtg3VIB
— SlowMist (@SlowMist_Team) December 20, 2025
To recover the stolen assets, the victim communicated with the attacker via an on-chain message and offered a $1 million bounty for white-hat hacking. In exchange, the trader requested the return of 98% of the funds.
The message stated that a criminal case had already been filed and claimed that law enforcement, cybersecurity agencies, and multiple blockchain protocols were assisting in the investigation.
A Precedent Offers Limited Hope
The incident mirrors a similar case from May 2024, when an Ethereum user lost $71 million in Wrapped Bitcoin (WBTC) through an address poisoning attack.
In that instance, most of the funds were eventually recovered following on-chain negotiations facilitated by Match Systems and the Cryptex exchange.
However, investigators caution that outcomes may vary. In this case, the rapid movement of funds into Tornado Cash complicates any recovery efforts.
Address Poisoning Emerges as a Growing Threat
Earlier this year, Casa co-founder and Chief Security Officer Jameson Lopp warned that address poisoning attacks were becoming increasingly common across blockchain networks. His research identified roughly 48,000 suspected incidents on Bitcoin alone since 2023.
Lopp suggested that wallet providers could reduce risk by flagging addresses that closely resemble previous recipients. Such alerts, he argued, could prevent users from unknowingly interacting with malicious wallets.
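Added example (not from the original article or from any wallet's code): one way a send flow could implement the look-alike flag Lopp describes, comparing full addresses instead of the truncated display. It generalizes the five-and-four character match in this incident to any shared prefix and suffix above a threshold; the thresholds, function names and sample addresses are assumptions constructed for illustration.

```python
# Added example: look-alike recipient check for a wallet's send flow.
# Every address here is a constructed sample value, not one from the incident.
from os.path import commonprefix

MIN_PREFIX = 3  # hex chars after "0x"; covers "first five" with or without the 0x
MIN_SUFFIX = 4  # trailing hex chars, as in the article's "last four"

def normalize(addr):
    """Lower-case, drop 0x, and require exactly 40 hex characters."""
    a = addr.strip().lower()
    if a.startswith("0x"):
        a = a[2:]
    if len(a) != 40 or any(c not in "0123456789abcdef" for c in a):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return a

def elided(addr):
    """The middle-truncated form many interfaces display."""
    a = normalize(addr)
    return f"0x{a[:5]}...{a[-4:]}"

def shared_ends(a, b):
    """Lengths of the common prefix and common suffix of two normalized addresses."""
    return len(commonprefix([a, b])), len(commonprefix([a[::-1], b[::-1]]))

def check_recipient(candidate, trusted):
    """Return ('trusted'|'lookalike'|'unknown', imitated address or None)."""
    cand = normalize(candidate)
    known = sorted({normalize(t) for t in trusted})
    if cand in known:
        return "trusted", None
    for t in known:
        pre, suf = shared_ends(cand, t)
        if pre >= MIN_PREFIX and suf >= MIN_SUFFIX:
            return "lookalike", "0x" + t  # block or warn before sending
    return "unknown", None

def poisoned_history(senders, trusted):
    """Inbound senders in the transaction history that imitate a trusted recipient."""
    return [s for s in senders if check_recipient(s, trusted)[0] == "lookalike"]

# Constructed sample data
OWN_WALLET = "0x" + "a1b2c" + "0" * 31 + "9f3e"
SPOOFED = "0x" + "a1b2c" + "7" * 31 + "9f3e"   # same ends, different middle
UNRELATED = "0x" + "5d" * 20
```

The same check applied to inbound senders (poisoned_history) lets a wallet hide or label the dust transfers before they are ever offered as a copy source.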
Crypto Theft Hits Record Levels in 2025
Ultimately, the attack adds to a year marked by unprecedented losses in the cryptocurrency sector. According to Chainalysis, total thefts surpassed $3.4 billion in 2025, exceeding the previous year’s total.
Notably, nearly 44% of that total stemmed from a single breach. In February, the Bybit exchange lost $1.4 billion in a hack attributed to North Korean threat actors. Blockchain analytics firm Elliptic later described that incident as the largest crypto theft ever recorded.


