$50 Million Crypto Lost in Seconds: Anyone Can Copy-Paste
ra****@gmail.com, 2025-12-22
A $50M USDT loss wasn’t a hack but a copy-paste mistake. Address poisoning exploits user habits, not code flaws, showing how human error remains crypto’s biggest security risk.

What Actually Happened
A user accidentally transferred $50 million in USDT because of a copy-paste error. The user did not realize which wallet address they were copying from their transaction history and so had no warning that this would happen. This was not an example of a smart contract being attacked, a hacked key or a phishing site. This was simply a case of a user copying and pasting a wallet address, and it cost them more than most people will earn in their lifetime. Users often dismiss address poisoning as something ridiculous until they understand how this method exploits a user's behavior.
The attacker did not hack anything; they sent a small amount of money from an address that looked very similar to the victim's usual address. The victim unknowingly copied the wrong wallet address for the $50 million transfer and sent the money to the poisoned address instead of the correct one. According to Web3 Antivirus, the victim sent a small-value test transaction to the legitimate address before sending the full $50 million transfer to the poisoned address a few minutes later, and did not notice the mistake until the money was gone.

Afterwards, the attacker traded the $50 million of stolen USDT to ETH, then sent the ETH to several different wallets. Eventually, part of that ETH was sent to Tornado Cash. This method has been used successfully in the past. Attacks that exploit a user's habits generally have a greater chance of success than attacks based on exploiting a technological vulnerability.
How Address Poisoning Works
Address poisoning works because wallet addresses are long, complex strings (on Ethereum, hexadecimal), which makes them challenging to verify. For instance, Ethereum addresses are 42 characters long, and Solana has a significantly longer address format. When trying to recognize an address, most people look only at the first three or four characters and the final three or four, believing these are unique enough. Attackers exploit this weakness by creating lookalike wallet addresses that have identical prefix and suffix sequences. Using brute-force computation, attackers generate millions of candidate wallet addresses until they find one whose prefix and suffix match the target's. Specifically, 'Address Grind' or 'Vanity Address Generation' can produce lookalike addresses within hours or days, depending on the attacker's available computing capability.
To initiate the attack, attackers typically send a very small amount of money (a few pennies) from the lookalike address. Victims can then find this transaction in their history. The most important aspect of the attack is that the lookalike address appears nearly identical to the real wallet address.
According to Cos, the founder of SlowMist Security Research, the first three characters and the last four characters of the malicious address are identical. With the difference hidden in the middle of the hexadecimal string, the match can create a false sense of trust even among the most experienced cryptocurrency users.
As for why this works, it has to do with how users behave when they send coins. Users build up a sending pattern over hours or even days: they look up their previous transactions, copy the address of their most recent recipient and paste it into the new transaction. The user assumes that only genuine addresses appear in their transaction history. Address poisoning disrupts this process by injecting malicious addresses into trusted resources.
Why Experience Doesn't Protect You
For the last two years, the victim had been using their wallet to send USDT and, before losing the funds in this case, regularly transferred funds in and out of CEXs (centralized exchanges). Moving large amounts of money in and out of many exchanges and wallets for several years shows that the user actively controlled the movement of their money.
Address poisoning targets workflow efficiency rather than knowledge deficiencies. It therefore doesn't matter if you have been transacting with cryptocurrencies for many years: once you are familiar and comfortable with transacting, the speed at which you perform these transactions creates an opportunity for someone to exploit that familiarity.
As EyeOnChain pointed out in his analysis about address poisoning, "The unfortunate reality of address poisoning is that it does not require a technical break-in of systems or programs, but rather takes advantage of the individual habits of individuals."
In this particular case, the victim had been advised by numerous sources to send a small test transaction prior to sending a larger transaction; this is generally good advice. In this situation, the victim's test transaction was successful because the test transaction went to the correct address. However, within a matter of minutes, the victim copied the poisoned address from the previous transaction's history rather than creating a new entry in their address book or going back to the initial source of the address. Such false confidence increases the likelihood of losing funds.
The Bigger Picture: $3.4 Billion in 2025 Losses
The total loss from this latest crypto hack exceeded $50 million, reinforcing why 2022 remains the worst year for crypto-related losses since tracking began. That year alone saw $3.4 billion stolen, with three major breaches accounting for 69% of the total. One incident, a single, large-scale infrastructure compromise, made up nearly half of all funds lost, highlighting how catastrophic centralized failures can be when they occur.
While headlines tend to focus on massive infrastructure breaches, the reality is that most individual users lose funds quietly through address poisoning and social engineering. Large infrastructure attacks require complex execution and deep system access, but address poisoning is far simpler and far more repeatable. Its consistency, not its sophistication, is what makes it so effective against everyday users.
From the attacker's perspective, the economics favor the simpler attack. Hacking an exchange generally requires considerable expertise, extensive time and sometimes insider knowledge of the exchange's security measures. On the other hand, an attacker can create a poisoned transfer by using lookalike addresses and dust transactions. An attacker simply needs to develop a script to carry out this type of attack. The scalability of this type of attack is virtually limitless. One attacker is capable of poisoning thousands of wallets at very little cost.
As for detection, it is all but impossible to detect a poisoned address prior to its impact. The poisoned transfer is a completely valid blockchain transaction. It looks like a regular transaction to both nodes and wallets. It does not violate any protocol rules, and therefore security systems cannot reliably flag it as malicious. The poisoned transfer only succeeds when the victim makes the mistake of acting on it several days, weeks or even months after it was created.
What Protects Users (and What Doesn't)
Hardware wallets don't solve this problem. Copying addresses from transaction history still happens. The only difference is signing the transaction on a Ledger instead of a hot wallet. Hardware protects private keys, not copy-paste accuracy.
Wallet address books help, but few people use them consistently. Manually adding recipients slows transactions and removes crypto's perceived convenience. Users rely on transaction history because it's faster.
Some wallets warn users about once-used or unfamiliar addresses. Warning fatigue sets in quickly. When every transaction includes gas fee notices, network warnings, and approval prompts, users click through without reading.
The safest approach is to manually verify every character of every address before every transaction. This is slow, uncomfortable, and unrealistic. Comparing 42-character Ethereum addresses defeats the efficiency crypto is meant to provide.
Other solutions require behavior changes most users resist: using ENS or other human-readable address systems; maintaining strict address books; enforcing mandatory delays between test and full transfers; using multi-signature wallets with independent verification.
Each adds friction. Safety is friction, but crypto promises speed.
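The lookalike trick described under How Address Poisoning Works and the address-book defense above can be combined into a pre-send check. The following Python code is an added example, not code from this article or from any wallet; the function names, the 3/3 edge-match thresholds and the sample addresses are assumptions constructed for illustration.

```python
HEX = set("0123456789abcdef")

def normalize(addr):
    """Lower-case an Ethereum-style address; reject anything not 0x + 40 hex."""
    a = addr.strip().lower()
    if len(a) != 42 or a[:2] != "0x" or not set(a[2:]) <= HEX:
        raise ValueError(f"not a 42-character 0x address: {addr!r}")
    return a

def shared_edges(a, b):
    """Count identical hex characters at the start and at the end (after 0x)."""
    x, y = a[2:], b[2:]
    prefix = 0
    while prefix < 40 and x[prefix] == y[prefix]:
        prefix += 1
    suffix = 0
    while suffix < 40 - prefix and x[-1 - suffix] == y[-1 - suffix]:
        suffix += 1
    return prefix, suffix

def check_recipient(dest, address_book, min_prefix=3, min_suffix=3):
    """Return ('trusted' | 'lookalike' | 'unknown', label) for a destination."""
    # address_book maps a label to an address the user verified out of band.
    # Thresholds are an assumption: the edge characters people tend to glance at.
    d = normalize(dest)
    verdict = ("unknown", None)
    for label, addr in address_book.items():
        t = normalize(addr)
        if d == t:
            return ("trusted", label)
        p, s = shared_edges(d, t)
        if p >= min_prefix and s >= min_suffix:
            verdict = ("lookalike", label)  # same edges, different middle
    return verdict

def poisoned_history_entries(history, address_book):
    """History entries whose sender imitates a trusted address."""
    return [tx for tx in history
            if check_recipient(tx["from"], address_book)[0] == "lookalike"]

# Constructed sample data (not real addresses).
BOOK = {"exchange deposit": "0xA1b2" + "0" * 32 + "C3d4"}
HISTORY = [
    {"from": "0xa1b2" + "0" * 32 + "c3d4", "value": 50.0},
    {"from": "0xa1b2" + "f" * 32 + "c3d4", "value": 0.005},  # dust, lookalike
    {"from": "0x" + "9" * 40, "value": 12.0},
]

if __name__ == "__main__":
    for tx in HISTORY:
        print(tx["from"], check_recipient(tx["from"], BOOK))
```

A wallet could run `check_recipient` on any pasted destination and hide or label the entries returned by `poisoned_history_entries`, so that the transaction history stops being a source of attacker-supplied addresses.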
The Core Trade-Off of Irreversible Blockchain Transactions
The central security paradox of crypto is revealed by address poisoning. While irreversibility, the absence of intermediaries, and users' ability to control their own funds enable users to use crypto effectively, they also leave no room for error, as mistakes cannot be undone.
For instance, if someone made an error with a transaction in the traditional banking system, they could reverse the transaction, or at least freeze it or take legal action over it. In the world of crypto, there is no way to do so: once a transaction has taken place, it is completed, regardless of whether or not it was a mistake.
The use of address poisoning is simple, inexpensive, and provides a great return on investment for attackers, and they have all the time in the world to wait for people to slip up. Address poisoning will continue to be used as long as it is easy to execute and pays out when someone makes a mistake with their crypto transaction(s).
For every aspect of the transaction process, including history, the user will need to verify that it is accurate before proceeding. It is important to note that while the markets and available tools improve, humans will continue to make mistakes for the foreseeable future. Protocols that developers create cannot eliminate human error from the transaction process; however, developers can and should implement measures to reduce the frequency of errors occurring.