Original Title: “$50 Million Stolen, All Because of Not Carefully Checking the Address”
Original Author: Eric, Foresight News
In the early hours yesterday Beijing time, on-chain analyst Specter discovered a case where nearly 50 million USDT was transferred to a hacker’s address due to not carefully verifying the transfer address.
According to the author’s investigation, this address (0xcB80784ef74C98A89b6Ab8D96ebE890859600819) withdrew 50 USDT from Binance around 13:00 Beijing time on the 19th for a test before making a large withdrawal.
Approximately 10 hours later, the address withdrew 49,999,950 USDT from Binance in one go, plus the previously withdrawn 50 USDT, totaling exactly 50 million.
About 20 minutes later, the address that received 50 million USDT first transferred 50 USDT to 0xbaf4…95F8b5 for testing.
Less than 15 minutes after the test transfer was completed, the hacker’s address 0xbaff…08f8b5 transferred 0.005 USDT to the address holding the remaining 49,999,950 USDT. The address used by the hacker closely resembled the one that received the 50 USDT in both the beginning and end, indicating a clear “address poisoning” attack.
10 minutes later, when the address starting with 0xcB80 attempted to transfer the remaining over 40 million USDT, it appears, most likely through negligence, to have copied the recipient from the most recent transaction in its history, which was the hacker's "poisoning" address, and sent nearly 50 million USDT directly into the hacker's hands.
With $50 million in hand, the hacker began money laundering just 30 minutes later. According to SlowMist monitoring, the hacker first exchanged USDT for DAI via MetaMask, then used all the DAI to purchase approximately 16,690 Ethereum, leaving 10 ETH and transferring the remaining Ethereum to Tornado Cash.
Around 16:00 Beijing time yesterday, the victim addressed the hacker on-chain, stating that a formal criminal complaint had been filed and that substantial reliable intelligence about the hacker's activities had been gathered with the assistance of law enforcement, cybersecurity agencies, and multiple blockchain protocols. The victim offered to let the hacker keep $1 million in exchange for returning the remaining 98% of the funds, promising no further action if the hacker complied; otherwise, legal action would be pursued for criminal and civil liability, and the hacker's identity would be exposed. As of now, however, the hacker has not responded.
According to data compiled by the Arkham platform, this address has large transaction records with Binance, Kraken, Coinhako, and Cobo addresses. Binance, Kraken, and Cobo require no introduction, while Coinhako may be a relatively unfamiliar name. Coinhako is a Singapore-based cryptocurrency exchange founded in 2014, which obtained a Major Payment Institution license from the Monetary Authority of Singapore in 2022, making it a regulated exchange in Singapore.
Given the address’s use of multiple exchanges and Cobo’s custody services, as well as its ability to quickly coordinate with various parties to track the hacker within 24 hours of the incident, the author speculates that this address likely belongs to an institution rather than an individual.
“Carelessness” Leads to a Major Mistake
The only explanation for the success of the “address poisoning” attack is “carelessness.” Such attacks can be avoided simply by double-checking the address before transferring, but clearly, the protagonist of this incident skipped this crucial step.
Address poisoning attacks began appearing in 2022, originating from “vanity address” generators—tools that allow customization of the beginning of EVM addresses. For example, the author could generate an address starting with 0xeric to make it more personalized.
Such generators were later turned against their own users: hackers discovered that, because of design flaws, the private keys they produced could be brute-forced, which led to several significant fund thefts. The ability to generate addresses with customized beginnings and endings also gave malicious actors a "clever idea": create an address whose first and last characters match those of an address the victim commonly transacts with, then send small transfers from it to the victim's other frequently used addresses. Some users, through carelessness, will mistake the hacker's address for their own counterparty's and actively send on-chain assets into the hacker's pocket.
Historical on-chain information shows that the address starting with 0xcB80 was a key target for hacker poisoning even before this attack, with address poisoning attempts beginning nearly a year ago. This attack method essentially relies on hackers betting that you will eventually become careless or inattentive and fall for it. Ironically, it is this seemingly obvious attack method that continues to ensnare “careless” victims one after another.
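To make the mechanism and its countermeasure concrete, here is an added defender-side example (not from the article; every address, amount and transaction in it is constructed): it flags incoming transfers whose sender shares the displayed prefix and suffix of a saved counterparty without being that counterparty, and it refuses an outgoing transfer unless the pasted address matches the address book byte for byte.

```python
"""Address-poisoning detection and an exact-match send gate.
Added illustration; all addresses and transfers are constructed sample data."""
from dataclasses import dataclass

PREFIX_LEN = 4        # hex chars after "0x" that a wallet UI typically shows
SUFFIX_LEN = 4
DUST_THRESHOLD = 1.0  # token units; poisoning transfers are usually far smaller


@dataclass(frozen=True)
class Transfer:
    sender: str
    recipient: str
    amount: float


def norm(addr: str) -> str:
    """Lower-case and validate a 20-byte hex address (EIP-55 case is ignored)."""
    a = addr.lower()
    if not (a.startswith("0x") and len(a) == 42 and all(c in "0123456789abcdef" for c in a[2:])):
        raise ValueError(f"not a valid EVM address: {addr}")
    return a


def looks_alike(a: str, b: str) -> bool:
    """True when two *different* addresses share the displayed prefix and suffix."""
    a, b = norm(a), norm(b)
    return a != b and a[2:2 + PREFIX_LEN] == b[2:2 + PREFIX_LEN] and a[-SUFFIX_LEN:] == b[-SUFFIX_LEN:]


def find_poisoning(history: list[Transfer], my_addr: str, known: set[str]) -> list[tuple[Transfer, str]]:
    """Flag incoming transfers whose sender mimics a saved counterparty, with a reason."""
    me, known_n, hits = norm(my_addr), [norm(k) for k in known], []
    for t in history:
        if norm(t.recipient) != me:
            continue
        mimicked = [k for k in known_n if looks_alike(t.sender, k)]
        if mimicked:
            reason = "sender mimics " + mimicked[0]
            if t.amount <= DUST_THRESHOLD:
                reason += "; dust amount"
            hits.append((t, reason))
    return hits


def safe_destination(candidate: str, known: set[str]) -> bool:
    """Send gate: the pasted address must equal a saved counterparty exactly."""
    return norm(candidate) in {norm(k) for k in known}


# Constructed sample data: my wallet, a genuine counterparty, and a look-alike
# that copies only the 4 leading and 4 trailing hex characters.
MY_ADDR = "0x1111111111111111111111111111111111111111"
LEGIT = "0xabcd1234567890abcdef1234567890abcdef5678"
LOOKALIKE = "0xabcddeadbeefdeadbeefdeadbeefdeadbeef5678"
HISTORY = [Transfer(MY_ADDR, LEGIT, 50.0), Transfer(LOOKALIKE, MY_ADDR, 0.005), Transfer(LEGIT, MY_ADDR, 100.0)]
```

Comparing only the characters a wallet displays is exactly the habit the attack exploits, so the gate compares the whole normalized string.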
Regarding this incident, F2Pool co-founder Wang Chun tweeted sympathy for the victim, mentioning that last year, to test whether his address had a private key leak, he transferred 500 Bitcoin, only to have 490 Bitcoin stolen by hackers. Although Wang Chun’s experience is unrelated to address poisoning attacks, he likely intended to convey that everyone has moments of “foolishness,” and instead of blaming the victim’s carelessness, the focus should be on the hackers.
$50 million is no small amount, but it is not the largest loss from such attacks. In May 2024, an address transferred over $70 million worth of WBTC to a hacker’s address due to a similar attack, but the victim eventually recovered almost all funds through on-chain negotiations with the assistance of security firm Match Systems and exchange Cryptex. However, in this incident, the hacker quickly exchanged the stolen funds for ETH and transferred them to Tornado Cash, making it uncertain whether recovery will be possible.
In April, Casa co-founder and Chief Security Officer Jameson Lopp warned that address poisoning attacks are rapidly spreading, with as many as 48,000 such incidents occurring on the Bitcoin network alone since 2023.
Like the fake Zoom meeting links spread via Telegram, these attack methods are not sophisticated, but it is precisely their "simplicity" that lulls people into complacency. For those of us in the dark forest, staying vigilant is never a mistake.
