A cryptocurrency user has lost nearly US$50 million after mistakenly transferring funds to a spoofed wallet address, highlighting the growing risks of address-poisoning scams in the crypto ecosystem.
According to blockchain analytics platform Lookonchain, the victim initially conducted a small test transfer of US$50, which allowed the attacker to carry out an address-poisoning attack.
The scammer generated a wallet address that matched the first and last four characters of the victim’s legitimate address a visual trick designed to exploit how most crypto wallets shorten addresses for display.
Believing the spoofed address to be correct, the victim copied it from transaction history and proceeded to transfer the remaining US$49,999,950. As blockchain transactions are irreversible, the funds were permanently lost.
Security experts warn that address-poisoning scams have surged in 2025, with attackers deliberately exploiting user habits such as copying addresses from previous transactions. They continue to urge users to verify entire wallet addresses, especially when handling large transfers.
Industry observers have called for stronger safeguards, including address whitelisting, smart-contract protections, and broader user education. In recent months, exchanges and regulators have stepped up collaboration to combat crypto fraud.
In May 2025, Coinbase worked with law-enforcement agencies to disrupt a major spoofing operation that had resulted in losses exceeding US$20 million.
Separately, Binance recently warned users to avoid unofficial livestream links following reports of cloned broadcasts being used to distribute malicious content. Source: TradingView
HackWarn Analysis
How the Scam Worked
The attacker exploited a common wallet design feature that shortens addresses for readability. By creating a wallet with matching first and last characters, the scammer ensured the fake address looked legitimate when copied from transaction history.
Why This Scam Is Increasing
Address-poisoning attacks require no hacking only user error. As crypto transactions are irreversible, attackers focus on psychological manipulation and visual similarity rather than technical exploits.
Key Safety Takeaways
Users should never copy addresses from transaction history, always verify the full wallet address, and use whitelisted or saved addresses for large transfers.
Even small test transactions can expose users to spoofing attempts.
