A crypto investor lost $2.6 million in stablecoins after falling victim to a double phishing scam, highlighting rising risks in digital asset security.
Concerns over address poisoning tactics were raised when a victim fell for two zero-value transfer phishing scams in three hours, losing $2.6 million in stablecoins.
One victim lost $2.6 million in stablecoins after being conned twice in three hours.
Data released by the crypto compliance company Cyvers on May 26 shows that the victim transmitted USDT $1.00 (843,000) and then USDT 1.75 million approximately three hours later. According to Cyvers, the scam employed a sophisticated on-chain phishing called a zero-value transfer.
An on-chain phishing method, “zero-value transfers,” deceives users into giving actual money to attackers by abusing token transfer features. The attackers use the token transfer function to move zero tokens from the victim’s wallet to a fake address.
Since no money has been moved, the victim’s private key does not need to be signed to include the chain. The departing transaction will therefore be recorded in the victims’ history.
Because this address appears in their transaction history, the victim might assume it is a known or secure receiver and trust it. They might transfer money to the attacker’s address in a subsequent transaction.
In one well-known instance, a scammer used a zero-transfer phishing assault to steal $20 million worth of USDT before being banned by the stablecoin’s issuer in the summer of 2023.
Address poisoning in an advanced form
Address poisoning, a technique in which attackers send small amounts of cryptocurrency from a wallet address that mimics a victim’s actual address, frequently using identical opening and ending letters, is said to have evolved into a zero-value transfer. Deceiving the user into inadvertently copying and using the attacker’s address in subsequent transactions will result in money loss.
The method takes advantage of the fact that users frequently rely on clipboard history or incomplete address matching while sending crypto. Zero-value transfers can also be coupled with custom addresses with comparable beginning and ending characters.
Growing threat across blockchains
A January 2025 study found that between July 1, 2022, and June 30, 2024, more than 270 million poisoning attempts occurred on Ethereum and BNB Chain. Six thousand efforts succeeded, resulting in damages of over $83 million.
The study was released after the announcement of an AI-based solution for identifying crypto wallet address poisoning by on-chain trust protocol Webacy and crypto cybersecurity firm Trugard. Tested on known assault scenarios, the new tool reportedly has a 97% success rate.
