On May 26, 2025, a crypto investor was tricked out of $2.6 million in USDT due to a sophisticated on-chain phishing scheme. The loss was confirmed by blockchain compliance firm
What Happened?
The scam started when the user mistakenly sent 843,000 USDT to the wrong wallet address. Just three hours later, the same user transferred another 1.75 million USDT to that very same address—bringing the total loss to $2.6 million.
But how could someone make such a devastating mistake twice? The answer lies in a sneaky trick known as the zero-value transfer scam.
What Is a Zero-Value Transfer Scam?
A zero-value transfer scam is a type of crypto address poisoning that doesn’t require access to your private keys or seed phrases. Instead, it exploits human error and confusion around wallet addresses.
Scammers know this, so they:
-
Monitor blockchain transactions to identify addresses a user interacts with.
-
Create lookalike wallet addresses that mimic the beginning and end of a legitimate one.
-
Send zero-value transactions to the user’s wallet using these fake addresses.
The trick? These bogus addresses then appear in the user’s transaction history. When the user goes back to send crypto again, they might accidentally copy the scammer’s fake address instead of the correct one.
Other Forms of Address Poisoning
Address poisoning isn’t limited to zero-value transfers. Here are several other sneaky tactics used by scammers:
Impersonation
Scammers mimic trusted figures or protocols, such as influencers or verified DeFi projects, to trick users into trusting their lookalike addresses.
QR Code Attacks
Fake wallet addresses are hidden in QR codes shared on social media or even posted in physical places. Scanning the wrong one can lead to irreversible losses.
Clipboard Malware
Some malware can hijack your clipboard and replace a copied wallet address with a scammer’s. This type of attack is especially dangerous because it’s nearly invisible to users.
Smart Contract Exploits
Poorly designed or unaudited smart contracts can be manipulated to redirect funds. Attackers exploit bugs like reentrancy or input validation errors to substitute legitimate addresses with their own.
How Much Has Been Lost to Address Poisoning?
The numbers are staggering:
-
February 2025: $1.8 million lost
-
March 2025: $1.2 million lost
-
May 2025: $2.6 million in a single incident
How to Stay Safe: Tips to Avoid Crypto Scams
Protecting your funds from these kinds of attacks requires vigilance and smart habits. Here are best practices every crypto user should follow:
Always review the entire address—not just the first and last few characters—before sending.
Generate a new wallet for each transaction to limit traceability.
Don’t post your wallet addresses publicly. This lowers the chance of being targeted.
Small, unexpected deposits may be a red flag for an ongoing scam attempt.
Choose wallets with scam-detection tools like phishing protection and address alerts.
Don’t scan wallet QR codes from strangers or untrusted sources. Manually verify whenever possible.
Browser extensions like Wallet Guard or Scam Sniffer help block malicious sites and scripts.
Use services like ENS (Ethereum Name System) to register a human-readable address. This eliminates the need to deal with confusing alphanumeric addresses altogether.
If you’re interacting with dApps or smart contracts, make sure they’ve been audited and tested.
Final Thoughts
Address poisoning scams are a fast-growing threat in Web3. With nearly $90 million in confirmed losses across major blockchains in recent years, it’s more important than ever to stay cautious, stay educated, and stay secure. Don’t let a small oversight cost you everything.
