Investor lost millions in USDT phishing scam
On May 26, 2025, a crypto investor fell victim to a series of onchain phishing attacks. Crypto compliance firm Cyvers announced that the victim lost a total of $2.6 million worth of cryptocurrencies.
It all started when the user sent 843,000 Tether USDt (USDT) to an address other than the intended recipient. Just three hours later, the user sent 1.75 million USDT more to the same address. The result: All of it was lost in hours.
But how did the user make this mistake? According to Cyvers, the user became the target of a zero-value transfer scam.
How does a zero-value transfer scam work?
A zero-value transfer is a deceptive scam method that takes advantage of user confusion and can be carried out without any access to the victim's private key.
Crypto wallet addresses are made up of alphanumeric characters. Though the character count varies for each blockchain, it is never less than 26. In USDT’s case, it ranges from 34 to 42.
Dealing with lengthy, randomly strung characters is a confusing and risky task that might result in severe losses in case of misspelling, as crypto transactions cannot be reversed due to blockchain’s immutable nature. Therefore, users usually resort to copying wallet addresses when sending cryptocurrencies.
In zero-value transfer scams, malicious actors abuse exactly this practice. They search through the targeted wallet and identify addresses it has interacted with. Scammers then create a vanity address that shares the same initial and last characters with an interacted address and send a transaction that doesn’t contain any value.
The idea is to place the phony address in the targeted wallet’s transaction history. The user looking to send crypto to a familiar address again might scroll back through past transactions and accidentally copy the scammer’s fake address. As a result, the user unknowingly sends a transaction to the scammer with no way to recover the lost cryptocurrencies.
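A defender-side check for the pattern described above, as an added example that is not part of the original article: it scans a wallet's transfer history for counterparties that differ from a trusted address yet share its leading and trailing characters. It assumes EVM-style hex addresses; the function names, the four-character threshold and every address and transfer in it are constructed for illustration.

```python
# Added example: flag look-alike counterparties in a wallet's transfer history.
# Assumes EVM-style hex addresses; every address and transfer below is constructed.

def _body(addr: str) -> str:
    """Lowercase and drop the '0x' prefix so checksum casing does not matter."""
    addr = addr.strip().lower()
    return addr[2:] if addr.startswith("0x") else addr

def _common_prefix(a: str, b: str) -> int:
    """Number of leading characters the two strings share."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n

def is_lookalike(candidate: str, trusted: str, min_match: int = 4) -> bool:
    """True when the two differ but share >= min_match leading AND trailing chars."""
    c, t = _body(candidate), _body(trusted)
    if c == t:
        return False  # the genuine address is never a look-alike of itself
    return (_common_prefix(c, t) >= min_match
            and _common_prefix(c[::-1], t[::-1]) >= min_match)

def find_poisoning(transfers, trusted):
    """Return one finding per history entry whose counterparty imitates a trusted address."""
    findings = []
    for index, tx in enumerate(transfers):
        for good in trusted:
            if is_lookalike(tx["counterparty"], good):
                findings.append({"index": index, "imitates": good,
                                 "zero_value": tx["value"] == 0})
    return findings

TRUSTED = "0x" + "a1b2c3" + "0" * 28 + "d4e5f6"    # constructed, 40 hex chars
LOOKALIKE = "0x" + "a1b2c3" + "9" * 28 + "d4e5f6"  # same first and last 6 chars
UNRELATED = "0x" + "7" * 40

HISTORY = [
    {"counterparty": TRUSTED, "value": 1000},
    {"counterparty": LOOKALIKE, "value": 0},   # the poisoning transfer
    {"counterparty": UNRELATED, "value": 25},
]

if __name__ == "__main__":
    for finding in find_poisoning(HISTORY, [TRUSTED]):
        print(finding)
```

The match is reported whatever the transfer's value, so minimal-amount transfers from a look-alike are caught as well as zero-value ones.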
A zero-value transfer exploit is just one tactic of address poisoning, an umbrella term for scams that rely on deceiving the user and don’t require attackers to take control of seed phrases or private keys.
Did you know? The current crypto address landscape resembles the pre-Domain Name System (DNS) era of the internet. Before DNS, users had to type numerical IP addresses to access websites. There are some blockchain solutions available that work similarly to DNS and make wallet addresses human-readable, such as Ethereum Name System (ENS).
Other tactics of crypto address poisoning
Mimicking legitimate addresses is a widely used method for address poisoning and can also be carried out by sending minimal amounts of crypto to the targeted address to gain credibility.
Scammers also use more sophisticated crypto wallet phishing tactics, including ones that blend phishing with crypto hack methods, such as:
- Impersonation: This method works similarly to zero-value transfer; the difference is that attackers mimic high-trust entities like a public figure or a protocol rather than randomly selected addresses. They create a vanity address that resembles the address of such entities and place the fake address in the victim’s wallet transaction history to fool users who only glance at the start and end of an address. Social engineering strategies, such as impersonation on social media, may also accompany this method.
- QR codes: This tactic exploits the convenience of scanning wallet addresses via QR codes by creating fake ones. Scammers distribute these fake QR codes through social media or stick them in physical locations to trick unwary users. QR codes may also lead to lookalike addresses of legitimate ones, making detection even harder.
- Interception through malware: This type of address poisoning involves hacking through malware. Once attackers manage to install malware on a victim’s device, they can hijack the clipboard and replace the copied wallet address with their own. The victim unknowingly pastes the attacker’s address and sends crypto to it instead of the intended recipient.
- Smart contract exploit: Poorly coded and unaudited smart contracts are prone to address poisoning. Attackers can take advantage of bugs and flaws in the contract, such as improper input validation and reentrancy, to trick the contract into using a fake address or change a critical variable mid-transaction. As a result, contract users could be sending crypto to the attacker rather than the legitimate address.
The cost of crypto address poisoning attacks
Address poisoning in 2025 has cost investors millions so far. February saw $1.8 million in losses, while March saw $1.2 million in losses due to this crypto scam method. In May, a single incident surpassed the two aforementioned months with a $2.6-million loss.
The attacks incur severe losses on major blockchains like Ethereum and BNB Chain. Between 2022 and 2024, around 17 million addresses were poisoned on Ethereum, with zero-transfer attacks making up 7.2 million of that number. Of these, 1,738 attempts were successful and caused users to lose nearly $80 million.
Over the same period, BNB Chain was hit by nearly 230 million address poisoning attempts. Users of the blockchain suffered a total of $4.5 million in losses due to 4,895 successful attacks.
The numbers reveal that address poisoning is a serious threat that cannot be ignored. But how can users prevent being a victim of this scam tactic?
How to stay safe against crypto address poisoning attacks
Address poisoning is a sneaky Web3 security threat that is hard to detect, but there are some precautions users can take to stay safe.
Of course, the most obvious safety measure is to make double-checking a habit. Always double-check the recipient wallet address entirely before signing a transaction.
Other than this, users can take precautions, such as:
- Using new addresses: Create new addresses for each transaction. This reduces the likelihood of becoming a victim of attackers who check transaction history to carry out crypto phishing.
- Keeping wallet addresses private: Refrain from sharing your wallet addresses publicly. Such addresses are easier targets for malicious actors.
- Ignoring small transactions: Be cautious about small crypto transfers. There is a good chance they are address poisoning attempts.
- Using safe crypto wallets: Use a reputable wallet with phishing protection features. Some wallets flag suspicious addresses or alert you when you paste a known scam address.
- Following updates: Monitor blockchain scam alerts. Platforms focusing on Web3 security, such as Cyvers, PeckShield and CertiK, as well as well-known figures like ZachXBT, provide timely alerts about scams, hacks and suspicious activity that can help users avoid interacting with spoof addresses.
- Verifying addresses: Manually verify wallet addresses when scanning QR codes. Avoiding scanning them from untrusted sources is also an effective measure.
- Using antivirus software: Install anti-malware software and browser extensions. Tools like Wallet Guard or Scam Sniffer can block known malicious scripts and fake sites.
- Considering name systems: Use blockchain naming system solutions whenever possible. Transacting with human-readable addresses is a safer option that significantly reduces the likelihood of address poisoning.
- Using safe smart contracts: Use audited and thoroughly tested smart contracts to prevent being a victim of exploits.