Sloppy Crypto Transfer Costs Investor $3.08B: Details

An unnamed cryptocurrency holder recently lost over $3 million in PYTH tokens after mistakenly transferring them to a scammer’s wallet.

The mistake happened when the victim, relying on their transaction history, copied and used a fake deposit address.

The high cost of a small mistake

According to a November 25 post by blockchain analysts Lookonchain, an unknown fraudster created an address whose first four characters exactly match the victim’s deposit wallet. They then sent the victim 0.000001 SOL, worth about $0.00025, which caused the fake account to appear in their transaction history.

Without taking due care, the affected individual copied the spoofed address directly from the transaction history, as the first four characters match. They then sent 7 million PYTH tokens worth about $3.08 million to the criminal without checking the unique identifier.

Security experts refer to these attacks as “tackle poisoning.” They take advantage of a common habit among crypto users: relying on transaction histories to copy unique wallet identifiers instead of retrieving them from official sources or trusted contacts. While it may seem convenient, the practice is often risky.

Anti-scam platform Scam Sniffer recently highlighted another case where a user allegedly lost $129 million after copying the wrong address from their transfer history. In this case, the fraudulent account had the same last six characters as the correct account.

In many wallets, only the first six and last six characters of an address are displayed, meaning it may take more than a cursory glance to confirm its veracity. Fortunately for that person or entity, the scammer returned the stolen funds within an hour.

In May, an Ethereum user lost 1,155 wrapped Bitcoin (wBTC) worth $68 million, while several Safe Wallet owners had $2 million stolen from them using the same trick in December last year.

Understanding address poisoning

Bad actors typically use two methods to execute address poisoning: zero-value transfers and fake tokens. In zero-value transfers, the fraudster uses real token contracts, but makes very low-value transactions to show deceptive activity in a potential victim’s on-chain transaction history.

Conversely, the fake token method involves creating token contracts to mimic real tokens like USDT or USDC. Fraudsters then look for genuine token transactions, and when they see one, they transfer their fake tokens to the address the transaction originated from. This gives the user the impression that they sent funds to a certain account when, in fact, they did not.

The user may then confuse the forged token transfer with the real one they made when viewing their wallet history or using a blockchain explorer. When they want to repeat a transaction, they can send money to the scammer’s wallet by inadvertently copying and pasting the fake address.

SPECIAL OFFER (Sponsored) Binance Free $600 (Exclusive to CryptoPotato): Use this link to register a new account and receive an exclusive welcome offer of $600 to Binance (full details).

LIMITED OFFER for CryptoPotato Readers on Bybit – Use this link to register and open a FREE $500 position with any currency!