Author: Eric, Foresight News
Early yesterday Beijing time, an on-chain analyst named Specter discovered a case in which nearly 50 million USDT was transferred to a hacker's address because the sender did not carefully verify the destination address.
According to the author's investigation, the address (0xcB80784ef74C98A89b6Ab8D96ebE890859600819) withdrew 50 USDT from Binance around 13:00 Beijing time on the 19th as a test before a large withdrawal.
Approximately 10 hours later, the address withdrew 49,999,950 USDT from Binance in one go. Combined with the previously withdrawn 50 USDT, the total withdrawal amounted to exactly 50 million.

Approximately 20 minutes later, the address that received 50 million USDT first transferred 50 USDT to 0xbaf4…95F8b5 for testing purposes.
...

Less than 15 minutes after the test transfer completed, the hacker address 0xbaff…08f8b5 sent 0.005 USDT to the address holding the remaining 49,999,950 USDT. The hacker's address and the address that had received the 50 USDT share very similar beginnings and endings; the dust transfer plants the look-alike in the victim's recent transaction history, the hallmark of an "address poisoning" attack.
...

Ten minutes later, when the 0xcB80 address went to transfer the remaining 49,999,950 USDT, the sender appears to have copied the destination from the most recent transaction in the history, which was the hacker's "poisoning" transfer, and sent nearly 50 million USDT straight into the hacker's hands.
... With $50 million in hand, the hackers began laundering the money 30 minutes later. According to SlowMist monitoring, the hackers first swapped the USDT for DAI through MetaMask, then used all of the DAI to buy approximately 16,690 ETH, kept 10 ETH, and sent the rest to Tornado Cash.

Around 4:00 PM Beijing time yesterday, the victim posted an on-chain message stating that they had formally filed criminal charges against the hackers and, with the assistance of law enforcement, cybersecurity agencies, and multiple blockchain protocols, had collected a large amount of reliable intelligence about the hackers' activities. The victim offered to let the hacker keep $1 million and return the remaining 98% of the funds; if the hacker complied, the victim would not pursue the matter further. If the hacker did not cooperate, the victim would pursue both criminal and civil liability and publicly reveal the hacker's identity. As of now, the hacker has not made any move.

According to data compiled by the Arkham platform, the victim's address has large transaction records with Binance, Kraken, Coinhako, and Cobo addresses. Binance, Kraken, and Cobo need no introduction, but Coinhako may be a relatively unfamiliar name: it is a Singapore-based cryptocurrency exchange founded in 2014 that obtained a major payment institution license from the Monetary Authority of Singapore in 2022, making it a regulated exchange in Singapore.

Given that the address interacted with multiple exchanges and with Cobo's custody service, and that the victim was able to contact all of these parties and begin tracking the hacker within 24 hours of the incident, the author speculates that the address most likely belongs to an organization rather than an individual.
"Carelessness" Leads to a Big Mistake
The only explanation for a successful "address poisoning" attack is "carelessness." Such attacks can be avoided by checking the full destination address before sending, not just the first and last few characters that wallets display, and by taking the address from a saved address book rather than from transaction history. Clearly, the protagonist of this incident skipped that crucial step.
Address poisoning attacks began to emerge in 2022, and the story originates with "vanity address" generators, tools that let users choose the leading characters of an EVM address. For example, a user could generate an address beginning with a chosen hex pattern to make it more distinctive (only the hex digits 0-9 and a-f are available, so a literal name such as "eric" is not possible). One widely used generator was later found to have a flaw in its key generation that let attackers recover private keys, leading to several major thefts. But the ability to choose the beginning and end of an address also gave malicious actors a "cunning idea": generate an address whose beginning and end match one of the user's regular transfer destinations, then send tiny transfers from it to the user's wallet so that it appears in the user's transaction history. A careless user may then mistake the hacker's address for their own counterparty and unwittingly send on-chain assets into the hacker's pocket.

Past on-chain information shows that the 0xcB80 address was a key target for address poisoning attacks well before this incident; the attempts began nearly a year ago. This type of attack essentially involves hackers betting that you will eventually slip through carelessness or negligence. It is precisely this easily detectable attack method that keeps catching careless individuals time and again.
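The detection the paragraph above alludes to is mechanical: the poisoning transfer always comes from a sender that is not one of your counterparties but shares leading and trailing hex digits with one. The following is an added example (not code from the article or from any party involved) that replays a wallet's transfer history and flags such senders, alongside the full-address comparison that should gate every large send and the expected work an attacker needs to mine a look-alike. The 0xcB80 victim address is the one named in the article; every other address, amount and transfer below is constructed for the demonstration.

```python
"""Address-poisoning look-alike check (added example, not code from the article).

The attacker mines an address whose leading and trailing hex digits match a
counterparty the victim already pays, then sends a dust transfer so the fake
address appears in the victim's recent history. Replaying the wallet's transfer
history and comparing each new incoming sender with every address the wallet has
previously paid catches this. The victim address is the one named in the
article; every other address and transfer below is constructed for the demo.
"""
from dataclasses import dataclass
from string import hexdigits

VICTIM = "0xcB80784ef74C98A89b6Ab8D96ebE890859600819"   # from the article
# Constructed: the genuine test/destination address and an attacker look-alike
# sharing its first four and last four hex digits (hypothetical values).
REAL_DEST = "0xbaf40123456789abcdef0123456789abcd95f8b5"
LOOKALIKE = "0xbaf4fedcba9876543210fedcba9876543208f8b5"
UNRELATED = "0x1111111111111111111111111111111111111111"


@dataclass(frozen=True)
class Transfer:
    sender: str
    recipient: str
    amount_usdt: float


# Constructed history in chronological order, mirroring the article's sequence:
# a 50 USDT test to the real destination, a 0.005 USDT "poison" from the
# look-alike, an unrelated deposit that must not be flagged, and a genuine
# counterparty sending funds back, which must not be flagged either.
SAMPLE_TRANSFERS = [
    Transfer(VICTIM, REAL_DEST, 50.0),
    Transfer(LOOKALIKE, VICTIM, 0.005),
    Transfer(UNRELATED, VICTIM, 1000.0),
    Transfer(REAL_DEST, VICTIM, 10.0),
]


def hex_body(addr: str) -> str:
    """Normalise an EVM address to its 40 lowercase hex digits (EIP-55
    checksum casing is presentation only and must not affect comparison)."""
    body = addr.lower()
    body = body[2:] if body.startswith("0x") else body
    if len(body) != 40 or any(c not in hexdigits for c in body):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return body


def shared_prefix_len(a: str, b: str) -> int:
    """Number of leading characters a and b have in common."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def find_poisoning(transfers, wallet, min_prefix=3, min_suffix=3):
    """Return one alert per incoming transfer whose sender mimics (but is not)
    an address this wallet has previously paid. Thresholds are in hex digits;
    a random address matches 3+3 digits with probability 16**-6, so alerts
    are essentially never accidental."""
    me = hex_body(wallet)
    paid = {}      # normalised body -> address exactly as the wallet used it
    alerts = []
    for t in transfers:
        src, dst = hex_body(t.sender), hex_body(t.recipient)
        if src == me:                      # outgoing: remember the counterparty
            paid.setdefault(dst, t.recipient)
            continue
        if dst != me or src in paid:       # not ours, or a genuine counterparty
            continue
        for body, original in paid.items():
            p = shared_prefix_len(src, body)
            s = shared_prefix_len(src[::-1], body[::-1])
            if p >= min_prefix and s >= min_suffix:
                alerts.append({
                    "poison_sender": t.sender,
                    "mimics": original,
                    "shared_prefix": p,
                    "shared_suffix": s,
                    "amount_usdt": t.amount_usdt,
                })
    return alerts


def verify_destination(candidate: str, expected: str) -> bool:
    """The only safe pre-send check: compare the entire address against a
    trusted record, never the truncated 0xabcd...ef12 form wallets display."""
    return hex_body(candidate) == hex_body(expected)


def expected_attempts(prefix_len: int, suffix_len: int) -> int:
    """Expected random keypairs an attacker must generate to match a given
    number of leading and trailing hex digits: 16 ** (prefix + suffix)."""
    return 16 ** (prefix_len + suffix_len)


if __name__ == "__main__":
    for a in find_poisoning(SAMPLE_TRANSFERS, VICTIM):
        print(f"POISON {a['poison_sender']} mimics {a['mimics']} "
              f"(prefix {a['shared_prefix']}, suffix {a['shared_suffix']}, "
              f"{a['amount_usdt']} USDT)")
    print("look-alike passes full check:", verify_destination(LOOKALIKE, REAL_DEST))
    print("attempts to match 4+4 hex digits:", expected_attempts(4, 4))
```

Matching four leading and four trailing hex digits costs on the order of 16^8, about 4.3 billion keypairs, which is well within reach of commodity GPU vanity-address tooling; this is why a history entry that "looks right" proves nothing and only a full comparison against a saved address book does.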
...

Regarding this incident, F2Pool co-founder Wang Chun tweeted his sympathy for the victim, stating that last year, to test whether his address had been compromised, he transferred 500 bitcoins to a hacker, who then stole 490 bitcoins. Although Wang Chun's experience was unrelated to address poisoning attacks, he likely wanted to express that everyone makes mistakes, and the victim's carelessness should not be blamed; instead, the blame should be placed on the hacker.
$50 million is not a small amount, but it is not the largest amount stolen in this type of attack.
In May 2024, an address transferred over $70 million worth of WBTC to a hacker's address in a similar attack. That victim eventually recovered almost all of the funds through on-chain negotiation, with the assistance of the security company Match Systems and the CryptoX exchange. In the present case, by contrast, the hacker quickly converted the stolen funds into ETH and moved them to Tornado Cash, so whether they can be recovered remains uncertain.

Jameson Lopp, co-founder and chief security officer of Casa, warned in April that address poisoning attacks are spreading rapidly, with as many as 48,000 such incidents on the Bitcoin network alone since 2023.

Attack methods like this, and like the fake Zoom meeting links circulating on Telegram, are not sophisticated, but it is precisely their "simplicity" that makes people lower their guard. For those of us living in a dark forest, being more vigilant is never a bad thing.