Careless Crypto Transfer Costs Investor $3.08M: Details

An unnamed cryptocurrency holder recently lost more than $3 million worth of PYTH tokens after erroneously transferring them to a scammer’s wallet.

The mistake happened when the victim, relying on their transaction history, copied and used a fake deposit address.

The High Cost of a Small Mistake

According to a November 25 post by blockchain analysts Lookonchain, an unknown fraudster created an address whose first four characters were an exact match to the victim’s deposit wallet. They then sent the victim 0.000001 SOL, worth about $0.00025, which caused the fake account to appear on their transaction history.

Without taking due care, the affected individual copied the forged address directly from the transaction history, seeing as the first four characters matched. They then sent 7 million PYTH tokens valued at about $3.08 million to the criminal without double-checking the unique identifier.

Security experts refer to these attacks as “address poisoning.” They exploit a common habit among crypto users: relying on transaction histories to copy the unique wallet identifiers instead of retrieving them from official sources or trusted contacts. While it may seem convenient, the practice is often risky.

Anti-scam platform Scam Sniffer recently highlighted another case where a user allegedly lost $129 million after copying the wrong address from their transfer history. In that instance, the deceptive account had the same last six characters as the correct one.

In many wallets, only the first six and last six characters of an address are usually displayed, meaning more than a cursory look may be needed to confirm their veracity. Luckily for that individual or entity, the scammer returned the stolen funds within an hour.

In May, an Ethereum user lost 1,155 wrapped Bitcoin (wBTC) worth $68 million, while several Safe Wallet owners had $2 million stolen from them using the same trick in December last year.

Understanding Address Poisoning

Bad actors commonly use two methods to execute address poisoning: zero-value transfers and fake tokens. In zero-value transfers, the con artist uses actual token contracts but makes very low-value transactions to display misleading activity in a potential victim’s on-chain transaction history.

Conversely, the fake token method involves creating sham token contracts to mimic real tokens like USDT or USDC. The swindlers then look out for genuine token transactions, and when they see one, they transfer their phony tokens to the address from which the transaction originated. This gives the user the impression that they sent funds to a certain account when, in fact, they didn’t.

The user may then mistake the counterfeit token transfer for the real one they made when they look at their wallet history or use a blockchain explorer. When wanting to repeat a transaction, they may send money to the scammer’s wallet by unintentionally copying and pasting the bogus address.