A cryptocurrency trader accidentally sent $12 million worth of Ethereum (ETH) to a fraudulent wallet, falling victim to what appears to be a successful address poisoning attack.
Blockchain records indicate that the trader, identified by the wallet address 0xd674, had been transferring significant amounts of ETH to Galaxy Digital’s deposit address regularly. An insight shared on January 31 highlighted this pattern.
The victim lost 4,556 ETH—about $12.4 million—due to a simple copy-and-paste mistake when inputting the address. They frequently sent funds to Galaxy Digital, and the attacker cleverly created a fake address that mirrored the legitimate one by matching its first and last four characters.
Transaction history reveals that the attacker had been sending small amounts to the victim’s wallet over time. These so-called “dust transactions” cluttered the recent activity in the wallet, increasing the chance of making errors in future transfers.
Interestingly, around 11 hours before the loss was realized, the trader had initiated another transfer to Galaxy Digital. Unfortunately, rather than verifying the address manually, they simply copied it from their transaction history. Consequently, 4,556 ETH was transferred to the attacker’s account in one swift transaction, with no subsequent changes to the wallet recorded.
The counterfeit address successfully received the Ethereum, and due to the unchangeable nature of blockchain transactions, there seem to be no recovery efforts or reversals in sight.
This situation underscores the alarming frequency of address poisoning attacks, highlighting how malicious individuals exploit the visual similarities between wallet addresses. These attacks capitalize on human error rather than technical vulnerabilities, leaving even seasoned traders exposed when handling large transfers.
