On May 26, 2025, a crypto investor experienced a shocking loss of $2.6 million USDT after being deceived by a sophisticated phishing scam not once, but twice in a three-hour span. This incident highlights a potentially critical gap in the verification processes used by even seasoned traders when assessing wallet addresses during transactions.
The targeted attacks drained the investor’s funds in two separate transactions, first taking $843,000 followed by a subsequent withdrawal of $1.75 million. The incident has prompted urgent discussions regarding the methods that even experienced traders employ to confirm wallet addresses during on-chain operations.
The Mechanics: Zero-Value Transfers and Onchain Phishing
ALERT
Cyvers, a crypto compliance firm, reported that the scam involved zero-value transfers utilizing Ethereum’s transferFrom function to create transactions from the victim’s wallet to fraudulent addresses without requiring a private key signature or any user authorization.
These transactions, which carried no actual value, were easily added to the blockchain without triggering conventional security notifications.
In this scheme, the scammer’s wallet address appeared in the victim’s transaction history. Observing an outbound transaction associated with a known address can mislead users into trusting it, leading them to mistakenly believe it is legitimate if they encounter it again.
During follow-up transactions, users may inadvertently copy and paste this spoofed address, resulting in the direct transmission of assets to the fraudster.
Zero-value transfers represent an advanced form of the traditional address poisoning scam, where scammers dispatched tiny amounts of cryptocurrency from addresses closely resembling legitimate contacts, often mimicking familiar starting and ending characters.
Victims who depend on pattern recognition or partial address confirmation tend to be more susceptible to falling for such tactics.
Zero-value transfers enhance this deception, as they effectively integrate the false transaction into a user’s visible transaction history, which increases credibility.
Blockchain security firm Elliptic revealed in 2023 that around 150 scammers executed over 176,000 Ethereum and BNB Chain transactions using this method since November 2022.
While these transactions bear no value, initiating them incurs significant gas fees. Scammers have expended over $710,000 on these fees while netting more than $1.5 million in illicit returns, achieving an overall profit of nearly $800,000, averaging around $5,500 for each offender.
In a relevant case from May 2024, a victim of a highly sophisticated address poisoning scam successfully recovered most of the $71 million in stolen WBTC, aided by quick action from blockchain security firm Match Systems and exchange Cryptex.
A victim who fell prey to a sophisticated ‘address poisoning’ attack has successfully recovered almost all of the stolen funds.#Hack #Scamhttps://t.co/GJEcS0BfvN
— Finance Newso.com (@Finance Newso) May 12, 2024
Broader Impact and Defensive Measures Against Phishing Scams
The emergence of zero-value transfer scams has laid bare troubling vulnerabilities within user behavior and the presentation of transaction data in wallet interfaces.
A report from January 2025 indicated that over 270 million address poisoning attempts occurred on the BNB Chain and Ethereum from July 2022 to June 2024. Out of these attempts, approximately 6,000 proved successful, leading to losses surpassing $83 million.
Jameson Lopp highlighted alarming trends in Bitcoin address “poisoning” attacks, where attackers replicate wallet addresses.#BitcoinPoisoning #Bitcoin #BitcoinScamhttps://t.co/NlBdbV0sSe
— Finance Newso.com (@Finance Newso) April 7, 2025
In response to these challenges, the crypto community has begun to evolve its defensive strategies. In 2023, Etherscan introduced a new feature that automatically conceals zero-value token transfers, aiming to protect users from misleading transaction records.
Update: Zero-value token transfers are now hidden by default. In recent times, ‘address poisoning’ attacks have phished unsuspecting users and spammed others. With this update, you won’t have to see these transfers anymore! Before 
After pic.twitter.com/F93pWDUJ7a
— etherscan.eth (@etherscan) April 10, 2023
While users can still opt to view these transfers, this default setting aims to diminish confusion and prevent phishing schemes from reaching the average wallet owner.
Providers of crypto wallets, such as Trezor, have also issued alerts about address poisoning. They emphasize that although these scams are increasingly pervasive, they do not compromise private keys or internal wallet security.
Rather, these scams exploit human error and behavioral tendencies, preying on users’ visual recognition of addresses, leading them to copy and paste from transaction logs without proper verification.
The cryptosphere continues to face a challenge as users navigate these deceptive tactics, emphasizing the need for greater awareness and education among digital asset holders.
