Even Wang Chun Wasn’t Immune: $50M “Tuition” and Why Address Poisoning Keeps Succeeding
Key Takeaways
• Address poisoning exploits human behavior rather than cryptographic flaws.
• Users should verify the full address string before sending funds.
• Implementing an address book and hardware wallet verification can mitigate risks.
• The $50 million incident underscores the importance of operational security in cryptocurrency transactions.
A near–$50 million USDT loss on December 20, 2025 has reignited debate about the most low‑tech, high‑impact scam in crypto: address poisoning. On‑chain sleuths on X reported that a victim copied a look‑alike destination from recent activity and sent 49,999,950 USDT to a spoofed wallet—an error the attacker exploited within minutes. Public data on Etherscan confirms the receiving address has since been flagged for phishing, and investigators note the victim had just withdrawn funds from Binance before the mis‑send. Coverage by major outlets corroborates the flow of funds and the address‑similarity trap. (etherscan.io)
What actually happened in the $50M case
- The victim first sent a 50 USDT “test” to the correct address ending in …F8b5.
- A scammer quickly generated a vanity address matching the same first few and last few characters and “poisoned” the victim’s history with a dust transfer.
- Minutes later, the victim copied the poisoned address from their history and pushed the full 49,999,950 USDT, landing in the attacker’s wallet.
Multiple incident recaps align on these steps and the specific pair of look‑alike addresses involved. (blockchain.news)
From there, the attacker moved to break any potential freeze path by converting stablecoins and obfuscating flows. Several analyses indicate the funds were swapped from USDT to DAI, then into ETH before being funneled through Tornado Cash, a pattern consistent with minimizing freeze risk and adding laundering friction to recovery. (phemex.com)
You can follow the on‑chain trail directly: victim wallet 0xcB80784…0819 and attacker wallet 0xBaFF2F…08f8b5 on Ethereum. (etherscan.io)
Why address poisoning keeps working
Address poisoning doesn’t break cryptography; it exploits human habit and UI shortcuts:
- Most wallets shorten addresses, so users verify only the prefix/suffix. Poisoners generate vanity addresses that match those characters and seed the victim’s history with tiny transfers. The next time the victim copies from history, they may grab the attacker’s address. See the official explainer from the MetaMask Help Center. (support.metamask.io)
- Ethereum’s mixed‑case checksum (EIP‑55) helps detect typos, not look‑alikes that are valid but different. Understanding EIP‑55 and when its signal applies is key—checksums won’t save you from a convincingly similar, fully valid address. (eips.ethereum.org)
“Even veterans get caught”: Wang Chun’s cautionary tale
F2Pool co‑founder Wang Chun wrote on X that he suspected a private key leak in 2024 and “tested” the hypothesis by sending 500 BTC to the suspect address—490 BTC were taken while 10 BTC were left behind. The disclosure underscores that operational missteps (not just protocol bugs) still drive outsized losses. Multiple crypto media summarized his post and the address he shared. (theblockbeats.info)
“Why not just freeze USDT?”
USDT can be frozen at the token‑issuer level, but freezes aren’t instant and attackers actively race that clock. Research this year highlighted delays and procedural windows in blacklisting on major networks—creating time for attackers to swap into unfreezable assets or route through mixers. That’s precisely why some poisoners convert to DAI or ETH before laundering. (cointelegraph.com)
The bigger 2025 context: personal wallets under pressure
Chainalysis’ year‑end preview shows crypto theft topping $3.4 billion in 2025, with a notable surge in personal wallet compromises even as DeFi exploits stayed comparatively muted. A handful of massive incidents dominate totals, but user‑level mistakes like address poisoning are increasingly costly in aggregate. (chainalysis.com)
A practical, battle‑tested playbook to defeat address poisoning
Use this defense‑in‑depth checklist whenever you move size:
- Verify the full string, not just the first/last characters. If you can’t eyeball every character, don’t send. MetaMask’s guidance is blunt: never copy from transaction history when moving funds. (support.metamask.io)
- Maintain an address book/allowlist. Create named, trusted contacts for recurring payees and lock withdrawals to those entries where possible.
- Confirm on a hardware screen. Always display and approve the destination on the device itself so malware, clipboard hijackers, or poisoned history can’t silently change where you’re sending.
- Out‑of‑band verification. For large transfers, ask your counterparty to sign a short message from their address or validate via a pre‑agreed secure channel (PGP, Signal).
- Transaction simulation and risk checks. Use reputable tools to simulate swaps and detect suspicious “to” addresses or phishing approvals before signing.
- Consider ENS or other human‑readable naming for repeat flows, but still verify that the resolved address matches your contact record at signing time.
- Team SOPs for institutions. Require dual control on withdrawals, address allowlists, and screenshots from the hardware screen attached to every approval ticket.
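To make the "verify the full string" and allowlist items concrete, and to show why the shortened display described under "Why address poisoning keeps working" fails, here is an added example (not from the original article or any wallet's code). It trusts a destination only on a full-string match against an address book and flags history entries that merely look like a saved contact. The addresses, the contact name `treasury-cold`, and the 4+4 character display width are constructed assumptions, and EIP‑55 casing is deliberately not validated, since a look‑alike would pass that check anyway.

```python
import re

ADDR_RE = re.compile(r"0x[0-9a-fA-F]{40}")

def normalize(addr):
    """Lower-case a 20-byte hex address; reject anything malformed."""
    if not ADDR_RE.fullmatch(addr):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return addr.lower()

def shortened(addr, head=4, tail=4):
    """What a truncating wallet UI displays: first and last few hex characters."""
    a = normalize(addr)
    return f"{a[:2 + head]}...{a[-tail:]}"

def classify(dest, address_book, head=4, tail=4):
    """Return (verdict, contact): 'trusted' only on a full-string match."""
    d = normalize(dest)
    book = {normalize(a): name for name, a in address_book.items()}
    if d in book:
        return "trusted", book[d]
    for a, name in book.items():
        # Same shortened form but different full string: the poisoning pattern.
        if shortened(a, head, tail) == shortened(d, head, tail):
            return "lookalike", name
    return "unknown", None

def flag_poisoned_history(history, address_book):
    """Return history entries whose counterparty imitates a saved contact."""
    return [tx for tx in history
            if classify(tx["counterparty"], address_book)[0] == "lookalike"]

# Constructed sample data (not real addresses, not taken from the incident).
PAYEE = "0x" + "a1b2c3" + "0" * 28 + "d4e5f6"
POISON = "0x" + "a1b2c3" + "9" * 28 + "d4e5f6"
OTHER = "0x" + "7" * 40
BOOK = {"treasury-cold": PAYEE}
HISTORY = [
    {"counterparty": PAYEE, "amount": "50", "note": "outgoing test"},
    {"counterparty": POISON, "amount": "0.000001", "note": "incoming dust"},
    {"counterparty": OTHER, "amount": "12", "note": "incoming"},
]

if __name__ == "__main__":
    print(shortened(PAYEE), shortened(POISON))
    print(classify(POISON, BOOK))
    for tx in flag_poisoned_history(HISTORY, BOOK):
        print("do not copy from history:", tx["counterparty"], tx["note"])
```

Both sample addresses render identically once shortened, which is why the verdict has to come from the full string and the address book rather than from what the history view shows.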
For OneKey users
If you already use OneKey, lean on the device‑screen workflow:
- Verify the recipient address on the OneKey display before you sign. Clear‑signing on the device prevents the app or a poisoned history from substituting a look‑alike address at the last moment.
- Use contacts/allowlists in the app for recurring recipients. For high‑value operations, pair this with multi‑approval policies.
- Keep firmware and the OneKey App up to date; OneKey’s open‑source stack and attestation checks help ensure the software you run is authentic.
This doesn’t make you invincible—nothing does—but it makes address poisoning dramatically harder to pull off in practice.
Final thoughts
Address poisoning is a reminder that crypto’s biggest failure mode is often operational, not technical. The $50 million USDT case shows how a single copy‑paste from recent history can erase years of work. If you move size, adopt a paranoid mindset: treat addresses like bank wiring details and verify them out‑of‑band and on‑device, every time.
References: incident recap and on‑chain data, wallet‑safety guidance, and 2025 macro trends. See Cointelegraph’s report, Etherscan address records, MetaMask’s address‑poisoning guide, EIP‑55, Chainalysis’ 2025 overview, and Chinese‑language summaries of Wang Chun’s disclosure on BlockBeats. (cointelegraph.com)
If you don’t already have a hardware wallet and disciplined workflow, now is the time to build one. For OneKey users, always “verify on device,” save trusted contacts, and require multi‑step checks for large transfers—these simple habits directly neutralize address poisoning’s core trick.



