Single Address Loses $24M in Sophisticated Poisoning Attack
Security firm PeckShield reported that a single crypto wallet holder lost approximately $24 million in aEthUSDC through an address poisoning attack. This type of scam involves an attacker sending a zero-value transaction to a target's wallet from a specially created address that mimics the start and end characters of a frequently used address in the victim's transaction history. The goal is to trick the user into copying the fraudulent address from their history for a subsequent, large transaction, thereby sending the funds directly to the scammer.
Attacker Bridges 20M in Stolen DAI to Arbitrum
Following the theft, the attacker moved quickly to launder the proceeds. The $24 million in aEthUSDC was swapped for approximately 20 million DAI. PeckShield identified that these funds are currently held in two attacker-controlled wallets, with addresses beginning with 0xdCA9 and 0xd0c2. The perpetrator has initiated the process of bridging these stolen funds to the Arbitrum network, a common tactic used to obscure the money trail and access different decentralized finance (DeFi) ecosystems for further laundering.
Theft Exposes Persistent User-Level Security Gaps
The $24 million exploit serves as a stark reminder of the persistent security challenges facing DeFi users. Unlike smart contract exploits that target protocol code, address poisoning preys on human error and the design of wallet interfaces that often display truncated addresses. This incident reinforces the vulnerability of even experienced users to increasingly sophisticated social engineering scams. It highlights an urgent need for investors to adopt stringent security practices, such as verifying full addresses and using hardware wallets, and for wallet developers to introduce clearer warnings and verification mechanisms to prevent such costly mistakes.
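The kind of full-address verification described above can be sketched in code. The following is an added example, not code from PeckShield or any wallet project: it flags a recipient that matches the first and last characters of a saved address without being that address, and picks out zero-value inbound transfers from such lookalikes in a wallet's history. The four-character display width, the function names and all addresses are assumptions constructed for illustration.

```python
from dataclasses import dataclass

SHOWN = 4  # hex chars shown at each end of a truncated address (assumed UI behaviour)
HEX = set("0123456789abcdef")

@dataclass(frozen=True)
class Transfer:
    sender: str
    recipient: str
    value: int  # amount in token base units

def normalize(addr):
    """Lower-case an address and reject anything that is not 0x + 40 hex chars."""
    a = addr.strip().lower()
    if len(a) != 42 or not a.startswith("0x") or not set(a[2:]) <= HEX:
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return a

def imitates(candidate, trusted):
    """True if candidate differs from trusted but shares its visible start and end."""
    c, t = normalize(candidate), normalize(trusted)
    return c != t and c[2:2 + SHOWN] == t[2:2 + SHOWN] and c[-SHOWN:] == t[-SHOWN:]

def check_recipient(recipient, address_book):
    """Compare the full recipient address against saved addresses before sending."""
    r = normalize(recipient)
    book = [normalize(a) for a in address_book]
    if r in book:
        return ("trusted", r)
    for known in book:
        if imitates(r, known):
            return ("lookalike", known)  # block or warn: likely poisoned entry
    return ("unknown", None)

def poisoned_entries(wallet, history, address_book):
    """Zero-value inbound transfers whose sender imitates a saved address."""
    w = normalize(wallet)
    return [t for t in history
            if normalize(t.recipient) == w and t.value == 0
            and any(imitates(t.sender, a) for a in address_book)]

# Constructed sample data, not real addresses.
WALLET = "0x" + "1" * 40
TRUSTED = "0x" + "a1b2" + "0" * 32 + "c3d4"
LOOKALIKE = "0x" + "a1b2" + "f" * 32 + "c3d4"
HISTORY = [
    Transfer(WALLET, TRUSTED, 5_000_000),   # genuine outbound payment
    Transfer(LOOKALIKE, WALLET, 0),         # zero-value poisoning transfer
    Transfer("0x" + "9" * 40, WALLET, 0),   # zero-value, but no resemblance
]
```

A wallet could run `check_recipient` on every pasted address and hide or label the rows returned by `poisoned_entries` in its history view.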