A recent incident in the world of cryptocurrency has left a seasoned investor reeling after losing a staggering $2.6 million USDT in a sophisticated phishing scam. The attack, which occurred on May 26, 2025, caught the same victim twice within a span of just three hours, using a scheme that manipulated Ethereum’s transaction history through zero-value transfers.
The mechanics of this attack are both intricate and alarming. According to a report by crypto compliance firm Cyvers, the scammers used the transferFrom function of Ethereum token contracts to create transactions from the victim’s wallet to spoofed addresses without requiring any private key signature or user authorization. This works because a transfer of zero tokens never exceeds the caller’s allowance, so a token contract will typically accept it even when the wallet owner has approved nothing. As these transactions involved no real value, they were seamlessly added to the blockchain without triggering any security alerts.
This method of attack works by inserting the scammer’s wallet address into the victim’s transaction history. When users see this address listed as an outbound transaction, they are more likely to trust it, mistaking it for a previously interacted or known address. Subsequently, when they copy and paste the spoofed address in follow-up transactions, they unknowingly send tangible assets directly to the attacker.
Zero-value transfers represent an advanced evolution of the traditional address poisoning scam. In the past, scammers would send small amounts of cryptocurrency from addresses closely resembling the victim’s legitimate contacts, relying on users’ tendencies to recognize patterns or perform partial address verification.
The rise of zero-value transfer scams has exposed a critical vulnerability in user behavior and how wallet interfaces present transaction data. A recent report revealed over 270 million address poisoning attempts on BNB Chain and Ethereum between July 2022 and June 2024, resulting in losses exceeding $83 million.
In response to these threats, the crypto ecosystem has begun implementing defensive measures. Etherscan, for example, introduced a feature in 2023 that hides zero-value token transfers by default to shield users from misleading transaction records. While users can still opt to view these transfers, the default setting aims to reduce confusion and prevent phishing attempts from reaching the average wallet owner.
Crypto wallet providers like Trezor have issued warnings about address poisoning, emphasizing that these phishing scams do not compromise private keys or internal wallet security. Instead, they exploit human error and behavioral patterns, targeting users who recognize addresses by appearance or copy-paste from transaction logs without proper verification.
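The two defenses described above (hiding zero-value transfers by default, and verifying an address before pasting it) can be sketched as follows. This is an added example, not code from Etherscan, Trezor or Cyvers; the `Transfer` record, the function names and all addresses are constructed for illustration, and it assumes the history feed exposes the account that signed each transaction.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Transfer:
    tx_sender: str  # account that signed the transaction (assumed available)
    src: str        # "from" field of the token Transfer event
    dst: str        # "to" field of the token Transfer event
    value: int      # amount in the token's smallest unit

# Constructed sample addresses (not real accounts).
WALLET   = "0x" + "a1" * 20
LEGIT    = "0x1234" + "0" * 32 + "abcd"
SPOOF    = "0x1234" + "f" * 32 + "abcd"   # same first/last 4 hex chars as LEGIT
ATTACKER = "0x" + "ee" * 20

HISTORY = [
    Transfer(WALLET, WALLET, LEGIT, 5_000_000),  # real payment, signed by the wallet
    Transfer(ATTACKER, WALLET, SPOOF, 0),        # zero-value transferFrom, signed by someone else
]

def is_poisoning(t, wallet):
    """Zero-value transfer 'from' the wallet that the wallet did not sign."""
    w = wallet.lower()
    return t.value == 0 and t.src.lower() == w and t.tx_sender.lower() != w

def visible_history(history, wallet):
    """History with poisoning entries hidden, as a wallet UI could show it by default."""
    return [t for t in history if not is_poisoning(t, wallet)]

def trusted_recipients(history, wallet):
    """Addresses the wallet itself signed a non-zero transfer to."""
    w = wallet.lower()
    return {t.dst.lower() for t in history
            if t.src.lower() == w and t.tx_sender.lower() == w and t.value > 0}

def lookalike(a, b, n=4):
    """Different addresses that share the first and last n hex characters."""
    a, b = a.lower(), b.lower()
    return a != b and a[2:2 + n] == b[2:2 + n] and a[-n:] == b[-n:]

def check_destination(candidate, history, wallet):
    """Classify an address the user is about to paste as a recipient."""
    c = candidate.lower()
    trusted = trusted_recipients(history, wallet)
    if c in trusted:
        return "known"
    if any(is_poisoning(t, wallet) and t.dst.lower() == c for t in history):
        return "poisoned"
    if any(lookalike(c, k) for k in trusted):
        return "lookalike"
    return "unknown"
```

Comparing the full address rather than its first and last characters is what separates `LEGIT` from `SPOOF` here; a truncated display would render both identically.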
Ultimately, the devastating double-hit suffered by the crypto investor serves as a stark reminder of the importance of verifying wallet addresses thoroughly and staying vigilant against sophisticated phishing scams in the ever-evolving landscape of digital assets.