A cryptocurrency dealer has misplaced greater than $12 million price of Ethereum ($ETH) after mistakenly sending funds to a fraudulent pockets tackle, in what blockchain knowledge suggests was a profitable address-poisoning assault.
On-chain information present the sufferer tackle, recognized as 0xd674, had a longtime sample of transferring massive sums of $ETH to a Galaxy Digital deposit pockets, based on insights shared by Lookonchain on January 31.
A sufferer (0xd674) misplaced 4556 $ETH($12.4M) as a consequence of a copy-paste tackle mistake.
Sufferer 0xd674 ceaselessly transfers funds to Galaxy Digital through
0x6D90CC…dD2E48.The attacker generated a poison tackle with the identical first and final 4 characters as Galaxy Digital’s deposit tackle… pic.twitter.com/oXI3exESzE
— Lookonchain (@lookonchain) January 31, 2026
This repeated conduct seems to have been exploited by an attacker who generated a malicious tackle designed to intently resemble Galaxy Digital’s reputable deposit tackle, matching the identical opening and shutting characters.
Transaction historical past signifies the attacker repeatedly despatched small-value transfers to the sufferer’s pockets over time.
To this finish, the mud transactions induced the poisoned tackle to seem alongside reputable locations within the pockets’s latest exercise, growing the probability of confusion throughout future transfers.
Roughly 11 hours earlier than the loss was detected, the dealer initiated one other Ethereum switch meant for Galaxy Digital.
Failure to confirm tackle
As an alternative of manually verifying the vacation spot, the tackle was copied straight from the transaction historical past. Consequently, 4,556 $ETH, valued at round $12.4 million on the time of the transaction, was despatched to the attacker-controlled pockets.
Notably, the switch was executed in a single outbound transaction, with the funds leaving the sufferer’s pockets instantly and no subsequent corrective transactions recorded.
The poisoned tackle efficiently acquired the Ethereum, and there was no indication of restoration efforts or fund reversal, according to the irreversible nature of blockchain settlements.
Total, the incident highlights the rising prevalence of address-poisoning assaults, the place malicious actors exploit visible similarities in pockets addresses fairly than vulnerabilities in good contracts or protocols.
Such assaults depend on consumer error fairly than technical exploits, making even skilled merchants susceptible when dealing with high-value transfers.
Featured picture through Shutterstock
