Key Takeaways
- The incident occurred on May 26 and involved two separate transfers—$843,000 followed by another $1.75 million—within just three hours.
- A recent report revealed that over 270 million poisoning attempts were made on Ethereum and BNB Chain from mid-2022 to mid-2024
A crypto investor lost $2.6 million in Tether (USDt) in two back-to-back transactions after falling victim to a zero-value transfer phishing attack—an increasingly common and deceptive onchain scam tactic, as per cybersecurity firm Cyvers.
The incident occurred on May 26 and involved two separate transfers—$843,000 followed by another $1.75 million—within just three hours. Analysts at Cyvers confirmed that both transfers were the result of a single victim being duped by the same scam technique.
The attack made use of a zero-value transfer, a phishing method that doesn’t require access to a user’s private keys. Instead, scammers exploit the “from” function in token transfer contracts to simulate transactions from the victim’s wallet to an attacker-controlled address—without actually moving funds. These transactions show up in the victim’s wallet history, falsely lending credibility to the attacker’s address.
Believing the attacker’s wallet to be a trusted contact—especially if it appears to match previously used addresses—the victim may inadvertently send actual funds to the spoofed destination.
This scam leverages user habits, such as copying and pasting addresses from recent transactions or relying on clipboard memory, rather than carefully verifying full addresses.
The method has already made headlines in previous incidents. In mid-2023, one scammer reportedly used the same tactic to steal $20 million in USDT before being blacklisted by the token issuer.
New research published in January 2025 revealed that more than 270 million poisoning attempts were made on Ethereum and BNB Chain from mid-2022 to mid-2024. Of those, around 6,000 succeeded, causing losses of over $83 million.
In response, crypto firms have started developing tools to counter the trend. Trugard and Webacy, two Web3 security companies, recently launched an AI-based system designed to detect and block suspicious wallet poisoning attempts. The tool has reportedly achieved a 97% detection rate across confirmed attack cases.
The latest $2.6 million loss adds to growing concerns over phishing techniques in decentralized finance, where victims have no recourse once funds are transferred to fraudulent addresses