After $50M USDT Theft, Binance’s CZ Pushes Wallets to Block Poison Addresses by Default

Changpeng “CZ” Zhao has renewed calls for stronger, industry-wide defenses against address poisoning scams.

In a recent post, the former Binance CEO argued that such attacks are solvable through better wallet-level protections.

Combating Address Poisoning Attacks

CZ said wallets should automatically check whether a receiving address is associated with known poisoning activity and block users from sending funds to it. He noted that this is feasible through on-chain queries and also urged the creation of real-time security alliances that maintain shared blacklists of malicious addresses. This will allow wallets to flag risks before transactions are signed.

The crypto exchange founder added that Binance Wallet already issues warnings when users attempt to send funds to poison addresses and suggested that spam micro-transactions used to pollute transaction histories should be filtered out entirely from wallet interfaces.

Trader Loses $50M in USDT

His reaction comes days after a high-profile incident in which a crypto trader lost nearly $50 million in USDT after falling victim to an address poisoning attack, according to on-chain investigators. Data shared by Lookonchain revealed that on December 20, the victim mistakenly transferred 49,999,950 USDT to a scammer-controlled address shortly after withdrawing the funds from Binance.

As is common practice, the trader first sent a 50 USDT test transaction to what they believed was their own wallet. An attacker, using an automated script, then generated a spoofed address that closely resembled the legitimate one. The spoofed address matched the first five and last four characters while differing in the middle, precisely the section many wallets shorten with ellipses.

The scammer sent small transactions from this lookalike address to poison the victim’s transaction history. Roughly 26 minutes after the test transfer, the victim appears to have copied the spoofed address from their history and sent the full $50 million sum.

According to SlowMist, the attacker rapidly laundered the funds by swapping USDT to DAI, then converting it into around 16,690 ETH before depositing most of it into Tornado Cash, in a bid to complicate recovery efforts. The victim later posted an on-chain message offering a $1 million whitehat bounty for the return of the funds.

Last May, a crypto investor lost roughly $68 million worth of wrapped bitcoin (WBTC) after falling victim to the scam. Blockchain data showed the victim mistakenly sent more than 1,150 WBTC to a hacker-controlled wallet after copying an address from their transaction history.

The post After $50M USDT Theft, Binance’s CZ Pushes Wallets to Block Poison Addresses by Default appeared first on CryptoPotato.