On May 26, 2025, a crypto investor lost a total of $2.6 million in USDT after falling victim twice within a span of three hours to a sophisticated phishing scam leveraging zero-value transfers on the Ethereum blockchain. The scam manipulated Ethereum’s transaction history by inserting zero-value token transfers that appeared as legitimate outbound transactions from the victim's wallet to a spoofed address.
This tactic, known as "address poisoning," works by calling the token contract's transferFrom function on Ethereum with a zero amount, creating transactions that do not require the victim's private key signature or authorization but still show up in the wallet's transaction history. The victim, seeing the spoofed address in their transaction logs, mistakenly sent substantial real funds to the attacker’s wallet.
The attack first siphoned $843,000 in USDT and, shortly after, an additional $1.75 million in USDT. This scam is an evolution of older address poisoning techniques and has been noted by blockchain security firms like Cyvers and Elliptic. Since November 2022, scammers have initiated roughly 176,000 such zero-value transactions, costing victims more than $83 million across Ethereum and BNB Chain.
To mitigate these types of phishing scams, platforms like Etherscan have introduced features that hide zero-value transfers by default to prevent a misleading transaction display. Wallet providers and security experts warn users not to rely solely on visual transaction history or partial address matching to verify recipients.
Although the attacks require significant gas fees, scammers have made substantial net profits using these false address appearances to trick even experienced traders. The incident highlights a critical blind spot in user verification behaviors and calls for enhanced security awareness and blockchain analytics tools to combat such on-chain deception.
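The two defenses mentioned above, filtering zero-value transfers out of the history and comparing the full recipient address rather than its visible ends, can be sketched as follows. This is an added example, not code from any wallet or explorer; the record layout, function names and every address in it are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Transfer:
    tx_sender: str   # account that signed and paid for the transaction
    src: str         # "from" field of the token Transfer event
    dst: str         # "to" field of the token Transfer event
    value: int       # token amount in base units

def norm(addr: str) -> str:
    return addr.lower().removeprefix("0x")

def looks_alike(a: str, b: str, n: int = 4) -> bool:
    """Different addresses that share their first and last n hex characters,
    which is all a truncated display (0x3f9c...7be1) shows."""
    a, b = norm(a), norm(b)
    return a != b and a[:n] == b[:n] and a[-n:] == b[-n:]

def find_poisoning(wallet: str, history: list[Transfer]) -> list[Transfer]:
    """Zero-value transfers shown as outbound from `wallet` but signed by another account."""
    w = norm(wallet)
    return [t for t in history
            if t.value == 0 and norm(t.src) == w and norm(t.tx_sender) != w]

def check_recipient(candidate: str, trusted: list[str], suspects: list[Transfer]) -> str:
    """Compare the full address against the address book before sending funds."""
    c = norm(candidate)
    if any(c == norm(t) for t in trusted):
        return "ok"
    # Block addresses seen in poisoning entries, or that imitate a trusted one.
    if any(c == norm(s.dst) for s in suspects) or any(looks_alike(c, t) for t in trusted):
        return "block"
    return "unknown"

# Constructed sample data (not real on-chain addresses).
WALLET = "0x" + "a1" * 20
REAL = "0x3f9c" + "0" * 32 + "7be1"   # genuine counterparty in the address book
FAKE = "0x3f9c" + "f" * 32 + "7be1"   # look-alike with the same visible ends
HISTORY = [
    Transfer(WALLET, WALLET, REAL, 5_000_000),     # real payment signed by the owner
    Transfer("0x" + "ee" * 20, WALLET, FAKE, 0),   # zero-value entry signed by a third party
]
SUSPECTS = find_poisoning(WALLET, HISTORY)

if __name__ == "__main__":
    print([t.dst for t in SUSPECTS], check_recipient(FAKE, [REAL], SUSPECTS))
```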