In a massive security breach for the crypto community, an Ethereum whale lost 4,556 ETH (approximately $12.4 million) to a sophisticated “address poisoning” attack on January 30, 2026.
The victim, identified by blockchain security firms as a regular user of Galaxy Digital deposit addresses, was tricked by a fraudulent address that shared the same first and last four characters as the legitimate one.
The Anatomy of the $12.4M Theft
This incident is one of the largest “address poisoning” thefts in history, following a similar $50 million loss by a different trader just last month.
The “Dusting” Phase: Approximately 32 hours before the theft, the attacker “dusted” the victim’s wallet—sending a tiny, near-zero value transaction.
The Trap: This malicious transaction appeared in the victim’s transaction history. The attacker used a vanity address generator to create a wallet address that visually mimicked the victim’s usual destination (Galaxy Digital).
The Fatal Error: When the investor went to move their funds, they copied the address directly from their recent transaction history rather than a verified address book. Because wallet interfaces often truncate the middle of addresses (e.g., 0x1234...abcd), the victim didn’t notice the discrepancy.
The Sweep: The entire 4,556 ETH was sent to the attacker, who immediately began moving the funds through mixers to obfuscate the trail.
The “Poisoning” Pandemic
Address poisoning has become a primary vector for high-value thefts because it exploits human psychology and UI design rather than technical vulnerabilities in the blockchain itself.
| Feature | How It Works |
| --- | --- |
| Targeting | Scammers monitor on-chain data for high-frequency, high-value transfer patterns. |
| Vanity Addresses | Tools are used to create addresses with matching prefixes and suffixes (e.g., 0xd674...). |
| UI Exploitation | Attackers rely on the fact that most users only check the first and last few digits. |
Critical Defense Measures
Blockchain security firm Scam Sniffer and analysts have urged institutional and retail investors to overhaul their transaction protocols:
Stop History Copying: Never copy a recipient address from your transaction history.
Address Books: Only use “hard-coded” or whitelisted addresses from your wallet’s internal address book.
Full Verification: Always verify the entire 42-character string, particularly the middle characters.
Batching & Tests: For multi-million dollar moves, perform a small test transaction first, even if you’ve sent to that address before.
ENS Usage: Utilizing the Ethereum Name Service (ENS) to replace complex strings with human-readable names (e.g., galaxy.eth) can significantly reduce copy-paste errors.
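The address-book and full-verification measures above can be enforced in software rather than by eye. The following is an added example, not code from the article or from any wallet: it trusts a recipient only on a full-string match and flags any address that merely shares the first and last four characters with a trusted entry. The addresses, labels and function names are constructed for illustration.

```python
import re

ADDR_RE = re.compile(r"0x[0-9a-fA-F]{40}")

def normalize(addr: str) -> str:
    """Validate a 42-character hex address and lowercase it for comparison.
    (EIP-55 checksum validation is omitted here; it needs Keccak-256.)"""
    if not ADDR_RE.fullmatch(addr):
        raise ValueError(f"not a 42-character hex address: {addr!r}")
    return addr.lower()

def ends(addr: str, n: int) -> tuple:
    """The part a truncating UI shows: first and last n hex digits."""
    return addr[2:2 + n], addr[-n:]

def classify_recipient(candidate: str, address_book: dict, n: int = 4) -> tuple:
    """Return ('trusted' | 'lookalike' | 'unknown', label or None)."""
    cand = normalize(candidate)
    book = {normalize(a): label for label, a in address_book.items()}
    if cand in book:                      # full-string match only
        return ("trusted", book[cand])
    for addr, label in book.items():
        if ends(addr, n) == ends(cand, n):
            return ("lookalike", label)   # same ends, different middle
    return ("unknown", None)

def flag_poisoned_history(history: list, address_book: dict) -> list:
    """Return history entries whose counterparty imitates a trusted address."""
    return [tx for tx in history
            if classify_recipient(tx["counterparty"], address_book)[0] == "lookalike"]

# Constructed sample data, not real addresses.
TRUSTED = "0x1234" + "a" * 32 + "abcd"
LOOKALIKE = "0x1234" + "b" * 32 + "abcd"
UNRELATED = "0x9999" + "c" * 32 + "0000"
BOOK = {"exchange-deposit": TRUSTED}
HISTORY = [
    {"counterparty": TRUSTED, "value_wei": 5 * 10**18},
    {"counterparty": LOOKALIKE, "value_wei": 1},   # dust transfer
    {"counterparty": UNRELATED, "value_wei": 10**17},
]

if __name__ == "__main__":
    for tx in HISTORY:
        print(tx["counterparty"], classify_recipient(tx["counterparty"], BOOK))
```

A signing workflow can refuse to proceed on a "lookalike" result and require an explicit address-book addition for "unknown" recipients.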
“If I were to send $12 million, I would probably send it in batches of $100,000 at a time. It’s about prioritizing safety over convenience.” — Mark Huber, Crypto Security Analyst






