A crypto investor has lost a staggering $2.6 million in stablecoins after falling victim to two back-to-back zero-transfer phishing scams—both executed within just three hours. The exploit highlights the growing sophistication of on-chain phishing tactics and the persistent risks posed by “address poisoning” scams in decentralized finance.
According to blockchain security firm Cyvers, the attack unfolded on May 26, beginning with the victim unknowingly sending $843,000 worth of USDT to a fraudulent address. Hours later, a second transaction worth $1.75 million was sent to the same attacker—suggesting the victim may have mistaken the previously spoofed address as familiar and trusted.
At the center of this scheme is a technique called zero-transfer phishing. It allows malicious actors to initiate transactions that transfer zero tokens from a victim’s wallet to an address under their control—without requiring the victim’s private key. These transactions are then embedded in the victim’s wallet history, giving the appearance of a legitimate outgoing transaction. Later, when the user refers to their transaction history, they may unknowingly send real funds to the impersonated address.
This isn’t the first time the method has been deployed with devastating consequences. In 2023, a similar zero-transfer scam resulted in the theft of $20 million in USDT, prompting Tether to blacklist the scammer’s wallet in a rare intervention.
Zero-Transfer Scams Expand on Old Tricks
The recent surge in zero-transfer phishing attacks marks a dangerous evolution of the well-known address poisoning scam—a method that continues to wreak havoc across Ethereum, BNB Chain, and other major blockchains. Unlike traditional phishing campaigns, this variant leverages on-chain mechanics and user habits to deceive even experienced crypto holders.
At its core, address poisoning involves sending small amounts of crypto from a wallet address that mimics a trusted one—usually by matching the beginning and end characters. The goal is to trick the recipient into later copying and pasting the spoofed address during a real transaction, unintentionally sending funds to the scammer.
Zero-transfer phishing pushes this concept further. Instead of sending funds, attackers create transactions that transfer zero tokens from a victim’s wallet to a malicious address. Because the transfer involves no assets, it doesn’t require user authorization—but still appears in the victim’s wallet history. This allows scammers to “poison” the transaction record without triggering suspicion, increasing the odds that a victim mistakenly trusts and reuses the fake address.
Over $83M Lost to Poisoning Scams
This growing threat is not hypothetical. A January 2025 report revealed more than 270 million poisoning attempts occurred across Ethereum and BNB Chain between mid-2022 and mid-2024. At least 6,000 of these were successful, resulting in a combined loss of over $83 million in digital assets.
In response, crypto security firms are racing to counteract the trend. Webacy and Trugard recently announced the development of an AI-powered detection system designed to flag poisoned addresses with a reported 97% accuracy—based on real-world testing scenarios.
As the zero-transfer variant spreads, experts warn that user vigilance, smarter wallet interfaces, and detection tools are essential to protect against increasingly stealthy and psychological phishing techniques.
Quick Facts
- Investor loses $2.6 million in two USDT transfers
- Both phishing scams occurred within three hours
- Zero-transfer phishing embeds fake entries in wallet history
- Over $83 million lost to similar scams since 2022
- Security firms develop AI tools to detect poisoned addresses
