A crypto investor lost $2.6 million in stablecoins after falling victim to two phishing scams within three hours, according to crypto firm Cyvers on May 26. The attacker used a method called zero-value transfer, which tricks users by sending fake zero-amount transactions to their wallets.
Zero-value transfers work by sending zero tokens from the victim’s wallet to a fake attacker’s address. These transactions do not move any real tokens and do not need the victim’s private key. But they still show up in the victim’s transaction history, making the attacker’s address look trustworthy.
Because the attacker’s address appears in the victim’s history, the victim may trust it and send real funds to that address later. This method is an advanced form of address poisoning. Attackers use wallet addresses that look very similar to the victim’s, often sharing the same first and last characters, to confuse users.
Address poisoning is a growing problem. A recent study showed over 270 million poisoning attempts on blockchains like BNB Chain and Ethereum from mid-2022 to mid-2024. About 6,000 attempts succeeded, causing losses of more than $83 million.
To fight this, some crypto security companies use AI tools to detect poisoning scams. These tools claim a 97% success rate in spotting attacks.
