A single victim was scammed two times within three hours, losing a total of $2.6 million in stablecoins.

According to data shared on May 26 by crypto compliance firm Cyvers, the victim sent 843,000 worth of USDt (USDT), followed by another 1.75 million USDt around three hours later. Cyvers said the scam used a method known as a zero-value transfer, a sophisticated form of onchain phishing.

Source: Cyvers Alert

Zero-value transfers are an onchain phishing technique that abuses token transfer functions to trick users into sending real funds to attackers. The attackers exploit the token transfer From function to transfer zero tokens from the victim’s wallet to a spoofed address.

Since the amount transferred is zero, no signature by the victim’s private key is necessary for onchain inclusion. Consequently, the victims will see the outgoing transaction in their history.

The victim may trust this address since it is included in their transaction history, mistaking it as a known or safe recipient. They may then send real funds to the attacker’s address in a future transaction.

In one high-profile case, a scammer using zero transfer phishing attack managed to steal $20 million worth of USDT before getting blacklisted by the stablecoin’s issuer in the summer of 2023.

Related: Hackers using fake Ledger Live app to steal seed phrases and drain crypto

Advanced form of address poisoning

A zero-value transfer is considered an evolution of address poisoning — a tactic where attackers send small amounts of cryptocurrency from a wallet address that resembles a victim’s real address, often with the same starting and ending characters. The goal is to trick the user into accidentally copying and reusing the attacker’s address in future transactions, resulting in lost funds.

The technique exploits how users often rely on partial address matching or clipboard history when sending crypto. Custom addresses with similar starting and ending characters can also be combined with zero-value transfers.

Related: Industry exec sounds alarm on Ledger phishing letter delivered by USPS

Threat growing across blockchains

A January 2025 study found that over 270 million poisoning attempts occurred on BNB Chain and Ethereum between July 1, 2022, and June 30, 2024. Of those, 6,000 attempts were successful, leading to losses over $83 million.

The report follows crypto cybersecurity firm Trugard and onchain trust protocol Webacy announcing an artificial intelligence-based system for detecting crypto wallet address poisoning. The new tool purportedly has a success score of 97%, tested across known attack cases.

Magazine: Crypto scam hub expose stunt goes viral, Kakao detects 70K scam apps: Asia Express