$70 Million Wrapped Bitcoin Stolen in Address Poisoning Attack Targeting Ethereum Users

On May 3, 2025, blockchain security analysts uncovered a devastating address poisoning attack that resulted in the theft of approximately $70 million worth of Wrapped Bitcoin (WBTC) from an unsuspecting Ethereum user. The incident, flagged by on-chain security monitor Scam Sniffer, represents one of the largest single-victim phishing losses recorded in 2025, underscoring the persistent and evolving threat posed by address spoofing campaigns across the crypto ecosystem.

The Exploit Mechanics

Address poisoning—also known as address spoofing—is a deceptive technique in which attackers generate wallet addresses that closely resemble those a victim frequently transacts with. The fraudulent addresses share the same first and last several characters as the legitimate recipient, making them nearly indistinguishable at a glance. Attackers seed the victim’s transaction history with these look-alike addresses by sending small token transfers, ensuring the fake addresses appear in the wallet’s recent activity.

When the victim later initiates a transfer, they often copy the address from their transaction history rather than manually verifying the full string. In this case, the victim was tricked into sending a massive WBTC transaction to a spoofed address that mimicked their intended recipient. Given that WBTC was trading near Bitcoin’s price of approximately $95,891 at the time, the stolen amount represented hundreds of wrapped BTC tokens. The attack exploited no smart contract vulnerability—instead, it weaponized human behavior and the limitations of how most users interact with wallet interfaces.

Affected Systems

The attack targeted the Ethereum network, where WBTC operates as an ERC-20 token backed 1:1 by Bitcoin. The victim’s wallet had recently interacted with WBTC contracts, and the attacker used this transaction pattern to craft convincing spoofed addresses. Address poisoning attacks typically exploit the default display settings of popular wallet applications and block explorers, which truncate long hexadecimal addresses to show only the first four and last four characters. This truncation makes visually distinguishing between legitimate and poisoned addresses extremely difficult without explicit verification.

This incident is part of a broader surge in address-based scams throughout 2025. Blockchain analytics indicate that phishing and address poisoning attacks have accelerated significantly, with losses from such scams contributing to the over $333 million lost to crypto crime in April 2025 alone. The sophistication of these attacks has increased as attackers deploy automated tools to generate vanity addresses that match target patterns within seconds.

The Mitigation Strategy

Preventing address poisoning attacks requires a multi-layered approach. First, users must verify the complete wallet address—every single character—before confirming any transaction, especially large transfers. Second, wallet developers should implement address book features with verified entries, eliminating the need to copy addresses from transaction histories. Third, the crypto community is increasingly adopting ENS (Ethereum Name Service) domains and Unstoppable Domains as human-readable alternatives to hexadecimal addresses, reducing the attack surface for spoofing.

Several security tools now offer real-time address checking. Scam Sniffer, the same platform that flagged this WBTC attack, provides browser extensions that cross-reference destination addresses against known malicious patterns. Hardware wallet users benefit from on-device confirmation screens that display full addresses, creating an additional verification layer that software wallets cannot replicate.

Lessons Learned

The $70 million WBTC theft reinforces a critical truth in the cryptocurrency space: the most sophisticated security infrastructure can be rendered useless by a single moment of human error. Address poisoning succeeds not because of technical brilliance but because it exploits the gap between what users see and what is actually happening. As Bitcoin trades above $95,000 and the total crypto market cap exceeds $3.2 trillion, the financial stakes of even minor lapses in verification have never been higher.

The incident also highlights the urgent need for wallet developers to rethink how addresses are displayed and selected. Truncated address displays, while cleaner, create a false sense of security. The industry must prioritize UX designs that make verification intuitive rather than burdensome.

User Action Required

Every crypto user should take immediate steps to protect against address poisoning. Set up an address book in your wallet for frequent recipients and use it exclusively. Enable any available address verification features. Consider registering an ENS domain for your primary wallet. For transactions exceeding $10,000, perform a test send of a small amount first and confirm receipt before executing the full transfer. If you use a hardware wallet, always verify the full address on the device screen before signing. The five seconds it takes to check an address can save millions.

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before making any financial decisions.