A high-value crypto wallet associated with the entity known as “Silly Tuna” was drained of approximately $24 million in aEthUSDC on March 5, 2026, in what security analysts have described as a carefully executed address poisoning attack. The incident, first flagged by blockchain security firm PeckShield, highlights the growing sophistication of social engineering-based attacks targeting even experienced crypto users holding significant portfolios.
TL;DR
- A wallet linked to “Silly Tuna” lost approximately $24 million in aEthUSDC through an address poisoning attack
- The attacker created a spoofed address with matching prefix and suffix characters to deceive the victim
- After draining funds, the attacker swapped a significant portion into DAI and consolidated approximately $20 million across two staging wallets
- Stolen funds were then bridged in smaller tranches to Arbitrum in an effort to obscure the transaction trail
- Bitcoin traded at approximately $68,136 and Ethereum at $1,979 at the time of the attack
Understanding Address Poisoning
Address poisoning is a form of attack that exploits the way users interact with their cryptocurrency wallets rather than any technical vulnerability in the blockchain itself. In this type of attack, the perpetrator generates a wallet address that closely mimics a legitimate recipient address by matching its first few and last few characters. The attacker then sends a small transaction — often a zero-value token transfer — from the spoofed address to the victim’s wallet.
This transaction appears in the victim’s transaction history. When the victim later intends to make a legitimate transfer to the real address, they may inadvertently copy the spoofed address from their recent activity, believing it to be the correct destination. Because humans naturally focus on the beginning and end of long hexadecimal strings while skimming over the middle characters, the deception can be remarkably effective.
In the case of the Silly Tuna wallet attack, the victim likely copied the spoofed address from their transaction history and executed a transfer of approximately $24 million in aEthUSDC directly to the attacker’s wallet. The transaction was irreversible by the time the deception was discovered.
The Attacker’s Laundering Strategy
Following the successful drain, the attacker moved quickly to secure and obfuscate the stolen funds. On-chain analysis reveals a multi-stage laundering strategy that demonstrates careful planning. The attacker first swapped a significant portion of the stolen aEthUSDC into DAI, a move likely designed to reduce exposure to any potential freezing or blacklisting mechanisms that stablecoin issuers might deploy.
Approximately $20 million was consolidated across two staging addresses under the attacker’s control. This consolidation step suggests preparation for further obfuscation rather than an immediate cash-out attempt. The attacker subsequently bridged smaller tranches of the stolen funds to Arbitrum, a technique known as cross-chain fragmentation. By distributing the stolen assets across multiple chains and wallets, the attacker aimed to complicate on-chain tracing efforts and delay detection by blockchain monitoring tools.
This laundering pattern is consistent with tactics observed in other high-value crypto thefts, where attackers prioritize breaking the transaction trail before eventually moving funds through mixers or privacy-focused protocols.
A Growing Pattern of User-Targeted Attacks
The Silly Tuna incident is part of a broader trend identified in March 2026, where attacks targeting user behaviour — rather than smart contract code — accounted for a significant share of total crypto losses. According to a monthly report by blockchain analytics firm Nominis, approximately $178.1 million was lost across major crypto incidents in March 2026, representing a sharp increase from approximately $49.3 million in February.
Private individuals remained the most frequently targeted victims throughout the month, with attackers primarily relying on phishing techniques, malicious permit signatures, and social engineering. Authorisation abuse continued to dominate as the primary attack vector, with multiple incidents involving victims unknowingly approving transactions that granted attackers direct access to their funds.
Notably, social engineering and interaction-based exploits caused more cumulative damage in March than smart contract vulnerabilities, reinforcing a shift in the threat landscape toward attacks that exploit human psychology and trust rather than code-level weaknesses.
How to Protect Yourself from Address Poisoning
Address poisoning attacks are particularly dangerous because they require no interaction with the victim beyond the initial deception. However, several precautions can significantly reduce the risk:
First, always verify the full destination address when making transfers, not just the first and last few characters. While hexadecimal addresses are long and difficult to read in full, checking even a few additional characters in the middle can reveal a spoofed address.
Second, consider using address book features built into most modern wallets. By saving verified addresses and selecting recipients from a stored contact list rather than copying from transaction history, users can eliminate the primary vector for address poisoning attacks.
Third, be wary of unexpected small transactions or token transfers appearing in your wallet history. These are often the first sign that an address poisoning attempt is underway. If you notice unfamiliar micro-transactions, avoid interacting with the sending addresses.
Fourth, use hardware wallets for large holdings. Devices like Ledger or Trezor display the full destination address on their built-in screens, providing an additional verification step that software wallets alone cannot offer.
Finally, consider enabling whitelist features that restrict outgoing transfers to pre-approved addresses only. This adds a layer of friction that can prevent accidental transfers to attacker-controlled wallets.
Why This Matters
The $24 million Silly Tuna wallet drain is a stark reminder that in cryptocurrency, security is not just a technical problem — it is a human problem. As blockchain protocols themselves become more secure and audited, attackers are increasingly pivoting to exploit the weakest link in the chain: the user. Address poisoning, phishing, and malicious permit signatures require minimal technical sophistication to execute but can yield devastating returns when they succeed.
The incident also highlights the irreversible nature of blockchain transactions. Unlike traditional banking, where fraudulent transfers can sometimes be reversed or frozen, cryptocurrency transactions are final once confirmed. This fundamental characteristic of blockchain technology means that prevention is not just the best defence — it is the only defence. Education, vigilance, and the adoption of security best practices remain the most effective tools for protecting digital assets in an increasingly hostile landscape.
Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research and practise proper security hygiene when managing cryptocurrency assets.
Address poisoning is such a devious tactic because it relies on the standard habit of copying from transaction history. It’s wild that a whale handling $24M wouldn’t have a more robust verification process, but these attackers are getting really good at matching the start and end of addresses. Stay safe out there and always use address books!
24M lost to a copy paste error. EIP-55 checksums help but most people dont even check those. we need better UX not better humans
addr_verify_ better UX wont help when the attack exploits visual pattern matching in human brains. we need protocol level address verification not UI patches
EIP-55 checksums help for ETH but most mobile wallets hide them entirely. we need the UX layer to flag matching prefix/suffix addresses as suspicious automatically
Another day, another massive exploit on ETH. While everyone focuses on smart contract bugs, social engineering and UI exploits like this are doing just as much damage. I honestly don’t know how we expect mass adoption when a single copy-paste error can lead to a total loss of funds. We need better wallet standards immediately.
CryptoCynic_99 mass adoption requires better wallet standards but also better education. most victims are experienced users who got complacent
Man, I feel for the victim, but this is why I always send a tiny test transaction first, no matter what. Even if the gas fees are high, it’s worth the peace of mind when you’re moving life-changing money. These hackers are getting way too creative with the poison transactions lately, it’s getting scary.