Changpeng ‘CZ’ Zhao, the co-founder of Binance, has urged the cryptocurrency industry to strengthen its defenses against a type of scam called address poisoning attacks. CZ believes these scams can be stopped by improving how cryptocurrency wallets work and adding more security measures.
What Are Address Poisoning Attacks?
Address poisoning is a scam used to trick people into sending their cryptocurrency to fake addresses. Scammers create addresses that look very similar to the ones used by the victims. This often confuses people and can lead to huge financial losses. CZ wants to make sure wallets can automatically check if an address is associated with any scams and block transactions to these suspicious addresses.
He explained that this can be achieved by checking information on the blockchain—like a public record for cryptocurrency transactions. CZ also suggested creating a system where companies and wallets share information about known scam addresses in real-time. This would allow wallets to alert users before they make a mistake.
Binance Already Taking Steps
CZ shared that Binance Wallet already warns users if they are about to send money to addresses involved in scams. He also suggested improvements like hiding unwanted small transactions that scammers send to confuse the transaction history in wallets.
“We can completely stop these address poisoning attacks,” CZ confidently said.
How a Trader Lost $50 Million in USDT
Recently, CZ spoke about these scams after a crypto trader lost nearly $50 million in a cryptocurrency called Tether (USDT), following a poisoning attack. On December 20, data revealed by Lookonchain—a blockchain investigation tool—showed how this happened.
The victim withdrew the $50 million from Binance and wanted to transfer it to their wallet. Like many crypto traders, they sent $50 as a test to make sure the transaction worked. However, a scammer used a special trick to create a fake wallet address that looked almost identical to the victim’s wallet address. For example, the beginning and end of the address were the same, but the middle was slightly different. Since many wallets shorten addresses for easier reading, it was hard for the trader to notice the difference.
These scammers also sent tiny transactions (like spamming) to make the fake address appear in the victim’s transaction history. The trick worked: 26 minutes after the small $50 test transfer, the trader accidentally copied the scam address and sent a massive $50 million transaction to it.
What Happened to the Stolen Money?
Once the funds were sent, the scammer immediately moved the stolen USDT through different cryptocurrency types to make it harder to trace. According to a security firm, SlowMist, the scammer converted the USDT into a cryptocurrency called DAI, and then swapped it into around 16,690 units of Ether (ETH). They deposited most of this money into Tornado Cash, a tool that makes it almost impossible to trace these transactions.
To try to get his money back, the victim posted a message on the blockchain offering a $1 million reward (called a whitehat bounty) to anyone who could return his lost funds.
This Has Happened Before
This isn’t the first time such a scam has occurred. In May of last year, another crypto investor lost even more money—around $68 million worth of wrapped bitcoin (WBTC)—to an address poisoning attack. Like the recent victim, this person copied a fake address from their transaction history, thinking it was safe, and sent their funds to it.
Final Thoughts
These kinds of scams highlight why it’s super important for crypto wallets and platforms to add more safety features. As scammers get clever, it’s up to the cryptocurrency industry to stay one step ahead. By improving wallet designs and creating shared security systems, CZ believes we can stop poisoning scams from happening entirely.