A single victim was scammed two times within three hours, losing a total of $2.6 million in stablecoins.

According to data shared on May 26 by crypto compliance firm Cyvers, the victim sent 843,000 worth of USDt (USDT), followed by another 1.75 million USDt around three hours later.

A single victim was scammed two times within three hours, losing a total of $2.6 million in stablecoins, according to data shared by crypto compliance firm Cyvers.

The victim sent 843,000 worth of USDt (USDT), followed by another 1.75 million USDT around three hours later, the firm said on May 26. The scam used a method known as a zero-value transfer, a sophisticated form of onchain phishing.

A zero-value transfer occurs when an attacker exploits the token transfer From function to transfer zero tokens from the victim’s wallet to a spoofed address. Since the amount transferred is zero, no signature by the victim’s private key is necessary for onchain inclusion.

The victim will then see the incoming transaction in their history, and may trust this address since it is included in their transaction history, making them think it’s a known or safe recipient. They may then send real funds to the attacker’s address in a future transaction.

In one high-profile case, a scammer using a zero-transfer phishing attack managed to steal $20 million worth of USDT before getting blacklisted by the stablecoin’s issuer in the summer of 2023.

A zero-value transfer is an evolution of address poisoning, a tactic where attackers send small amounts of cryptocurrency from a wallet address that resembles a victim’s real address, often with the same starting and ending characters. The goal is to trick the user into accidentally copying and reusing the attacker’s address in future transactions, resulting in lost funds.

The technique exploits how users often rely on partial address matching or clipboard history when sending crypto. Custom addresses with similar starting and ending characters can also be combined with zero-value transfers.

A January study by TRGARD found that over 270 million poisoning attempts occurred on BNB Chain and Ethereum between July 1, 2022, and June 30, 2024. Of those, 6,000 attempts were successful, leading to losses over $83 million.

The report followed crypto cybersecurity firm Trugard and onchain trust protocol Webacy announcing an artificial intelligence-based system for detecting crypto wallet address poisoning. The new tool has a success score of 97%, tested across known attack cases.