This week, another victim fell to the increasingly clever crypto scams . A single user lost $20,000 worth of BSC-USD (a stablecoin from the exchange Binance that is pegged to the U.S. dollar) in a double address poisoning attack. Data flagged by the scam alerting service Cyver show that this user was targeted not just once but twice in the span of a single hour. In each instance, they sent $10,000 to two different bad addresses—both of which were designed to look like the user’s real address. This episode highlights the enduring danger of address poisoning in decentralized systems. It serves as a clear reminder that even the most mundane crypto transactions can be perilous if sound verification practices are not followed. The Mechanics of Address Poisoning Address poisoning is a form of clever trickery that scammers use to carry out their schemes. They send worthless transactions from addresses that look very similar to the ones that a target has previously interacted with. The idea is to get the target to think they’ve been sent a transaction and, when they go to look at their transaction history, to get them to use a poisoned address in future transactions. If you know you haven’t sent a transaction to the address in your history, then somebody might be trying to scam you. The common user practice of using past transaction history to recycle wallet addresses is what this scam relies upon. It mimics the appearance of a legitimate address, usually by matching the first character and the last character of the address you would expect to see. It certainly doesn’t match the middle, which is the part of the address that actually matters, especially if we’re talking about using your eyes to tell the difference between a valid and a scam wallet. Knowing that we tend to trust the first and last characters, it would appear that scammy addresses follow the principle of a good magic trick. In this specific instance, the victim committed two expensive blunders. The first transaction was for $10,000 sent to a phony address. Just one hour later, the same victim sent another $10,000 to a different scammer, using the same hoax to get the money. This quick, double-dipping took place because the crooks were watching the victim’s wallet so closely they must have been salivating to go in for another hit after the first one worked so well. It also makes you wonder how many times the same scammer has done this with other not-so-smart victims. ALERT Today, our system detected 20K $BSC -USD lost due to address poisoning scams. A single victim was targeted twice by two different scammer addresses. First, victim mistakenly sent 10K $BSC -USD to a scammer. Just 1 hour later, victim sent another 10K $BSC -USD to a second… pic.twitter.com/OTU07UAyLK — Cyvers Alerts (@CyversAlerts) May 30, 2025 BSC Ecosystem and Security Concerns Among the fastest and most used blockchain platforms in the world, the Binance Smart Chain (BSC) boasts rapid transaction times and a nominal fee structure. Largely for these reasons, it has drawn the attention of bad actors holding malicious intentions. Address poisoning, a technique used by a number of blockchain bad actors, poses a very real threat to BSC users. BSC, like other Layer 1 chains, has a decentralized nature; that is, it is not controlled from a single place. Instead, it is run by numerous independent operators all over the world. This brings with it a familiar set of advantages and enables many of the functions of a blockchain. But it also brings some disadvantages—primarily, perhaps, that the end user is responsible for the custody of funds held in, and for the movement of funds to and from, BSC. Although detection systems and real-time alerts might be improved by platforms like Cyver and other firms specializing in blockchain security, these firms cannot stop a transaction from happening in the first place. They can only issue a warning after the fact or in real-time, if they’re really good, flag a suspicious pattern that just happens to be associated with the transaction in question. And in the realm of security, where a system can be only as good as its last update, alerts and warnings are not even a close second to prevention. Best Practices for Users: How to Stay Safe Losing $20,000 in BSC-USD to address poisoning is a recent, painful lesson, but one that offers takeaways for the wider crypto community. First and foremost: never copy wallet addresses directly from transaction history. Always use verified, manually saved addresses, or better yet, use wallet features that allow for whitelisting or address tagging. The second step is to turn on the anti-phishing tools and browser add-ons that look at the addresses you are trying to visit and let you know if they are not what they are supposed to be, like if they are really close to the name of a legit site but not quite right, or if they’re just plain old scammer sites. A lot of wallets and interfaces now have this functionality built in, but it’s up to you to use it and keep it updated. For the third point, verify that the addresses are correct down to each character before you dispatch any meaningful amount of cryptocurrency. A moment’s worth of carefulness could conserve thousands in not having to replace lost funds. Finally, keep yourself updated. Crypto develops quickly, and so do the schemes of bad actors. Following alert services like Cyver, reading up on the latest scams, and keeping an overall suspicious disposition are musts for safely navigating the crypto world. The ecosystem keeps on growing and maturing, and so must the behavior and protective practices of its users. Today’s incident is yet another reminder that in the decentralized world, security is not just a feature—it is a personal responsibility. Disclosure: This is not trading or investment advice. Always do your research before buying any cryptocurrency or investing in any services. Follow us on Twitter @nulltxnews to stay updated with the latest Crypto, NFT, AI, Cybersecurity, Distributed Computing, and Metaverse news !
