- TransferFrom: is a function that lets someone move your crypto tokens to another wallet, but only if you first gave them permission to do so.
- Poisoning attacks: are scams that fake past transactions in your wallet history to trick you into trusting and sending crypto to a scammer’s address.
- Zero-value transfer: is a blockchain transaction that sends 0 tokens, used to create a fake record in someone’s transaction history without actually moving any money.
On May 26, 2025, a crypto investor lost $2.6 million in USDT after being tricked twice in just three hours by a phishing scam. The scammers made the investor believe they were sending money to a trusted address by faking the transaction history.
According to a report from blockchain security company Cyvers, the scammers used a function on Ethereum called transferFrom to send zero-value transactions from the victim’s wallet to fake addresses. These fake transactions made it look like the victim had previously sent money to these addresses, even though they hadn’t. This trick didn’t need the victim’s private key or permission, making the scam hard to spot.
The victim first lost 843,000 USDT, and just three hours later, unknowingly sent another 1.75M USDT to the same scammer bringing the total loss to around 2.6M USDT.
How did the scammer manage to trick the victim?
This attack works by placing the scammer’s wallet address in the victim’s transaction history. Users who see the address logged as an outbound transaction are more likely to trust it, mistaking it for a previously interacted or known address.
In simple; The scammer used a trick called a zero-value transfer. They sent a fake transaction from the victim’s wallet to their own address, but with 0 tokens.
This didn’t move any real tokens, but it made it look like the victim’s wallet had sent something to the scammer’s address. So when the victim checked their transaction history, they saw that address and thought, “I’ve sent money here before, so it must be safe,” and ended up sending real money.
Although these transactions don’t move any funds, they still require gas fees to execute. The scammers have spent over $710,000 on these fees but managed to steal more than $1.5 million, making a net profit of nearly $800,000 which comes out to around $5,500 in profit per attack.
A January 2025 report revealed over 270 million address poisoning attempts occurred on BNB Chain and Ethereum between July 2022 and June 2024. Out of these, about 6,000 attempts were successful, resulting in losses exceeding $83 million.