🖥 Copy-paste mistake cost $12.4M
A user tried to send 4,556 ETH ($12.4M) to a Galaxy Digital deposit, but pasted a poisoned address and wired the funds straight to an attacker
How address poisoning works
◽️ Attacker generates an address that matches the first/last 4–6 chars of a known deposit/wallet.
◽️ Sends a 0-value / dust transaction to “plant” that fake address in your history.
◽️ Victim copies from recent transactions, sees familiar edges, and sends the real transfer.
◽️ Your brain checks 0x123…ABCD, not the middle - scammers design for that.
How to avoid it
◼️ Never copy recipient addresses from transaction history.
◼️ Use an address book / whitelist for frequent destinations.
◼️ Verify middle characters, not just the start/end.
◼️ For large transfers: small test tx first, then the rest.
$12.4M lesson: the most expensive UI is “recent transactions” ✏️
