Copy-paste error causes Ethereum investor to lose $12.4 million
An Ethereum user lost 4,556 ETH, worth over $12.4 million, after accidentally sending funds to a fake address created by hackers in an “address poisoning” scam.
According to analyzed data, the attacker created a wallet address with the same starting and ending characters as the legitimate Galaxy Digital receiving address. Then, the hacker sent small transactions into the victim’s wallet to make this fake address appear in the transaction history, making it look familiar and trustworthy.
Due to frequent transaction habits and the desire to act quickly, the victim opened the transaction history and copied the fake address without checking the entire string of characters. This copy–paste mistake caused all 4,556 ETH to be transferred directly into the attacker’s wallet.
Address poisoning scams are increasing in the crypto space, as hackers exploit users’ tendency to only check the first and last few characters of a wallet address. Previously, at the end of 2025, another investor lost up to $50 million in a similar manner, even after attempting to transfer a small amount first. This initial test transaction was exploited by hackers to create a fake address that closely resembled the real one, leading the victim to send the remaining funds to the wrong address.
Experts advise users not to copy addresses from transaction history but to verify the entire wallet address before sending funds. Additionally, using ENS or saving trusted addresses in a wallet’s contact list can reduce risks. Some investors also suggest splitting large transactions into smaller parts instead of transferring all funds at once to limit potential losses in case of errors.
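The full-address check described above can be automated before a transfer is signed. The following is an added example, not code from the article or from any wallet: it compares a pasted recipient character by character against a saved contact list and flags addresses that only share the first and last characters with a contact. The function names, the contact label and all addresses are constructed for illustration.

```python
import re

ADDRESS_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")

def normalize(addr):
    """Return the lowercase address, or raise if it is not 0x + 40 hex characters."""
    addr = addr.strip()
    if not ADDRESS_RE.match(addr):
        raise ValueError(f"not a well-formed address: {addr!r}")
    return addr.lower()

def classify(candidate, address_book, n=4):
    """Compare every character of candidate against the saved contacts.

    Returns ("trusted", label) on an exact match, ("lookalike", label) when only
    the first and last n hex characters match a contact, else ("unknown", None).
    """
    cand = normalize(candidate)
    book = {normalize(a): label for label, a in address_book.items()}
    if cand in book:
        return ("trusted", book[cand])
    for addr, label in book.items():
        if cand[2:2 + n] == addr[2:2 + n] and cand[-n:] == addr[-n:]:
            return ("lookalike", label)
    return ("unknown", None)

def poisoned_entries(history, address_book, n=4):
    """Return history entries whose counterparty imitates a saved contact."""
    return [tx for tx in history
            if classify(tx["counterparty"], address_book, n)[0] == "lookalike"]

# Constructed sample data: none of these addresses come from the incident.
ADDRESS_BOOK = {"exchange-deposit": "0x1a2b3c4d5e6f708192a3b4c5d6e7f8091a2b9f3e"}
HISTORY = [
    {"counterparty": "0x1A2B3C4D5E6F708192A3B4C5D6E7F8091A2B9F3E", "value_eth": 25.0},
    {"counterparty": "0x1a2b00112233445566778899aabbccddeeff9f3e", "value_eth": 0.0},
    {"counterparty": "0x" + "ab" * 20, "value_eth": 1.5},
]

if __name__ == "__main__":
    for tx in HISTORY:
        print(tx["counterparty"], classify(tx["counterparty"], ADDRESS_BOOK))
```

A "lookalike" result should block the transfer outright, and an "unknown" result should require the address to be confirmed through a channel other than the transaction history.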