CryptoHaven loses $1.78 million in 'address poisoning' scam during routine wallet rotation

Digital asset custody and treasury-management firm CryptoHaven lost $1,786,204 in USDC on Friday after a member of its operations team fell victim to an address poisoning scam — not during an unusual or rushed transfer, but in the middle of a routine wallet-rotation procedure the firm performs every quarter.

The loss was first flagged by blockchain analytics accounts monitoring large stablecoin outflows, and later confirmed by CryptoHaven in a statement over the weekend. According to two people familiar with the matter, the transfer was part of a scheduled migration of treasury funds from an older wallet into a freshly generated one.

As a matter of standard operational security, CryptoHaven periodically retires its active treasury wallets and migrates balances into new ones — a practice meant to limit exposure if an older address is ever compromised. The migration that took place Friday was, by all accounts, indistinguishable from the ones the team had run several times before.

That predictability, security researchers say, is exactly what the attackers were counting on.

How the attack worked

In the days leading up to the scheduled rotation, an automated bot generated a wallet address engineered to mirror the first and last characters of the firm's wallets. Because most wallet interfaces and block explorers abbreviate long addresses — showing only a prefix and suffix — the spoofed address looked virtually identical to a legitimate one at a glance.

The attacker then sent CryptoHaven a near-zero “dust” transaction from the look-alike address. The transfer moved no meaningful value; its sole purpose was to plant the fraudulent address inside the firm's on-chain transaction history, where it would sit waiting.

When the rotation began, the treasury operator followed the team's usual workflow. After generating the new destination wallet, they pulled the address to fund it the way they had in past migrations — by copying it from a recent transaction in the wallet's history rather than re-verifying it against the freshly generated key. They selected the poisoned entry.

Following a routine internal approval, the full balance being migrated — $1,786,204 in USDC — moved instead to the attacker's address.

“This is the cruelest version of the scam,” said one researcher who reviewed the transaction trail. “The victim was doing the right thing — rotating wallets to be safer. The attacker just made sure the wrong address was sitting in history at the exact moment the operator reached for it.”

Tracing the funds

On-chain data reviewed for this report shows the stolen USDC was swapped into ether (ETH) within minutes and dispersed across a series of intermediary wallets. Several of those addresses then interacted with a sanctioned crypto mixer, a common step in laundering proceeds before they reach an off-ramp. As of publication, none of the funds had been recovered.

CryptoHaven's response

In its statement, CryptoHaven said the loss was “contained to a single treasury migration transaction” and emphasized that no client custody assets or private keys were compromised. The firm said it has engaged a blockchain forensics provider, notified major exchanges in an effort to flag the destination addresses, and filed a coordinated report with law enforcement.

The company added that it has paused all wallet-rotation activity and is rebuilding the procedure around a hard-coded whitelist that requires every migration destination to be verified against the freshly generated key — and confirmed through a second, out-of-band channel — before any transfer can be approved.

“The irony isn't lost on us,” a CryptoHaven spokesperson said. “A process we run to reduce risk became the attack surface. Copying a destination from transaction history was a shortcut baked into our migration runbook, and that shortcut is gone.”

The bigger picture

Address poisoning has become one of the most cost-effective scams in crypto because it scales effortlessly. Bots dust thousands of high-balance wallets and wait for a single copy-paste error to pay off — no phishing, no malware, no stolen keys required.

What makes CryptoHaven's case notable is the timing. Wallet rotation is widely promoted as a security best practice, but it is also one of the few moments a treasury team deliberately sends a large balance to a brand-new address — one the team cannot recognize from memory. That combination makes routine migrations a high-value window for poisoning attacks.

Address poisoning exploits no vulnerabilities in code or cryptography. It takes advantage of user habits, namely the reliance on partial address matching and copy-pasting from transaction history. CryptoHaven's loss is a reminder that a good security habit, executed through a sloppy workflow, can become the very vulnerability it was meant to close.