Meet the Top 101 in Crypto
Security
Complexity Icon Easy
5 min read

Crypto Whale Loses $220K in Scam — Attacker Returns Most, Keeps $17K

Published 25 March 2026
Elizaveta Savenko
Authors

Key Takeaways

  • A TON whale accidentally sent approximately $220,000 in TON to a scammer using address poisoning, but received some of his money back.
  • The attacker used a lookalike address to “poison” the whale’s transaction history before attaching a note of apology.
  • Since users copy addresses from the past transaction history rather than checking each character, these attacks are successful.
  • Losses can be prevented by simple habits that include test transfers, address books, and thorough checks.

Imagine watching a large sum of money disappear from your wallet with a single click, only to have the thief play “Robin Hood”, returning with nearly all of the stolen money. This is what happened to a TON whale in March 2026. The scammer has stolen money and then returned most of it with a note that read, “Sorry, the money is too much. I know it’s your hard-earned funds.”

There are many things in this story that raise questions, but the most important one is: How could a seasoned investor lose a fortune in seconds? The answer lies in a deceptive tactic known as address poisoning.

Address poisoning played a growing role, with one study identifying more than 270M attempts that targeted 17M wallets and produced confirmed losses exceeding $83M on Ethereum and BNB Chain alone. This article explores the breakdown of the whale’s six-figure error and steps to take to shield your digital vault.

TON Whale’s Expensive Mistake And Lucky Day

Early March 2026, the whale was prepared to send 126,000 TON, valued at roughly $220,000 at the time. Little did the whale know that the scammer had earlier sent a transaction from an address that matched the beginning and end characters of a real recipient the whale frequently sent money to.

So, when the whale later opened the recent activity tab and copied what appeared to be a familiar address, the money went directly to the attacker.

Usually, this is where the money is gone forever. However, this fraudster came up and, as a “compensation,” kept 10,000 TON, that is about $17,000, and gave back the remaining 116,000 TON, or roughly $203,000.

How does Address Poisoning work?

Address poisoning, sometimes referred to as address spoofing or dusting in this context, doesn’t harm wallets or private keys. It tricks users into approving the improper transaction themselves.

Scammers use GPU tools to build “vanity” addresses that look just like the first 4-8 and last 4-6 characters of real addresses users interact with. They then typically send an insignificant value (typically 0.000001 token or a fake token impersonating USDT) to your wallet, causing the phoney address to appear right next to your regular contacts in the brief preview most wallets provide.

When you’re in a hurry to transmit rent, pay a contractor, or transfer funds between exchanges or simply repeat the same withdrawals every now and then, you can instinctively copy the poisoned address. Unless the fraudster chooses to return it, the money is gone forever.

Example of poisoned transaction history filled with dust entries
Example of poisoned transaction history filled with dust entries | Credit: Ledger.com

How Address Poisoning Attacks Actually Work Step by Step

To see why even professionals get fooled, observe how simple the trick is:

  • Research: Attacker scans block explorers or social mentions for active whales or frequent traders. Software creates thousands of lookalike addresses (example: legitimate 0x1234…ABCD becomes 0x1234…AECD).
  • Poison: Tiny transfer lands in your history, often disguised as “Received 0 USDT” or a worthless token. On fast networks like TON or Solana, a scammer can “poison” your history for less than a cent. 
  • Trigger: User initiates a large outgoing transfer and selects the poisoned entry from the dropdown or paste field.
  • Exit: When money arrives, the attacker may use mixers to launder it or, in rare cases, return the majority of it with a letter.

In the 2024 Ethereum case, one whale nearly lost $68M in WBTC. The attacker returned the principal but pocketed $3 million in price appreciation. The TON event followed the exact same script.

Visual breakdown of how dust transactions poison history
Visual breakdown of how dust transactions poison history | Credit: TRMLabs.com

How to Protect Yourself From Address Poisoning

The primary targets are whales with big balances, as a single error can net scammers millions of dollars in a single transaction. However, even the most security-conscious traders and holders are at risk.

Just one habit has to be altered to be safe from address poisoning: never trust your transaction history. Other safe tips include:

  • Tip 1: Send a $5-$10 test transaction first and confirm receipt before the big one (yes, it costs extra gas but saves thousands).
  • Tip 2: Don’t just check the first 5 and last 5 characters. Check a few random characters in the middle of the address.
  • Tip 3: Use full-address display wallets or extensions that show 12+ characters by default and flag visual twins.
  • Tip 4: Enable transaction previews and review every character on the final confirmation screen. Hardware wallets typically force this extra step.
  • Tip 5: Ignore unknown incoming dust; many wallets now let you hide or blur them (Trezor and Trust Wallet added this in 2026).

Why This TON Whale Story Is Applicable to Average Crypto Users

The TON whale story demonstrates two truths at once: frauds are constantly developing, but human compassion (or fear of on-chain tracing) can still result in partial reimbursements.

With $17B lost to scams in 2025 and address poisoning campaigns on a record high, the risk is no longer “if” but “when” you encounter one.

FAQs

What is address poisoning in simple terms?

It is a trick that places fake similar-looking wallet addresses in your transaction history so you copy the wrong one by mistake.

Can address poisoning steal your private keys?

No, it only works if you manually confirm and send the funds yourself; your keys stay safe.

How do I stop address poisoning?

Although you can’t restrict people from sending you crypto, you can prevent scams by never copying addresses from your “Recent Activity” list.

What should I do if money were stolen via address poisoning?

Blockchain has no “undo” button, and attackers rarely return the funds like they did with the TON whale.

Disclaimer: The information provided in this article is for informational purposes only. It is not intended to be, nor should it be construed as, financial advice. We do not make any warranties regarding the completeness, reliability, or accuracy of this information. All investments involve risk, and past performance does not guarantee future results. We recommend consulting a financial advisor before making any investment decisions.
Elizaveta Savenko

Curious about how technology and crypto reshape global finance, Elizaveta Savenko explores blockchain, AI, decentralized systems, their applications, and regulatory requirements. She contributes to research, educational initiatives, and industry collaborations, examining trends in digital assets and fintech innovation, increasing awareness of the crypto space and its impact on financial systems.

Survey Icon
Help us improve
1 of 4
Is this your first time here?
What brought you here today?
What are you most interested in?
Would you be interested in:
Thank you icon
Thank you for your feedback!
DMCA.com Protection Status