WikiBit 2025-12-25 23:40
Trader loses $50 million in USDT through an address poisoning attack. Charles Hoskinson states that UTXO blockchains like Cardano resist poisoning.
Digital asset security remains the primary challenge facing the cryptocurrency sector as it enters 2026. An unnamed trader lost nearly $50 million in USDT to an address poisoning scam, raising questions about infrastructure resilience.
The victim had operated their wallet for approximately two years, primarily conducting USDT transfers. The trader followed standard security practices by sending a test transaction of 50 USDT before executing the larger transfer. Despite this precaution, the attack succeeded through social engineering tactics.
Address Poisoning Exploits Fundamental Design Flaws
Charles Hoskinson, founder of Cardano, stated that the vulnerability stems from architectural choices in account-based blockchain systems. Ethereum and other EVM-compatible chains display addresses as free-form strings in transaction histories. Wallets encourage users to copy addresses from previous transactions. This creates opportunities for attackers to inject malicious addresses.
Hoskinson argued that UTXO-based blockchains like Bitcoin and Cardano are not affected by this attack vector. These systems consume existing transaction outputs and create new ones with each transfer. This prevents the address reuse patterns that enable poisoning attacks. UTXO wallets select transaction outputs explicitly rather than copying destination addresses from account histories.
“A persistent account state to visually poison does not exist” in UTXO models, Hoskinson noted on X. One user disagreed, stating that address poisoning results from user error when copying incorrect addresses from blockchain explorers. Hoskinson responded that account abstraction and smart wallet standards make the problem worse rather than better.
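An added example, not part of the original article: a wallet-side check that flags transaction-history entries whose address imitates a verified counterparty. It assumes the poisoned address matches the first and last characters of the real one and usually arrives with a tiny or zero-value transfer; the function names, thresholds and sample addresses are constructed for illustration.

```python
# Added example: flag history entries that imitate a trusted counterparty.
# Assumption: the poisoned address copies the leading and trailing characters
# of a real address, because wallets often display addresses truncated.

def normalize(addr: str) -> str:
    """Lowercase and strip the 0x prefix so checksum casing is ignored."""
    a = addr.strip().lower()
    return a[2:] if a.startswith("0x") else a

def is_lookalike(candidate: str, trusted: str, head: int = 4, tail: int = 4) -> bool:
    """True when candidate differs from trusted yet matches its visible ends."""
    c, t = normalize(candidate), normalize(trusted)
    if c == t or len(c) != len(t):
        return False
    return c[:head] == t[:head] and c[-tail:] == t[-tail:]

def flag_poisoned(history, trusted, dust_threshold=1.0):
    """Return history entries whose counterparty imitates a trusted address.

    history: list of dicts with 'counterparty' and 'amount' (token units).
    trusted: addresses the user has verified out of band.
    dust_threshold: assumed cut-off below which a transfer counts as dust.
    """
    findings = []
    for tx in history:
        for good in trusted:
            if is_lookalike(tx["counterparty"], good):
                findings.append({
                    "counterparty": tx["counterparty"],
                    "imitates": good,
                    "dust": tx["amount"] <= dust_threshold,
                })
                break
    return findings

# Constructed sample data; none of these addresses come from the incident.
TRUSTED = ["0xAb12cd34ef56ab78cd90ef12ab34cd56ef789F3e"]
HISTORY = [
    {"counterparty": TRUSTED[0], "amount": 50.0},                      # real test transfer
    {"counterparty": "0xab12" + "0" * 32 + "9f3e", "amount": 0.0},     # imitation
    {"counterparty": "0x77aa" + "0" * 32 + "1111", "amount": 120.0},   # unrelated
]

if __name__ == "__main__":
    for finding in flag_poisoned(HISTORY, TRUSTED):
        print(finding)
```

A wallet could run such a check before offering a history entry as a paste target and require the full address to be confirmed when a match is found.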
Annual Theft Reaches Highest Levels Since 2022
Data from Chainalysis shows cryptocurrency hacks exceeded $3.4 billion in 2025, surpassing 2024 levels. The Bybit breach in February accounted for approximately $1.4 billion, making it the largest single cryptocurrency theft on record. That attack was attributed to North Korea-linked actors.
The $50 million address poisoning incident is part of a growing trend of attacks targeting traders with large holdings. These schemes rely on exploiting human behavior rather than breaking cryptographic security or finding smart contract vulnerabilities.
Projects building on account-based models face pressure to implement additional safeguards against social engineering. Smart wallet standards and account abstraction introduce complexity that may create new vulnerability vectors. Meanwhile, UTXO-based chains position their architectural choices as inherent security advantages.