CryptoCISO

Case Study: A Six-Figure Invoice Paid to the Wrong Wallet

Written by

in

A finance team paid a routine supplier invoice in USDC. Unknown to them, an attacker had been sitting inside the email thread for weeks and swapped the payment address at the last moment. A six-figure sum went to a wallet the thief controlled.

What we found. This was a business email compromise (BEC) layered onto a crypto payment. The attacker did not break any blockchain — they broke an inbox, then let the company send the funds themselves.

What we did. Stablecoins carry a recovery lever that most assets lack: the issuer can freeze tokens at the contract level. We traced the USDC immediately, identified the portion still sitting in the thief wallet, and delivered an evidence package to the stablecoin issuer compliance team while following the already-moved remainder toward an exchange off-ramp.

The outcome. The issuer froze a portion of the USDC at the contract level, taking it out of the thief reach, while the remainder was documented for an exchange freeze request and law-enforcement referral. The freeze was only possible because the theft was reported fast, with on-chain proof attached.

The takeaway. Stablecoin theft has a unique pressure point — issuer-level freezes — but the window is short. Verify payment addresses out-of-band, and if a crypto payment goes wrong, get an on-chain trace in front of the issuer within hours, not days.

Client and identifying details have been anonymized to protect confidentiality. CryptoCISO does not guarantee recovery; outcomes depend on the specific facts of each case.