A crypto user lost nearly $1 million after approving a malicious token permission on Ethereum, according to onchain tracking shared by Scam Sniffer. The incident highlights how phishing “toke
A crypto user lost nearly $1 million after approving a malicious token permission on Ethereum, according to onchain tracking shared by Scam Sniffer. The incident highlights how phishing “token approvals” continue to evolve from one-off scams into repeatable theft workflows.
Scam Sniffer reported that the victim’s loss was 999,999 USDT (USDT) linked to an Ethereum phishing approval. The attacker first attempted to drain funds through multicall requests but failed due to insufficient balance, then immediately succeeded seconds later by executing follow-up transfers that removed the remaining funds.
Key takeaways
- A single “approve” on an Ethereum token can grant an attacker sweeping power, allowing losses to be extracted quickly via automated transfers.
- Scam Sniffer’s report describes multi-step draining: an initial multicall attempt may fail, but subsequent transactions can still empty the wallet.
- Approval-phishing remains a widely used tactic within broader onchain scam ecosystems, including investment fraud.
- Researchers warn that scammers often reuse the same wallet patterns—meaning one uncovered incident can reveal a broader network of activity.
- Address poisoning still compounds the risk, and users should treat copied addresses and pasted contract or wallet data with extra caution.
A nearly $1 million theft triggered by a token approval
The phishing mechanism centers on token approvals that appear routine. In these scams, victims are tricked into signing a transaction that grants a malicious actor permission to spend tokens or route funds from the wallet. The approval itself may be presented as a small step—such as enabling a transfer, interaction, or “verification”—but it can instead grant broad or lasting access that the attacker immediately exploits.
In the reported case, Scam Sniffer said the script recalculated the victim’s remaining balance and then pulled the exact amount left after the first drain attempt. That meant the attacker did not need to guess the wallet’s contents—execution was adjusted in real time to maximize extraction.
On Etherscan, the scam’s activity is reflected across three transactions culminating in the extraction of 999,999 USDT. (See: Etherscan transaction.)
Why approval phishing keeps working
Approval phishing is a recurring pattern rather than a new trick. CertiK data cited in the coverage indicates that in 2025 phishing losses totaled $723 million across 248 incidents. The structure of these scams is consistent: social engineering prompts victims to click “approve,” but the approval hands over spending capability to an attacker-controlled contract.
CertiK’s figures are particularly important because they suggest the problem is not isolated. Approval phishing scales well for criminals: once a victim grants token permissions, the attacker can use that permission to drain balances without requiring ongoing interaction from the victim.
Industry-wide, the scale of phishing losses remains high. The article notes that the crypto sector recorded $366 million in phishing losses in the first half of the year, reinforcing that approval-based permission scams are part of a broader wave of onchain fraud rather than a niche threat.
Scammers reuse wallets and permission patterns
The broader risk is amplified when criminals reuse the same infrastructure and wallet targets. Earlier in the month, a separate incident was reported involving a victim losing $1.65 million after connecting to a fake exchange and signing a malicious contract. In that scenario, the approval gave attackers “unlimited access,” enabling an automated sweeper to drain funds, according to researcher Ryan Coleman.
Chainalysis previously reported that onchain scams pulled in at least $14 billion in 2025, with investment scams remaining a dominant category. In Chainalysis materials on approval phishing, the firm explains that approval-based tactics are one way investment fraud moves from social engineering into automated onchain theft.
Chainalysis also cautioned that criminals reuse the same wallets, leverage legitimate approval features from contracts, and employ consistent cash-out routes across victims. That reuse matters for investors and users because it changes what “one report” can mean: when investigators map recurring permission and withdrawal behaviors, it can expose a wider network of coordinated activity rather than a standalone attacker.
Chainalysis senior investigator Renato Bastos is quoted in the underlying coverage explaining that each uncovered report can reveal a broader network because scammers repeat wallet usage and operational paths. Readers should watch for whether similar approval signatures, contract patterns, or draining methods recur across incidents—those repetitions often indicate systematic campaigns.
Address poisoning adds another layer of risk
Phishing token approvals are not the only mechanism used to steal funds. The coverage also points to address poisoning, where scammers create wallet addresses that look similar to legitimate ones and then send small “dust” amounts to those near-matching addresses. When victims copy and paste the address, the dusted lookalike can cause users to send funds to the attacker rather than the intended recipient.
The risk is especially relevant on ecosystems where manual copy/paste workflows remain common. The article notes that MetaMask launched live address poisoning detection in June. That tool compares each pasted address with addresses the wallet has previously interacted with—designed to flag suspicious new or unexpected addresses that match known patterns for deception.
With both approval phishing and address poisoning in play, the common theme is user interaction: scams manipulate what people think they’re signing or sending. Defenses therefore require slowing down and verifying the exact permission or recipient address before proceeding.
What to watch next
Approval phishing incidents like the reported 999,999 USDT theft tend to spread quickly when criminals refine execution and reuse wallet patterns. Users should be alert to any signature request connected to token approvals, avoid rushing through prompts, and consider detection tools—while security teams and onchain analysts will likely continue tracking recurring draining scripts and shared infrastructure to identify campaigns before they expand further.
This article was originally published as $1M Loss as Trader Approves Phishing Token After Wallet Signature on Crypto Breaking News – your trusted source for crypto news, Bitcoin news, and blockchain updates.