A crypto user lost nearly $1 million on Wednesday after being tricked into signing a phishing token approval on Ethereum, according to onchain data. The incident adds to a growing wave of approval phishing losses that totalled $723 million across 248 incidents in 2025, per security firm CertiK.
How the Attack Unfolded
Blockchain security monitor Scam Sniffer flagged the attack on Thursday, revealing the victim lost exactly 999,999 USDt (USDT) in the exploit. According to Scam Sniffer, the attackers first attempted to drain a rounded $1 million through multicall transactions but failed because of insufficient funds. Seconds later, their script recalculated and executed follow-up transfers to extract the precise remaining balance.
‘The script recalculated and pulled the exact remaining balance,’ Scam Sniffer said.
Onchain records from Etherscan confirm that attackers extracted $999,999 across three separate transactions.
How Approval Phishing Works
Approval phishing exploits Ethereum’s token permission system. Scammers use social engineering to persuade a victim to click ‘approve’ on what appears to be a routine or minor transaction. In reality, the signed approval grants the attacker unlimited access to drain funds from the wallet automatically.
‘The approval gave attackers unlimited access, enabling an automated sweeper to drain funds,’ said researcher Ryan Coleman.
Earlier this month, a separate wallet holder reportedly lost $1.65 million after connecting to a fake exchange and signing a malicious contract in a similar incident.
Scammers Reuse Infrastructure Across Victims
Blockchain analytics firm Chainalysis reported in June that onchain scams pulled in at least $14 billion in 2025, with investment scams the dominant category. Approval phishing is described as a key mechanism by which many of those scams are executed onchain.
Renato Bastos, a senior investigator at Chainalysis, noted that attackers systematically reuse the same infrastructure across multiple victims:
‘Scammers reuse the same wallets, legitimate approval features from contracts, and cash-out routes across victims, which means each report exposes a wider network.’
The industry recorded $366 million in phishing losses in the first half of the year alone.
Address Poisoning Also a Growing Threat
Alongside phishing token approvals, address poisoning remains an active attack method. In this scheme, scammers generate wallet addresses nearly identical to a target’s own address and send tiny ‘dust’ transactions to it. If the victim later copies from their transaction history instead of a saved contact, they send funds to the attacker’s address instead.
In response to the growing threat, popular Ethereum wallet MetaMask launched live address poisoning detection in June. The tool compares each pasted address against addresses the wallet has previously interacted with, flagging potential lookalike fraud before a transaction is signed.
What Users Should Do
Scam Sniffer advises users to double-check every signature and approval request before confirming, and to avoid rushing through transaction prompts, especially ones that appear unexpectedly. It also recommends using browser extensions and tools built for scam detection to screen approval requests, and verifying wallet addresses character by character, particularly when copying from transaction histories.


