Ethereum

Trader Loses $1M After Signing Phishing Token Approval on Ethereum

A crypto user lost 999,999 USDT on Ethereum after signing a phishing token approval, with scammers using a recalculating script to drain the exact remaining balance across three transactions.

⏱ 3 min read Ethereum
Quick Summary
  • A victim lost 999,999 USDT on Ethereum after signing a phishing token approval, with attackers using a recalculating script to extract the precise remaining balance in three transactions.
  • Chainalysis reported at least $14 billion in onchain scam losses in 2025, while CertiK tallied $723 million in phishing losses across 248 incidents during the same year.
  • Scam Sniffer advises users to carefully review all approval requests, avoid rushed transactions, and deploy scam-detection browser tools to reduce exposure.

A crypto user lost nearly $1 million on Wednesday after being tricked into signing a phishing token approval on Ethereum, according to onchain data. The incident adds to a growing wave of approval phishing losses that totalled $723 million across 248 incidents in 2025, per security firm CertiK.

How the Attack Unfolded

Blockchain security monitor Scam Sniffer flagged the attack on Thursday, revealing the victim lost exactly 999,999 USDt (USDT) in the exploit. According to Scam Sniffer, the attackers first attempted to drain a rounded $1 million through multicall transactions but failed because of insufficient funds. Seconds later, their script recalculated and executed follow-up transfers to extract the precise remaining balance.

‘The script recalculated and pulled the exact remaining balance,’ Scam Sniffer said.

Onchain records from Etherscan confirm that attackers extracted $999,999 across three separate transactions.

How Approval Phishing Works

Approval phishing exploits Ethereum’s token permission system. Scammers use social engineering to persuade a victim to click ‘approve’ on what appears to be a routine or minor transaction. In reality, the signed approval grants the attacker unlimited access to drain funds from the wallet automatically.

‘The approval gave attackers unlimited access, enabling an automated sweeper to drain funds,’ said researcher Ryan Coleman.

Earlier this month, a separate wallet holder reportedly lost $1.65 million after connecting to a fake exchange and signing a malicious contract in a similar incident.

Scammers Reuse Infrastructure Across Victims

Blockchain analytics firm Chainalysis reported in June that onchain scams pulled in at least $14 billion in 2025, with investment scams the dominant category. Approval phishing is described as a key mechanism by which many of those scams are executed onchain.

Renato Bastos, a senior investigator at Chainalysis, noted that attackers systematically reuse the same infrastructure across multiple victims:

‘Scammers reuse the same wallets, legitimate approval features from contracts, and cash-out routes across victims, which means each report exposes a wider network.’

The industry recorded $366 million in phishing losses in the first half of the year alone.

Address Poisoning Also a Growing Threat

Alongside phishing token approvals, address poisoning remains an active attack method. In this scheme, scammers generate wallet addresses nearly identical to a target’s own address and send tiny ‘dust’ transactions to it. If the victim later copies from their transaction history instead of a saved contact, they send funds to the attacker’s address instead.

In response to the growing threat, popular Ethereum wallet MetaMask launched live address poisoning detection in June. The tool compares each pasted address against addresses the wallet has previously interacted with, flagging potential lookalike fraud before a transaction is signed.

What Users Should Do

Scam Sniffer advises users to double-check every signature and approval request before confirming, and to avoid rushing through transaction prompts, especially ones that appear unexpectedly. It also recommends using browser extensions and tools built for scam detection to screen approval requests, and verifying wallet addresses character by character, particularly when copying from transaction histories.

⚖️ Our Verdict ⚖️ Watch and Wait

Another seven-figure approval-phishing loss underlines that signature scams remain one of the most effective attack vectors against retail users, against a backdrop of $723 million in 2025 phishing losses and $14 billion in total onchain scams. This is a security warning rather than a market-direction signal, and the practical takeaway is to review every approval request carefully.