A hacker made off with more than $440,000 in USDC after a wallet owner unknowingly signed a malicious “permit” signature, according to a Monday tweet by Scam Sniffer.
The theft comes amid a surge in phishing losses. Roughly $7.77 million was drained from more than 6,000 victims in November, Scam Sniffer’s monthly report found, representing a 137% jump in total losses from October, even as the number of victims fell by 42%.
“Whale hunting intensified with a top hit of $1.22 million (permit signature). Despite fewer attacks, individual losses grew significantly,” the company noted.
Permit-based scams revolve around tricking users into signing a transaction that looks legitimate but quietly hands an attacker the right to spend their tokens. Malicious dapps may disguise fields, spoof contract names, or present the signature request as something routine.
If a user fails to scrutinize the details, signing the request effectively grants the attacker permission to access all of the user’s ERC-20 tokens. Once granted, scammers typically drain the funds immediately.
The method exploits Ethereum’s permit function, which is designed to make token transfers easier by allowing users to delegate spending rights to trusted applications. The convenience becomes a vulnerability when those rights are granted to an attacker.
“What’s particularly tricky about this attack type is that the attackers can either conduct the permit and transfer of tokens in one transaction (a smash and grab type approach) or they could give themselves access via the permit and then lay dormant waiting to transfer away any later added funds (as long as they set an appropriately far away access deadline within the permit function metadata),” Tara Annison, head of product at Twinstake, told Decrypt.
“The success of these types of scams relies on you signing something that you don’t quite realise what it will do,” she said, adding that, “It’s all about the human vulnerability and taking advantage of people’s eagerness.”
Annison added that this incident is far from isolated. “There are many big value and high volume examples of phishing scams designed to trick users into signing something they don’t fully understand. Often done under the guise of free airdrops, fake project landing pages to connect your wallet to [or] fraudulent security warnings to check if you’ve been impacted,” she added.
Wallet providers have been rolling out more protective features. MetaMask, for example, warns users if a site appears suspicious and attempts to translate transaction data into human-readable intent. Other wallets similarly highlight high-risk actions. But scammers continue to adapt.
Harry Donnelly, founder and CEO of Circuit, told Decrypt that permit-style attacks are “quite widespread” and urged users to check sender addresses and contract details.
“That’s the clearest way to know that if it’s a protocol that doesn’t match where you’re actually trying to send the funds, then that likely is someone trying to steal funds,” he said. “You can check the amount, so often they’ll try and give unlimited approvals, like that.”
Annison emphasized that vigilance is still users’ strongest defense. “The best way to protect yourself from a permit, approveAll or transferFrom scam is to ensure that you know what you are signing. What actions will actually be done in the transaction? What functions are being used? Do these match up to what you thought you were signing?”
“Many wallets and dapps have improved user interfaces to ensure that you’re not blindly signing something and can see what it will result in, as well as warnings for high risk functions being used. However it’s important that users are actively checking what they’re signing and not just connecting their wallet and hitting the sign,” she said.
Once stolen, the recovery of funds is unlikely. Martin Derka, co-founder and technical lead at Zircuit Finance told Decrypt the chances of getting the funds back was “basically zero.”
“In phishing attacks, you’re dealing with an individual whose entire goal is to take your funds. There’s no negotiation, no point of contact, and often no idea who the counterparty is,” he said.
“These attackers play a numbers game,” Derka said, adding that, “Once the money is gone, it’s gone. Recovery is essentially impossible.”
Start every day with the top news stories right now, plus original features, a podcast, videos and more.
Read the full article here
Verify the accuracy of this article using AI-powered analysis and real-time sources.
Enter your email to receive detailed fact-checking analysis
You've used your 5 free reports. Sign up for unlimited access!
Already have an account? Sign in here
The FSNN News Room is the voice of our in-house journalists, editors, and researchers. We deliver timely, unbiased reporting at the crossroads of finance, cryptocurrency, and global politics, providing clear, fact-driven analysis free from agendas.
We and our selected partners wish to use cookies to collect information about you for functional purposes and statistical marketing. You may not give us your consent for certain purposes by selecting an option and you can withdraw your consent at any time via the cookie icon.
Cookies are small text that can be used by websites to make the user experience more efficient. The law states that we may store cookies on your device if they are strictly necessary for the operation of this site. For all other types of cookies, we need your permission. This site uses various types of cookies. Some cookies are placed by third party services that appear on our pages.
Freedom Index