key insights
- Permit2 improves transaction efficiency but also increases the impact of a single malicious approval.
- Approval phishing continues replacing traditional wallet drainers as one of crypto’s most effective attack methods.
- Periodic review and revocation of token permissions can greatly minimize wallet exposure over time.
Despite the recent Prince of Persia drama, Ethereum users still continue to deal with the escalating security risks as a trader has lost nearly $1 million by approving a malicious Permit2 transaction. The incident wasn’t a protocol exploit or wallet breach.
Instead, attackers relied on social engineering to obtain spending permission, allowing them to empty almost the entire wallet within seconds.

The theft occurred on July 8 when the victim unknowingly approved a fraudulent transaction that granted attackers unrestricted access to 999,999 USDT stored on the Ethereum network. Blockchain security firm Scam Sniffer identified the incident and said the attackers adjusted their withdrawal script in real time after an initial transfer attempt failed because the wallet balance fell slightly below $1 million.
Attackers adapted their script within seconds
On-chain records show the attackers initially attempted to withdraw a full $1 million through multicall transactions. The transfer failed because the wallet contained 999,999 USDT rather than the requested amount.
The attackers immediately recalculated the available balance and executed three successful transfers totaling the wallet’s remaining funds.
The transactions included:
- 639,999 USDT
- 159,999 USDT
- 200,000 USDT
Scam Sniffer said the automated script detected the exact balance before draining every remaining token. Etherscan has since flagged the receiving wallet as a phishing address.
The attack centered on Uniswap’s Permit2 system, which allows users to authorize token spending through signed messages instead of separate on-chain approvals. The feature enhances efficiency but is being used by criminals to disguise their approvals as regular wallet requests.
Permit2 attacks only need one deceptive signature, unlike traditional hacks. When approved, the attackers can move the money without asking for further approval from the money owner.
Approval scams continue to be one of the biggest threats in crypto
Approval phishing remains one of the most prevalent attack techniques in DeFi, according to security companies. Typically, the victim thinks that he is conducting non-threatening transactions and gives the people who have created the token all the permissions it requires.
According to CertiK, phishing scams caused $723 million in losses across 248 incidents during 2025. The company also reported that the crypto industry lost $1.32 billion to security incidents during the first half of 2026, with phishing remaining the leading cause during the first quarter.
| Security metric | Reported figure |
|---|---|
| Wallet loss in latest incident | 999,999 USDT |
| Phishing losses during 2025 | $723 million |
| Reported phishing incidents | 248 |
| Crypto security losses in H1 2026 | $1.32 billion |
The latest theft followed another major compromise reported days earlier. A separate investor lost about $1.65 million after connecting to a fake cryptocurrency exchange and signing another malicious approval.
Researcher Ryan Coleman said that approval granted attackers unlimited access, allowing an automated sweeper to drain the wallet immediately. He urged users to verify smart contracts carefully and revoke unused token approvals.
Meanwhile, Chainalysis estimated that crypto scams generated at least $14 billion during 2025. Investigators said criminals frequently reuse wallet infrastructure, approval techniques, and laundering routes across multiple campaigns.

Growing pressure for stronger wallet protection
The latest Ethereum phishing case also renewed concerns about approval-based permissions replacing traditional transaction confirmations. Because Permit2 removes repeated on-chain approvals, a single compromised signature can expose multiple assets at once.
Security researchers also warned about address poisoning, another growing tactic where attackers send tiny transactions from nearly identical wallet addresses. Victims may accidentally copy the fraudulent address during future transfers.
Wallet providers have begun to roll out extra safety measures. Address poisoning detection has been recently introduced by MetaMask, and Revoke.cash, among other approval monitoring tools, is still recommended by security experts for users to cancel unwanted token permissions.
Scam Sniffer recommended that users check all the signatures they receive before confirming wallet transactions. The company also suggested scam detection tools to use in the browser and cautioned against rushing through transaction prompts.
Broader market implications
Despite being one of the most vulnerable security protocols in the development of decentralized finance, user approvals are still being exploited in the latest incident involving Ethereum. These attacks differ from protocol attacks in that they are designed to deceive human decision-makers, rather than technical solutions.
Given the sophistication of phishing attacks, security firms predict that these will focus on wallet permissions instead of vulnerabilities in the blockchain. It could be as crucial for investors to review all of the approval requests and delete old permissions as it’s to secure private keys.
The trend of these attacks is increasing and wallet security will be a prominent issue in the Ethereum ecosystem as wallet developers and providers work to improve security measures to better resist the growing sophistication of phishing attacks.





