Trader Loses $999,999 After Approving Phishing Token

A trader on Ethereum lost 999,999 USDT after approving a malicious token permission that let an automated script drain the wallet.

On Wednesday a trader lost 999,999 USDT on the Ethereum network after approving a malicious token permission, according to onchain records and a Scam Sniffer alert published Thursday. Attackers first attempted to withdraw a rounded $1 million through multiple multicall transactions but the initial attempt failed for insufficient funds; seconds later an automated script recalculated the balance and extracted 999,999 USDT in three transfers.

Phishing token approval scams present a permission request that appears routine. When a user signs the approval, a malicious contract can be granted the right to move tokens from the wallet. In this incident the signed approval allowed an automated sweeper contract to empty the remaining balance. Researcher Ryan Coleman described the mechanism: “The approval gave attackers unlimited access, enabling an automated sweeper to drain funds.”

Security firms reported phishing losses of $723 million across 248 incidents in 2025, and industry monitors recorded about $366 million in phishing losses in the first half of the year. Chainalysis estimated onchain scams collected at least $14 billion in 2025, with investment scams the largest category and approval phishing commonly used to execute those schemes.

Attackers frequently reuse the same wallets and cash-out patterns to target multiple victims. Renato Bastos, a senior investigator at Chainalysis, noted that reuse of wallets, legitimate approval features in contracts and consistent cash-out routes increase the scale of each breach.

Address poisoning is another tactic used alongside approval phishing. Scammers send tiny “dust” transfers to addresses that closely resemble legitimate destinations so a user might paste or select the wrong address. MetaMask introduced live address-poisoning detection in June to compare pasted addresses with previously used addresses.

Security services recommend checking signature requests carefully, avoiding approvals under time pressure and using wallet features or browser extensions that flag suspicious signatures. Earlier this month a separate wallet holder lost about $1.65 million after connecting to a fake exchange and signing a malicious contract.

Onchain transaction records and public alerts remain the primary sources for tracking these incidents. Investigators urge victims to report breaches promptly so patterns of reused wallets and cash-out routes can be traced and disrupted.

The material on GNcrypto is intended solely for informational use and must not be regarded as financial advice. We make every effort to keep the content accurate and current, but we cannot warrant its precision, completeness, or reliability. GNcrypto does not take responsibility for any mistakes, omissions, or financial losses resulting from reliance on this information. Any actions you take based on this content are done at your own risk. Always conduct independent research and seek guidance from a qualified specialist. For further details, please review our Terms, Privacy Policy and Disclaimers.

Articles by this author