An unidentified crypto user lost $999,999 in USDT to an Ethereum phishing attack after signing a fraudulent token approval request.
On-chain records show the attackers split the stolen funds into three transactions. The transfers landed inside Ethereum blocks 25489460 and 25489463 within minutes of the signature.
Token approval phishing remains one of the most persistent threats in decentralized finance. Attackers do not need a victim’s private keys to steal funds. Instead, they trick users into signing a request that grants a contract broad access to a token. The approval then stays active until someone revokes it.
Inside the Ethereum Phishing Attack
This pattern has hit crypto users repeatedly through 2026. The victim’s wallet held an unlimited allowance for the token, which gave the attacker room to act without any further confirmation. In May, a fake Uniswap phishing site drained roughly $400,000 from several wallets after visitors approved a malicious contract. A fake airdrop approval scam hit a HyperSwap user in a similar fashion this month. The scam drained his wallet within seconds of a single click.
Scam Sniffer. Source: X
Multicall Functions Sped Up the Theft
In this case, the attacker used Multicall functions to bundle several actions into one transaction. This structure lets the attacker move the approved USDT in seconds. The funds are then split into three separate outputs almost immediately.
In turn, that speed narrowed the victim’s window to revoke the approval. The wallet’s private keys stayed untouched throughout the attack. As a result, standard wallet alerts rarely flag this kind of exploit.
The method echoes tactics behind recent wallet address poisoning scams, where attackers exploit transaction structure rather than credential theft. Scam Sniffer also tied a 200 percent jump in phishing losses this year to a shift toward high-value wallets.
https://www.youtube.com/watch?v=KQybhNRlPaU&t=46s
Security Analysts Urge Signature Caution
Following the theft, Scam Sniffer analysts renewed calls for crypto users to verify every signature request before confirming it. The firm recommends checking the exact contract address and permission scope that a wallet displays. Users should avoid approving requests by default. Revoking unused or unlimited approvals on a regular basis remains one of the simplest defenses against this attack type.
The incident also echoes a MetaMask phishing campaign uncovered in January, which used fake two-factor prompts to bypass user suspicion entirely. Wallet providers keep adding protections. Still, analysts note that no interface change fully replaces a careful read of what a signature actually authorizes.
The gap between one signature and a drained wallet keeps narrowing for Ethereum users as phishing tactics grow more automated.
Read the Original story Crypto User Loses $999,999 in USDT to One Phishing Signature: How to Stay Safe by Phil Haunhorst at beincrypto.com
