Source: PortaldoBitcoin
Original Title: What a $440,000 Attack Reveals About the Growing Threat of “Permission” Scams on Ethereum
Original Link:
A hacker stole over $440,000 in USDC after a wallet owner unknowingly signed a malicious “permission” signature, according to a tweet from Scam Sniffer on Monday (8).
The theft comes amid a surge in phishing losses. About $7.77 million was lost from more than 6,000 victims in November, according to Scam Sniffer’s monthly report, representing a 137% increase in total losses compared to October, even as the number of victims fell by 42%.
“Whale hunting has intensified, with a maximum loss of $1.22 million (permission signature). Despite the reduction in the number of attacks, individual losses have increased significantly,” the company noted.
What are permission scams?
Permission-based scams involve tricking users into signing a transaction that appears legitimate but actually grants the attacker the right to spend their tokens. Malicious decentralized applications (dapps) can disguise fields, fake contract names, or present the signature request as something routine.
If a user doesn’t carefully review the details, signing the request gives the attacker permission to access all the user’s ERC-20 tokens. Once permission is granted, scammers typically drain the funds immediately.
The method exploits the ERC-20 permit (“permission”) signature, which was designed to facilitate token transfers by letting users delegate spending rights to trusted applications with an off-chain signature instead of an on-chain approval transaction. This convenience becomes a vulnerability when those rights are granted to an attacker.
“What’s particularly tricky about this kind of attack is that attackers can perform the permission and token transfer in a single transaction (a ‘smash and grab’ approach) or they can give themselves access through permission and then remain dormant, waiting to transfer any funds added later (as long as they set a sufficiently long access deadline in the permission function metadata),” said Tara Annison, head of product at Twinstake.
“The success of this type of scam depends on you signing something without fully understanding what’s going to happen,” she said, adding: “It all comes down to human vulnerability and taking advantage of people’s naivety.”
Annison added that this incident is far from isolated. “There are many examples of high-value, high-volume phishing scams designed to trick users into signing something they don’t fully understand. Often, these scams are disguised as free money giveaways, fake project landing pages to connect your wallet, or fraudulent security alerts to check if you’ve been affected,” she added.
How to protect yourself
Digital wallet providers have implemented more protection features. MetaMask, for example, warns users if a website seems suspicious and tries to translate transaction data into human-readable language. Other wallets also highlight high-risk actions. But scammers keep adapting.
Harry Donnelly, founder and CEO of Circuit, said “permit” attacks are “quite common” and advised users to check sender addresses and contract details.
“That’s the clearest way to know if the protocol doesn’t match the actual destination of the funds, as someone is probably trying to steal them,” he said. “You can check the value; often, they try to grant unlimited approvals, like this one.”
Annison emphasized that vigilance is still users’ best defense. “The best way to protect yourself from ‘permit’, ‘approveAll’, or ‘transferFrom’ scams is to make sure you know what you’re signing. What actions will actually be performed in the transaction? What functions are being used? Do they match what you thought you were signing?”
“Many wallets and decentralized applications (dapps) have improved their user interfaces to ensure you’re not signing anything blindly and can see the outcome, as well as displaying warnings about high-risk functions. However, it’s important that users actively check what they’re signing and not just connect their wallet and click sign,” she said.
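As an added example (not code from the article or from any wallet it names), the following JavaScript shows the checks a wallet, or a careful user reading the signature prompt, can apply to an EIP-712 Permit request before signing: an unlimited value, a far-future deadline that lets an attacker stay dormant, and a spender that is not the protocol the user expects. It assumes the request arrives as the typed-data object a dapp hands to a wallet; all addresses and values are constructed.

```javascript
// Added example, not code from the article or from any wallet vendor: a
// defender-side check on an EIP-712 "Permit" request (the mechanism the
// article calls a "permission" signature). All addresses are constructed.
const MAX_UINT256 = (1n << 256n) - 1n;
const ONE_YEAR = 365n * 24n * 3600n;

// Returns the warnings a user should read before signing. opts:
//   now              unix time (seconds) used to judge the deadline
//   trustedSpenders  addresses the user actually expects to approve
//   expectedToken    the token contract the user believes they are approving
function checkPermitRequest(typedData, opts = {}) {
  const now = BigInt(opts.now ?? Math.floor(Date.now() / 1000));
  const trusted = new Set((opts.trustedSpenders ?? []).map((a) => a.toLowerCase()));
  const warnings = [];
  if (typedData.primaryType !== 'Permit') return { isPermit: false, warnings };

  const m = typedData.message;
  const value = BigInt(m.value);
  const deadline = BigInt(m.deadline);
  const spender = String(m.spender).toLowerCase();
  const token = String(typedData.domain.verifyingContract).toLowerCase();

  // Unlimited approval: the spender can move the whole balance, including future deposits.
  if (value === MAX_UINT256) warnings.push('UNLIMITED_VALUE: approves the entire balance');
  // Long deadline: lets an attacker stay dormant and drain funds added later.
  if (deadline > now + ONE_YEAR) warnings.push('LONG_DEADLINE: approval valid for over a year');
  // Spender mismatch: the address receiving spending rights is not the protocol you think.
  if (trusted.size > 0 && !trusted.has(spender)) warnings.push(`UNKNOWN_SPENDER: ${spender}`);
  // Token mismatch: the domain names which token contract the permit applies to.
  if (opts.expectedToken && token !== opts.expectedToken.toLowerCase()) {
    warnings.push(`TOKEN_MISMATCH: ${token}`);
  }
  return { isPermit: true, spender, token, value, deadline, warnings };
}

// Constructed sample shaped like the malicious request the article describes:
// unlimited value and a deadline far in the future.
const SAMPLE_REQUEST = {
  types: {
    Permit: [{ name: 'owner', type: 'address' }, { name: 'spender', type: 'address' },
      { name: 'value', type: 'uint256' }, { name: 'nonce', type: 'uint256' },
      { name: 'deadline', type: 'uint256' }],
  },
  primaryType: 'Permit',
  domain: { name: 'USD Coin', version: '2', chainId: 1, verifyingContract: '0x' + 'aa'.repeat(20) },
  message: { owner: '0x' + '11'.repeat(20), spender: '0x' + '22'.repeat(20),
    value: MAX_UINT256.toString(), nonce: 0, deadline: MAX_UINT256.toString() },
};
```

A wallet that surfaces these three warnings verbatim gives the user exactly the questions Annison lists: what function, which spender, and how much for how long.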
Once stolen, recovery of funds is unlikely. Martin Derka, co-founder and tech lead at Zircuit Finance, said the chances of recovering funds are “virtually zero.”
“In phishing attacks, you’re dealing with an individual whose sole goal is to steal your funds. There’s no negotiation, no point of contact, and often no idea who the other party is,” he said.
“These attackers play the numbers,” Derka added, noting that “once the money is gone, it’s gone forever. Recovery is essentially impossible.”