Crypto Investor Loses $6.28M to Sophisticated Phishing Permit Scam

A cryptocurrency investor recently lost $6.28 million to a sophisticated phishing scam that exploited malicious signature approvals. The incident serves as a significant reminder of the increasing prevalence of “permit phishing” schemes, which pose a serious threat to users in the DeFi ecosystem.

Attacker Steals $6.28 Million  

The attack began when the victim received a targeted phishing message that appeared to be a legitimate update from a decentralized finance (DeFi) platform. Tempted by offers of better returns, the investor connected their wallet to a fake website.

There, they signed an EIP-2612, which includes a feature that allows token approvals without gas fees. However, it can also unintentionally give scammers unlimited spending access to a smart contract. 

The theft occurred shortly after the approvals were granted. The scammer quickly executed a contract that drained 3,200 stETH and a matching amount of aEthWBTC from the victim’s wallet. The loot, which was traced to a mixer address, revealed a calculated plan to conceal the trail. 

The entire theft took less than 12 minutes, using automated scripts for speed. Scam Sniffer noted that the victim’s portfolio, which was worth over $10 million before the attack, lost half its value immediately. The rapid process allowed no time for intervention, as blockchain transactions cannot be reversed once completed. On-chain analysis indicated that the assets were unlikely to be recovered, as they were likely laundered through exchanges.

Not New  

Following the exploit, some users on X have expressed shock, wondering how the victim unwittingly signed malicious token approvals. However, this subtle trap has long troubled the crypto space. For instance, earlier this month, a user of Venus Protocol lost $13.5 million.

The victim fell prey to a phishing scam by approving a transaction from a malicious Core Pool Comptroller contract, which granted the attacker access to their funds. Once permission was given, the hacker quickly drained stablecoins and wrapped tokens from the trader’s wallet. 

Surprisingly, though, a few hours after the incident, the Venus team tracked the stolen funds by force-liquidating the hackers’ trade positions. The team fully recovered the stolen funds afterwards, leaving the thief with nothing.

The post Crypto Investor Loses $6.28M to Sophisticated Phishing Permit Scam appeared first on Cointab.