Security Hub

Phishing Token Approval Drains $999,999 in USDT From One Wallet

Published: Jul 9, 2026By Aleksandar Dukic

Key Analysis

An Ethereum user lost $999,999 in USDT after signing a single malicious token approval, Scam Sniffer reports. Here is how approval-drainer attacks work.

Phishing Token Approval Drains $999,999 in USDT From One Wallet

Listen To This Article

Phishing Token Approval Drains $999,999 in USDT From One Wallet

4m 47s audio

AI narration. Useful for scanning on the move. Names and tickers may be mispronounced.

A crypto user lost $999,999 in USDT on Ethereum after signing a single phishing token approval, according to on-chain security firm Scam Sniffer. The loss was flagged on July 9, 2026, and shared by Cointelegraph. The wallet was not hacked in the conventional sense. No private key leaked. The owner authorized the transfer themselves by approving a malicious contract.

That distinction matters. Approval-drainer scams are now one of the most common ways money leaves self-custodied wallets, and they exploit a design feature of ERC-20 tokens rather than any bug.

The permission slip that empties an account

Every ERC-20 token, including USDT and USDC, uses an approve function. It lets you grant a smart contract permission to move a set amount of your tokens on your behalf. Decentralized exchanges rely on it. So do lending protocols, bridges, and almost every app that needs to pull tokens from your balance.

The problem is that an approval can be set to an unlimited amount, and it stays active until you revoke it. A phishing site disguises a malicious approve call as something harmless: a wallet connection, a token claim, an NFT mint, a "verify your assets" prompt. The victim sees a normal signature request and clicks confirm. Behind that click, they have just handed a stranger's contract the right to drain the entire USDT balance. Seconds later, an automated drainer executes the transfer.

In this case, the outcome was $999,999 gone in one move. The near-round figure suggests the wallet's full stablecoin position was taken.

No key theft required

People new to self-custody often assume the danger is someone stealing their seed phrase. That risk is real, and recent incidents like the Ill Bloom seed flaw show what happens when key material is exposed. But approval drains are different and arguably harder to defend against, because the victim signs voluntarily.

The attacker never needs your keys. They only need you to sign one transaction. Hardware wallets do not fully protect against this either. A Ledger or Trezor will still sign an approval if you approve it, because from the device's perspective you asked for it. The security boundary is the human reading the prompt, not the hardware holding the key.

This is why spending from your own wallet carries a responsibility that custodial accounts do not. When an exchange holds your funds, a phishing signature on a random site cannot move them. Self-custody removes that middle layer, which is the entire point, but it also removes the safety net.

Stablecoins are the prime target

Attackers favor stablecoins for a simple reason. USDT and USDC hold steady value and are instantly usable, so a drained balance converts to clean liquidity without slippage or a volatile exit. Ethereum still settles the majority of stablecoin activity, which concentrates the target pool. USDT trades near its $1.00 peg, and the ecosystem token, ETH, sat at $1,738.79 as of July 9, 2026, but neither price matters to a drainer chasing dollar-denominated balances.

The mechanics scale. A single drainer kit can run thousands of phishing pages, each waiting for one careless signature. Scam Sniffer and similar monitors report these losses almost daily, ranging from a few hundred dollars to seven figures like this one.

Practical defense

A few habits cut the risk sharply:

  • Read the actual contract interaction, not just the site's friendly text. Wallets like Rabby and newer MetaMask builds show a plain-language decode of what you are signing. If it says you are approving USDT to an unknown address, stop.
  • Revoke stale approvals periodically. Tools such as Revoke.cash list every active approval on your address and let you cancel them. An approval you granted a year ago to a since-abandoned dApp is still live.
  • Use a separate "burner" wallet for minting, claims, and any unfamiliar site. Keep your main stablecoin holdings in an address that never touches promotional links.
  • Treat unsolicited airdrops, "you have a pending reward" messages, and urgent claim windows as hostile by default.

None of this requires new technology. The $999,999 loss happened because a legitimate signature request was pointed at a hostile contract, and the reader did not catch it. Approvals are the most powerful action a self-custody user takes and the one most often clicked through without a second look.

Overview

An Ethereum user signed a malicious token approval on a phishing site and lost $999,999 in USDT in a single transaction, per Scam Sniffer. There was no key theft. The attack abused the standard ERC-20 approve function, which grants a contract permission to move your tokens until you revoke it. Stablecoins are the preferred target because they hold value and convert instantly. The defense is behavioral: decode every signature, revoke old approvals, and isolate large balances from wallets used on unfamiliar sites.

DisclaimerThis article is provided for informational purposes only and does not constitute financial advice. All fee, limit, and reward data is based on issuer-published documentation as of the date of verification.

Have a question or update?

Discuss this analysis with the community on X.

Discuss on X

Comments

Comments are moderated and may take a moment to appear.