A single phishing signature has cost one crypto user $999,999 in USDT, according to the Web3 anti-scam firm Scam Sniffer, in a theft whose clinical execution underscores just how automated and precise wallet-draining attacks have become.
One signature, and a drainer that didn’t miss
The loss, flagged by Scam Sniffer and visible on-chain, followed the victim signing a malicious token approval on Ethereum, the kind of authorization that hands an attacker permission to move a wallet’s tokens. What makes this case a striking illustration is the mechanical precision of what happened next.
The attacker’s automated script first attempted to pull around $1,000,000 from the wallet. That transaction failed because the wallet actually held about $631 less than a full million—the script had asked for more than was there. Rather than give up, the drainer simply adjusted.
Thirty-six seconds later, Scam Sniffer reported, the script recalculated and pulled the exact remaining balance, sweeping the wallet down to essentially nothing and leaving the victim with a loss of $999,999. It is a small detail with a chilling implication: these are not clumsy smash-and-grabs but automated systems that monitor, retry, and optimize in real time to extract the maximum possible amount.
How approval phishing works, and why it’s so dangerous
The attack vector at work here is one of the most common and most misunderstood in crypto, and understanding it is the best defense against it. Unlike a traditional hack, this kind of theft never touches the victim’s password or seed phrase. Instead, it exploits a routine, legitimate feature of tokens like USDT: the “approval.”
When a user interacts with a decentralized application, they are often asked to sign an approval, technically an approve or Permit authorization, that grants a smart contract permission to spend a certain amount of their tokens. This is a normal part of using DeFi.
The danger is that phishing sites disguise a malicious version of this request as something harmless: a fake airdrop claim, an NFT mint, or a “verify wallet” or “login” prompt. The victim, believing they are doing something routine, signs — and in doing so grants the attacker’s contract an allowance, often an unlimited one, over their tokens. From that moment, the thief does not need the victim’s keys or any further action; they can move the authorized funds whenever they choose.
The introduction of gasless signature mechanisms has made this even more insidious, because a malicious approval can be presented as a free, gas-less “signature” that many users assume carries no risk. Once the funds are gone, the transaction is irreversible; there is no bank to call and no chargeback to file.
‘Whale hunting’: the 2026 trend, and how to stay safe
This near-million-dollar loss is not an anomaly but a symptom of a deliberate strategic shift. According to Scam Sniffer data, signature-phishing losses jumped 207% in January 2026 compared with the month before, even as the total number of victims fell by around 11%. That combination points to what security researchers call “whale hunting”—attackers concentrating their efforts on fewer, wealthier wallets, where a single successful signature can yield six or seven figures rather than a few hundred dollars.
The tooling behind these attacks has industrialized into “Drainer-as-a-Service,” where developers rent out ready-made draining kits to lower-level scammers in exchange for a cut, complete with the kind of automated, self-correcting scripts on display in this theft.
The defenses, fortunately, are concrete. Before confirming any signature, users should rely on a wallet that simulates the transaction and shows exactly what it will do — if a prompt to “claim a free NFT” actually reads as authorizing the transfer of your USDT, that is the moment to abort.
Approvals should be treated as ongoing liabilities, not one-time clicks: tools that let users review and revoke standing token allowances can close off the permissions that make these drains possible, and doing so periodically is sound hygiene. Large holdings are safest in a hardware wallet that never interacts with random applications, with a separate low-value “burner” wallet used for airdrops and unfamiliar sites. And any unexpected request to sign, especially one framed as urgent verification, deserves suspicion rather than a reflexive click.
A final caution applies to anyone who has already been hit: victims are frequently targeted a second time by “recovery” services that promise, for an upfront fee, to retrieve stolen crypto. These are almost always a second scam preying on the first, and legitimate recovery never begins with a stranger demanding payment. The uncomfortable truth this case illustrates is that in self-custody, a single careless signature can be as costly as handing over the keys outright — and the scripts waiting on the other side are built to make sure nothing is left behind.
Also Read: Ledger and Trezor Users Are Being Tricked Into Giving Away Millions
