Crypto Times Logo Black
Google News Follow Banner
  • News
    • Market
    • Bitcoin
    • Ethereum
    • Altcoins
    • Regulations & Policies
    • DeFi News
    • Blockchain News
    • Industry
  • Exclusive
    ExclusiveShow More
    Michael Saylor’s Strategy
    Why Michael Saylor’s Strategy Is Selling Bitcoin After Years of Buying
    Anthropic’s Claude Fable 5 Crypto Hacks
    Anthropic’s Claude Fable 5: The AI That Could Supercharge Crypto Hacks and Defenses
    CLARITY Act Stalls Why Senate's August Recess Puts US Crypto Rules at Risk
    CLARITY Act Stalls: Why Senate’s August Recess Puts US Crypto Rules at Risk
    Three Stories, One Pattern Why Binance Is Having Its Worst Week Since the Pardon
    Three Stories, One Pattern: Why Binance Is Having Its Worst Week Since the Pardon
    Coinbase India Head Addresses Re-Entry Launch Glitches and the 12-Month Roadmap
    Coinbase India Head Addresses Re-Entry Launch Glitches and the 12-Month Roadmap
  • Opinion
    OpinionShow More
    The Bitcoin Treasury Blueprint What Stress Testing on Strategy Inc.’s MSTR-STRC Reveals
    The Bitcoin Treasury Blueprint: What Stress Testing on Strategy Inc.’s MSTR-STRC Reveals
    Why Wall Street is Divided Michael Saylor’s Scarcity vs. Tom Lee’s Staking Empire
    Why Wall Street is Divided: Michael Saylor’s Scarcity vs. Tom Lee’s Staking Empire
    The Arthur Hayes Paradox Macro Prophet or Market Opportunist
    The Arthur Hayes Paradox: Macro Prophet or Market Opportunist?
    RBI Denies Gold Sale Amid Oil Crisis: Could It Speed Up India's Digital Rupee Push?
    RBI Denies Gold Sale Amid Oil Crisis: Could It Speed Up India’s Digital Rupee Push?
    The CLARITY Act War Starts Jamie Dimon Vs Armstrong
    The CLARITY Act War Starts: Jamie Dimon Vs Armstrong
  • Learn
    • Explained
    • How To
    • Insights
  • Videos
  • More
    • About Us
    • Our Authors
    • Contact Us
    • Editorial Policy
The Crypto TimesThe Crypto Times
  • All News
  • Market
  • Bitcoin
  • Ethereum
  • Altcoins
  • Regulations & Policies
  • Blockchain
  • DeFi
  • Industry
  • Exclusive
  • Opinion
Search
  • News
    • Market
    • Bitcoin
    • Ethereum
    • Altcoins
    • Regulations & Policies
    • Blockchain
    • DeFi
    • Industry
    • Exclusive
    • Opinion
  • Learn
    • Explained
    • How To
    • Insights
  • Quick Links
    • About Us
    • Our Authors
    • Contact Us
    • Editorial Policy
    • AI Policy
    • Sponsored & Advertorial Policy
  • Videos
  • Glossary
Follow US
© 2026 By Crypto Times. All Rights Reserved.
DeFi News

Crypto User Loses $999,999 in USDT to a Single Phishing Signature

One malicious signature was all it took — and the automated script behind it was clinical enough to retry and empty the wallet down to the last dollar.

Written By Dhara Chavda
Edited by Divya Mistry
Published 1 hour ago·Updated 32 minutes ago
Make The Crypto Times preferred on GoogleGoogle
Share
Crypto User Loses $999,999 in USDT to a Single Phishing Signature
Show AI Summary
A crypto user lost $999,999 in USDT after signing a malicious token approval, which triggered an automated script to drain their wallet in 36 seconds.
The attack began with a failed attempt to pull $1,000,000, but the script adjusted and pulled the exact remaining balance, highlighting the precision of automated wallet-draining attacks.
The theft occurred in two stages: the initial approval phishing and the subsequent automated draining, demonstrating the mechanical precision and speed of these attacks.

A single phishing signature has cost one crypto user $999,999 in USDT, according to the Web3 anti-scam firm Scam Sniffer, in a theft whose clinical execution underscores just how automated and precise wallet-draining attacks have become.

One signature, and a drainer that didn’t miss

The loss, flagged by Scam Sniffer and visible on-chain, followed the victim signing a malicious token approval on Ethereum, the kind of authorization that hands an attacker permission to move a wallet’s tokens. What makes this case a striking illustration is the mechanical precision of what happened next.

🚨 Someone lost $999,999 in USDT after signing a phishing token approval on Ethereum. 🎣

victim: 0x8c949361b49320c48a51f4b1c6f9f83862530f89
tx: https://t.co/54YXrwiVBi

🧵 pic.twitter.com/hnHPeQjNML

— Scam Sniffer | Web3 Anti-Scam (@realScamSniffer) July 9, 2026

The attacker’s automated script first attempted to pull around $1,000,000 from the wallet. That transaction failed because the wallet actually held about $631 less than a full million—the script had asked for more than was there. Rather than give up, the drainer simply adjusted.

Thirty-six seconds later, Scam Sniffer reported, the script recalculated and pulled the exact remaining balance, sweeping the wallet down to essentially nothing and leaving the victim with a loss of $999,999. It is a small detail with a chilling implication: these are not clumsy smash-and-grabs but automated systems that monitor, retry, and optimize in real time to extract the maximum possible amount.

How approval phishing works, and why it’s so dangerous

The attack vector at work here is one of the most common and most misunderstood in crypto, and understanding it is the best defense against it. Unlike a traditional hack, this kind of theft never touches the victim’s password or seed phrase. Instead, it exploits a routine, legitimate feature of tokens like USDT: the “approval.”

When a user interacts with a decentralized application, they are often asked to sign an approval, technically an approve or Permit authorization, that grants a smart contract permission to spend a certain amount of their tokens. This is a normal part of using DeFi.

The danger is that phishing sites disguise a malicious version of this request as something harmless: a fake airdrop claim, an NFT mint, or a “verify wallet” or “login” prompt. The victim, believing they are doing something routine, signs — and in doing so grants the attacker’s contract an allowance, often an unlimited one, over their tokens. From that moment, the thief does not need the victim’s keys or any further action; they can move the authorized funds whenever they choose.

The introduction of gasless signature mechanisms has made this even more insidious, because a malicious approval can be presented as a free, gas-less “signature” that many users assume carries no risk. Once the funds are gone, the transaction is irreversible; there is no bank to call and no chargeback to file.

‘Whale hunting’: the 2026 trend, and how to stay safe

This near-million-dollar loss is not an anomaly but a symptom of a deliberate strategic shift. According to Scam Sniffer data, signature-phishing losses jumped 207% in January 2026 compared with the month before, even as the total number of victims fell by around 11%. That combination points to what security researchers call “whale hunting”—attackers concentrating their efforts on fewer, wealthier wallets, where a single successful signature can yield six or seven figures rather than a few hundred dollars.

The tooling behind these attacks has industrialized into “Drainer-as-a-Service,” where developers rent out ready-made draining kits to lower-level scammers in exchange for a cut, complete with the kind of automated, self-correcting scripts on display in this theft.

The defenses, fortunately, are concrete. Before confirming any signature, users should rely on a wallet that simulates the transaction and shows exactly what it will do — if a prompt to “claim a free NFT” actually reads as authorizing the transfer of your USDT, that is the moment to abort.

Approvals should be treated as ongoing liabilities, not one-time clicks: tools that let users review and revoke standing token allowances can close off the permissions that make these drains possible, and doing so periodically is sound hygiene. Large holdings are safest in a hardware wallet that never interacts with random applications, with a separate low-value “burner” wallet used for airdrops and unfamiliar sites. And any unexpected request to sign, especially one framed as urgent verification, deserves suspicion rather than a reflexive click.

A final caution applies to anyone who has already been hit: victims are frequently targeted a second time by “recovery” services that promise, for an upfront fee, to retrieve stolen crypto. These are almost always a second scam preying on the first, and legitimate recovery never begins with a stranger demanding payment. The uncomfortable truth this case illustrates is that in self-custody, a single careless signature can be as costly as handing over the keys outright — and the scripts waiting on the other side are built to make sure nothing is left behind.

Also Read: Ledger and Trezor Users Are Being Tricked Into Giving Away Millions

Disclaimer: The information researched and reported by The Crypto Times is for informational purposes only and is not a substitute for professional financial advice. Investing in crypto assets involves significant risk due to market volatility. Always Do Your Own Research (DYOR) and consult with a qualified Financial Advisor before making any investment decisions.

Follow The Crypto Times on Google News to Stay Updated!      Google News

TAGGED:Crypto ScamTether
Share This Article
Whatsapp Whatsapp LinkedIn Telegram Copy Link

Latest News

Robinhood Chain Active Addresses Hit Record High Amid Meme Coin Frenzy
Robinhood Chain Active Addresses Hit Record High Amid Meme Coin Frenzy
India’s ED Raids West Bengal in Crypto Investment & Chit Fund Fraud Probe
India’s ED Raids West Bengal in Crypto Investment & Chit Fund Fraud Probe
Hyundai Card Completes Stablecoin Cross-Border Transfer Test
Hyundai Card Completes Stablecoin Cross-Border Transfer Test
Why Stablecoins Kept Working When Venezuela's Banking System Didn't
Why Stablecoins Kept Working When Venezuela’s Banking System Didn’t
Circle Faces Criminal Complaint Over Refusal to Return Stolen USDC
Circle Faces Criminal Complaint Over Refusal to Return Stolen USDC 

Find Us on Socials

You may also like

Gate Denies Security Breach After User Claims $1.7M Loss 

Gate Denies Security Breach After User Claims $1.7M Loss 

Hyperliquid Token Buybacks Chip Away at Supply as Revenue Outstrips Ethereum’s Burn Rate

Hyperliquid Token Buybacks Chip Away at Supply as Revenue Outstrips Ethereum’s Burn Rate

Robinhood Chain Tops $100 Million TVL a Week After Launch

Robinhood Chain Tops $100 Million TVL a Week After Launch

CFTC Sues North Carolina Firm Over $14M Commodity Pool Fraud

CFTC Sues North Carolina Firm Over $14M Commodity Pool Fraud

The Crypto Times Logo PNG

Providing real-time, accurate Crypto reporting. Your trusted source for Crypto News and Research.

Stay Updated

All News
Exclusive
Opinions
Learn
Videos
Glossary

Company

About Us
Our Authors
Editorial Policy
AI Policy
Advertorial Policy

Get In Touch

Contact Us
Career

Find Us on Socials

X-twitter Linkedin Telegram Youtube Instagram

© 2026 The Crypto Times | A BITROCK TECHNOLOGIES L.L.C. Company.

DMCA.com Protection Status
  • Terms and Conditions
  • Disclaimer
  • Privacy Policy
  • Cookie policy
Do Not Sell or Share My Personal Information