Trader loses $1M to onchain scammers via phishing token approval
A Uniswap Permit2 exploit drained a trader's wallet, highlighting approval phishing as one of crypto's most persistent and underestimated threats
One trader is out roughly $1 million after falling victim to a phishing attack that weaponized Uniswap’s Permit2 feature. The attack didn’t require a protocol hack or a zero-day exploit. The trader simply signed something they shouldn’t have.
How a single signature drains a wallet
Permit2 is a token approval contract introduced by Uniswap to streamline how users grant spending permissions across decentralized apps. Instead of approving each token interaction separately, Permit2 lets you sign a single off-chain message that covers multiple tokens at once.
In this attack, the trader was tricked into signing a Permit2 message that handed a malicious contract the keys to their wallet. No second prompt, no confirmation screen, no warning. The funds left quietly.
A separate incident saw a holder of the $VIRTUAL token lose around $196,000 through the same category of attack. Different wallet, different token, same mechanic: one bad signature, total loss.
A $14 billion problem that keeps growing
According to Chainalysis’s 2026 Crypto Crime Report, onchain scams netted at least $14 billion in 2025, up from $12 billion in 2024.
CertiK’s data adds further texture to the scale. In January 2026 alone, phishing and social engineering accounted for $370 million in total crypto losses. A single incident that month contributed $284 million of that figure.
Approval phishing has been quietly building its resume since 2021. Over $1 billion has been reported stolen via this specific method in the years since.
Wallet drainer losses fell to approximately $84 million in 2025, an 83% decline year-over-year, suggesting that targeted interventions against drainer infrastructure are working. The bad news is that approval phishing doesn’t rely on the same infrastructure.
Operation Atlantic, conducted in April 2026, resulted in the freezing of approximately $12 million tied to approval phishing schemes.
Why Permit2 raises the stakes
Traditional ERC-20 approvals require an on-chain transaction for each token, each protocol. Permit2 removes those checkpoints in favor of a single signed message, which means a single compromised signature can expose a user’s entire portfolio to a malicious contract.
Phishing sites now routinely impersonate legitimate DeFi interfaces, airdrop claim pages, and NFT minting portals, all designed to surface a convincing-looking Permit2 signature request.
What investors and traders should actually do
Wallet revocation tools like Revoke.cash allow users to audit and cancel outstanding token approvals, including Permit2 permissions. Running a regular revocation check, especially after interacting with new protocols or unfamiliar sites, limits the blast radius of any future mistake.
Verifying contract addresses before signing anything is non-negotiable. Phishing sites are often visually indistinguishable from the real thing. The contract address in the approval prompt is where the truth lives.
Hardware wallets add a physical confirmation layer that software wallets don’t, but they’re not a complete solution if the user still signs a malicious Permit2 message on a compromised site.