$440,000 hack exposes threat from "permit" scams on Ethereum

A hacker has stolen more than $440,000 in USDC after a wallet owner accidentally signed a malicious “permit” signature, according to a warning published Monday by anti-phishing platform Scam Sniffer.

The incident comes amid a sharp increase in damage from phishing attacks. In November alone, about $7.77 million was withdrawn from more than 6,000 victims—a 137 percent increase from October, although the number of victims fell by 42 percent.

According to the report, “whale hunting” continued to increase with the largest case reaching $1.22 million from just one permit signature, showing that although the number of cases decreased, the level of damage per victim increased significantly.

What is a Permit Scam?

Permit scams work by tricking users into signing a request that appears legitimate but actually grants the attacker the right to spend their tokens. Many malicious dApps disguise the content of the request, spoof contract names, or present signing prompts that look like routine operations.

If the user doesn’t double-check, that signature gives the attacker full permission to spend the ERC-20 token in the wallet. Once the allowance is granted, the attacker usually drains the funds immediately.

This method takes advantage of the permit function of ERC-20 tokens on Ethereum, which lets a token holder authorize spending by a trusted application with a signed message rather than an on-chain approval transaction. That convenience becomes a flaw when the signed authorization falls into the wrong hands.

A new interagency initiative has been launched to dismantle international crypto fraud networks, particularly “pig butchering” models that have caused billions of dollars in losses in recent years. Many agencies such as the DOJ, FBI, Secret Service and the US Treasury Department will coordinate to crack down on these criminal groups.

Why are permit scams difficult to recognize?

Tara Annison, head of product at Twinstake, said the danger is that an attacker can withdraw funds in a single transaction, or wait until the victim loads more tokens into the wallet, as long as the signature’s validity period was set long enough.

“The success of this type of scam lies in users signing something they don’t understand. It exploits subjectivity and human impulsivity,” she said.

She also said this is not a rare case. Many high-value phishing attacks often impersonate free airdrops, fake project websites, or fake security alerts to lure users into connecting wallets and signing transactions.

Crypto wallets increase alerts — but not enough

Wallets like MetaMask have added warnings for suspicious websites and now present transaction data in a more understandable format. Some other wallets also highlight high-risk operations. However, attackers keep changing tactics.

Harry Donnelly, founder of Circuit, warns that permission-based attacks are “quite common” and that users need to check the addresses they are sending to, the contracts involved, and especially the approval limits: in many cases bad actors ask for unlimited spending permissions.

How to protect yourself

Annison emphasizes that double-checking what you’re about to sign is still the most important line of defense:

  • Understand what actions will occur after signing
  • Check whether the function being called is correct for the operation you want
  • Don’t sign just because the dApp asks for it or because of the promise of receiving rewards

Many wallets have improved the interface to make it easier for users to understand, but it’s still up to the users themselves to be vigilant.
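The checks the article recommends (confirm the spender, the token contract, the allowance limit and the deadline before signing) can be carried out mechanically on the typed-data payload a dApp hands to a wallet. The script below is an added example written for this page, not code from Scam Sniffer, MetaMask or any other vendor named in the article. It assembles a constructed EIP-2612 `Permit` request with placeholder addresses, flags the warning signs the article describes (an unknown spender, an allowance of 2^256-1 meaning “unlimited”, a deadline so far in the future that the attacker can wait for more deposits, and a familiar token name on an unfamiliar contract address), and builds the calldata for `approve(spender, 0)`, the standard ERC-20 call that revokes an allowance that has already been granted. The allowlists of trusted spenders and token contracts are assumptions the user supplies; none of the addresses are real.

```python
"""Pre-signature inspection of an EIP-2612 Permit request (added example)."""
import json
import time

MAX_UINT256 = 2**256 - 1            # the "unlimited allowance" value
ONE_YEAR = 365 * 24 * 3600
# keccak256("approve(address,uint256)")[:4], the standard ERC-20 approve() selector
APPROVE_SELECTOR = "095ea7b3"
OWNER = "0x" + "11" * 20            # constructed placeholder wallet address


def build_permit_request(spender, value, deadline, token, name="USD Coin"):
    """Assemble a Permit typed-data payload (JSON) of the kind a dApp passes to a
    wallet via eth_signTypedData_v4. The EIP-712 'types' section is omitted because
    the inspector does not need it. All addresses are constructed placeholders."""
    return json.dumps({
        "primaryType": "Permit",
        "domain": {"name": name, "version": "2", "chainId": 1,
                   "verifyingContract": token},
        "message": {"owner": OWNER, "spender": spender, "value": str(value),
                    "nonce": "7", "deadline": str(deadline)},
    })


# Constructed malicious request: unknown spender, unlimited value, deadline
# thousands of years away, and the familiar name "USD Coin" on a contract
# address the user has never interacted with.
SAMPLE_REQUEST = build_permit_request(
    spender="0x" + "bb" * 20, value=MAX_UINT256, deadline=2**48,
    token="0x" + "aa" * 20)


def _to_int(v):
    """EIP-712 JSON carries uint256 values as decimal or 0x-prefixed hex strings."""
    s = str(v)
    return int(s, 16) if s.lower().startswith("0x") else int(s)


def inspect_permit(raw_json, known_spenders, known_tokens, now=None):
    """Return the findings a user should see before signing the request."""
    now = time.time() if now is None else now
    req = json.loads(raw_json)
    if req.get("primaryType") != "Permit":
        return {"risk": "n/a", "findings": ["not_a_permit"]}
    msg = req["message"]
    spender = msg["spender"].lower()
    token = req["domain"]["verifyingContract"].lower()
    value = _to_int(msg["value"])
    deadline = _to_int(msg["deadline"])

    findings = []
    if spender not in {a.lower() for a in known_spenders}:
        findings.append("unknown_spender")
    if token not in {a.lower() for a in known_tokens}:
        findings.append("unknown_token")      # name says USDC, address says otherwise
    if value == MAX_UINT256:
        findings.append("unlimited_value")    # attacker can take everything, now or later
    if deadline - now > ONE_YEAR:
        findings.append("long_deadline")      # attacker can wait for more deposits

    if "unknown_spender" in findings and (
            "unlimited_value" in findings or "long_deadline" in findings):
        risk = "high"
    elif findings:
        risk = "medium"
    else:
        risk = "low"
    return {"risk": risk, "findings": findings, "spender": spender,
            "token": token, "value": value, "deadline": deadline}


def revoke_calldata(spender):
    """ABI-encode approve(spender, 0): selector, address left-padded to 32 bytes,
    then a zero uint256. Sent to the token contract, it zeroes the allowance."""
    addr = spender.lower()
    addr = addr[2:] if addr.startswith("0x") else addr
    if len(addr) != 40:
        raise ValueError("address must be 20 bytes of hex")
    return "0x" + APPROVE_SELECTOR + addr.rjust(64, "0") + "0" * 64


if __name__ == "__main__":
    report = inspect_permit(SAMPLE_REQUEST, known_spenders=[],
                            known_tokens=["0x" + "cc" * 20])
    print(json.dumps(report, indent=2))
    if report["risk"] != "low":
        print("if already signed, revoke with calldata:",
              revoke_calldata(report["spender"]))
```

The inspector deliberately keys on the contract address rather than the `domain.name` string, because the name is chosen by whoever deploys the contract and is exactly what a spoofed request will get right. A permit with a modest value, a deadline minutes away and a spender the user already trusts produces no findings; the constructed request above produces all four.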

According to Martin Derka, co-founder of Zircuit Finance, the possibility of getting the money back is “almost zero”.

He said that in phishing attacks, the victim does not know who the other person is, there is no point of contact, and the attacker always has only one goal: take the money and disappear. “Once the money is gone, it’s gone,” he said.

Thach Sanh
