TL;DR
- A user lost nearly $1 million after signing a fraudulent token approval on Ethereum, in a new case of onchain phishing.
- Phishing losses reached $723 million across 248 incidents during 2025, according to data from security firm CertiK.
- Chainalysis reported that onchain scams generated at least $14 billion in losses in 2025, with approval phishing being the most recurring attack vector.
A trader lost nearly $1 million last Wednesday after signing a malicious token approval on the Ethereum network, according to onchain data published by security firm Scam Sniffer.
The incident was based on a phishing attack via approval tokens, a tactic that has already caused losses of $366 million in the first half of the year alone. The attackers first attempted to drain exactly $1 million through multicalls, but failed due to insufficient funds. Seconds later, a script recalculated the available balance and extracted the remaining $999,999 in three consecutive transactions.
🚨 Someone lost $999,999 in USDT after signing a phishing token approval on Ethereum. 🎣
victim: 0x8c949361b49320c48a51f4b1c6f9f83862530f89
tx: https://t.co/54YXrwiVBi🧵 pic.twitter.com/hnHPeQjNML
— Scam Sniffer | Web3 Anti-Scam (@realScamSniffer) July 9, 2026
Phishing Can Steal Millions in Seconds
This type of attack operates through social engineering: the victim signs what appears to be a minor transaction, but in reality grants the attacker unlimited access to their wallet’s funds. “The approval gave the attackers unlimited access, which allowed an automated sweeper to steal all the funds,” explained researcher Ryan Coleman. Earlier in July, another user had lost $1.65 million after connecting to a fake exchange and signing a malicious contract in a similar scheme.
According to CertiK, phishing attack losses reached $723 million across 248 incidents during 2025. Chainalysis, for its part, reported that onchain scams generated at least $14 billion in losses that year, with investment scams being the dominant category and approval phishing the frequent execution mechanism. “Scammers reuse the same wallets, legitimate contract approval functions and cash-out routes across victims, which means that each report exposes a broader network,” noted Renato Bastos, senior researcher at Chainalysis.
Address Poisoning
Another highly dangerous vector is address poisoning. Attackers generate wallets with addresses nearly identical to those of their targets and send small amounts of funds to induce copy errors. In June, MetaMask launched a real-time detection tool that compares each pasted address against the user’s previous interaction history. Scam Sniffer recommended verifying all signature requests before approving them, avoiding transactions made under pressure, and using scam detection extensions.






