Ethereum user loses $440,358 in USDC after malicious permit exploit

Phishing Attacker Drains Wallet Through Fraudulent Approval

A cryptocurrency user has lost $440,358 in USD Coin (USDC) on the Ethereum network after unknowingly approving a fraudulent "permit" signature. This malicious approval granted an attacker full spending rights to the user's wallet, allowing them to drain the funds. The incident was confirmed by the Web3 security platform Scam Sniffer.

The victim, whose wallet address is 0x67E8561Ba9d3f4CBe5fEd4C12c95b54f073a0605, approved a transaction that facilitated this exploit. Scam Sniffer identified that the stolen funds were subsequently sent to two separate addresses: 0xbb4…666f682aF and 0x6a3aF6…d8F9a00B.

The attacker exploited a "permit" transaction, a type of signature that allows token transfers without requiring the owner to manually confirm each transaction. While the initial approval might not show any immediate movement of funds, it grants the attacker the ability to later specify the amount and execute the transfer without further consent. In this case, the attacker filled in the amount of $440,358.

Following the approval, the attacker invoked several "transferFrom" calls using the FiatTokenProxy contract, which is responsible for handling USDC transactions. Around 10 AM UTC on Monday, the funds were disbursed: 22,000 USDC was sent to an account labeled "Fake Phishing," $66.06K was transferred to address 0xbb4…666f682aF, and $352.3K was sent to 0x6a3aF6…d8F9a00B simultaneously.

victim:
0x67E8561Ba9d3f4CBe5fEd4C12c95b54f073a0605
scammers:
0xbb4223Ef4cCe93fB40beb62178aBE9A666f682aF
0x6a3aF6Cb51D52F32D2A0A6716a8EFF99d8F9a00Bhttps://t.co/GdyGP2iPYZ pic.twitter.com/IukksnpAl1
— Scam Sniffer | Web3 Anti-Scam (@realScamSniffer) December 8, 2025

This incident follows another significant phishing attack reported by Scam Sniffer on November 7, where a user lost $1.22 million in USDC and a PlaUSDT0 token. This loss occurred just 30 minutes after the user signed fraudulent permit messages.

According to Scam Sniffer's November phishing report, total losses from such incidents reached $7.77 million, marking an increase of 1137% compared to October's $3.28 million. Despite this surge in monetary losses, the number of victims decreased by 42%, with 6,344 affected users in November compared to 10,935 in the previous month.

In a separate incident approximately a week prior, hackers employed an "address poisoning" technique to steal 1.1 million USDT on Ethereum. Kyle Soska, CIO of Ramiel Capital, explained that attackers monitor small outbound transfers from large wallets ("whale wallets") and then use GPU-powered systems to generate addresses that closely resemble legitimate ones. Soska elaborated that the attacker sends a very small tether transaction to the victim, causing a look-alike address to appear in the victim's wallet's recent activity list. The victim then inadvertently selects this fraudulent address when attempting to send a larger sum.

Holiday Season Sees Surge in Impersonation Scams

The rise in crypto-related phishing incidents coincides with an increase in digital scams during the holiday shopping season. Darktrace, a cybersecurity firm that monitors global consumer phishing trends, reported a 201% increase in scams impersonating major US retailers in the week leading up to Thanksgiving, compared to the same week in October.

Emails spoofing retailers such as Macy's, Walmart, and Target saw a 54% increase in a single week. Amazon was the most frequently impersonated company, accounting for 80% of phishing attempts, surpassing other digital consumer brands like Apple, Alibaba, and Netflix.

In early November alone, Kaspersky detected 146,535 spam emails referencing seasonal discounts, including 2,572 related to Singles' Day campaigns. These messages often reused templates from previous years, with scammers mimicking major retailers like Amazon, Walmart, and Alibaba to advertise early-access sales. These fake sales redirected users to fraudulent checkout pages designed to steal credentials and execute malicious approvals.

Data from the Kaspersky Security Network (KSN) indicates that between January and October, the company blocked 6,394,854 phishing attempts targeting online stores, banks, and payment systems. Nearly half of these attempts, specifically 48.2%, were directed at online shoppers.

During the same period, Kaspersky identified over 20 million attacks on gaming platforms. A significant portion of these, 18.56 million, involved abusing Discord, which the company identified as a distribution point for malicious files disguised as gaming software.

Entertainment platforms also experienced intense targeting. Kaspersky recorded 801,148 Netflix-themed and 576,873 Spotify-related phishing attempts in 2025. Additionally, the company documented 2,054,336 phishing attempts impersonating gaming platforms such as Steam, PlayStation, and Xbox.

Furthermore, Kaspersky recorded 20,188,897 attempted malware infections disguised as "common software." Discord accounted for the majority of these, with 18,556,566 detections, a figure more than 14 times higher than incidents reported in the previous year.