USDT Phishing Attack Drains User’s Ethereum Wallet of $999,999

2–3 minutes

Last Updated:

July 10, 2026

Illustration of a USDT phishing attack with a fake token approval prompt and a hacker.

USDT Phishing Attack Drains User’s Ethereum Wallet of $999,999

Illustration of a USDT phishing attack with a fake token approval prompt and a hacker.

USDT Phishing Attack Drains User’s Ethereum Wallet of $999,999

A crypto user lost $999,999 in USDT after signing a fraudulent token approval on Ethereum. Etherscan data shows the attacker split the stolen funds into three transactions, which landed in Ethereum blocks 25489460 and 25489463 within minutes of the signature. The victim’s identity has not been made public, and no private keys were touched. The attacker only needed a signature.

image1 12

How One Signature Gave Away Unlimited Access

Token approval phishing does not require a victim’s private keys. Instead, it tricks a wallet owner into signing a request that grants a smart contract broad access to a specific token. Once signed, that access stays active until the owner manually revokes it, sometimes for months or years.

In this case, the victim’s wallet held an unlimited allowance for the token. That gave the attacker room to move the full amount without asking for any further confirmation. The attacker used Multicall functions to bundle several actions into a single transaction, which let them drain the approved USDT in seconds and split it into three separate outputs almost immediately.

The wallet’s private keys were never at risk. As a result, standard wallet alerts rarely catch this type of exploit. The only signal was the approval itself, and by the time it mattered, the funds were already gone.

What This Means for Ethereum Wallet Holders

An old, unused approval sitting in your wallet right now can be just as dangerous as a phishing link you click today. The fix does not require moving funds or switching wallets. Tools like Etherscan’s Token Approval Checker let you see all active allowances tied to your address and revoke those you no longer need. Our guide to common crypto scams breaks down other tactics to watch for beyond token approvals.

The Approval Habit Still Draining Wallets

No exploit was needed to pull off this theft. A single signature did the job. A fake Uniswap phishing site drained roughly $400,000 from several wallets in May 2026 after visitors approved a malicious contract. A fake airdrop approval scam hit a HyperSwap user this month, draining the wallet within seconds of a single click. 

In January, a similar token approval scam used fake two-factor prompts to bypass users’ suspicions during a separate phishing campaign tied to the OpenClaw token. Wallet providers keep adding warnings and interface changes, but none of them replace the need to actually read what a signature authorizes before signing.

What this means for you: if you have ever approved a token on Ethereum and forgotten about it, that approval is still active, and it will remain active until you check a token approval tool and revoke it yourself.

Join our growing community

David Constantino

Author

David is a crypto enthusiast, airdrop farmer, and blog writer with a focus on discovering and analyzing new token launches and blockchain projects. He explores the latest trends, shares actionable insights, and guides readers through opportunities in the fast-paced world of digital assets.