A crypto user lost $999,999 in USDT after signing a fraudulent token approval on Ethereum. Etherscan data shows the attacker split the stolen funds into three transactions, which landed in Ethereum blocks 25489460 and 25489463 within minutes of the signature. The victim’s identity has not been made public, and no private keys were touched. The attacker only needed a signature.

How One Signature Gave Away Unlimited Access
Token approval phishing does not require a victim’s private keys. Instead, it tricks a wallet owner into signing a request that grants a smart contract broad access to a specific token. Once signed, that access stays active until the owner manually revokes it, sometimes for months or years.
In this case, the victim’s wallet held an unlimited allowance for the token. That gave the attacker room to move the full amount without asking for any further confirmation. The attacker used Multicall functions to bundle several actions into a single transaction, which let them drain the approved USDT in seconds and split it into three separate outputs almost immediately.
The wallet’s private keys were never at risk. As a result, standard wallet alerts rarely catch this type of exploit. The only signal was the approval itself, and by the time it mattered, the funds were already gone.
What This Means for Ethereum Wallet Holders
An old, unused approval sitting in your wallet right now can be just as dangerous as a phishing link you click today. The fix does not require moving funds or switching wallets. Tools like Etherscan’s Token Approval Checker let you see all active allowances tied to your address and revoke those you no longer need. Our guide to common crypto scams breaks down other tactics to watch for beyond token approvals.
The Approval Habit Still Draining Wallets
No exploit was needed to pull off this theft. A single signature did the job. A fake Uniswap phishing site drained roughly $400,000 from several wallets in May 2026 after visitors approved a malicious contract. A fake airdrop approval scam hit a HyperSwap user this month, draining the wallet within seconds of a single click.
In January, a similar token approval scam used fake two-factor prompts to bypass users’ suspicions during a separate phishing campaign tied to the OpenClaw token. Wallet providers keep adding warnings and interface changes, but none of them replace the need to actually read what a signature authorizes before signing.
What this means for you: if you have ever approved a token on Ethereum and forgotten about it, that approval is still active, and it will remain active until you check a token approval tool and revoke it yourself.


















