Trader Loses 999,999 USDT in Approval Scam
A crypto user lost 999,999 USDT after signing a phishing token approval on Ethereum, giving scammers permission to drain almost the entire wallet balance.
The incident was flagged by blockchain security firm Scam Sniffer and adds to a series of large losses tied to malicious wallet signatures.
Failed $1M Drain Recalculated the Balance
The attacker first tried to drain a rounded $1 million from the wallet through multicall transactions. That attempt failed because the wallet held slightly less than the requested amount. Seconds later, the attacker adjusted the figure and pulled the exact remaining balance.
Scam Sniffer said the script recalculated the wallet balance before the successful transfer. That indicated the theft was automated, rather than a slow manual withdrawal after the user signed. The stolen funds were taken in follow-up transfers after the approval was granted. On-chain reports said the victim lost 999,999 USDT, almost the full balance available to the attacker.
Token Approval Gave Attacker Spending Rights
The case was not reported as a private key compromise. Instead, the victim signed a token approval that allowed a malicious spender to move USDT from the wallet. Once that permission existed, the attacker could transfer approved funds without asking the user to sign each withdrawal.
Approval phishing remains dangerous because wallet prompts can look like routine permission requests for a token, app or verification step. In this case, one signed approval was enough to give the attacker access to the user’s USDT balance.
Phishing Caused $366M in First-Half Losses
The incident comes as phishing remains one of the costliest attack types in crypto. CertiK’s first-half security report said phishing accounted for about $366 million in losses in the first six months of 2026. That made it the second-costliest incident category behind access-control failures.
Recent cases show a similar pattern across different assets and wallets. Users are tricked into signing approvals, permit messages or malicious contract interactions, and automated drainers move quickly once permission is granted.
Security Firms Warn Over Approval Signatures
Security firms continue to advise users to inspect signature requests before approving them. That includes checking the contract, the token being approved, the spender address and whether the permission is unlimited or larger than expected.
Users are also advised to revoke unused approvals through trusted wallet or blockchain tools. The latest loss shows how one approval signature can be enough to drain a wallet if it gives a malicious contract permission to spend tokens.