Kucoin
Trader Loses $1M in Ethereum Phishing Attack via Permit2 Exploit
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
A trader lost approximately $1 million in a phishing attack that exploited Uniswap's Permit2 feature. The attack involved the victim signing a fraudulent token approval request, which granted a malicious contract access to their wallet. This method does not require a protocol hack or zero-day exploit, as it relies on social engineering to deceive users into signing harmful transactions. The attackers quickly drained the funds, splitting them into three transactions to evade detection. This incident is part of a broader trend of approval phishing, with Chainalysis reporting at least $14 billion in onchain scams in 2025. CertiK data indicates that phishing and social engineering accounted for $370 million in losses in January 2026 alone. The risk is heightened as phishing sites increasingly mimic legitimate DeFi interfaces. Users are advised to utilize wallet revocation tools and verify contract addresses before signing any approvals.
Key Points: • A trader lost $1 million due to a phishing attack exploiting Uniswap's Permit2 feature. • The attack involved signing a fraudulent token approval, allowing attackers to drain funds quickly. • Phishing and social engineering accounted for $370 million in crypto losses in January 2026.