Crypto Whale lost more than $6 million in Staked Ethereum (Steth) and Aave-Wrapped Bitcoin (AethWBTC) after approving the malicious signature on its phishing scheme on September 18th.
The attackers disguised the move as a routine wallet confirmation with a “permission” signature, which tricked the victim into allowing the fund to be transferred without causing an obvious red flag.
Yu Xian, founder of Blockchain Security Company Slow Mist, pointed out that the victims are not aware of the dangers because there is no gas charge for transactions. He wrote:
“From the victim’s point of view, he clicked a few times to confirm the wallet’s pop-up signature request, didn’t spend a penny of gas and lost $6.28 million.”
How does permission work?
Authorization of permission was originally designed to simplify token transfers. Instead of submitting on-chain approval and paying for the fee, users can sign off-chain messages that approve the Spenders.
However, its efficiency created a new offensive surface for malicious players.
Once the user signs such permissions, the attacker can combine the two features. As authorizations are off-chained, the wallet dashboard does not show unusual activity until the funds move.
As a result, the asset will disappear once approval is performed on-chain and the token is redirected to the attacker’s wallet.
This loophole is becoming increasingly appealing to millions of malicious actors without the need for complicated hacking or high-cost gas wars.
Fishing loss
The latest theft highlights a widespread trend to escalate phishing campaigns.
Scam Sniffer reported that in August alone, the attacker stole $12.17 million from more than 15,200 casualties. That figure represents a 72% jump in losses compared to July.
The company said the most significant share of the losses in August came from three large accounts, accounting for nearly half of the total. This included one wallet that lost $3.08 million in one exploit.
Meanwhile, the company attributed the surge in losses to an increase in EIP-7702 batch signature fraud and direct transfers to malicious contracts.
With this in mind, security experts are urging crypto users to be cautious when interacting with wallet requests and deny requests to grant unlimited permissions to the wallet.