A trader lost over $1.28 million worth of cryptocurrencies after signing a malicious permit transaction.
According to blockchain security firm PeckShieldAlert, on Oct. 14, a cryptocurrency investor lost 108 billion PEPE, 73.8 million APU, and 165,000 MSTR tokens after getting tricked into signing a phishing permit signature transaction.
This is called an approval phishing attack which transfers control of a victim’s wallet to the attacker, allowing scammers to drain the stored assets.
In this case, the victim’s wallet, identified by “0xb0b..40c7,” lost roughly $1.2 million worth of cryptocurrencies across six transactions within a few minutes, with the stolen assets distributed across multiple addresses controlled by the attackers.
One of the addresses, labeled as “Fake_Phishing442846”, was involved in a separate attack two weeks ago with the affected wallet losing over $32 million worth of spWETH tokens after signing a similar malicious transaction.
At the time, blockchain intelligence firm Arkham reported that the attack was executed using Inferno Drainer, a multi-chain cryptocurrency scam service provider. As such, it is likely that the bad actors behind the recent attack also employed the scam toolkit.
For those unaware, Inferno Drainer is a subscription-based phishing-as-a-service tool that allows criminals to create malicious websites and applications to trick users into signing over control of their wallets. The developers charge scammers 30% for making phishing websites and another 20% for each successful attack.
To date, Inferno Drainer has targeted several crypto-related projects, managing to steal $237,775,036 from over 200,000 victims per Dune analytics data. On Nov. 26, 2023, the developers announced plans to sunset the service indefinitely. However, the toolkit resurfaced in May 2024, driven by renewed demand from its “customers.”
Phishing attacks have become a growing threat in the cryptocurrency space, with one of the leading reasons behind victims’ losses being approval phishing attacks. According to an August report by Chainalysis, these attacks have siphoned off over $2.7 billion since 2021.
Last week, a wallet reportedly linked to a venture capital fund lost over $35 million worth of fwDETH tokens after signing a dubious permit signature.
In its Q3 report, blockchain security firm CertiK labeled phishing as the most damaging attack vector for the quarter, with losses amounting to $343.1 million across 65 incidents.