A cryptocurrency investor has lost approximately $1.76 million worth of USDC in a sophisticated phishing attack after unknowingly signing a malicious Permit approval signature on the Ethereum network. The incident was first flagged by blockchain security platform GoPlus Security, which detected the suspicious transaction patterns earlier today. According to real-time monitoring data, the victim signed a malicious Permit message, a gasless approval mechanism widely used in decentralized finance (DeFi). Once the attacker had the signature, they could move the victim’s tokens without any additional confirmation from the wallet holder.
The stolen funds consisted of approximately 1.76 million USDC, making it one of the larger permit-based phishing incidents reported in recent months.

Key Details of the Attack
- Victim Wallet Address: 0x051bb76Ff78366de530E293FdB1158c2079ab664 (Ethereum Mainnet)
- Total Loss: ~$1.76 million USDC
- Attack Method: Malicious Permit signature allowing the attacker to execute transferFrom transactions
- Timeline: The phishing signature was signed approximately 8–10 hours before the attack was detected, after which the funds were rapidly drained.
Suspected Attacker Wallets
Security researchers identified several addresses linked to the phishing operation. Users are strongly advised not to interact with these wallets:
- 0xAfb2423F447D3e16931164C9970B9741aAb1723E
- 0x6fE314fD4CF845f35fc461eD98e2FB8d9356B566
- 0xf1A50bbebA19a85dB20432c6c201aa89604dfd2B
- 0x9F6f1ac48E4c7E53495A99ce49974Cd1914fE17E
Blockchain records show the funds were quickly transferred through multiple wallets shortly after the drain, following patterns commonly observed in phishing-related exploits.
Why Permit-Based Scams Are So Effective
Permit-based approvals are commonly implemented through EIP-2612, which allows users to authorize token spending through off-chain signatures instead of paying gas fees for traditional on-chain approvals. While this mechanism improves convenience and reduces transaction costs, it has increasingly become an attractive attack vector for phishing campaigns.
Scammers often trick victims by presenting fake airdrop claims, phishing wallet-connection pages, fraudulent DeFi dashboards, or misleading signature prompts that appear harmless. Once a user signs the message, attackers can submit the signed approval to the blockchain and execute transferFrom transactions, allowing them to drain the victim’s tokens without requiring any further interaction from the wallet owner.
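The signature prompt described above reaches the wallet as an EIP-712 typed-data request whose message carries the EIP-2612 Permit fields (owner, spender, value, nonce, deadline). The following is an added example, not code from GoPlus Security or any wallet, of a pre-signing check that recognizes such a request and lists what it would grant. The function name, the trustedSpenders allowlist, the one-hour deadline threshold and all sample addresses are assumptions made for illustration.

```javascript
// Added example: review an eth_signTypedData_v4 payload for EIP-2612 Permit risk.
const MAX_UINT256 = (1n << 256n) - 1n;
const PERMIT_FIELDS = ['owner', 'spender', 'value', 'nonce', 'deadline'];

// trustedSpenders is a hypothetical user-maintained allowlist of spender contracts.
function reviewSignatureRequest(typedDataJson, nowSeconds, trustedSpenders = []) {
  const req = JSON.parse(typedDataJson);
  const msg = req.message || {};
  const isPermit = req.primaryType === 'Permit' &&
    PERMIT_FIELDS.every((f) => msg[f] !== undefined);
  if (!isPermit) return { isPermit: false, warnings: [] };

  const warnings = ['signature grants a token allowance; no on-chain tx from you is needed'];
  const trusted = trustedSpenders.map((a) => a.toLowerCase());
  if (!trusted.includes(String(msg.spender).toLowerCase())) {
    warnings.push(`spender ${msg.spender} is not on your trusted list`);
  }
  const value = BigInt(msg.value);
  if (value === MAX_UINT256) warnings.push('allowance is unlimited (2^256 - 1)');
  // Threshold of one hour is an arbitrary choice for this example.
  if (BigInt(msg.deadline) - BigInt(nowSeconds) > 3600n) {
    warnings.push('deadline is more than one hour away; signature stays usable until then');
  }
  return {
    isPermit: true,
    token: req.domain && req.domain.verifyingContract, // contract the allowance applies to
    spender: msg.spender,
    value: value.toString(),
    warnings,
  };
}

// Constructed sample request; all addresses are placeholders, not from the incident.
const SAMPLE_REQUEST = JSON.stringify({
  primaryType: 'Permit',
  domain: { name: 'Example Token', version: '1', chainId: 1,
            verifyingContract: '0x1111111111111111111111111111111111111111' },
  message: {
    owner: '0x2222222222222222222222222222222222222222',
    spender: '0x3333333333333333333333333333333333333333',
    value: MAX_UINT256.toString(),
    nonce: '0',
    deadline: '1893456000',
  },
});

console.log(reviewSignatureRequest(SAMPLE_REQUEST, 1700000000));
```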
Security Reminder for Users
Security experts recommend that cryptocurrency users exercise caution when signing wallet messages. Carefully reviewing signature requests, avoiding unknown or suspicious websites, using security tools that simulate transaction risks before signing, and periodically revoking unnecessary token approvals are key safety practices. Meanwhile, DeFi platforms have also faced other security challenges recently. For example, the Venus Protocol recently dealt with an exploit that left the platform with around $2.15 million in bad debt after a token price crash.













