Ethereum User Loses $999,999 USDT to ERC-20 Approval Scam

What You Need to Know
- User lost $999,999 in USDT after signing malicious ERC-20 token approval on Ethereum.
- Attacker’s automated script recalculated available balance in 36 seconds after initial attempt failed.
- ERC-20 token approvals persist indefinitely until manually revoked, creating dormant attack surface.
- Malicious approval attacks scaled across multiple incidents, including fake Uniswap and HyperSwap drains.
A user lost exactly $999,999 in USDT on Ethereum after signing a malicious ERC-20 token approval, and the blockchain did precisely what it was designed to do: execute the instruction.
Blockchain security firm Scam Sniffer documented the incident, including a detail that reveals how automated these operations have become. The attacker’s first attempt, requesting a round $1,000,000, failed because the wallet held $631 less than that. Thirty-six seconds later, the script recalculated the available balance and drained it completely. The stolen funds moved across two Ethereum blocks, split into three transactions via Ethereum’s Multicall function, which bundles multiple actions into one call and compresses the window a victim has to react and revoke access.
No private keys were stolen. No protocol was exploited. Every transaction was valid.
How a Legitimate Feature Became the Attack Surface
ERC-20 token approvals are a foundational mechanic of Ethereum’s DeFi ecosystem. When a user interacts with a decentralized exchange or lending protocol, they grant a smart contract permission to move tokens on their behalf. The approval persists until manually revoked, which most users never do. That persistence is the vulnerability: a single signed permission, granted once in a moment of inattention, can sit dormant until an attacker is ready to use it.
This attack pattern is not new, but it is scaling. Scam Sniffer also flagged a May 2026 incident in which a site impersonating Uniswap drained approximately $400,000 after users approved a malicious contract, and a separate fake HyperSwap airdrop that used the same mechanic to empty wallets within seconds. The common thread is not a code vulnerability but a UX one: approval prompts across wallets and interfaces are often opaque, showing contract addresses rather than plain-language descriptions of what is being authorized.
The Uniswap impersonation case is the sharper precedent here. Uniswap is one of the most recognized interfaces in DeFi, and if users with enough sophistication to use it are still being caught by fake approval flows, the problem is structural, not just educational.
What Hardware Wallets Cannot Fix
The instinct after a story like this is to recommend hardware wallets, and Scam Sniffer does exactly that. The caveat matters: hardware wallets protect private keys, not judgment. A Ledger or Trezor will faithfully sign a malicious approval if the user confirms it. The device has no way to evaluate whether the contract on the other end is legitimate.
That gap is what makes approval-based phishing particularly effective at this stage of the cycle. Retail participation is up, interfaces have multiplied, and airdrop culture encourages users to interact with unfamiliar contracts quickly, before allocations run out. The urgency is manufactured, but it works.
Scam Sniffer’s recommendations are practical: review every signature request, verify the contract address and permission scope before confirming, and periodically revoke unused or unlimited approvals using dedicated revocation tools. The last step is the one most users skip entirely, leaving a long tail of active permissions attached to wallets they consider secure.
The $999,999 loss is a clean number that will circulate, but the mechanism behind it affects anyone who has ever approved a token on Ethereum without checking what they were actually authorizing. That is most users.
0 Comments