Ethereum User Loses $440,358 in USDC in Malicious Permit Exploit—Here’s How It Happened

A signature-based approval function turned into a six-figure nightmare for one Ethereum holder this week.
The exploit didn't need a password or a seed phrase. It bypassed traditional security by abusing a 'permit' function—a feature designed for convenience that instead opened a digital vault.
The Mechanics of the Heist
Think of a permit like a signed, blank check. It grants a smart contract a one-time allowance to move your tokens, all without a separate blockchain transaction. In this case, the signature got scooped up by a malicious actor. Once they had it, they simply cashed the check. The entire $440,358 in USDC vanished in moments.
Security Theater in DeFi
The incident highlights the razor's edge of user experience in decentralized finance. Features built for speed and low fees can introduce catastrophic risks. It's the crypto equivalent of leaving your bank card's signed authorization form on a park bench—a reminder that in the race for efficiency, security often takes a backseat. After all, what's a few hundred thousand dollars between anonymous strangers on the internet?
This isn't a flaw in the Ethereum protocol itself, but a stark lesson in interface risks. As the ecosystem pushes for mass adoption, the gap between technical capability and user safeguards keeps widening. The next wave of users won't care about cryptographic elegance—they'll care about not getting cleaned out.
Phishing attacker signs off on $440K USDC transfer from victim
According to blockchain data from Etherscan, the attacker relied on a “permit” signature: a signed message that grants a spender an allowance over the owner’s tokens without the owner submitting an on-chain transaction. No money appears to move at the moment of signing, but whoever holds the signature can later draw on the allowance without further consent; in this case, $440,358 was taken.
Once approved, the attacker invoked several “transferFrom” calls using the FiatTokenProxy contract, which handles USDC transactions. At around 10 AM UTC Monday, 22,000 USDC was sent to a “Fake Phishing” account, $66.06K to address 0xbb4…666f682aF, and $352.3K to 0x6a3aF6…d8F9a00B simultaneously.
victim:
0x67E8561Ba9d3f4CBe5fEd4C12c95b54f073a0605
scammers:
0xbb4223Ef4cCe93fB40beb62178aBE9A666f682aF
0x6a3aF6Cb51D52F32D2A0A6716a8EFF99d8F9a00B
https://t.co/GdyGP2iPYZ pic.twitter.com/IukksnpAl1
— Scam Sniffer | Web3 Anti-Scam (@realScamSniffer) December 8, 2025
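The permit flow described above is a signing decision, so the defensive check belongs in the wallet before the signature is produced. The following is an added example, not code from the article or from any wallet or token project; it reviews an EIP-2612-style "Permit" typed-data request and flags the traits of a malicious one (an unfamiliar spender, an unlimited value, a deadline that never arrives). The allowlist, the addresses and the domain fields are constructed placeholders.

```javascript
// Added example (not the article's code): pre-signature review of a Permit request.
const UINT256_MAX = (1n << 256n) - 1n;
const norm = (a) => String(a).toLowerCase();
// Hypothetical allowlist: spenders this user has knowingly approved before.
const KNOWN_SPENDERS = new Set(["0x1111111111111111111111111111111111111111"]);

// Returns { decision: "allow" | "warn" | "reject", findings: string[] }.
function assessPermitRequest(typedData, connectedAccount, nowSeconds) {
  if (typedData.primaryType !== "Permit") {
    return { decision: "allow", findings: ["not a Permit request"] };
  }
  const m = typedData.message;
  const value = BigInt(m.value);
  const deadline = BigInt(m.deadline);
  const now = BigInt(nowSeconds);
  const findings = [];
  if (norm(m.owner) !== norm(connectedAccount)) {
    findings.push("owner does not match the connected account");
  }
  if (!KNOWN_SPENDERS.has(norm(m.spender))) {
    findings.push("spender is not a previously approved contract");
  }
  if (value === UINT256_MAX) {
    findings.push("value is uint256 max, i.e. an unlimited allowance");
  }
  // A maximal or far-off deadline lets the holder cash the permit at leisure.
  if (deadline === UINT256_MAX || deadline > now + 86400n) {
    findings.push("deadline is more than a day away or never expires");
  }
  const severe = findings.some((f) => /^(owner|spender)/.test(f));
  const decision = severe ? "reject" : findings.length ? "warn" : "allow";
  return { decision, findings };
}

// Constructed sample resembling a phishing prompt: unknown spender,
// unlimited value, no expiry. All addresses and domain fields are placeholders.
const OWNER = "0x2222222222222222222222222222222222222222";
const SAMPLE_PHISHING_PERMIT = {
  primaryType: "Permit",
  domain: { name: "USD Coin", version: "2", chainId: 1,
    verifyingContract: "0x3333333333333333333333333333333333333333" },
  message: { owner: OWNER, spender: "0x4444444444444444444444444444444444444444",
    value: UINT256_MAX.toString(), nonce: "0", deadline: UINT256_MAX.toString() },
};
```

A request that a wallet would present as "no funds move now" still fails this review on three counts, which is exactly the signal the victim never saw.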
Scam Sniffer also reported on another phishing incident on November 7, when another user lost $1.22 million in USDC and a PlaUSDT0 token just 30 minutes after signing fraudulent permit messages.
The Web3 security firm’s November phishing report shows total losses reached $7.77 million, a jump of 1137% from October’s $3.28 million. Despite the surge in losses, the number of victims fell 42%, from 10,935 in October to 6,344 in November.
Almost a week ago, some hackers used “address poisoning” to steal 1.1 million USDT on Ethereum. According to Ramiel Capital CIO Kyle Soska, the group monitored small outbound transfers from whale wallets and then used GPU-powered systems to generate near-identical look-alike addresses.
“The attacker in this case sends a very small Tether transaction to the victim on-chain so that the look-a-like address appears in the recent activity list of the victim’s web3 wallet. The victim then accidentally chooses this address to send the big money to,” Soska said, replying to an X user asking how the incident was even possible.
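The poisoning pattern Soska describes relies on two things a wallet can check: a counterparty whose head and tail match a saved contact while the full address differs, and the tiny incoming transfer that planted it in the activity list. The following is an added example, not code from the article or from any wallet; every address and activity entry is constructed.

```javascript
// Added example (not from the article): detect look-alike destination
// addresses and dust transfers from them. All addresses are constructed.
const CONTACT = "0xab12deadbeefdeadbeefdeadbeefdeadbeefcd34"; // a saved contact
const LOOKALIKE = "0xab120123456789abcdef0123456789abcdefcd34"; // same head/tail
const SAVED_CONTACTS = [CONTACT];
const isAddress = (a) => /^0x[0-9a-fA-F]{40}$/.test(a);

// Returns { status: "exact" | "lookalike" | "unknown", match: string | null }.
// Wallet UIs truncate the middle of an address, so only head and tail are compared.
function checkDestination(candidate, contacts = SAVED_CONTACTS, head = 4, tail = 4) {
  if (!isAddress(candidate)) throw new Error("not a 20-byte hex address");
  const c = candidate.toLowerCase();
  for (const contact of contacts) {
    const k = contact.toLowerCase();
    if (k === c) return { status: "exact", match: contact };
    const sameHead = c.slice(2, 2 + head) === k.slice(2, 2 + head);
    const sameTail = c.slice(-tail) === k.slice(-tail);
    if (sameHead && sameTail) return { status: "lookalike", match: contact };
  }
  return { status: "unknown", match: null };
}

// Constructed recent-activity list as a wallet might show it.
const RECENT_ACTIVITY = [
  { direction: "in", counterparty: LOOKALIKE, amount: 0.001 },
  { direction: "out", counterparty: CONTACT, amount: 5000 },
];

// Incoming dust from an address that mimics a saved contact is the poisoning
// pattern described above; return the offending senders so the UI can hide them.
function flagPoisoningCandidates(activity, contacts = SAVED_CONTACTS, dust = 1) {
  return activity
    .filter((tx) => tx.direction === "in" && tx.amount < dust)
    .filter((tx) => checkDestination(tx.counterparty, contacts).status === "lookalike")
    .map((tx) => tx.counterparty);
}
```

Running `checkDestination` on the address a user picks from the activity list, rather than trusting the truncated display, is what blocks the final "send the big money" step.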
Holiday shopping season flooded with impersonation scams
The escalation in crypto-related phishing comes on the heels of an uptick in digital scams during the holiday shopping season. Darktrace, a cybersecurity firm tracking global consumer phishing trends, reported a 201% rise in scams impersonating major US retailers during the week leading into Thanksgiving, compared to the same week in October.
Emails spoofing Macy’s, Walmart, and Target rose by 54% in a single week, but Amazon was the most impersonated company overall, accounting for 80% of phishing attempts, more than digital consumer brands Apple, Alibaba, and Netflix.
In early November alone, Kaspersky detected 146,535 spam emails referencing seasonal discounts, including 2,572 related to Singles’ Day campaigns. Many of these messages reused proven templates recycled from previous years, with scammers mimicking Amazon, Walmart, and Alibaba to advertise early-access sales that redirected users to fake checkout pages to steal credentials and execute malicious approvals.
Data from Kaspersky Security Network (KSN) shows that between January and October, the company blocked 6,394,854 phishing attempts targeting online stores, banks, and payment systems. Nearly half of these attempts, 48.2%, specifically targeted online shoppers.
Over the same period, Kaspersky identified more than 20 million attacks on gaming platforms, including 18.56 million abusing Discord, which the company says is a distribution point for malicious files disguised as gaming software.
Entertainment platforms also saw intense targeting, with 801,148 Netflix-themed and 576,873 Spotify-related phishing attempts recorded in 2025. The company also documented 2,054,336 phishing attempts impersonating gaming platforms Steam, PlayStation, and Xbox.
Moreover, Kaspersky recorded 20,188,897 attempted malware infections disguised as “common software,” with Discord accounting for the majority at 18,556,566 detections, more than 14 times higher than the incidents reported last year.