According to blockchain security firm Scam Sniffer, someone recently lost 15,079 fwDETH ($35 million) after falling for a phishing scam.
The “permit” option was introduced with Ethereum Improvement Proposal (EIP) 2612, which made gasless token transfers possible.
With it, an off-chain authorization signature lets someone else transfer tokens from the signer's account.
Normally, an ERC-20 token transfer is a two-step process: confirming a transaction on the blockchain by paying a gas fee, and then moving a certain number of tokens to another account. With the “permit” option, the authorization is instead signed off-chain. Apart from saving on gas fees, this also makes transactions more user-friendly.
While adding more convenience and flexibility, the feature also opened up a new avenue for fraudsters to separate some uninitiated users from their money.
Token holders can get tricked into signing a malicious authorization, thus allowing the attacker to steal tokens from their wallet in broad daylight.
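To make the malicious authorization concrete, here is an added example (not code from Scam Sniffer or this article) of a wallet-side check that inspects an EIP-712 Permit request before the user signs it, flagging an unknown spender, an unlimited allowance and a far-off deadline; the allowlist, the addresses and the sample request are constructed placeholders.

```python
from typing import Dict, List, Set

# 2**256 - 1: the "unlimited" allowance value drainers typically ask the victim to sign.
UINT256_MAX = 2**256 - 1
# The fields of the EIP-2612 Permit struct that the wallet is asked to sign.
PERMIT_FIELDS = ("owner", "spender", "value", "nonce", "deadline")


def review_permit(typed_data: Dict, trusted_spenders: Set[str], now: int,
                  max_horizon: int = 3600) -> List[str]:
    """Inspect an EIP-712 signing request and return human-readable warnings.
    An empty list means nothing looked suspicious. `trusted_spenders` is a
    hypothetical allowlist of contracts the user has knowingly interacted with."""
    warnings: List[str] = []
    if typed_data.get("primaryType") != "Permit":
        return warnings  # not a permit request; out of scope for this check
    msg = typed_data.get("message", {})
    missing = [f for f in PERMIT_FIELDS if f not in msg]
    if missing:
        return [f"malformed permit, missing fields: {missing}"]
    if msg["spender"].lower() not in {s.lower() for s in trusted_spenders}:
        warnings.append(f"spender {msg['spender']} is not a known contract")
    if int(msg["value"]) == UINT256_MAX:
        warnings.append("unlimited allowance requested (2**256 - 1)")
    deadline = int(msg["deadline"])
    if deadline == UINT256_MAX or deadline - now > max_horizon:
        warnings.append("deadline far in the future: the permit stays usable long after signing")
    if "verifyingContract" not in typed_data.get("domain", {}):
        warnings.append("domain lacks verifyingContract: cannot tell which token is authorized")
    return warnings


# Constructed sample request, shaped like what a phishing site hands to the wallet.
# All addresses are placeholders, not real contracts or accounts.
MALICIOUS_REQUEST = {
    "primaryType": "Permit",
    "domain": {"name": "Token", "version": "1", "chainId": 1,
               "verifyingContract": "0x00000000000000000000000000000000000000aa"},
    "message": {
        "owner": "0x00000000000000000000000000000000000000bb",
        "spender": "0x00000000000000000000000000000000000000cc",  # attacker-controlled
        "value": str(UINT256_MAX),
        "nonce": "0",
        "deadline": str(UINT256_MAX),
    },
}
TRUSTED = {"0x00000000000000000000000000000000000000dd"}  # e.g. a router the user knows

if __name__ == "__main__":
    for w in review_permit(MALICIOUS_REQUEST, TRUSTED, now=1_700_000_000):
        print("WARNING:", w)
```

A wallet that surfaces these three warnings turns an opaque “Sign” prompt into a readable statement of who may move how many tokens and for how long.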
According to Scam Sniffer, scams that revolve around signatures with the ERC-20 permit have emerged as the main type of phishing scams. Notably, victims tend to be tricked into signing malicious transactions with the help of impersonated social media accounts.
The blockchain security firm previously exposed the Inferno Drainer group, which has collected tens of thousands of victims by creating phishing websites mimicking popular crypto projects and luring them into performing off-chain signatures.
In January, Scam Sniffer revealed that crypto users suffered more than $300 million worth of losses in 2023 due to phishing scams.