A crypto user lost $908,551 to a wallet-draining scam 458 days after unknowingly signing a malicious approval transaction, onchain data shows.

The attack originated from an ERC-20 approval transaction — likely signed via a phishing site or fake airdrop — that gave the scammer’s wallet, “0x67E5Ae,” ongoing permission to access the victim’s funds.

The scammer — linked to the notorious pink-drainer.eth wallet address — executed the theft on Aug. 2 at 4:57am UTC, stealing $908,551 worth of the USDC (USDC) stablecoin, Scam Sniffer pointed out on X. The theft came 458 days after the victim signed the phishing approval transaction on April 30, 2024.

The security incident prompted Scam Sniffer to remind crypto users to “regularly review and revoke old approvals,” or else, hard-earned funds may be at risk.

“Your wallet security matters,” it added. 

The scammer’s patience paid off

Until a month ago, the victim’s compromised wallet had seen minimal transaction activity and held little value — giving the attacker no incentive to act.

That changed on July 2, when the victim deposited $762,397 into the tainted wallet address, “0x6c0eB6,” from a MetaMask wallet at 8:41pm UTC.

Ten minutes later, another $146,154 in USDC was transferred into the same wallet from a Kraken wallet.

Related: $3.5B Bitcoin heist from 2020 retroactively uncovered — Arkham Intel

The scammer likely monitored the wallet over the next month, waiting to see if more funds would flow into it before deciding to drain the funds in a single transaction on Aug. 2.

This delayed strike is a defining trait of phishing approval attacks: scammers wait around for months, striking only when the victim’s wallet balance makes it worthwhile.

Tools already exist to prevent these attacks

To help prevent such attacks, Ethereum users can use Etherscan’s Token Approval Checker to review and revoke unnecessary token approvals — though each revocation requires a gas fee. 

Bad actors and scammers stole over $142 million from the crypto space in July across at least 17 separate attacks, with the exploit of crypto exchange CoinDCX accounting for the most significant loss.

Magazine: Inside a 30,000 phone bot farm stealing crypto airdrops from real users