
What Is Approval Phishing? Why Tokens Get Drained After You Sign

2026-05-27 · 链上迷雾

Someone asks for help in a chat group: they never shared their seed phrase, their hardware wallet is sitting safely in a drawer, yet one morning their USDT is almost entirely gone. It sounds like black magic, but it is a very typical attack — approval phishing. It does not steal your private key. Instead, it tricks you into personally signing a permission that hands the power to move your assets over to the attacker.

First, separate two things: transfers and approvals

On-chain wallet actions fall roughly into two kinds, and their consequences are worlds apart.

  • Transfer: sends coins from your address to another address — one-off, deducted on the spot.
  • Approval (allowance): you tell a contract (the “spender”) “from now on you may spend up to N of a certain token from my address.” The approval itself moves no coins; it only records a withdrawal limit. Whoever holds that limit can later pull your tokens in a transaction of their own, at any time, without you signing anything else.

Approvals are necessary in normal DeFi use: swapping on a decentralized exchange or depositing into a lending protocol both require approving the relevant token first. The risk lies in who you approve and for how much. Attackers simply want you to grant that allowance to an address they control, whether a contract or a plain wallet, and usually for an “unlimited” amount, which on most tokens means the largest value the field can hold (2^256 - 1) rather than your current balance.
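To make the difference between the two actions concrete, here is an added example (written for this page, not code from the article or from any wallet) that implements the standard ERC-20 approve / transferFrom semantics in an in-memory ledger and plays the drain through. The addresses, balances and the victim's later deposit are constructed; the ledger follows the reference ERC-20 behaviour of consuming allowance as it is spent.

```javascript
// Added example (not from the article): an in-memory ERC-20 ledger implementing
// the standard approve / transferFrom semantics, to show why an approval moves
// nothing by itself but lets the spender pull tokens later, and what revoking does.
// Addresses and amounts are constructed for the demo.
const MAX_UINT256 = (1n << 256n) - 1n; // the value "unlimited" approvals use

class Erc20Ledger {
  constructor() { this.balances = new Map(); this.allowances = new Map(); }
  balanceOf(a) { return this.balances.get(a) ?? 0n; }
  allowance(owner, spender) { return this.allowances.get(owner + ':' + spender) ?? 0n; }
  mint(to, amount) { this.balances.set(to, this.balanceOf(to) + amount); }
  // approve() only records a limit for `spender`; no balance changes at all.
  approve(owner, spender, amount) { this.allowances.set(owner + ':' + spender, amount); }
  // transferFrom() is what the spender calls later, in its own transaction,
  // without the owner signing anything further.
  transferFrom(caller, from, to, amount) {
    const allowed = this.allowance(from, caller);
    if (allowed < amount) throw new Error('ERC20: insufficient allowance');
    if (this.balanceOf(from) < amount) throw new Error('ERC20: transfer amount exceeds balance');
    this.allowances.set(from + ':' + caller, allowed - amount); // allowance is consumed as it is used
    this.balances.set(from, this.balanceOf(from) - amount);
    this.balances.set(to, this.balanceOf(to) + amount);
  }
}

// Scenario: the victim signs an approval of `approvedAmount` to `attacker` and then
// simply keeps using the wallet. Returns the victim's balance at each stage.
function drainScenario(approvedAmount) {
  const victim = '0xVictim', attacker = '0xAttacker'; // constructed addresses
  const token = new Erc20Ledger();
  token.mint(victim, 1000n);

  token.approve(victim, attacker, approvedAmount); // the phishing signature
  const afterApprove = token.balanceOf(victim);    // still 1000: nothing has moved yet

  // Attacker pulls everything the allowance and balance permit.
  const pull = () => {
    const bal = token.balanceOf(victim), cap = token.allowance(victim, attacker);
    const take = bal < cap ? bal : cap;
    if (take > 0n) token.transferFrom(attacker, victim, attacker, take);
  };
  pull();
  const afterFirstDrain = token.balanceOf(victim);

  // Victim later receives more tokens. An unlimited allowance exposes those too;
  // a capped allowance has already been spent and catches nothing.
  token.mint(victim, 500n);
  pull();
  const afterSecondDrain = token.balanceOf(victim);

  // Revoking is approve(spender, 0). After that, transferFrom reverts.
  token.approve(victim, attacker, 0n);
  let revertedAfterRevoke = false;
  try { token.transferFrom(attacker, victim, attacker, 1n); } catch (e) { revertedAfterRevoke = true; }

  return { afterApprove, afterFirstDrain, afterSecondDrain, revertedAfterRevoke, stolen: token.balanceOf(attacker) };
}

console.log('unlimited approval:', drainScenario(MAX_UINT256));
console.log('capped approval   :', drainScenario(100n));
```

Run it with `node` and compare the two outputs: with the unlimited allowance the victim's balance is zero after both pulls and the 500 tokens that arrived afterwards are gone too; with a cap of 100, the loss stops at 100 and the later deposit is untouched. In both cases the revoke (approve to zero) makes the next transferFrom revert.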

[Illustration: a person signing an approval on a phone while a hidden malicious hook quietly drains wallet tokens]

How the phishing happens

Approval phishing rarely relies on a technical breakthrough. It uses context and scripting to wrap one dangerous approval as a “normal action.” Common playbooks include:

  1. Fake airdrop claim pages: a popup says you have an airdrop waiting; you click “Claim,” and what appears is a token approval or a Permit signature request.
  2. Fake official sites / events: a near-identical lookalike domain arrives via a search ad or a social media DM; after you connect your wallet, the very first step is to “approve.”
  3. Impersonated support: you complain in a community that a withdrawal is stuck, and a “support agent” immediately DMs you to “verify your wallet” — which is, again, signing an approval.

One stealthier variant deserves its own mention: off-chain signature phishing (Permit / Permit2). A traditional approval is an on-chain transaction that costs gas, so you have some awareness of it. A Permit is a signed message, not a transaction: your wallet asks you to sign a piece of structured data (owner, spender, amount, deadline), and whoever holds that signature can later submit it on-chain to set the allowance on your behalf. Permit2-style contracts work the same way once you have approved the Permit2 contract itself. Because nothing is broadcast when you sign, pages describe it as “just verifying identity, free, no gas needed.” Many people see no fee and no transfer, so they sign with confidence, yet this signature can grant a spending allowance all the same, which the attacker redeems on-chain at a time of their choosing. A wallet prompt that says “Signature request” and shows fields such as spender, value, nonce and deadline is a Permit, not an identity check. “The signature is free” does not mean “the signature is risk-free,” and this is one of the most common traps for beginners. If the jargon is still unfamiliar, start with the crypto glossary to get the basics straight.

A few misconceptions worth breaking

  • “I never gave out my seed phrase, so I can’t be robbed.” Wrong. Approval phishing never needs your seed phrase or private key; it needs the approval you sign yourself.
  • “I use a cold wallet, so I’m safe.” A cold wallet keeps the private key offline, but the moment you connect it to a phishing site and sign an approval, a cold wallet gets drained just the same. Hardware stops key leaks, not the “confirm” you tap yourself.
  • “I checked the amount before signing.” Many phishing flows set the allowance to the largest value possible (2^256 - 1), which the wallet shows either as “Unlimited” or as a 78-digit number that is easy to skim past unless you expand the wallet’s details.

Check every line before you sign

Rather than chasing stolen funds afterward, intercept the risk the instant a signature pops up. Turn the following into habits:

  • Know what the action is: the wallet shows whether it is a transaction calling Approve, a signature request over a Permit, or a plain Transfer. Anything that says “claim airdrop / connect wallet” but asks you to approve or sign a Permit: stop.
  • Check the spender: is the contract being approved unfamiliar? Did it come from a page you don’t trust?
  • Check the amount: set it to “only what’s needed this time,” not a default unlimited approval.
  • Check the domain: enter sites from your bookmarks; never click ads or DM links.
  • Split large holdings: keep long-term assets in an address that never connects to any dApp, and use a small separate address for interactions. This mirrors the logic of risk management — cap the worst-case loss first.
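The checks above (what the action is, who the spender is, how much, and for the Permit variant described earlier, until when) can be mechanised. The following is an added example written for this page, not the article's own code or any wallet's, that decodes the two request shapes a dApp sends to a wallet, ERC-20 calldata in an `eth_sendTransaction` and EIP-712 typed data in an `eth_signTypedData_v4`, and grades the request against an allowlist of spenders you chose yourself. The selectors are the real ERC-20 ones; the Permit2 struct names, the allowlist and the sample requests are assumptions constructed for the demo.

```javascript
// Added example (not from the article): a pre-signature inspector that decodes what a
// wallet prompt actually asks for. It handles two request shapes a dApp can send:
//   1. eth_sendTransaction carrying ERC-20 calldata (approve / transfer / transferFrom)
//   2. eth_signTypedData_v4 carrying an EIP-712 payload (EIP-2612 Permit, Permit2-style)
// The allowlist, addresses and requests below are constructed for the demo.
const MAX_UINT256 = (1n << 256n) - 1n;
const SELECTORS = {               // first 4 bytes of keccak256 of the ERC-20 signatures
  '0x095ea7b3': 'approve(address,uint256)',
  '0xa9059cbb': 'transfer(address,uint256)',
  '0x23b872dd': 'transferFrom(address,address,uint256)',
};
const word = (data, i) => data.slice(10 + 64 * i, 10 + 64 * (i + 1)); // i-th 32-byte ABI word
const addr = (w) => ('0x' + w.slice(24)).toLowerCase();                // address = low 20 bytes of a word

function decodeCalldata(data) {
  const sig = SELECTORS[data.slice(0, 10).toLowerCase()];
  if (!sig) return { kind: 'unknown', selector: data.slice(0, 10) };
  const nWords = sig.startsWith('transferFrom') ? 3 : 2;
  if (data.length < 10 + 64 * nWords) return { kind: 'malformed' };
  if (sig.startsWith('approve'))
    return { kind: 'approve', spender: addr(word(data, 0)), amount: BigInt('0x' + word(data, 1)) };
  if (sig.startsWith('transferFrom'))
    return { kind: 'transferFrom', from: addr(word(data, 0)), to: addr(word(data, 1)), amount: BigInt('0x' + word(data, 2)) };
  return { kind: 'transfer', to: addr(word(data, 0)), amount: BigInt('0x' + word(data, 1)) };
}

// Primary types that grant an allowance when signed. 'Permit' is EIP-2612; the others are
// the Permit2 struct names as assumed here. Fields are located by name wherever the struct
// nests them (Permit2 puts token/amount under `details`).
const PERMIT_TYPES = new Set(['Permit', 'PermitSingle', 'PermitBatch', 'PermitTransferFrom']);
function decodeTypedData(td) {
  if (!PERMIT_TYPES.has(td.primaryType)) return { kind: 'signature', primaryType: td.primaryType };
  const found = { spender: null, amount: 0n, deadline: null };
  const walk = (v) => {
    if (v === null || typeof v !== 'object') return;
    for (const [k, x] of Object.entries(v)) {
      if (k === 'spender') found.spender = String(x).toLowerCase();
      else if (k === 'value' || k === 'amount') found.amount = BigInt(x) > found.amount ? BigInt(x) : found.amount;
      else if (k === 'deadline' || k === 'expiration' || k === 'sigDeadline') found.deadline = BigInt(x);
      else walk(x);
    }
  };
  walk(td.message);
  return { kind: 'permit', primaryType: td.primaryType, contract: td.domain?.verifyingContract, ...found };
}

// trustedSpenders: addresses you have deliberately chosen to interact with.
function inspectRequest(req, trustedSpenders, nowSeconds) {
  const trusted = new Set(trustedSpenders.map((a) => a.toLowerCase()));
  const d = req.method === 'eth_signTypedData_v4' ? decodeTypedData(req.typedData) : decodeCalldata(req.tx.data);
  const grantsAllowance = d.kind === 'approve' || d.kind === 'permit';
  const findings = [];
  if (grantsAllowance) {
    if (!trusted.has(d.spender)) findings.push('spender is not on your allowlist');
    if (d.amount === MAX_UINT256) findings.push('unlimited amount');
    if (d.deadline != null && d.deadline - BigInt(nowSeconds) > 365n * 86400n) findings.push('deadline more than a year away');
  }
  const verdict = grantsAllowance && !trusted.has(d.spender) ? 'block' : findings.length ? 'warn' : 'ok';
  return { ...d, findings, verdict };
}

// Constructed demo inputs: a lookalike "airdrop" page asking for an unlimited approve,
// the same page asking for a Permit instead, and a normal capped approve to a router you chose.
const ATTACKER = '0xbad0000000000000000000000000000000000bad';
const ROUTER   = '0xdec0000000000000000000000000000000000dec';
const padAddr  = (a) => a.slice(2).padStart(64, '0');
const DEMO = {
  phishingApprove: { method: 'eth_sendTransaction', tx: { data: '0x095ea7b3' + padAddr(ATTACKER) + 'f'.repeat(64) } },
  phishingPermit: { method: 'eth_signTypedData_v4', typedData: { primaryType: 'Permit',
    domain: { name: 'USD Token', verifyingContract: '0x' + '1'.repeat(40) },
    message: { owner: '0x' + '2'.repeat(40), spender: ATTACKER, value: MAX_UINT256.toString(), nonce: '0', deadline: MAX_UINT256.toString() } } },
  normalApprove: { method: 'eth_sendTransaction', tx: { data: '0x095ea7b3' + padAddr(ROUTER) + (1000n).toString(16).padStart(64, '0') } },
};
for (const [name, req] of Object.entries(DEMO))
  console.log(name, inspectRequest(req, [ROUTER], 1_700_000_000).verdict);
```

The verdict logic mirrors the list: an allowance to a spender you never chose is a block regardless of amount, an unlimited amount or a Permit deadline years in the future is a warning even for a spender you trust, and a plain transfer is graded on its own terms because it moves tokens now rather than granting a standing limit.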

[Illustration: a security panel revoking token approvals one by one, with shield and broken-chain icons]

If you suspect you’ve approved something dangerous

If you worry you signed a risky approval, use a block explorer or a dedicated approval-management tool to review every token approval on your address and revoke the ones you do not recognise. Revoking means sending a fresh approval for the same spender with the amount set to zero; it is an on-chain transaction that costs gas, but it cuts off that “withdrawal limit” the moment it is confirmed.

This table helps you quickly read your situation:

Situation                                        | Risk   | What to do
-------------------------------------------------|--------|-------------------------------------------------------
Never approved anything in a dApp                | Low    | Keep to send/receive, don’t connect randomly
Approved, but only known protocols with limits   | Medium | Review the approval list regularly
Signed Approve / Permit for a strange page       | High   | Revoke immediately, move assets to a new address
Already noticed tokens shrinking                 | Urgent | Revoke first, move remaining assets, then investigate

A caveat: revoking only stops future losses; it cannot recover what is already gone. It also does nothing against a Permit signature the attacker has collected but not yet redeemed, because no allowance exists to revoke until they submit it, so in that case moving assets to a fresh address is the reliable fix. And if your private key itself has leaked, revoking will not save you; abandon the address outright. To round out your exchange-side habits, see exchange security.
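What an approval-management tool does under the hood is simple enough to show. The following added example, written for this page rather than taken from the article or from any existing tool, rebuilds the allowances in force for one address from ERC-20 `Approval` events and produces the revoke transactions (an `approve(spender, 0)` call to each token). The event topic and selector are the real ERC-20 values; the owner, spenders, tokens and log entries are constructed, and a real tool would fetch the events from a node or explorer and confirm each row with `allowance(owner, spender)`.

```javascript
// Added example (not from the article): rebuild the live approvals of one address from
// ERC-20 Approval events and emit the revoke transactions (approve(spender, 0)).
// The events are constructed; a real tool would fetch them from an RPC node or explorer
// and confirm each row with allowance(owner, spender), since some tokens do not emit
// Approval when transferFrom consumes part of an allowance.
const TOPIC_APPROVAL = '0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925'; // keccak256("Approval(address,address,uint256)")
const MAX_UINT256 = (1n << 256n) - 1n;
const pad32 = (hex) => hex.replace(/^0x/, '').toLowerCase().padStart(64, '0');
const topicAddr = (t) => '0x' + t.slice(26).toLowerCase(); // indexed address = low 20 bytes of the topic

// Constructed actors: the audited wallet, a router it chose to use, and the phishing spender.
const OWNER = '0x' + '1'.repeat(40), ROUTER = '0x' + 'd'.repeat(40), ATTACKER = '0x' + 'b'.repeat(40);
const USDT = '0x' + 'a'.repeat(40), OTHER = '0x' + 'c'.repeat(40);
const ev = (token, spender, valueHex, blockNumber, logIndex) =>
  ({ address: token, topics: [TOPIC_APPROVAL, '0x' + pad32(OWNER), '0x' + pad32(spender)], data: '0x' + pad32(valueHex), blockNumber, logIndex });
const SAMPLE_LOGS = [                                   // constructed, deliberately out of order
  ev(OTHER, ATTACKER, '0x0', 301, 0),                   // ...then revoked at block 301
  ev(USDT, ROUTER, '0x3b9aca00', 100, 3),               // 1e9 units to the router you chose
  ev(USDT, ATTACKER, 'f'.repeat(64), 250, 0),           // the phishing approval: unlimited
  ev(OTHER, ATTACKER, '0xde0b6b3a7640000', 300, 2),     // 1e18 units approved at block 300...
];

// The latest Approval event per (token, spender) is the allowance in force; zero means revoked.
function currentAllowances(logs, owner, trustedSpenders) {
  const ownerTopic = '0x' + pad32(owner);
  const trusted = new Set(trustedSpenders.map((a) => a.toLowerCase()));
  const latest = new Map();
  const ordered = [...logs].sort((a, b) => a.blockNumber - b.blockNumber || a.logIndex - b.logIndex);
  for (const log of ordered) {
    if (log.topics[0] !== TOPIC_APPROVAL || log.topics[1].toLowerCase() !== ownerTopic) continue;
    latest.set(log.address.toLowerCase() + ':' + topicAddr(log.topics[2]), BigInt(log.data));
  }
  const rows = [];
  for (const [key, allowance] of latest) {
    if (allowance === 0n) continue;
    const [token, spender] = key.split(':');
    const unlimited = allowance === MAX_UINT256;
    const risk = !trusted.has(spender) ? 'high' : unlimited ? 'medium' : 'low';
    rows.push({ token, spender, allowance, unlimited, risk });
  }
  const order = { high: 0, medium: 1, low: 2 };
  return rows.sort((a, b) => order[a.risk] - order[b.risk]);
}

// approve(spender, 0) calldata: selector + spender word + zero word, sent to the token contract.
function revokeCalldata(spender) { return '0x095ea7b3' + pad32(spender) + pad32('0x0'); }
function revokeTransactions(rows, from, minRisk = 'medium') {
  const rank = { low: 0, medium: 1, high: 2 };
  return rows.filter((r) => rank[r.risk] >= rank[minRisk])
             .map((r) => ({ from, to: r.token, data: revokeCalldata(r.spender) }));
}

const liveRows = currentAllowances(SAMPLE_LOGS, OWNER, [ROUTER]);
console.table(liveRows.map((r) => ({ ...r, allowance: r.unlimited ? 'UNLIMITED' : r.allowance.toString() })));
console.log(revokeTransactions(liveRows, OWNER));
```

The already-revoked approval on the second token drops out because its newest event carries a zero value, the capped approval to the router you chose is kept but rated low, and the unlimited approval to the unknown spender comes out first and is the only one turned into a revoke transaction at the default threshold. Note that a row whose spender is a Permit2-style contract covers every signature you have given through it, so revoking that one row invalidates all of them.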

Back to basics

Approval phishing is so common because it exploits not a code bug but the human impulse to “grab the reward quickly.” On-chain, every signature you make is a binding authorization that no support desk can reverse. The habit of looking three seconds longer before you sign beats any tool.

This article is educational and does not constitute investment or security advice. On-chain actions are irreversible; treat every approval and signature with care.

