Avoid Scams

What Is Approval Phishing? Why Tokens Get Drained After You Sign

2026-05-27 · 链上迷雾

Someone asks for help in a chat group: they never shared their seed phrase, their hardware wallet is sitting safely in a drawer, yet one morning their USDT is almost entirely gone. It sounds like black magic, but it is a very typical attack — approval phishing. It does not steal your private key. Instead, it tricks you into personally signing a permission that hands the power to move your assets over to the attacker.

First, separate two things: transfers and approvals

On-chain wallet actions fall roughly into two kinds, and their consequences are worlds apart.

  • Transfer: sends coins from your address to another address — one-off, deducted on the spot.
  • Approval (allowance): you tell a contract “from now on you may spend up to N of a certain token from my address.” The approval itself moves no coins, but it issues a “withdrawal limit.” Whoever holds that limit can pull your tokens later, without you noticing.

Approvals are necessary in normal DeFi use: swapping on a decentralized exchange or depositing into a lending protocol both require approving the relevant token first. The risk lies in who you approve and for how much. Attackers simply want you to grant that allowance to a contract they control — usually set to an “unlimited” amount.

A person signing an approval on a phone while a hidden malicious hook quietly drains wallet tokens

How the phishing happens

Approval phishing rarely relies on a technical breakthrough. It uses context and scripting to wrap one dangerous approval as a “normal action.” Common playbooks include:

  1. Fake airdrop claim pages: a popup says you have an airdrop waiting; you click “Claim,” and what appears is a token approval or a Permit signature request.
  2. Fake official sites / events: a near-identical lookalike domain arrives via a search ad or a social media DM; after you connect your wallet, the very first step is to “approve.”
  3. Impersonated support: you complain in a community that a withdrawal is stuck, and a “support agent” immediately DMs you to “verify your wallet” — which is, again, signing an approval.

One stealthier variant deserves its own mention: offline signature phishing (Permit / Permit2). A traditional approval is an on-chain transaction that costs gas, so you have some awareness of it. A Permit-style signature is signed “offline,” and pages often describe it as “just verifying identity, free, no gas needed.” Many people see no fee and no transfer, so they sign with confidence — yet this signature can grant a spending allowance all the same, which the attacker later redeems on-chain. “The signature is free” does not mean “the signature is risk-free,” one of the most common traps for beginners. If the jargon is still unfamiliar, start with the crypto glossary to get the basics straight.

A few misconceptions worth breaking

  • “I never gave out my seed phrase, so I can’t be robbed.” Wrong. Approval phishing never needs your seed phrase or private key; it needs the approval you sign yourself.
  • “I use a cold wallet, so I’m safe.” A cold wallet keeps the private key offline, but the moment you connect it to a phishing site and sign an approval, a cold wallet gets drained just the same. Hardware stops key leaks, not the “confirm” you tap yourself.
  • “I checked the amount before signing.” Many phishing flows set the allowance to an enormous (unlimited) number — a very long string that is hard to notice unless you expand the wallet’s details.

Check every line before you sign

Rather than chasing stolen funds afterward, intercept the risk the instant a signature pops up. Turn the following into habits:

  • Know what the action is: the wallet labels whether it’s Approve, Permit, or a plain Transfer. Anything that says “claim airdrop / connect wallet” but asks you to approve or sign a Permit — stop.
  • Check the spender: is the contract being approved unfamiliar? Did it come from a page you don’t trust?
  • Check the amount: set it to “only what’s needed this time,” not a default unlimited approval.
  • Check the domain: enter sites from your bookmarks; never click ads or DM links.
  • Split large holdings: keep long-term assets in an address that never connects to any dApp, and use a small separate address for interactions. This mirrors the logic of risk management — cap the worst-case loss first.

A security panel revoking token approvals one by one, with shield and broken-chain icons

If you suspect you’ve approved something dangerous

If you worry you signed a risky approval, use a block explorer or a dedicated approval-management tool to review and revoke all token approvals on your address. Revoking is itself an on-chain transaction that costs gas, but it instantly cuts off that “withdrawal limit.”

This table helps you quickly read your situation:

Situation Risk What to do
Never approved anything in a dApp Low Keep to send/receive, don’t connect randomly
Approved, but only known protocols with limits Medium Review the approval list regularly
Signed Approve / Permit for a strange page High Revoke immediately, move assets to a new address
Already noticed tokens shrinking Urgent Revoke first, move remaining assets, then investigate

A caveat: revoking only stops future losses — it cannot recover what’s already gone; and if your private key itself has leaked, revoking won’t save you, in which case abandon the address outright. To round out your exchange-side habits, see exchange security.

Back to basics

Approval phishing is so common because it exploits not a code bug but the human impulse to “grab the reward quickly.” On-chain, every signature you make is a binding authorization that no support desk can reverse. The habit of looking three seconds longer before you sign beats any tool.

This article is educational and does not constitute investment or security advice. On-chain actions are irreversible; treat every approval and signature with care.

This article is for education only and is not financial advice. Crypto is volatile and risky — only ever risk what you can afford to lose.

Latest

Industry Events

BTC ETFs Bled for 10 Straight Days, $2.97B Out — What It Means for Ordinary Users

Through June 4, US spot Bitcoin ETFs posted ten consecutive sessions of net outflows totaling about $2.97B — one of the longest negative streaks since launch. This piece breaks down what the number says and, just as important, what it does not.

Mindset & FOMO

AI Is Siphoning Crypto Money — Should You Chase the Rotation?

Early June showed a clear flow: money rotating from crypto into AI. Nvidia at a new high, BTC and ETH softer. "Is crypto past its prime" surfaced again. This piece does not pick a winner. It answers how mindset should behave during sector siphon.

Mindset & FOMO

ETH Slipped Below 2,000 — How Should the Believers Recalibrate?

ETH crossed below the 2,000 psychological line in early June while on-chain activity softened. For self-described "ETH believers," this is a subtler mindset test than the 2022 bear: not one obvious red candle but a slow grind lower.

Mindset & FOMO

BTC Broke Below 67k — Should You Buy the Dip? A June Mindset Check

BTC sliced through 67k in early June and briefly tested 61k intraday. The dip-buying itch is back. This piece does not call the next candle. It asks one question: at this level, what rules should your mindset follow before you click buy.

Mindset & FOMO

US–Iran Tension Escalating — How Should a Crypto Portfolio React?

Early June saw a fresh US–Iran flare-up — oil spiked, risk assets weakened, BTC and ETH dropped together. Headlines change every half day; positions cannot. Here is how a crypto portfolio should behave under geopolitical shocks.

Asset Security

After a Drainer Empties Your Wallet, Is There Any Path to Recovery?

Once you discover a drainer has emptied your wallet, what you can do in the next hour is limited, but the order matters. This post lays out the recovery paths along a timeline: on-chain tracing, platform freeze requests, formal reporting, mixer realities, and longer-term recovery.