OnChain Fog Start Here 中文
Asset Security

The Five Signature Phishing Patterns of 2026, and How to Spot Each at a Glance

2026-06-05 · 链上迷雾

I keep saying one line: wallets drained in 2026 mostly lose money not to leaked private keys, but to signature phishing. Across post-mortems for the past twelve months, off-chain signature phishing accounts for more than half of every wallet loss above five figures.

But “signature phishing” is not one attack. It is a family of attacks. They use different protocol fields, different contract entry points, and different wallet prompts to achieve the same goal — getting you to authorize someone else to move your assets. This post walks through the five most common variants and the visual cues for each.

A shared property first

All signature phishing shares one premise: none of it asks for your private key. What it asks for is a signature made by your private key over some piece of data. Once that signature exists, the attacker has a valid credential to call “transfer,” “sell,” or “bridge” against your assets.

Which means:

  • You never see this transaction “initiated” on-chain.
  • Your wallet balance just disappears at some later moment.
  • You believe you did nothing.

That is why signature phishing is far scarier than transfer phishing.

Conceptual overview of the five signature phishing patterns

Pattern 1: setApprovalForAll (NFT class)

setApprovalForAll(operator, true) is the ERC-721 / ERC-1155 switch that lets one address transfer all of your NFTs of that collection. Once it goes to an attacker contract, your entire NFT portfolio on that chain can be swept anytime.

Cues:

  • The wallet popup says setApprovalForAll, with an operator address you do not recognize.
  • The context is a “free mint,” “airdrop,” or “snapshot claim.”
  • The page nudges you to “sign a free thing first,” but that signature is not the mint itself.

I only allow this call on two marketplaces I deeply trust, and even then I read the calldata each time. Anywhere else, I refuse.

Pattern 2: ERC-20 unlimited approve

This is the ERC-20 counterpart of setApprovalForAll: you give a contract approve(spender, type(uint256).max), effectively letting it move all your balance of that token.

Cues:

  • The amount field shows an abnormally huge number or unlimited.
  • The contract name does not match what you want to do — for example you want to swap 1 USDC and you are asked to approve something that looks like a router but is not the real one.
  • The wallet warns of a follow-up transfer, but that was never your intent.

One rule on defense: never sign unlimited approvals. Paying gas for a fixed-amount approve is worth it.

Pattern 3: Permit / EIP-2612 off-chain signatures

This is the most dangerous family of 2026. Permit lets you grant token approvals with a single EIP-712 off-chain signature, no on-chain transaction needed.

Why is it dangerous?

  1. It leaves no gas footprint — no “approve” record shows on the explorer.
  2. It bypasses standard wallet warnings — many wallets render EIP-712 typed data poorly.
  3. It is immediately exploitable — the attacker calls permit followed by transferFrom whenever they choose.

Cues:

  • The popup shows Permit, spender, deadline, value fields.
  • The site says you can “just sign something gasless” to continue — this is the key signal.
  • The wallet shows “Sign Typed Data” or “EIP-712”.

My rule: any structured signature I cannot read in plain language gets rejected.

Broader context on why signature phishing is so frequent is in the Safe Labs 5,000 drainer addresses post and the January $311M phishing breakdown. Both list Permit as a leading driver.

Pattern 4: Seaport / Permit2 aggregated signatures

OpenSea’s Seaport and Uniswap’s Permit2 bundle multiple approvals into a single signature, intended to improve UX but also providing attackers with a new signature phishing template.

Spoofed versions look completely normal: an aggregator DEX or NFT marketplace asks you to “sign an approval,” the popup shows Seaport/Permit2 keywords, and you sign because it “looks familiar.” But the payload may contain:

  • Approvals for USDC, USDT, and WETH all going to an attacker contract.
  • Transfer rights for several NFTs handed over at the same time.

Cues:

  • The signature touches multiple tokens / multiple contracts at once.
  • You only want to do one thing (say, swap one token), but the granted scope is far broader than necessary.
  • The signature’s signing origin is not the official domain you are interacting with (hover the spender field to check).

My handling: for any aggregated signature, first confirm spender and token list match the minimum-necessary principle.

Expanded view of an aggregated signature with dense fields

Pattern 5: Cross-chain bridge / meta-transaction signatures

This one is newer. The attacker wraps the signature as a “bridge instruction” or a “meta-transaction.” You think you are signing a transfer intent on one chain, but the attacker uses that signature on another chain or on a different contract through a relayer.

Cues:

  • The popup contains bridge, relayer, forwarder, or executeMetaTransaction keywords.
  • The signature references multiple chain IDs or a chainId that looks odd.
  • The UI implies action on chain A, but the underlying data points to chain B.

Most users cannot fully parse these in the popup. The safest stance is “official bridges only + small test transfers first” for meta-transactions and bridges.

A cheat-sheet of the five patterns

Pattern Frequent fields One-glance signal
setApprovalForAll operator, approved=true NFT context + unknown operator
approve unlimited spender, value=uint256.max huge number or “unlimited”
Permit / EIP-2612 spender, deadline, value “just sign gaslessly to continue”
Seaport / Permit2 multi-token / multi-amount one signature covering many approvals
Bridge / meta-tx bridge, relayer, chainId multi-chain or relayer execution

Keep this table in your notes app. It beats memorizing any long post.

Three small habits that make patterns visible

After all five patterns, the daily practice boils down to three things:

  • Always read the calldata on the hardware wallet screen before tapping confirm. Even if you cannot decode it, you can spot “weird amount” or “unfamiliar contract.”
  • Turn blind signing off. Any site asking you to enable blind signing is flagged immediately.
  • Treat “just sign this for free” as suspicious by default. A gasless signature is still a signature.

Wallet safety is a habits problem, not a tools problem. I have written basic crypto security habits as the entry; this post zooms into the signature layer.

Building the recognition into muscle memory

My personal method: give myself five seconds before any signature. In those five seconds the brain does three things:

  1. What do I want to do right now?
  2. Do the popup fields map one-to-one to that intent?
  3. Are spender and amount at the minimum-necessary scope?

Five seconds will not stop every attack, but it stops most “impulse signs.” The vast majority of drained wallets never gave themselves those five seconds.

Signature attacks will keep evolving, but this self-questioning structure stays stable. Once it is wired into your muscle memory, you have pulled yourself out of a big chunk of the 2026 victim pool.

This article is for education only and is not financial advice. Crypto is volatile and risky — only ever risk what you can afford to lose.

Latest

Industry Events

BTC ETFs Bled for 10 Straight Days, $2.97B Out — What It Means for Ordinary Users

Through June 4, US spot Bitcoin ETFs posted ten consecutive sessions of net outflows totaling about $2.97B — one of the longest negative streaks since launch. This piece breaks down what the number says and, just as important, what it does not.

 Mindset & FOMO

AI Is Siphoning Crypto Money — Should You Chase the Rotation?

Early June showed a clear flow: money rotating from crypto into AI. Nvidia at a new high, BTC and ETH softer. "Is crypto past its prime" surfaced again. This piece does not pick a winner. It answers how mindset should behave during sector siphon.

 Mindset & FOMO

ETH Slipped Below 2,000 — How Should the Believers Recalibrate?

ETH crossed below the 2,000 psychological line in early June while on-chain activity softened. For self-described "ETH believers," this is a subtler mindset test than the 2022 bear: not one obvious red candle but a slow grind lower.

 Mindset & FOMO

BTC Broke Below 67k — Should You Buy the Dip? A June Mindset Check

BTC sliced through 67k in early June and briefly tested 61k intraday. The dip-buying itch is back. This piece does not call the next candle. It asks one question: at this level, what rules should your mindset follow before you click buy.

 Mindset & FOMO

US–Iran Tension Escalating — How Should a Crypto Portfolio React?

Early June saw a fresh US–Iran flare-up — oil spiked, risk assets weakened, BTC and ETH dropped together. Headlines change every half day; positions cannot. Here is how a crypto portfolio should behave under geopolitical shocks.

 Asset Security

After a Drainer Empties Your Wallet, Is There Any Path to Recovery?

Once you discover a drainer has emptied your wallet, what you can do in the next hour is limited, but the order matters. This post lays out the recovery paths along a timeline: on-chain tracing, platform freeze requests, formal reporting, mixer realities, and longer-term recovery.