Rising Threat of Ethereum Permit Scams Results in $440,358 Loss for USDC Holder
A USDC holder lost $440,358 after signing a malicious 'permit' signature, according to Scam Sniffer on December 8, 2025. November 2025 saw about $7.77 million drained from more than 6,000 victims through phishing scams, marking a 137% increase in drained funds from October, although the number of victims fell by 42%.
Permit scams trick users into signing transactions that grant attackers the right to spend ERC-20 tokens, enabling immediate draining of funds. Attackers either execute the permit and transfer the tokens in a single transaction, or gain access via the permit and delay the transfer by setting a far-off deadline.
Experts emphasize that the success of these scams largely relies on human error: users sign transactions they do not fully understand. Wallets like MetaMask have started warning users about suspicious sites and translating transaction data to help detect risks. Users are advised to verify sender addresses and contract details, and to watch for high-risk actions before signing.
Recovery of stolen funds is essentially zero: attackers are typically individuals without contact information, so funds are usually irrecoverable. The primary advice is for users to actively review what they are signing and to confirm that the actions and functions involved match their intentions.
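The pre-signing review described above (spender, amount, deadline) can be expressed as a small check over the typed-data request a wallet receives. This is an added example, not code from Scam Sniffer or MetaMask; it assumes the EIP-2612 `Permit` message layout (owner, spender, value, nonce, deadline), and `reviewPermit`, the `ctx` object, the one-hour deadline policy and all addresses are hypothetical or constructed.

```javascript
// Added example: review an EIP-2612 "Permit" typed-data request before signing.
// Addresses, thresholds and the ctx object are constructed for illustration.
const MAX_UINT256 = (1n << 256n) - 1n;
const MAX_WINDOW_SEC = 3600n; // assumed policy: deadlines over 1 hour out are "far"

function reviewPermit(typedData, ctx) {
  if (typedData.primaryType !== "Permit") return []; // not a permit request
  const { owner, spender, value, deadline } = typedData.message;
  const amount = BigInt(value);
  const expiry = BigInt(deadline);
  const findings = ["GRANTS_TOKEN_ALLOWANCE"]; // every permit hands out spending rights

  if (owner.toLowerCase() !== ctx.account.toLowerCase()) findings.push("OWNER_MISMATCH");
  if (!ctx.trustedSpenders.has(spender.toLowerCase())) findings.push("UNKNOWN_SPENDER");
  if (amount === MAX_UINT256) findings.push("UNLIMITED_ALLOWANCE");
  else if (amount >= ctx.balance) findings.push("COVERS_FULL_BALANCE");
  if (expiry <= ctx.nowSec) findings.push("ALREADY_EXPIRED");
  else if (expiry - ctx.nowSec > MAX_WINDOW_SEC) findings.push("FAR_DEADLINE");
  return findings;
}

// Constructed wallet context: 1,000 tokens at 6 decimals, one spender the user trusts.
const ctx = {
  account: "0x" + "a".repeat(40),
  balance: 1000n * 10n ** 6n,
  nowSec: 1765152000n, // constructed "current time" in Unix seconds
  trustedSpenders: new Set(["0x" + "b".repeat(40)]),
};

function buildPermit(spender, value, deadline) { // constructed sample request
  return {
    primaryType: "Permit",
    domain: { name: "Sample Token", version: "1", chainId: 1,
              verifyingContract: "0x" + "c".repeat(40) },
    message: { owner: ctx.account, spender, value: value.toString(),
               nonce: "0", deadline: deadline.toString() },
  };
}

// Unknown spender, unlimited amount, deadline that never realistically expires.
const suspicious = buildPermit("0x" + "d".repeat(40), MAX_UINT256, MAX_UINT256);
// Trusted spender, 50 tokens, ten-minute deadline.
const routine = buildPermit("0x" + "b".repeat(40), 50n * 10n ** 6n, ctx.nowSec + 600n);

console.log(reviewPermit(suspicious, ctx));
console.log(reviewPermit(routine, ctx));
```

Even the routine request reports `GRANTS_TOKEN_ALLOWANCE`: a permit signature always hands out spending rights, so the remaining findings only rank how much is at stake.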