According to a report by blockchain security firm ScamSniffer on X, a crypto whale recently fell victim to a phishing scam and lost over $1.39 million in multiple cryptocurrencies. The incident involved the exploitation of Uniswap’s “permit2” feature, which allowed scammers to drain the victim’s wallet after they signed a phishing signature.
🚨 25 mins ago, a PEPE holder lost $1.39M worth of PEPE, MSTR, and APU after signing a “permit2” phishing signature. 💸 pic.twitter.com/Wf4nd8eFxl
— Scam Sniffer | Web3 Anti-Scam (@realScamSniffer) October 13, 2024
The stolen assets included $PEPE, $MSTR, and $APU tokens—collectively valued at around $1.39 million—on the decentralized exchange (DEX) Uniswap.
The “Permit2” Feature
The phishing attack took advantage of Uniswap’s Permit2 function. This feature allows multiple tokens to be approved with a single signature. Scammers abuse it to access and drain users’ wallets once they obtain a victim’s signature.
According to the blockchain security firm, the attackers bypassed security alerts by using Create2, which allowed them to generate new addresses for each malicious action. After obtaining the victim’s signature, the attackers created a contract at the new address and transferred the assets out of the wallet.
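The following is an added example, not code from ScamSniffer, Uniswap, or the original article: a wallet-side check in JavaScript that inspects an EIP-712 signing request before it is signed and flags the traits described above (one signature covering several tokens, and a spender address that has no deployed code yet). The function name, the `ctx` fields, and the sample token and spender addresses are assumptions constructed for illustration; the Permit2 contract address and message field names are those of the public Permit2 deployment.

```javascript
// Added example; function name, ctx fields and sample addresses are hypothetical.
const PERMIT2 = "0x000000000022d473030f116ddee9f6b43ac78ba3"; // canonical Permit2 address, lowercased
const MAX_UINT160 = (1n << 160n) - 1n; // largest allowance amount Permit2 accepts
const PERMIT_TYPES = new Set([
  "PermitSingle", "PermitBatch", "PermitTransferFrom", "PermitBatchTransferFrom",
]);

// typedData: the object a dapp passes to eth_signTypedData_v4.
// ctx.trustedSpenders: Set of lowercase addresses the user already trusts.
// ctx.spenderHasCode: boolean from the caller's own eth_getCode lookup on the spender.
function reviewPermit2Request(typedData, ctx) {
  const findings = [];
  const verifier = String((typedData.domain || {}).verifyingContract || "").toLowerCase();
  if (verifier !== PERMIT2 || !PERMIT_TYPES.has(typedData.primaryType)) {
    return { isPermit2: false, spender: null, tokens: [], findings };
  }
  const msg = typedData.message;
  // Allowance permits carry `details`, signature transfers carry `permitted`;
  // the batch variants hold an array, the single variants one object.
  const entries = [].concat(msg.details ?? msg.permitted ?? []);
  const tokens = entries.map((e) => String(e.token).toLowerCase());
  const spender = String(msg.spender).toLowerCase();

  if (tokens.length > 1) findings.push(`one signature covers ${tokens.length} tokens`);
  if (entries.some((e) => BigInt(e.amount) >= MAX_UINT160)) findings.push("unlimited amount");
  if (!ctx.trustedSpenders.has(spender)) findings.push("spender is not a trusted address");
  if (!ctx.spenderHasCode) {
    findings.push("spender has no deployed code (EOA or not-yet-deployed CREATE2 address)");
  }
  return { isPermit2: true, spender, tokens, findings };
}

// Constructed signing request with placeholder token and spender addresses.
const sampleRequest = {
  primaryType: "PermitBatch",
  domain: { name: "Permit2", chainId: 1, verifyingContract: "0x000000000022D473030F116dDEE9F6B43aC78BA3" },
  message: {
    details: ["11", "22", "33"].map((b) => ({
      token: "0x" + b.repeat(20), amount: MAX_UINT160.toString(), expiration: "1760000000", nonce: "0",
    })),
    spender: "0x" + "ee".repeat(20),
    sigDeadline: "1728800000",
  },
};
const sampleReport = reviewPermit2Request(sampleRequest, { trustedSpenders: new Set(), spenderHasCode: false });
console.log(sampleReport.findings.join("\n"));
```

A wallet or signing proxy would show these findings in the confirmation dialog, since a Permit2 request is an off-chain signature and otherwise looks like any other typed-data prompt.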
Ethereum Trader Lost $35M in Phishing Scam
The $PEPE holder is just one of the recent victims of such attacks. CoinTab previously reported a similar incident where a decentralized finance (DeFi) trader lost over $35 million in a phishing attack. The attack resulted in the theft of 15,079 wrapped ether tokens ($fwDETH) from the DeFi platform Duo Exchange (DUO). The attackers then converted the $fwDETH to $DETH, another wrapped ether token associated with DUO, before exchanging it back to $ETH via Swap.
In Q3 2024 alone, crypto investors lost over $127 million to scams, with phishing attacks accounting for $87 million. One incident led to a $55 million loss after a phishing scheme targeted proxy ownership. Another major attack on September 28 drained 12,083 $spWETH ($32.43 million) using a permit phishing signature.
These incidents highlight the importance of caution when signing on-chain transactions. Users are urged to thoroughly verify the legitimacy of any signature requests to safeguard their assets against phishing schemes.