Recently, a phishing attack targeting DeFi users resulted in the loss of 12 Aave Ethereum LBTC, valued at approximately $1.08 million.
According to tracking by Scam Sniffer and observations from SlowMist founder Cosine, the attacker belonged to a "non-core" phishing group. However, their tactics were highly sophisticated. After successfully stealing the assets, they quickly converted them to ETH and laundered them through Tornado Cash.
01 In-Depth Analysis of the Incident
Recently, the blockchain security community disclosed a high-profile phishing theft involving significant value. While performing on-chain operations, the victim was tricked into signing a malicious "Permit" signature.
A "Permit" is a signature-based authorization mechanism: by signing an off-chain message, the asset owner grants a third party (the spender) an allowance to transfer specific assets, without the owner sending an on-chain transaction. Once the victim has signed, the attacker submits that signature on-chain, obtains the allowance, and drains the corresponding assets from the victim's wallet.
The stolen asset, aEthLBTC, is a wrapped Bitcoin asset on the Aave protocol, representing considerable value. After the attack, the stolen funds were transferred to two wallet addresses: 0x1CCAF86F3C8C8f7dFCd5Ad37eBc498cdfEb38ff0 and 0x0385E38457feA1B25E8175837fBE67400E0FE9fD.
02 Security Landscape and Annual Data
This case is not an isolated incident. It reflects the increasingly complex and evolving threat of crypto phishing.
According to Scam Sniffer’s latest 2025 Crypto Phishing Report, total losses from signature phishing reached $83.85 million for the year. While this marks a significant 83% decrease compared to $494 million in 2024, the threat remains substantial.
The report highlights several key trends. Permit-based signatures remain a top weapon for attackers. Of the 11 major cases in 2025 with single losses exceeding $1 million, 3 involved Permit/Permit2, resulting in a combined loss of $8.72 million.
The largest single signature phishing loss in 2025 occurred in September. Through a Permit signature, attackers stole $6.5 million in stETH and aEthWBTC assets.
Losses are closely tied to market activity. In Q3 2025, as the market strengthened and the Ethereum price surged, phishing activity peaked. Losses for the quarter reached $31.04 million, accounting for 37% of the annual total.
03 Threat Evolution and New Attack Vectors
Attack techniques are evolving rapidly. After Ethereum’s "Pectra" upgrade in 2025 and the introduction of EIP-7702, attackers quickly identified new opportunities for exploitation.
EIP-7702 allows users to authorize a series of operations with a single signature, which attackers have leveraged to their advantage.
Shortly after the upgrade, in August 2025, two major attacks exploited EIP-7702’s batch signature feature, resulting in a combined loss of $2.54 million.
Attacks are no longer limited to phishing websites. More covert and complex tactics—such as supply chain attacks, front-end hijacking, and social media account takeovers—are on the rise.
For example, attackers have used phishing to steal developers' npm publishing credentials and then injected malicious code into popular open-source packages. The injected code can behave as a self-replicating worm that steals environment variables and private keys from every machine that installs the package.
04 How Users Can Build a Defense System
With threats constantly evolving, proactive defense is key to safeguarding your assets.
The first principle is to treat every signature request with caution. Before signing any transaction or authorization—especially those from unknown links, social media, or private messages—thoroughly verify its legitimacy. Carefully check the recipient, asset type, and amount being authorized, and be wary of unlimited approvals.
Utilizing security tools forms the second line of defense. Consider browser extensions like Scam Sniffer, which can detect and warn you in real time if you’re visiting a known phishing site.
For users conducting large or complex DeFi transactions, using a hardware wallet or a dedicated signing device significantly enhances security. Regularly reviewing and proactively revoking unused approvals is also essential.
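The Permit mechanism described in section 01 and the checklist in this section (recipient, asset, amount, unlimited approvals) can be turned into a concrete pre-signing check. The following is an added example, not code from the article, Scam Sniffer, SlowMist or Gate: it inspects the EIP-712 typed-data object a wallet displays for an EIP-2612 "Permit" request and reports red flags. The token and spender addresses, the trusted-spender list and the fixed timestamp are constructed placeholders.

```python
"""Inspect an EIP-2612 "Permit" signature request before it is signed.

Added example (not code from the article, Scam Sniffer, SlowMist or Gate).
It walks the EIP-712 typed-data object a wallet shows (types / domain /
primaryType / message) and applies the article's checklist: who the spender is,
which token, how much, and for how long. Every address, the trusted-spender
list and the timestamp below are constructed placeholders.
"""
from __future__ import annotations

UINT256_MAX = 2**256 - 1
THIRTY_DAYS = 30 * 24 * 3600

# Constructed reference data; a real wallet would use curated, updated lists.
TRUSTED_SPENDERS = {"0x2222222222222222222222222222222222222222"}  # placeholder router
KNOWN_TOKENS = {"0x1111111111111111111111111111111111111111": "aEthLBTC (placeholder address)"}
NOW = 1_767_484_800  # fixed "current time" so the checks are deterministic


def _to_int(v) -> int:
    """Typed-data numbers arrive as int, decimal string or 0x-hex string."""
    return int(v, 0) if isinstance(v, str) else int(v)


def inspect_permit(typed_data: dict, trusted_spenders: set[str] = TRUSTED_SPENDERS,
                   known_tokens: dict = KNOWN_TOKENS, expected_chain_id: int = 1,
                   now: int = NOW, max_window: int = THIRTY_DAYS) -> list[str]:
    """Return a list of red flags; an empty list means nothing was flagged, not that it is safe."""
    if typed_data.get("primaryType") != "Permit":
        return [f"primaryType is {typed_data.get('primaryType')!r}, not Permit; needs a different check"]
    domain = typed_data.get("domain", {})
    msg = typed_data.get("message", {})
    findings: list[str] = []

    # Chain binding: a domain for another chain is not the request the user believes it is.
    chain_id = _to_int(domain.get("chainId", -1))
    if chain_id != expected_chain_id:
        findings.append(f"chainId {chain_id} differs from expected {expected_chain_id}")

    # Asset: the verifying contract is the token whose allowance is being granted.
    token = str(domain.get("verifyingContract", "")).lower()
    if token not in {k.lower() for k in known_tokens}:
        findings.append(f"token contract {token or '<missing>'} is not a recognised asset")

    # Recipient of the allowance.
    spender = str(msg.get("spender", "")).lower()
    if spender not in {s.lower() for s in trusted_spenders}:
        findings.append(f"spender {spender or '<missing>'} is not on the trusted list")

    # Amount: 2**256-1 is the conventional "unlimited" allowance.
    value = _to_int(msg.get("value", 0))
    if value == UINT256_MAX:
        findings.append("value is 2**256-1 (unlimited approval)")

    # Validity window: drainer requests typically never expire.
    deadline = _to_int(msg.get("deadline", 0))
    if deadline == UINT256_MAX or deadline - now > max_window:
        findings.append(f"deadline is unlimited or more than {max_window // 86400} days away")
    return findings


def _request(spender: str, value: int, deadline: int) -> dict:
    """Build a constructed EIP-712 Permit request in the shape a dapp sends to a wallet."""
    return {
        "types": {
            "EIP712Domain": [{"name": "name", "type": "string"}, {"name": "version", "type": "string"},
                             {"name": "chainId", "type": "uint256"},
                             {"name": "verifyingContract", "type": "address"}],
            "Permit": [{"name": "owner", "type": "address"}, {"name": "spender", "type": "address"},
                       {"name": "value", "type": "uint256"}, {"name": "nonce", "type": "uint256"},
                       {"name": "deadline", "type": "uint256"}],
        },
        "primaryType": "Permit",
        "domain": {"name": "Token", "version": "1", "chainId": 1,
                   "verifyingContract": "0x1111111111111111111111111111111111111111"},
        "message": {"owner": "0x3333333333333333333333333333333333333333", "spender": spender,
                    "value": str(value), "nonce": 0, "deadline": str(deadline)},
    }


# Legitimate-looking request: trusted spender, bounded amount, one-hour deadline.
BENIGN_REQUEST = _request("0x2222222222222222222222222222222222222222", 10**8, NOW + 3600)
# The pattern behind drainer phishing: unknown spender, unlimited value, never-expiring deadline.
SUSPICIOUS_REQUEST = _request("0x4444444444444444444444444444444444444444", UINT256_MAX, UINT256_MAX)

if __name__ == "__main__":
    for label, req in (("benign", BENIGN_REQUEST), ("suspicious", SUSPICIOUS_REQUEST)):
        print(label, inspect_permit(req) or ["no red flags"])
```

The check deliberately reports every flag rather than stopping at the first one, because a single unknown spender is a weaker signal than an unknown spender combined with an unlimited amount and an unlimited deadline, which is the combination seen in drainer requests. Permit2 and EIP-7702 batch authorizations have different message layouts and need their own inspectors; this one refuses anything whose primaryType is not "Permit" instead of guessing.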
05 Security Outlook and Platform Responsibility
Although 2025 saw a sharp decline in traceable signature phishing losses, this does not mean the threat has disappeared.
This decrease may partly be due to attackers shifting to harder-to-trace methods, such as private key theft and targeted social engineering against high-value individuals.
As a responsible trading platform, Gate fully recognizes its critical role in user security education. We are committed not only to safeguarding user assets through technologies like multi-signature cold wallets and risk monitoring systems, but also to promoting security awareness through channels such as Gate Learn, helping users identify risks.
The crypto industry’s infrastructure—including exchanges, wallet providers, and project teams—must work together to implement the "principle of least privilege" in product design and provide clearer risk disclosures for authorizations.
When you trade on Gate, you can do so with greater peace of mind. Our systems are designed to securely custody crypto assets. Even so, always remain vigilant against any "high-yield" offers from unofficial sources.
Looking Ahead
As of January 4, 2026, the crypto market continues to move amid volatility. The Ethereum-to-Bitcoin exchange rate stands at about 0.03443 BTC, and the market is closely watching macroeconomic trends—for example, the probability of a 25 basis point Fed rate cut in January is estimated at 16.6%.
No matter how the market changes, one thing remains certain: Security is a perpetual theme in the crypto world. Million-dollar losses can start with a single careless signature. The first step to protecting your assets is developing habits that are even more cautious than those of the attackers.