Lost 51K, forgot to Revoke Approvals

Recently a victim was “re-phished” due to forgetting to revoke old approvals.

About 10 months ago, the victim approved a malicious signature and 37K in crypto assets was drained. Among the assets stolen were USDT and PRE tokens.

Instead of revoking token access or using a fresh wallet, the victim refunded the wallet losing another 51K in USDT.

Below is an image of the movements from the victim's wallet to the scammer wallets.

Above is a look inside the victim wallet of 0x6B099633b4b4F0eec2721f706B7F2a3b6D6c6a8F.

It sucks to lose funds once to a phishing scam. The 2nd time could of easily been prevented. If you're a victim of a phishing scam: ALWAYS REVOKE TOKEN APPROVALS. To be 100% safe, I recommend using a fresh wallet.

Below are the wallets of interest:

  • 0x6B099633b4b4F0eec2721f706B7F2a3b6D6c6a8F – Phished VICTIM Wallet
  • 0x37Df413291dCBAfbefFe78A9EB72abd913Bdc3d2 – Clean VICTIM Wallet
  • 0xFC4EAA4ac84D00f1C5854113581F881b42b4A745 – Scammer Wallet stole 51K (I posted about this one here a couple of weeks ago)
  • 0x34f0503AA6750f878f60Cb7B56D6B62E30489728 – Scammer Wallet stole 37K

How the First Scam Happened

The victim signed a malicious signature. The victim could of been scammed from a phishing website promising rewards, a fake airdrop or through other means. The point is, the victim gave approval to the scammer for token transfers.

Permit2 approvals allow scammers to spend an unlimited amount of your tokens. In this case, Inferno Drainer was used on the backend to do the dirty work of draining the victim's wallet of 31.3K of USDT and 5.5K PRE tokens.

Above is the Etherscan transaction receipt. The victim gave Unlimited Approval of USDT from his wallet of 0x6B099633b4b4F0eec2721f706B7F2a3b6D6c6a8F to the malicious contract of 0x0000553F880fFA3728b290e04E819053A3590000 (Inferno Drainer).

How Permit2 Works

Permit2 is a versatile smart contract designed for managing approvals in an intuitive way. Once users give it an unlimited approval, Permit2 opens up the possibility for further delegating permissions to other smart contracts.

I've talked about the downsides of Permit2 in previous posts. The upside is it provides less friction for the end user. The user doesn't need to send separate token approvals and Permit2 enables gas free signatures for the tokens.

Scammers can abuse this function because most users don't know what they are approving. Additionally, phishing websites can trick victims into giving scammers approval to multiple tokens at once through Permit2.

Drained a 2nd Time

Without revoking approval access, the scammer can go back for a 2nd helping of your crypto. I can see on-chain the victim sent 51.5K in USDT from his clean wallet to the phished wallet. About 3 days later, that 51.5K now belongs to the scammer.

Funds moved from Clean VICTIM Wallet to Phished VICTIM Wallet to Scammer Wallet.

The scammer still has USDT approval on the victims's wallet and was able to complete the transaction 10 months after the initial scam.

I posted about this wallet – 0xFC4EAA4ac84D00f1C5854113581F881b42b4A745 and it's connection to Inferno Drainer about 2 and a half weeks ago. I'll post in the comments below.

How to Revoke All Token Approvals

The easiest and simplest way is to use revoke.cash. It's good practice to periodically check the permissions you allow on your wallet every few months.

Phishing scammers can be extremely sophisticated and expert tricksters. It's very easy to interact with a malicious contract without understanding the risks.

If you believe you've engaged with a malicious smart contract, you're going to want to immediately revoke all approvals.

Below are the steps:

  1. Go to revoke.cash
  2. Connect your wallet (Please make sure it's the actual revoke.cash!)
  3. Give authorization
  4. Revoke any approvals from unauthorized spenders.

reddit imagereddit imagereddit image

38 thoughts on “Lost 51K, forgot to Revoke Approvals”

  1. Hello jbtravel84. It looks like you might have found a new scam? If so, please report this scam by crossposting to r/CryptoScams, r/CryptoScamReport, or visiting scam-alert.io. For tips on how to avoid scams, click here.

    I am a bot, and this action was performed automatically. Please contact the moderators of this subreddit if you have any questions or concerns.

  2. Link to a Reddit post outlining 0xFC4EAA4ac84D00f1C5854113581F881b42b4A745 and Inferno Drainer – https://www.reddit.com/r/CryptoCurrency/comments/1c9o8ix/760k_stolen_through_inferno_drainer/

  3. I feel like most of these “too stupid to be true” scenarios are just whales tax-loss harvesting. They don’t have to time the market anymore; ‘oh, your profits were stolen?’ bam, no taxes on those gains that are now sitting in a undisclosed wallet

    Edit: Loss harvesting was a bad word. You make 20k profit on crypto, and instead of realizing those gains, you “lose them”. There’s no realized profit. What ever that word is.. fraud maybe

  4. Starting to honestly think were wrong and not early anymore…

    Crypto needs a reckoning….This shits depressing man

  5. People really need to have a close look at the BankSocial multi chain wallet.

    The small additional cost for the extra security features is well worth it if you hold anything substantial.

    Secura Essentials is your round-the-clock wallet protection tool. Incoming, outgoing, and dApp connections are all monitored in real-time by AI/ML to reduce attacks on your wallet. In addition, we’ve partnered with companies like [Chainalysis]() to provide constant threat scanning of third party attacks on your wallet.

    With our patent pending Decentralized Recovery tool, you never have to worry about losing your key/passphrase again. Our evolutionary platform distributes key fragments to Credit Unions.


  6. https://support.ledger.com/hc/pt-br/articles/9038403790237-Revogar-compensações-ativas-com-revoke-cash?docs=true

    Go to ledger site and click at the revoke link there

    This thing should be easier

  7. When I read this every time I think how crazy all these possibilities are. How complex those systems and how you can just have tokens that allow other entities to access your stuff.
    While I sit here with a btc only wallet …

  8. Is there a way to see token approvals on Base? Revoke.cash wasn’t pulling them up last I checked.

  9. See, and here I thought usdt was the only one that you could get reversed with a lot of help from authorities.


    Did you talk to tether?

  10. Could this only happen with Eth smart contracts? New to crypto. But for people that just buy and hold, cold wallet, no need to give or revoke approvals correct? May be a dumb question but figured I’d ask.

  11. That’s why you should always use many wallets. It can be a pain in the ass but at least if you fuck up it won’t be everything.

  12. I’m really sorry for your loss. Please don’t use this wallet again. If your wallet is compromised, start a new wallet.

  13. Worthwhile remembering that a lot of people are successful in crypto because they aren’t smart enough to second guess putting thousands into random meme coins. Easy come, was go. You have to be immensely stupid not not just get a wallet drained once, but twice!

  14. The problem is not the contract it’s the people connecting wallets to frontends and signing transactions they don’t actually understand.

    If you knew how to interact directly with a contract you would know exactly what you were giving it approval to.

    Instead you rely on a dapp to abstract these interactions for you and that’s where the scamming happens. You place trust in a centralized system with closed source code you cannot verify. You also can’t because you’re a normie.

    Crypto is complicated and if you engage in it you understand that.

  15. Would think crypto wallets have a solution for this. Like requiring manual approval of transactions. Pretty much what exchanges do

  16. This post should say “terribly designed wallet allows free users funds to get drained”

  17. Thanks for sharing this post. Maybe wallet designers can make it a default to revoke all token approvals automatically every month or so.

    Users who are more sophisticated can choose to opt out of this automatic revoke.

    Think this might be able to help mitigate some of these wallet draining issues.

  18. Thanks for the thorough explanation… it is content like this what makes it worth this sub.

Comments are closed.