Lost 51K, forgot to Revoke Approvals


Recently a victim was "re-phished" due to forgetting to revoke old approvals.

About 10 months ago, the victim approved a malicious signature and 37K in crypto assets was drained. Among the assets stolen were USDT and PRE tokens.

Instead of revoking token access or using a fresh wallet, the victim re-funded the wallet, losing another 51K in USDT.

Below is an image of the movements from the victim's wallet to the scammer wallets.

Above is a look inside the victim wallet of 0x6B099633b4b4F0eec2721f706B7F2a3b6D6c6a8F.

It sucks to lose funds once to a phishing scam. The 2nd time could have easily been prevented. If you're a victim of a phishing scam: ALWAYS REVOKE TOKEN APPROVALS. To be 100% safe, I recommend using a fresh wallet.

Below are the wallets of interest:

  • 0x6B099633b4b4F0eec2721f706B7F2a3b6D6c6a8F – Phished VICTIM Wallet
  • 0x37Df413291dCBAfbefFe78A9EB72abd913Bdc3d2 – Clean VICTIM Wallet
  • 0xFC4EAA4ac84D00f1C5854113581F881b42b4A745 – Scammer Wallet stole 51K (I posted about this one here a couple of weeks ago)
  • 0x34f0503AA6750f878f60Cb7B56D6B62E30489728 – Scammer Wallet stole 37K

How the First Scam Happened

The victim signed a malicious signature. The victim could have been scammed by a phishing website promising rewards, a fake airdrop or through other means. The point is, the victim gave approval to the scammer for token transfers.

Permit2 approvals allow scammers to spend an unlimited amount of your tokens. In this case, Inferno Drainer was used on the backend to do the dirty work of draining the victim's wallet of 31.3K of USDT and 5.5K PRE tokens.

Above is the Etherscan transaction receipt. The victim gave Unlimited Approval of USDT from his wallet of 0x6B099633b4b4F0eec2721f706B7F2a3b6D6c6a8F to the malicious contract of 0x0000553F880fFA3728b290e04E819053A3590000 (Inferno Drainer).

How Permit2 Works

Permit2 is a versatile smart contract designed for managing approvals in an intuitive way. Once users give it an unlimited approval, Permit2 opens up the possibility for further delegating permissions to other smart contracts.

I've talked about the downsides of Permit2 in previous posts. The upside is it provides less friction for the end user. The user doesn't need to send separate token approvals, and Permit2 enables gas-free signatures for the tokens.

Scammers can abuse this function because most users don't know what they are approving. Additionally, phishing websites can trick victims into giving scammers approval to multiple tokens at once through Permit2.

Drained a 2nd Time

Without revoking approval access, the scammer can go back for a 2nd helping of your crypto. I can see on-chain the victim sent 51.5K in USDT from his clean wallet to the phished wallet. About 3 days later, that 51.5K now belongs to the scammer.

Funds moved from Clean VICTIM Wallet to Phished VICTIM Wallet to Scammer Wallet.

The scammer still has USDT approval on the victim's wallet and was able to complete the transaction 10 months after the initial scam.

I posted about this wallet – 0xFC4EAA4ac84D00f1C5854113581F881b42b4A745 and its connection to Inferno Drainer about 2 and a half weeks ago. I'll post in the comments below.

How to Revoke All Token Approvals

The easiest and simplest way is to use revoke.cash. It's good practice to periodically check the permissions you allow on your wallet every few months.

Phishing scammers can be extremely sophisticated and expert tricksters. It's very easy to interact with a malicious contract without understanding the risks.

If you believe you've engaged with a malicious smart contract, you're going to want to immediately revoke all approvals.

Below are the steps:

  1. Go to revoke.cash
  2. Connect your wallet (Please make sure it's the actual revoke.cash!)
  3. Give authorization
  4. Revoke any approvals from unauthorized spenders.

submitted by /u/jbtravel84
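As an added example (not code from the original post), the Python below builds the read-only `eth_call` that checks whether a spender still holds an ERC-20 allowance on a wallet, and the `approve(spender, 0)` calldata that revokes it. The owner and spender are the addresses quoted in the post; the token address and the RPC reply are constructed placeholders, and the check covers direct ERC-20 approvals only, not allowances recorded inside the Permit2 contract.

```python
# ERC-20 function selectors: first 4 bytes of keccak256 of the signature.
ALLOWANCE_SELECTOR = "dd62ed3e"  # allowance(address,address)
APPROVE_SELECTOR = "095ea7b3"    # approve(address,uint256)
UNLIMITED = 2**256 - 1           # the value explorers display as "Unlimited"

OWNER = "0x6B099633b4b4F0eec2721f706B7F2a3b6D6c6a8F"    # phished wallet (from the post)
SPENDER = "0x0000553F880fFA3728b290e04E819053A3590000"  # approved spender (from the post)
TOKEN = "0x" + "11" * 20  # placeholder: substitute the token contract being audited

def word(address):
    """ABI-encode a 20-byte hex address as one left-padded 32-byte word."""
    raw = address[2:] if address[:2] in ("0x", "0X") else address
    raw = raw.lower()
    if len(raw) != 40 or any(c not in "0123456789abcdef" for c in raw):
        raise ValueError(f"not a 20-byte hex address: {address!r}")
    return raw.rjust(64, "0")

def allowance_request(token, owner, spender, req_id=1):
    """JSON-RPC eth_call body: how much of `token` may `spender` pull from `owner`?"""
    data = "0x" + ALLOWANCE_SELECTOR + word(owner) + word(spender)
    return {"jsonrpc": "2.0", "id": req_id, "method": "eth_call",
            "params": [{"to": token, "data": data}, "latest"]}

def decode_allowance(rpc_response):
    """Decode the single uint256 returned by allowance()."""
    result = rpc_response.get("result", "")
    if not result.startswith("0x") or len(result) != 66:
        raise ValueError(f"unexpected eth_call result: {result!r}")
    return int(result, 16)

def classify(allowance):
    """Label an allowance the way an approval checker would."""
    if allowance == 0:
        return "revoked"
    return "unlimited" if allowance == UNLIMITED else "limited"

def revoke_calldata(spender):
    """Calldata for approve(spender, 0); the owner sends it to the token contract."""
    return "0x" + APPROVE_SELECTOR + word(spender) + "0" * 64

if __name__ == "__main__":
    print(allowance_request(TOKEN, OWNER, SPENDER))
    constructed = {"jsonrpc": "2.0", "id": 1, "result": "0x" + "f" * 64}  # constructed reply
    print(classify(decode_allowance(constructed)))
    print(revoke_calldata(SPENDER))
```

Any non-zero result for a spender you do not recognise means that spender can still move the token, however long ago the approval was signed.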