In brief
- Signature phishing victims jumped more than 200% in January, with $6.27 million stolen, blockchain security firm Scam Sniffer warned.
- Despite the spike, total phishing losses in 2025 were sharply lower than in 2024.
- Cheaper Ethereum fees after the Fusaka upgrade have made phishing tactics like mass address poisoning attacks more attractive for scammers, researchers said.
Blockchain security firm Scam Sniffer is warning of a sharp spike in signature phishing, with losses totaling $6.27 million and 4,700 wallets drained in January—an increase of 207% from December.
Signature phishing occurs when attackers lure users to malicious decentralized applications that prompt them to sign off‑chain messages. While the requests appear harmless—such as approving a token deposit or listing an NFT—the signatures can instead authorize unlimited token spending or the transfer of NFTs, allowing attackers to later drain wallets.
Someone lost $12.25M in January by copying the wrong address from their transaction history. In December, another victim lost $50M the same way.
Two victims. $62M gone.
Signature phishing also surged — $6.27M stolen across 4,741 victims (+207% vs Dec).
Top cases:
· $3.02M —… pic.twitter.com/7D5ynInRrb
— Scam Sniffer | Web3 Anti-Scam (@realScamSniffer) February 8, 2026
The January surge contrasts with a broader decline in crypto phishing over the past year. Scam Sniffer reported total phishing losses of $83.85 million across 106,106 victims in 2025 on Ethereum and EVM-based chains, down 83% in value and 68% in victims compared with 2024.
Losses last month were highly concentrated. Two wallets accounted for roughly 65% of the total stolen through phishing and other attacks, including $3.02 million taken through a permit and increaseAllowance attack involving SLV and XAUt tokens, and $1.08 million drained via a permit attack.
Beyond signature phishing, Scam Sniffer pointed to address poisoning and permit scams as key contributors. Address poisoning attackers send tiny transactions, or dust, to targets using addresses that closely resemble legitimate ones the wallet has already interacted with. When users later copy an address from their transaction history, they may inadvertently send funds to an attacker-controlled lookalike address.
Ethereum’s Fusaka upgrade changes scam economics
Researchers said tactics like address poisoning have become more attractive following Ethereum’s Fusaka upgrade, which sharply reduced transaction fees. Blockchain researcher Andrey Sergeenkov found that new address creation surged last month, with one week seeing 2.7 million new addresses, about 170% above typical levels. He said roughly two-thirds of new addresses received less than $1 in stablecoins as their first transaction, consistent with large-scale address poisoning campaigns.
Sergeenkov argued that lower Ethereum fees have changed the economics of mass poisoning attacks. While conversion rates remain extremely low, the reduced cost of sending millions of dust transactions has made the strategy viable, with profits now coming from a small number of high-value mistakes.
In addition to ensuring users check transactions and make sure they understand what they are signing or where they are sending money, wallets are also trying to introduce features to limit the risk of attacks.
Tara Annison, head of product at Twinstake, said wallets are increasingly adding transaction simulations, clearer warnings and pre-execution checks to flag risky interactions. “Rabby does pre-execution simulation and will warn you if you’re interacting with known malicious smart contracts or if there’s hidden logic in the transaction,” she told_ Decrypt_.
Metamask, meanwhile, “gives you a nice big warning if the site you’re connecting to looks like a phishing website and includes human readable warnings if the transaction looks like it might be about to do something dodgy for your assets,” Annison said. She added wallets are placing security features like this “front and centre to avoid you signing something you shouldn’t.”
Decrypt has approached the Ethereum Foundation for comment.
Disclaimer: The information on this page may come from third parties and does not represent the views or opinions of Gate. The content displayed on this page is for reference only and does not constitute any financial, investment, or legal advice. Gate does not guarantee the accuracy or completeness of the information and shall not be liable for any losses arising from the use of this information. Virtual asset investments carry high risks and are subject to significant price volatility. You may lose all of your invested principal. Please fully understand the relevant risks and make prudent decisions based on your own financial situation and risk tolerance. For details, please refer to
Disclaimer.
Related Articles
Fake Police Officers Held French Couple at Knifepoint in $1M Bitcoin Robbery
Three suspects posing as police officers attacked a couple in Versailles, forcing them to transfer approximately €900,000 in Bitcoin. French authorities confirm the theft and are investigating the growing trend of violent robberies targeting crypto holders.
Decrypt3m ago
Korean inspection theft: 320 Bitcoins "found and recovered," quickly cashed out for $21.5 million to pay the national treasury
Gwangju District Prosecutors Office in South Korea recently sold 320.8 Bitcoin seized, cashing out 31.6 billion Korean Won. This batch of Bitcoin originally came from investigations into illegal gambling platforms from 2018 to 2021. Although there was an incident where Bitcoin was stolen by hackers due to a public official's mistake, the hackers later returned the Bitcoin. Authorities have conducted investigations and also discovered other cases of seized Bitcoin going missing.
区块客29m ago
French couple robbed at knifepoint by fake police during home invasion, forced to transfer approximately $1 million worth of Bitcoin
On March 10th, a French couple was attacked at home by three fake police officers armed with knives, forcing them to transfer approximately 900,000 euros worth of Bitcoin. The couple was injured and tied up, and the assailants fled. This case is the latest example of a "wrench attack" in cryptocurrency. Several similar incidents have occurred in France this year.
GateNews36m ago
National Internet Emergency Center issues OpenClaw security application risk warning, proposing four protective measures
The National Internet Emergency Center has issued a risk alert, as improper use of the OpenClaw agent has led to security vulnerabilities. Users are advised to strengthen network controls, enhance credential management, strictly regulate plugin sources, and stay updated on security updates to ensure safe application.
GateNews1h ago
Cosmos has disclosed a security vulnerability affecting some EVM Stack blockchains; the Saga chain has released a patch.
Gate News Announcement: On March 10, Cosmos Labs disclosed on the X platform that a recent security vulnerability affecting some blockchains built on Cosmos EVM Stack has been discovered. The vulnerability involves related functional modules and has impacted Layer 1 blockchains in the production environment.
GateNews1h ago
OpenClaw AI remains vulnerable after update; China Academy of Information and Communications Technology issues alert
Gate News Announcement, March 10th, experts from the China Academy of Information and Communications Technology issued a safety warning regarding the recently popular open-source AI agent OpenClaw (commonly known as "Lobster"). The experts pointed out that although the agent has been updated to the latest version and can fix known security vulnerabilities, this does not mean that all security risks have been completely eliminated. Previously, the Ministry of Industry and Information Technology's Cybersecurity Threat and Vulnerability Information Sharing Platform had issued related security risk alerts. (CCTV News)
GateNews2h ago
