In brief
- Signature phishing victims jumped more than 200% in January, with $6.27 million stolen, blockchain security firm Scam Sniffer warned.
- Despite the spike, total phishing losses in 2025 were sharply lower than in 2024.
- Cheaper Ethereum fees after the Fusaka upgrade have made phishing tactics like mass address poisoning attacks more attractive for scammers, researchers said.
Blockchain security firm Scam Sniffer is warning of a sharp spike in signature phishing, with losses totaling $6.27 million and 4,700 wallets drained in January—an increase of 207% from December.
Signature phishing occurs when attackers lure users to malicious decentralized applications that prompt them to sign off‑chain messages. While the requests appear harmless—such as approving a token deposit or listing an NFT—the signatures can instead authorize unlimited token spending or the transfer of NFTs, allowing attackers to later drain wallets.
Someone lost $12.25M in January by copying the wrong address from their transaction history. In December, another victim lost $50M the same way.
Two victims. $62M gone.
Signature phishing also surged — $6.27M stolen across 4,741 victims (+207% vs Dec).
Top cases:
· $3.02M —… pic.twitter.com/7D5ynInRrb
— Scam Sniffer | Web3 Anti-Scam (@realScamSniffer) February 8, 2026
The January surge contrasts with a broader decline in crypto phishing over the past year. Scam Sniffer reported total phishing losses of $83.85 million across 106,106 victims in 2025 on Ethereum and EVM-based chains, down 83% in value and 68% in victims compared with 2024.
Losses last month were highly concentrated. Two wallets accounted for roughly 65% of the total stolen through phishing and other attacks, including $3.02 million taken through a permit and increaseAllowance attack involving SLV and XAUt tokens, and $1.08 million drained via a permit attack.
Beyond signature phishing, Scam Sniffer pointed to address poisoning and permit scams as key contributors. Address poisoning attackers send tiny transactions, or dust, to targets using addresses that closely resemble legitimate ones the wallet has already interacted with. When users later copy an address from their transaction history, they may inadvertently send funds to an attacker-controlled lookalike address.
Ethereum’s Fusaka upgrade changes scam economics
Researchers said tactics like address poisoning have become more attractive following Ethereum’s Fusaka upgrade, which sharply reduced transaction fees. Blockchain researcher Andrey Sergeenkov found that new address creation surged last month, with one week seeing 2.7 million new addresses, about 170% above typical levels. He said roughly two-thirds of new addresses received less than $1 in stablecoins as their first transaction, consistent with large-scale address poisoning campaigns.
Sergeenkov argued that lower Ethereum fees have changed the economics of mass poisoning attacks. While conversion rates remain extremely low, the reduced cost of sending millions of dust transactions has made the strategy viable, with profits now coming from a small number of high-value mistakes.
In addition to ensuring users check transactions and make sure they understand what they are signing or where they are sending money, wallets are also trying to introduce features to limit the risk of attacks.
Tara Annison, head of product at Twinstake, said wallets are increasingly adding transaction simulations, clearer warnings and pre-execution checks to flag risky interactions. “Rabby does pre-execution simulation and will warn you if you’re interacting with known malicious smart contracts or if there’s hidden logic in the transaction,” she told_ Decrypt_.
Metamask, meanwhile, “gives you a nice big warning if the site you’re connecting to looks like a phishing website and includes human readable warnings if the transaction looks like it might be about to do something dodgy for your assets,” Annison said. She added wallets are placing security features like this “front and centre to avoid you signing something you shouldn’t.”
Decrypt has approached the Ethereum Foundation for comment.
Disclaimer: The information on this page may come from third parties and does not represent the views or opinions of Gate. The content displayed on this page is for reference only and does not constitute any financial, investment, or legal advice. Gate does not guarantee the accuracy or completeness of the information and shall not be liable for any losses arising from the use of this information. Virtual asset investments carry high risks and are subject to significant price volatility. You may lose all of your invested principal. Please fully understand the relevant risks and make prudent decisions based on your own financial situation and risk tolerance. For details, please refer to
Disclaimer.
Related Articles
Quantum threats arrive early? Google simulates a “9-minute crypto hijacking” scenario, with 6.9 million BTC facing a crisis
Google’s quantum AI team research indicates that the quantum computing power needed to break Bitcoin is far lower than expected, possibly less than 500,000 qubits. Research simulations show that hackers can intercept ongoing Bitcoin transactions within 9 minutes, and that about one-third of Bitcoin is stored in wallets that have already been exposed, increasing the risk of quantum attacks. While Bitcoin’s Taproot upgrade strengthens privacy, it also exposes public keys, increasing asset risk.
区块客48m ago
U.S. Charges Suspect in $54M Uranium Finance Exploit as DeFi Crackdown Intensifies
A Maryland man has been charged with exploiting vulnerabilities at Uranium Finance, resulting in a $54 million loss. Prosecutors allege he hacked the platform, laundered the funds through high-value collectibles, and could face decades in prison.
LiveBTCNews52m ago
Steakhouse Financial’s front-end system was hacked; users should be alert for phishing risks
DeFi risk management platform Steakhouse Financial was recently hacked, and its frontend system was used for phishing, but user funds were not affected. The attack stemmed from social engineering targeting the server provider, and Steakhouse will roll back the malicious changes and publish an incident report. Experts advise users to improve their security awareness and watch out for phishing risks.
GateNews1h ago
Archblock files for bankruptcy, alleging related-party transactions involving Justin Sun and fraud in Eastern Europe
Crypto firms Archblock, TrustToken, and TrueCoin have filed for bankruptcy due to financial devastation after Techteryx failed to pay invoices and was defrauded by an Eastern European criminal group. The company has also been involved in multiple legal disputes, facing tax issues and high-risk investment losses, highlighting potential risks in the stablecoin industry.
GateNews1h ago
SlowMist alert: The malicious versions 1.14.1 / 0.30.4 of axios have security risks. Please check and rotate credentials.
The Mist Security Team has issued a warning. axios@1.14.1 and axios@0.30.4 have been identified as malicious versions; they contain malicious payloads that can be delivered via an postinstall script. The impact on OpenClaw needs to be assessed by scenario. It is recommended that affected hosts immediately check and rotate credentials.
GateNews1h ago
Misty Fog Cosine: The OpenClaw 3.28 version may introduce a malicious axios dependency package
Gate News reports that on March 31, SlowMist founder Yu Xuan issued a security warning stating that the latest version 3.28 of OpenClaw may introduce a malicious axios dependency package, prompting users to conduct thorough inspections. Yu Xuan pointed out that, in addition to the risks directly associated with OpenClaw, related Skills may also rely on axios, leading to indirect contamination. Because axios is widely used, a comprehensive investigation is recommended. It is understood that this poisoning incident was detected in a timely manner.
GateNews2h ago
