- Scam Sniffer reports $6.27 million stolen in January through signature phishing, with 4,700 wallets affected and a 207% rise from December.
- Overall crypto phishing losses on Ethereum and EVM chains fell to $83.85 million in 2025, while cheaper fees after the Fusaka upgrade fuel address poisoning.
Blockchain security firm Scam Sniffer has reported a sharp resurgence in signature phishing, warning that attackers drained $6.27 million from 4,700 wallets in January alone. The figure represents a 207% jump in losses compared with December, and stands out against an overall decline in crypto phishing activity over the past year on Ethereum and other EVM-based networks. The firm’s latest data highlights how evolving tactics, cheaper on-chain activity, and uneven victim distribution are reshaping the threat landscape for digital asset holders.
How signature phishing drains wallets
In Scam Sniffer’s analysis, signature phishing involves luring users to malicious decentralized applications that ask them to sign off-chain messages. On the surface, these prompts can look like routine actions, such as confirming a token deposit or listing a non-fungible token for sale. The risk lies in the underlying permissions encoded in those signatures. Instead of merely approving a single transaction, a signature can silently authorize unlimited token spending or allow the transfer of NFTs, giving attackers a standing right to siphon assets at a later time without any additional confirmation from the victim.
The spike in January shows how effective these techniques have become despite increased awareness of crypto scams. According to Scam Sniffer, the stolen $6.27 million was not spread evenly across victims or attack types. Signature phishing formed a key part of a broader mix that also included permit-based attacks, address poisoning, and other approvals that opened the door to large-scale wallet draining. Two wallets, in particular, were hit exceptionally hard and accounted for about 65% of all funds lost last month through phishing and related exploits, underscoring how a small number of high-value incidents can dominate aggregate loss figures.
One of these major cases involved $3.02 million taken through a combined permit and increaseAllowance attack targeting SLV and XAUt tokens. In another incident, attackers used a permit mechanism to drain $1.08 million from a single victim. These attacks leverage token approval and permit standards that are widely used for legitimate decentralized finance operations, but which can be turned against users when they sign messages they do not fully understand.
Broader phishing trends and the role of Ethereum’s Fusaka upgrade
While January’s data shows a surge in signature phishing and related exploits, Scam Sniffer’s year-over-year figures indicate that overall crypto phishing has fallen sharply. Across Ethereum and EVM-based chains in 2025, the firm recorded total phishing losses of $83.85 million affecting 106,106 victims. Compared with 2024, that represents an 83% decline in the value stolen and a 68% drop in the number of victims. The contrast between long-term improvement and the recent monthly spike suggests that attackers are refining their methods rather than retreating from the space.
One key factor shaping current tactics is Ethereum’s Fusaka upgrade, which has significantly reduced transaction fees. Lower costs have altered the economics of several scam strategies, especially address poisoning. In that scheme, attackers send tiny “dust” transactions to potential victims, using addresses that closely resemble legitimate ones the wallet has previously interacted with. Later, when users copy an address from their transaction history to make a transfer, they may mistakenly choose the attacker’s near-identical address instead of the intended recipient, inadvertently sending funds to the scammer.
Blockchain researcher Andrey Sergeenkov has tracked how the Fusaka upgrade has influenced this behavior. He observed a sharp rise in new Ethereum addresses last month, with one week registering 2.7 million new addresses—around 170% above what is typically seen. Sergeenkov noted that about two-thirds of these new addresses received less than $1 in stablecoins in their first transaction, a pattern he described as consistent with industrial-scale address poisoning campaigns.
With transaction fees now markedly lower, sending millions of dust transfers has become financially feasible. Sergeenkov argued that while the proportion of victims remains very small relative to the number of targeted users, the cost to run such campaigns has dropped enough that a handful of large mistakes can yield meaningful profits. That logic applies not only to address poisoning but also to other low-cost, high-volume tactics, including the distribution of links and interactions that set up signature phishing attempts.
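A defensive check against the address poisoning scheme described above, as an added example that is not from Scam Sniffer, Sergeenkov, or any wallet vendor. It assumes "closely resemble" means matching leading and trailing hex characters, reuses the $1 figure from the article as a dust threshold, and uses constructed addresses and history entries.

```javascript
// Added example: spot poisoning dust in a wallet history and vet a recipient.
const EDGE = 4;     // assumption: compare the first and last 4 hex characters
const DUST_USD = 1; // assumption: threshold taken from the "<$1" pattern in the article

function normalize(addr) {
  const a = String(addr).toLowerCase();
  if (!/^0x[0-9a-f]{40}$/.test(a)) throw new Error("not a 20-byte hex address: " + addr);
  return a.slice(2);
}

// True when two distinct addresses share the same visible prefix and suffix.
function resembles(a, b) {
  const x = normalize(a), y = normalize(b);
  return x !== y && x.slice(0, EDGE) === y.slice(0, EDGE) && x.slice(-EDGE) === y.slice(-EDGE);
}

function paidBefore(history) {
  return history.filter(h => h.direction === "out").map(h => h.counterparty);
}

// Incoming dust whose sender imitates an address the wallet has paid before.
function findPoisonedEntries(history) {
  const paid = paidBefore(history);
  return history
    .filter(h => h.direction === "in" && h.amountUsd < DUST_USD)
    .map(h => ({ entry: h, imitates: paid.find(p => resembles(p, h.counterparty)) }))
    .filter(r => r.imitates !== undefined);
}

// Classify an address the user is about to send to.
function checkRecipient(candidate, history) {
  const paid = paidBefore(history);
  if (paid.some(p => normalize(p) === normalize(candidate))) return "previously-paid";
  if (paid.some(p => resembles(p, candidate))) return "lookalike";
  return "new";
}

// Constructed sample data (not real addresses).
const LEGIT = "0x1234" + "ab".repeat(16) + "9f3c";
const POISON = "0x1234" + "cd".repeat(16) + "9f3c";
const sampleHistory = [
  { direction: "out", counterparty: LEGIT, amountUsd: 2500 },
  { direction: "in", counterparty: POISON, amountUsd: 0.01 },
  { direction: "in", counterparty: "0x" + "77".repeat(20), amountUsd: 0.5 },
];
```

A "lookalike" verdict is the case where a wallet should force a full-address comparison instead of letting the user pick from history.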
Wallet defenses against signature phishing and other scams
As attackers refine tools such as signature phishing, address poisoning, and permit abuse, wallet developers are rolling out new protections aimed at reducing user exposure. Scam Sniffer’s findings point to a growing emphasis on both user education—encouraging people to read and understand what they are signing or where they are sending assets—and technical safeguards built into wallet interfaces.
Tara Annison, head of product at Twinstake, highlighted several of these defensive features. She noted that wallets increasingly offer transaction simulations, clearer warnings, and pre-execution checks designed to surface hidden risks before a user confirms an action. According to Annison, the Rabby wallet conducts pre-execution simulations and alerts users if they appear to be interacting with a known malicious smart contract or if the transaction contains concealed logic that might result in unexpected token movements. This approach aims to bridge the gap between complex on-chain operations and what a user can reasonably understand from a typical transaction prompt.
MetaMask has also added protections that focus on both phishing detection and transaction clarity. Annison said the wallet displays prominent warnings when a connected site appears to resemble a phishing page. It also includes human-readable alerts if a pending transaction seems poised to perform actions that could be harmful to the user’s assets, such as granting unusually broad spending permissions. She emphasized that these security measures are being placed more prominently within wallet interfaces so they are visible at the moment of decision, reducing the chance that users will authorize something they did not intend.
These wallet-level initiatives complement broader advice often given to crypto holders, including carefully checking transaction details, verifying recipient addresses, and taking time to confirm what an off-chain signature actually permits. While phishing and permit-based theft rely heavily on user error or inattention, the combination of better design, simulations, and explicit risk flags may limit how easily attackers can turn deceptive prompts into large thefts.
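To make "what an off-chain signature actually permits" concrete, the following added example (not code from Rabby, MetaMask, or Scam Sniffer) reviews an EIP-2612 Permit signing request and produces the kind of human-readable warnings described above. The function name, the one-hour lifetime policy, the trusted-spender list, and the sample request are assumptions constructed for illustration.

```javascript
// Added example: review an EIP-712 signing request before the user signs it.
const MAX_UINT256 = (1n << 256n) - 1n;
const MAX_LIFETIME = 3600n; // assumed policy: permits valid for over an hour are flagged

// Constructed request, shaped like the JSON a dApp passes to eth_signTypedData_v4.
const sampleRequest = {
  primaryType: "Permit",
  domain: { name: "ExampleToken", version: "1", chainId: 1,
            verifyingContract: "0x" + "11".repeat(20) },
  message: {
    owner: "0x" + "aa".repeat(20),
    spender: "0x" + "bb".repeat(20),
    value: MAX_UINT256.toString(),
    nonce: "0",
    deadline: MAX_UINT256.toString(),
  },
};

// Returns human-readable warnings; an empty array means no rule fired.
function reviewSigningRequest(req, trustedSpenders, nowSeconds) {
  if (req.primaryType !== "Permit") {
    return ["unrecognized typed data: cannot tell what this signature authorizes"];
  }
  const { spender, value, deadline } = req.message;
  const token = req.domain.verifyingContract;
  const warnings = [];
  if (BigInt(value) === MAX_UINT256) {
    warnings.push(`unlimited allowance on token ${token} for ${spender}`);
  }
  if (BigInt(deadline) - BigInt(nowSeconds) > MAX_LIFETIME) {
    warnings.push("permit stays valid for more than one hour");
  }
  if (!trustedSpenders.has(spender.toLowerCase())) {
    warnings.push(`spender ${spender} is not on the trusted list`);
  }
  return warnings;
}
```

The sample request trips all three rules; the same message with a bounded value, a near deadline, and a trusted spender returns no warnings.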
Conclusion
Scam Sniffer’s latest data shows that, even as total crypto phishing losses on Ethereum and EVM-based networks have fallen steeply since 2024, signature phishing and related approval exploits remain a significant and evolving threat. January’s $6.27 million in losses, concentrated heavily in just two high-value cases, illustrates how a small number of targeted attacks can outweigh broader progress in user awareness and platform security. Ethereum’s Fusaka upgrade, by lowering transaction fees, has simultaneously enabled more cost-effective mass campaigns such as address poisoning, pushing attackers toward strategies that rely on volume and rare but lucrative mistakes. In response, wallets are adding simulations, warnings, and pre-execution checks to help users spot risky interactions before they sign. How effectively these measures can contain signature phishing and other scams will likely shape the next phase of security on Ethereum and across the broader EVM ecosystem.
Disclaimer
The information provided in this article is for informational purposes only and should not be considered financial advice. The article does not offer sufficient information to make investment decisions, nor does it constitute an offer, recommendation, or solicitation to buy or sell any financial instrument. The content is the opinion of the author and does not reflect any view, suggestion, or advice of any kind from CryptoNewsBytes.com. The author declares that he does not hold any of the above-mentioned tokens and has not received any incentive from any company.

