According to blockchain security firm Scam Sniffer, someone recently lost 15,079 fwDETH ($35 million) after falling for a phishing scam.
The “allow” option was introduced with Ethereum Improvement Proposal (EIP) 2612, making it possible to perform token transfers without gas.
By signing a delegation off-chain, a token holder allows someone else to transfer tokens from the holder's account.
Typically, ERC-20 token transfers are a two-step process that consists of confirming the transaction on the blockchain by paying a gas fee and then transferring a certain number of tokens to another account. Thanks to the “allow” option, the transaction is signed off-chain. Aside from saving on gas fees, this makes transactions more user-friendly.
While adding more convenience and flexibility, the feature also opened up a new avenue for scammers to separate some uninitiated users from their money.
Token holders can be tricked into signing a malicious authorization, allowing an attacker to steal tokens from their wallet in broad daylight.
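As an added example (not from Scam Sniffer or the original article): EIP-2612 names this off-chain authorization `permit`, and a wallet receives it as an EIP-712 typed-data signing request. The JavaScript below shows how a wallet or browser extension could flag risky requests before the user signs; the function name, warning codes, one-hour threshold and sample addresses are assumptions made for illustration.

```javascript
// Added example: review an EIP-712 signing request and flag risky EIP-2612 permits.
const MAX_UINT256 = (1n << 256n) - 1n;
// Fields of the Permit struct defined by EIP-2612.
const PERMIT_FIELDS = ['owner', 'spender', 'value', 'nonce', 'deadline'];

// reviewSignRequest and its warning codes are hypothetical names, not a wallet API.
function reviewSignRequest(typedDataJson, opts = {}) {
  const { knownSpenders = [], maxTtlSec = 3600 } = opts;
  const nowSec = opts.nowSec ?? Math.floor(Date.now() / 1000);
  const td = JSON.parse(typedDataJson);
  if (td.primaryType !== 'Permit') return { isPermit: false, warnings: [] };

  const msg = td.message || {};
  const missing = PERMIT_FIELDS.filter((f) => msg[f] === undefined);
  if (missing.length > 0) return { isPermit: true, warnings: ['MALFORMED_PERMIT'] };

  const warnings = [];
  const allow = knownSpenders.map((a) => a.toLowerCase());
  // A spender the user has never dealt with would gain the right to move the tokens.
  if (!allow.includes(String(msg.spender).toLowerCase())) warnings.push('UNKNOWN_SPENDER');
  // The maximum uint256 value is the conventional "unlimited" allowance.
  if (BigInt(msg.value) === MAX_UINT256) warnings.push('UNLIMITED_VALUE');
  // A far-future deadline keeps the signature usable long after the site visit.
  if (BigInt(msg.deadline) - BigInt(nowSec) > BigInt(maxTtlSec)) warnings.push('LONG_DEADLINE');

  return {
    isPermit: true,
    token: td.domain && td.domain.verifyingContract, // token contract the permit applies to
    spender: msg.spender,
    warnings,
  };
}

// Constructed sample request; all addresses are placeholders, not real accounts.
const isAddr = (name) => name === 'owner' || name === 'spender';
const SAMPLE_REQUEST = JSON.stringify({
  types: { Permit: PERMIT_FIELDS.map((name) => ({ name, type: isAddr(name) ? 'address' : 'uint256' })) },
  primaryType: 'Permit',
  domain: { name: 'ExampleToken', version: '1', chainId: 1, verifyingContract: '0x' + '33'.repeat(20) },
  message: {
    owner: '0x' + '11'.repeat(20),
    spender: '0x' + '22'.repeat(20),
    value: MAX_UINT256.toString(),
    nonce: '0',
    deadline: '4102444800', // 2100-01-01 UTC
  },
});

console.log(reviewSignRequest(SAMPLE_REQUEST).warnings);
```

A request that produces any of these warnings is a token spending authorization, not a login or a free claim, and should be shown to the user as such before signing.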
According to Scam Sniffer, ERC-20 signature scams have emerged as the main type of phishing scam. It is worth noting that victims tend to be tricked into signing malicious transactions with the help of fake social media accounts.
The blockchain security firm previously exposed the Inferno Drainer group, which claimed tens of thousands of victims by creating phishing websites that mimicked popular crypto projects and luring users into making off-chain signatures.
In January, Scam Sniffer revealed that crypto users suffered losses of over $300 million in 2023 due to phishing scams.