Pepe Holder Loses $1.4 Million in Uniswap Permit2 Phishing Attack

In a shocking incident, a holder of the PEPE token lost approximately $1.39 million in a phishing attack that exploited Uniswap's Permit2 feature. The victim unknowingly signed a malicious transaction, allowing the attacker to drain their wallet of various cryptocurrencies, including PEPE, Microstrategy (MSTR), and Apu (APU) tokens.

Key Takeaways

• A PEPE token holder lost $1.39 million due to a phishing attack.
• The attack exploited Uniswap's Permit2 feature, which allows multiple token approvals with a single signature.
• The stolen assets were transferred to a new wallet within an hour of the attack.
• This incident highlights the growing trend of phishing scams in the cryptocurrency space.

Understanding Permit2 Phishing Attacks

Uniswap introduced the Permit2 feature in 2022 to streamline token approvals and reduce gas fees. However, this convenience has also made it a target for scammers. In a typical Permit2 phishing attack, users are tricked into signing an off-chain signature that grants attackers access to their wallets.

Once the victim signs the malicious transaction, the scammer can execute two critical actions: Permit and Transfer From. This allows them to drain the victim's wallet without immediate detection, as the approval process occurs off-chain.

The Attack Details

According to cybersecurity firm ScamSniffer, the attack occurred on October 13, 2024. The victim's assets were transferred to a new wallet just an hour after the malicious transaction was signed. The stolen assets included:

• 108 billion PEPE tokens
• 73.8 million APU tokens
• 165,000 MSTR tokens

The rapid transfer of these assets underscores the efficiency of the phishing operation, which is becoming increasingly common in the crypto ecosystem.

The Rising Trend of Phishing Scams

This incident is not an isolated case. The cryptocurrency industry has seen a surge in phishing scams, particularly those exploiting the Permit2 feature. Just this month, there have been multiple reports of significant losses:

1. An investor lost 15,079 fwdETH (approximately $36 million) in a Permit phishing scam.
2. Another victim lost $2.47 million worth of Aave Ethereum sDAI in a similar attack.
3. In September, a user lost 12,083 spWETH valued at $32.43 million due to a fraudulent Permit2 signature.

Recommendations for Users

As the risk of phishing attacks continues to grow, users are urged to take precautions when signing transactions. Here are some recommendations:

• Verify Requests: Always check the legitimacy of any signature requests.
• Limit Approvals: Set limits on token approvals to minimize potential losses.
• Stay Informed: Keep up with the latest security practices in the crypto space.

Conclusion

The recent loss of $1.39 million by a PEPE token holder serves as a stark reminder of the vulnerabilities present in the cryptocurrency ecosystem. As scams become more sophisticated, users must remain vigilant and informed to protect their assets from potential threats.

Sources

• Pepe Holder Loses $1.4 Million in Uniswap Permit2 Phishing Attack - Decrypt, Decrypt.
• PEPE Holder Loses $1.39 Million in 'Permit2' Phishing Scam, The Crypto Times.
• Trader loses $1.28 million in Pepe and other Altcoins to Phishing attack   - Nairametrics, Nairametrics.
• PEPE Holder Loses $1.39 Million in ‘Permit2’ Phishing Scam: Guest Post by The Crypto Times | CoinMarketCap, CoinMarketCap.