Approval Phishing

Definition

Approval phishing is a crypto scam that tricks you into granting a smart contract permission to move your tokens or NFTs from your wallet.

What is approval phishing?

Approval phishing is a wallet-based scam where an attacker convinces you to sign an on-chain permission—often a token approval or NFT operator approval—that lets their address or contract transfer assets later without asking again. Instead of stealing your seed phrase, the scam abuses normal wallet prompts (“connect,” “sign,” “approve”) to obtain consent that looks routine. It is a core pattern among crypto wallet scams because the transaction you sign is valid and irreversible even though the intent behind it was deceptive.

How approval phishing works

At a high level, approval phishing works by separating the moment you grant permission from the moment funds are stolen. A malicious site might advertise an airdrop, a support fix, or a mint, then prompt you to “approve” or “sign to continue.” Nothing obvious leaves your wallet immediately, so it feels safe. But the approval you just granted can act like a standing authorization: the attacker (or an automated “drainer” contract) can later call a transfer function and pull assets that fall under that permission. This is why victims often notice losses hours or days later and struggle to connect the theft to the earlier click.

Token approval phishing

Token approval phishing specifically targets ERC-20 style permissions. Many tokens require you to grant a smart contract an allowance before it can spend on your behalf (for example, when swapping on a DEX). Scammers mimic that familiar flow and trick you into approving their contract instead of a legitimate one. The dangerous version is an “unlimited” allowance, where the spender can move up to your entire balance now and in the future. Some campaigns also use signature-based approvals such as Permit2, where you sign a message that the attacker can later submit on-chain to activate spending rights. Because the wallet prompt may not clearly show the spender address or the amount, token approval phishing often succeeds even with cautious users.

Allowance phishing

Allowance phishing is essentially the same attack described from the perspective of what’s being abused: the allowance (the numeric limit that defines how much a spender can transfer). The scammer’s goal is to get an allowance that is (1) large enough to be worth stealing and (2) broad enough to keep working after you receive more funds. In practice, the attacker monitors your wallet and triggers transfers when your balance increases, making the theft feel “mysterious.” This also overlaps with signature phishing, where the trick is to obtain a signature that authorizes spending or sets an operator, even if you never send a traditional “approve” transaction. If you suspect you’ve granted a bad allowance, the key mitigation is to revoke approval for the suspicious spender so future transfers fail.
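As an added example (not code from the original article), the Python below shows the allowance review and revocation described in the two sections above: it replays a wallet's ERC-20 Approval events in the shape returned by eth_getLogs, keeps only allowances still in force, flags unlimited allowances and spenders outside a user-maintained allowlist, and builds the calldata for the revoke transaction approve(spender, 0). All addresses, log entries and the trusted-spender list are constructed for illustration.

```python
# Added example, not from the original article: replay a wallet's ERC-20 Approval events,
# keep only the allowances still in force, flag the risky ones, and build the calldata for
# the revoke transaction approve(spender, 0). Addresses and logs below are constructed.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED = 2**256 - 1          # the value an "unlimited approval" button actually sets
APPROVE_SELECTOR = "095ea7b3"   # first 4 bytes of keccak256("approve(address,uint256)")

def topic_to_address(topic):
    return "0x" + topic[-40:].lower()   # indexed address = last 20 bytes of the 32-byte topic
def pad32(addr):
    return "0x" + addr[2:].lower().rjust(64, "0")

def current_allowances(logs, owner):
    """Later Approval events for the same (token, spender) overwrite earlier ones, so the
    replay must follow chain order; allowances reduced to 0 (revoked) are dropped."""
    owner, live = owner.lower(), {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        if log["topics"][0] != APPROVAL_TOPIC or topic_to_address(log["topics"][1]) != owner:
            continue
        live[(log["address"].lower(), topic_to_address(log["topics"][2]))] = int(log["data"], 16)
    return {k: v for k, v in live.items() if v > 0}

def risky_allowances(allowances, trusted_spenders):
    """Flag unlimited allowances and spenders outside the user's own allowlist."""
    trusted = {s.lower() for s in trusted_spenders}
    flagged = {}
    for (token, spender), value in allowances.items():
        reasons = (["unlimited"] if value == UNLIMITED else []) + \
                  (["unknown spender"] if spender not in trusted else [])
        if reasons:
            flagged[(token, spender)] = reasons
    return flagged

def revoke_calldata(spender):
    """ABI-encode approve(spender, 0): selector, 32-byte padded address, 32-byte zero."""
    return "0x" + APPROVE_SELECTOR + pad32(spender)[2:] + "0" * 64

# Constructed sample data: one token, a legitimate DEX router and a phishing "drainer".
OWNER, TOKEN = "0x" + "11" * 20, "0x" + "44" * 20
ROUTER, DRAINER = "0x" + "22" * 20, "0x" + "33" * 20
SAMPLE_LOGS = [
    {"address": TOKEN, "blockNumber": 100, "logIndex": 3, "data": "0x" + "f" * 64,   # unlimited
     "topics": [APPROVAL_TOPIC, pad32(OWNER), pad32(DRAINER)]},
    {"address": TOKEN, "blockNumber": 101, "logIndex": 0, "data": "0x" + hex(1000)[2:].rjust(64, "0"),
     "topics": [APPROVAL_TOPIC, pad32(OWNER), pad32(ROUTER)]},
    {"address": TOKEN, "blockNumber": 102, "logIndex": 7, "data": "0x" + "0" * 64,   # revoked
     "topics": [APPROVAL_TOPIC, pad32(OWNER), pad32(ROUTER)]},
]

if __name__ == "__main__":
    for (token, spender), why in risky_allowances(current_allowances(SAMPLE_LOGS, OWNER), [ROUTER]).items():
        print(f"token {token} spender {spender}: {', '.join(why)} -> send {revoke_calldata(spender)}")
```

The same replay logic applies to ERC-721/1155 ApprovalForAll events (operator approvals), with the boolean in the data field replacing the numeric allowance.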

Why approval phishing matters

Approval phishing matters because it turns a single moment of confusion into ongoing, programmable access to your assets—without compromising your private keys. That makes it scalable for attackers and hard for victims to dispute: the blockchain will treat the transfer as authorized if the permission exists. It also undermines user trust in everyday DeFi actions like swaps and mints, since legitimate apps use the same approval mechanics. The best defense is understanding that “approve” is not a harmless step, routinely reviewing permissions, and removing anything you don’t recognize—habits that sit at the center of crypto wallet scams and how to avoid them.

Frequently Asked Questions

How is approval phishing different from regular phishing?

Regular phishing typically tries to steal secrets like passwords or seed phrases. Approval phishing tricks you into authorizing a permission on-chain, so the attacker can move assets using a valid approval rather than stolen credentials.

Can approval phishing drain my wallet without my seed phrase?

Yes. If you granted a malicious contract permission to spend tokens or manage NFTs, it can transfer those assets without needing your seed phrase, as long as the approval remains active.

What is an unlimited token approval and why is it risky?

An unlimited approval sets the allowance to a very large number so a contract can spend repeatedly without new approvals. If the spender is malicious or later compromised, it can drain your tokens up to your full balance.

How do I know if I should revoke approvals?

Revoke approvals you don’t recognize, no longer need, or that were granted to suspicious sites, airdrops, or “support” links. If you interacted with a questionable dApp, revoking quickly reduces the chance of a delayed drain.

Does Permit2 make approval phishing better or worse?

Permit2 can improve UX by enabling signature-based permissions, but it also creates another consent surface attackers can exploit. The risk depends on what you sign and who can submit that signed permission on-chain.
