A cryptocurrency user lost $908,551 in USDC on August 2, 2025, more than a year after unknowingly approving a malicious smart contract. The approval, signed on April 30, 2024, gave the attacker unlimited access to the wallet’s funds. For 458 days, the hacker waited silently until the wallet balance grew large enough to steal.
The stolen USDC was sent to an address linked to pink-drainer.eth, a known phishing operator. This case highlights the dangers of unchecked wallet permissions and the growing trend of delayed crypto thefts.
How the Attack Unfolded
The victim first approved a fake smart contract on April 30, 2024, likely through a phishing site or fraudulent airdrop. At the time, the wallet held little to no funds, giving the attacker no reason to act immediately. The scammer remained dormant, watching for a large deposit.
On July 2, 2025, the victim transferred $762,397 in USDC from a MetaMask wallet to the compromised address. Just 10 minutes later, another $146,154 was moved from Kraken into the same wallet. The attacker waited another month before making a move.
Finally, on August 2, 2025, at 4:57 a.m. UTC, the hacker executed the theft in a single transaction. The stolen funds were sent to a wallet flagged as “Fake_Phishing322880”, which has been tied to previous phishing scams.
Read also: From a Zip File to Catastrophe: Radiant’s $50M Hack Explained
Why the Delay Made the Attack Effective
Unlike typical hacks that rely on stealing private keys, this scam exploited an old but still-active token approval. ERC-20 token approvals allow third-party contracts to access funds without requiring further permission. Once granted, these approvals do not expire unless manually revoked.
The attacker’s patience paid off. By waiting over a year, they ensured the victim had forgotten about the approval. Since the wallet appeared inactive for months, the victim had no reason to suspect a threat. Only when a large sum was deposited did the hacker strike.
This method shows how scammers are adapting. Instead of rushing to drain small amounts, they wait for the perfect moment. The 458-day gap between approval and theft is one of the longest delays recorded in such cases.
Growing Trend of Dormant Crypto Scams
This incident is part of a larger pattern in crypto theft. In July 2025 alone, over $142 million was stolen in 17 separate incidents, ranging from phishing scams to exchange breaches. While most attacks happen quickly, delayed scams like this one demonstrate a shift in strategy.
Security experts from Scam Sniffer and Etherscan warn users to regularly review and revoke old approvals. Tools like Revoke.cash and Etherscan’s Token Approval Checker can help identify and cancel unused permissions. While revoking approvals costs a small gas fee, it is far cheaper than losing hundreds of thousands.
The best defense is limiting approvals to trusted contracts and revoking unnecessary permissions immediately after use. Users must stay vigilant, as attackers now play the long game, exploiting forgotten approvals rather than relying on brute-force methods.
