According to GoPlus, a wallet was drained of $1.76 million in USDC after the user signed a malicious Permit transaction, highlighting the continued risk of approval-based phishing attacks.
GoPlus reported that a user lost $1.76 million in USDC after signing a malicious Permit transaction, with the transfer occurring about eight hours before the report. The new incident differs from the earlier March 15 case involving $720,108 in valBUSD and valTUSD linked to an increase allowance signature through a phishing email. Both incidents reflect how attackers can exploit token approval mechanisms to gain spending permission and move assets without directly taking control of the wallet.