Ethereum Phishing (Uniswap Permit2) Hack 2026 — $1M Exploit Analysis

Trader lost ~$1M (999,999 USDT) after signing a malicious Uniswap Permit2 phishing message that granted attackers full wallet access; no protocol was hacked — a single bad signature caused the loss.

Details

Full Description

On July 9, 2026, a trader lost approximately $1M (999,999 USDT) after signing a malicious Uniswap Permit2 phishing message that granted attackers full wallet access. No protocol was hacked — the loss resulted from a single bad signature. Attackers retried after an initial failed $1M multicall, recalculating the exact balance 36 seconds later. A separate victim lost $196K in $VIRTUAL token via the same mechanism. Approval phishing has caused more than $1B in losses since 2021.

Laundering Analysis

Stolen USDT moved from victim wallet after Permit2 approval. A separate victim lost $196K in $VIRTUAL token via the same mechanism. No recovery reported at time of writing.

Sources

Transaction Hashes

Back to Browse