Warning! User loses 12 Aave LBTC due to signing malicious permissions, with losses exceeding one million

LiquidityWitch · 2026-01-03T13:20:11+00:00

A user was deceived when signing a permission, losing 12 Aave Ethereum LBTC tokens worth over $1.08 million. The attacker forged a signature to obtain asset authorization, then exchanged and laundered the assets. Users are reminded to verify the contract address and authorization amount before signing to prevent phishing scams.

LiquidityWitch

2026-01-03 13:20:11

Abstract generation in progress

【ChainNews】A user fell into a trap when signing what appeared to be a normal “permission.” According to on-chain monitoring, this user was inexplicably robbed of 12 Aave Ethereum LBTC (aEthLBTC), with a loss of over 1.08 million RMB.

The attack method is not particularly complicated—phishing groups forge permission signatures to deceive users into granting asset authorization, then act quickly. They did not choose to sell directly but first exchanged aEthLBTC for ETH, then laundered the funds through the mixing service Tornado Cash. This combination makes tracking the funds much more difficult.

Although this type of attack is not a common advanced technique in the industry, it poses a deadly threat to ordinary users. Reminder: before signing any transaction permission, always carefully verify the contract address and authorization amount, and do not grant permissions blindly. The phishing group’s trick is to exploit everyone’s carelessness.

AAVE-1,37%

ETH1%

View Original

This page may contain third-party content, which is provided for information purposes only (not representations/warranties) and should not be considered as an endorsement of its views by Gate, nor as financial or professional advice. See Disclaimer for details.

21 Likes

Reward
21
9
Repost
Share

Comment

0/400

StealthMoon

· 18h ago

It's the same old trick again, signing a permission and it's gone, hard to handle --- Is 1.08 million really gone? Oh my god, looks like I need to install a wallet guard --- Signature permissions are really deadly, every time you have to stare closely at the contract address --- Tornado Cash has done it again, mixing services are always a good helper for money laundering --- Honestly, for ordinary people, playing on the chain is just gambling with luck, hard to guard against --- Signing for a dozen or more tokens, this is why I never dare to connect to unknown contracts --- Phishing gangs' tactics are not complicated, but they are always effective, human weakness --- Wake up everyone, be sure to check the authorized amount carefully, don't do those crazy unlimited authorization operations

View OriginalReply0

RugPullAlarm

· 22h ago

It's the same old trick, forging permission signatures. The 1.08 million dollars are gone just like that, and the on-chain data is crystal clear. First swap to ETH and then go into Tornado Cash for mixing. These people are really bad at their methods, but some people still fall for it. To be honest, ordinary users can't see through these traps. The key is to develop a habit: always check the contract address before granting permissions, or you'll get rug pulled sooner or later.

View OriginalReply0

DegenWhisperer

· 01-03 13:50

It's the same old story with permission signatures, 1.08 million gone... Still need to be more cautious. --- Tornado Cash money laundering trick is really clever; funds seem to evaporate as soon as they go in. --- Honestly, phishing schemes are low-level but hard to defend against. Who can guarantee they won't slip up? --- 12 aEthLBTC tokens lost just like that. That's why I never authorize large amounts; I prefer to pay a few extra gas fees. --- Even after verifying the contract address, I still got caught. This guy must be pretty frustrated. --- Mixer services are truly a paradise for bad actors; no wonder on-chain analysis is becoming more difficult. --- It seems phishing scammers are also evolving, from tricking newbies to deceiving experienced users. --- Every time they say to check carefully, but in the end, someone still gets exploited... human nature.

View OriginalReply0

MevWhisperer

· 01-03 13:49

Coming back with this again? Be careful with licenses, they can really ruin you. Just signing your name and losing over a million, can't even laugh about it, brother. Tornado Cash disappeared after a wash, these people really know how to play. Honestly, you don't even verify the contract address? No wonder. Ordinary people getting exploited like this, how can the ecosystem still be trusted?

View OriginalReply0

WagmiAnon

· 01-03 13:37

It's the same old trick of permission signing... Losing $1.08 million just like that, it hurts to watch.

View OriginalReply0

LiquidatedAgain

· 01-03 13:36

Getting liquidated again? No, this time it was directly caught in a phishing trap. 1.08 million dollars just disappeared, and these risk control points are useless... You can get liquidated just by signing a permission, it's really absurd.

View OriginalReply0

ApeEscapeArtist

· 01-03 13:34

Damn, it's that licensing signature again… It's really too easy to fall for --- $1.08 million just gone, oh my, how careless can you be --- Tornado Cash is still laundering money? These guys really know how to play --- Not even verifying the contract address? No wonder you got rug pulled --- After all, it's just a licensing scam again, Web3 is really this annoying --- First exchange to ETH and then wash coins, this process is a bit professional --- The key is most people won't check if the contract address is correct… --- 12 LBTC, huh? This loss is a bit outrageous --- Can rug services really not be prevented? --- It's called a warning in a nice way, but in fact, most people will still get caught

View OriginalReply0

MetaverseHobo

· 01-03 13:23

Here we go again, this kind of basic phishing... one careless move and you could lose assets worth millions. Be really careful with permission signing; it's not always recoverable. Tornado Cash got caught in the crossfire again haha

View OriginalReply0

LiquidationAlert

· 01-03 13:21

Another sucker, signing permits without even checking the address? 1.08 million just gone like that, I feel sorry for him. --- Tornado Cash's combo punch is indeed lethal; once you mix coins, it's basically impossible to recover them. Web3 is just this thrilling. --- Honestly, it's greed. There's no such thing as a free lunch. Taking an extra look before signing can really save your ass. --- It's always the same trick. Phishing gangs are almost industrialized. When will we see effective protection measures? --- This guy really is, clearly operating on common sense, yet some still walk right into the gunfire. --- Mixing services are still in the wild state. It would take highly advanced compliance checks to truly eliminate the problem. --- This makes me think of those one-click authorization projects. Truly daring to click "Agree" on everything—commendable courage.

View OriginalReply0