Approval Phishing
A crypto scam that tricks victims into signing a token-approval transaction that names an attacker-controlled address as the spender of their tokens (an unlimited ERC-20 allowance, or operator rights over every NFT in a collection), so the scammer can drain those holdings whenever they choose.
Also known as: token approval scam, ERC-20 approval fraud, setApprovalForAll scam
Last reviewed: 1 June 2026
In cryptocurrency ecosystems, interacting with decentralised applications (dApps) often requires granting token approvals: permissions, recorded on chain per token contract, that allow a spender address (normally the dApp's contract) to move tokens on your behalf. Approval phishing abuses this mechanism by tricking the user into signing an approval whose spender is an address the attacker controls, typically with an unlimited allowance (approve(spender, 2^256-1) on an ERC-20 token) or blanket operator rights (setApprovalForAll(operator, true) on an ERC-721 or ERC-1155 collection).
The victim is typically directed to a fake dApp interface (a cloned DeFi platform, a fake NFT minting site, or a malicious link sent via social media or Discord) that presents a legitimate-looking transaction request. The victim signs what appears to be a routine interaction, but the approval lets the attacker's address call transferFrom on the victim's entire balance of that token, or on every NFT in that collection, at any later time and without any further signature from the victim, until the approval is revoked.
Unlike immediate wallet drains, approval phishing can be a sleeper attack: the approval stays in force until it is revoked, so the attacker may wait until the wallet's balance increases before executing the drain, and tokens deposited after the approval was granted are exposed as well. Victims should regularly audit token approvals using tools that list active permissions and revoke any that are unknown or no longer needed; revoking is itself an on-chain transaction (approve(spender, 0) for an ERC-20 allowance, setApprovalForAll(operator, false) for an NFT collection) and costs gas. Before signing any approval, check that the spender matches the contract address the dApp publishes and that the amount is no larger than the interaction needs; a site that demands an unlimited allowance for a small action is a warning sign. Hardware wallets require the transaction to be confirmed on the device, and a wallet that decodes the call shows the spender and amount, which makes it harder to sign an approval without understanding it; a raw hex blob the wallet cannot decode deserves the same suspicion.
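As an added illustration of the approval call and the revocation described above (this is example code written for this entry, not code from the original page or from any wallet or dApp), the following JavaScript decodes the calldata of a pending EVM transaction, flags an unlimited approve or a setApprovalForAll(operator, true) that names a spender the dApp does not publish, and builds the transaction that revokes it. The four-byte function selectors are the real ERC-20 and ERC-721/ERC-1155 ones; the token, router and attacker addresses, the balance and the sample transactions are constructed for the example. It runs under Node.js with no dependencies.

```javascript
// Added example (not part of the original entry): a pre-signing check that decodes the
// calldata of a pending EVM transaction, flags dangerous token approvals, and builds the
// matching revocation. Selectors are the first 4 bytes of keccak256 of the canonical
// function signature; the addresses, balance and transactions below are constructed.
const SELECTORS = {
  '095ea7b3': 'approve(address,uint256)',           // ERC-20: set allowance for a spender
  '39509351': 'increaseAllowance(address,uint256)',  // OpenZeppelin ERC-20: add to allowance
  'a22cb465': 'setApprovalForAll(address,bool)',     // ERC-721 / ERC-1155: operator over all tokens
};
const MAX_UINT256 = (1n << 256n) - 1n;  // the "unlimited" allowance phishing pages ask for

// ---- minimal ABI helpers (these calls only use static 32-byte words) ----
const pad32 = (hex) => hex.replace(/^0x/i, '').toLowerCase().padStart(64, '0');
const encodeCall = (selector, ...args) => '0x' + selector + args.map(pad32).join('');
const encodeApprove = (spender, amount) => encodeCall('095ea7b3', spender, amount.toString(16));
const encodeSetApprovalForAll = (operator, on) => encodeCall('a22cb465', operator, on ? '1' : '0');

function word(data, i) {  // i-th 32-byte argument word after the 4-byte selector
  const w = data.slice(8 + 64 * i, 8 + 64 * (i + 1));
  if (w.length !== 64) throw new Error(`calldata too short for argument ${i}`);
  return w;
}

// Returns null for calls that are not approvals; otherwise the decoded spender and scope.
function decodeApproval(calldata) {
  const data = calldata.replace(/^0x/i, '').toLowerCase();
  const fn = SELECTORS[data.slice(0, 8)];
  if (!fn) return null;
  const spender = '0x' + word(data, 0).slice(24);  // an address is the low 20 bytes of its word
  if (fn.startsWith('setApprovalForAll')) {
    return { fn, spender, approved: BigInt('0x' + word(data, 1)) !== 0n };
  }
  // For increaseAllowance the figure is an increment on top of any existing allowance.
  return { fn, spender, amount: BigInt('0x' + word(data, 1)) };
}

// Decide whether a transaction request should be signed. trustedSpenders is the list of
// contract addresses the dApp publishes; balance is the wallet's holding of tx.to's token.
function assessApproval(tx, { trustedSpenders = [], balance = null } = {}) {
  const approval = decodeApproval(tx.data);
  if (!approval) return { verdict: 'not_an_approval', approval: null, findings: [] };
  if (approval.amount === 0n || approval.approved === false) {
    return { verdict: 'revocation', approval, findings: [] };  // approve(x, 0) / setApprovalForAll(x, false)
  }
  const findings = [];
  if (!trustedSpenders.some((a) => a.toLowerCase() === approval.spender)) {
    findings.push(`spender ${approval.spender} is not a contract this dApp is expected to use`);
  }
  if (approval.amount !== undefined) {
    if (approval.amount === MAX_UINT256) {
      findings.push('allowance is MAX_UINT256: unlimited, and it persists until revoked');
    } else if (balance !== null && approval.amount > balance) {
      findings.push(`allowance ${approval.amount} exceeds current balance ${balance}`);
    }
  } else {
    findings.push('setApprovalForAll(true): operator may move every token in the collection, including ones received later');
  }
  return { verdict: findings.length ? 'danger' : 'ok', approval, findings };
}

// The transaction that undoes a decoded approval: approve(spender, 0) or setApprovalForAll(operator, false).
function buildRevocation(token, approval) {
  const data = approval.fn.startsWith('setApprovalForAll')
    ? encodeSetApprovalForAll(approval.spender, false)
    : encodeApprove(approval.spender, 0n);
  return { to: token, data };
}

// ---- constructed sample data ----
const TOKEN = '0x' + 'aa'.repeat(20);     // an ERC-20 token contract
const ROUTER = '0x' + '11'.repeat(20);    // the DEX router the real dApp publishes
const ATTACKER = '0x' + 'ba'.repeat(20);  // spender named by the phishing page
const PHISHING_TX = { to: TOKEN, data: encodeApprove(ATTACKER, MAX_UINT256) };
const LEGIT_TX = { to: TOKEN, data: encodeApprove(ROUTER, 1000n) };
const NFT_TX = { to: '0x' + 'cc'.repeat(20), data: encodeSetApprovalForAll(ATTACKER, true) };

for (const tx of [PHISHING_TX, LEGIT_TX, NFT_TX]) {
  const r = assessApproval(tx, { trustedSpenders: [ROUTER], balance: 5000n });
  console.log(r.verdict, r.approval && r.approval.fn, r.findings);
}
console.log(buildRevocation(TOKEN, decodeApproval(PHISHING_TX.data)));
```

In a real wallet the trusted-spender list would come from the dApp's published contract addresses, not from the page that is asking for the signature, since a phishing site controls that page. The revocation returned by buildRevocation still has to be signed and mined, so it costs gas and does nothing until it is confirmed; an attacker who is watching the mempool can front-run it, which is one more reason not to grant the unlimited approval in the first place.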
Examples
- A victim connects their wallet to what appears to be a legitimate NFT platform and signs a setApprovalForAll transaction that names the attacker's address as operator; days later, with no further action from the victim, the attacker calls transferFrom on every NFT in the collection and drains the wallet using the granted permission.