How dangerous is Approval scam and why do so many people fall for it?

January 23, 2026 · #Blockchain

Approval Scam doesn't require a seed phrase but can still empty your wallet. Tan Phat Digital deeply analyzes technical mechanisms, behavioral psychology and the most effective prevention methods for investors.

The shift from the Internet of information (Web2) to the Internet of value (Web3) has created a revolution in the way people own and transfer assets. However, the decentralized and irreversible nature of blockchain technology also makes it fertile ground for sophisticated forms of cybercrime. According to analysis from the Tan Phat Digital team, "Approval Scam" has become one of the most dangerous attack methods, directly targeting the core operating mechanism of smart contracts. Unlike traditional attacks based on private key appropriation, Approval Scam exploits user consent through the standardized application programming interfaces (APIs) of tokens, making asset ownership fragile after just one confirmation.

Technical foundation of the approval mechanism in Blockchain

To understand the nature of Approval Scam, it is necessary to analyze the token standards that currently dominate the Ethereum ecosystem and EVM (Ethereum Virtual Machine) compatible chains. These standards regulate how digital assets interact with each other and with decentralized applications (dApps).

ERC-20 standard and Approve function

ERC-20 is the most popular standard for fungible tokens. One of the six mandatory functions of this standard is approve(address spender, uint256 amount). This function allows the wallet owner to delegate to another address (usually a dApp smart contract) the right to withdraw a certain amount of tokens from their wallet.

This mechanism is called "Allowance". When users make a transaction on decentralized exchanges (DEX) like Uniswap, they must authorize Uniswap's contract to take tokens from their wallet to perform the swap. This creates maximum convenience but also introduces a security hole: if the approved contract is malicious, it can withdraw user funds at any time without further intervention from the wallet holder.

Differences between ERC-721 and ERC-1155 in the approval mechanism

While ERC-20 deals with fungible tokens, ERC-721 and ERC-1155 govern non-fungible tokens (NFTs) and multi-purpose tokens. Here are the details of their approval mechanisms:

  • ERC-721 Standard (Single NFT): Uses the typical approval function setApprovalForAll(operator, approved). This command affects all NFTs belonging to that collection in the user's wallet.

  • ERC-1155 Standard (Hybrid FT & NFT): Also uses the setApprovalForAll(operator, approved) function. However, the scope of influence is broader, including all types of tokens (both NFTs and regular tokens) covered by that contract.

For NFTs, scammers often lure victims into signing the setApprovalForAll function. Once signed, the attacker has the right to "wipe out" all valuable items in the collection without having to approve each one. This is the basis for large-scale NFT thefts on platforms like OpenSea.
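
The two approval calls described above can be recognized in raw transaction calldata before anything is signed. The following is an added example, not code from the original article: the function name classifyCalldata, the risk labels, the 2^255 "unlimited" threshold and the sample addresses are assumptions made for illustration.

```javascript
// Added example: classify approval-type calls from raw transaction calldata.
const MAX_UINT256 = (1n << 256n) - 1n;

// Standard 4-byte selectors (first 4 bytes of keccak256 of the function signature).
const SELECTORS = {
  "095ea7b3": "approve",           // approve(address,uint256)
  "a22cb465": "setApprovalForAll", // setApprovalForAll(address,bool)
};

function classifyCalldata(data) {
  const hex = data.toLowerCase().replace(/^0x/, "");
  const fn = SELECTORS[hex.slice(0, 8)];
  if (!fn) return { fn: "other", risk: "not-an-approval" };
  // Both functions take two static arguments: exactly two 32-byte words.
  if (!/^[0-9a-f]{128}$/.test(hex.slice(8))) return { fn, risk: "malformed" };
  const spender = "0x" + hex.slice(8 + 24, 8 + 64); // low 20 bytes of word 0
  const value = BigInt("0x" + hex.slice(8 + 64));    // word 1
  if (value === 0n) return { fn, spender, risk: "revoke" };
  if (fn === "setApprovalForAll") {
    return { fn, spender, risk: "high", why: "operator over every token in the contract" };
  }
  // Heuristic (assumption): anything >= 2^255 is treated as an unlimited allowance.
  // On an ERC-721 contract the same selector is approve(to, tokenId), so the
  // second word is a token id there; the contract type must be known to tell.
  const unlimited = value >= (1n << 255n);
  return {
    fn, spender, amount: value,
    risk: unlimited ? "high" : "review",
    why: unlimited ? "unlimited allowance" : "bounded allowance",
  };
}

// Constructed sample inputs (the spender address is made up).
const word = (h) => h.replace(/^0x/, "").padStart(64, "0");
const SPENDER = "0x" + "11".repeat(20);
const samples = {
  unlimited: "0x095ea7b3" + word(SPENDER) + word(MAX_UINT256.toString(16)),
  bounded: "0x095ea7b3" + word(SPENDER) + word((1000n * 10n ** 18n).toString(16)),
  revoke: "0x095ea7b3" + word(SPENDER) + word("0"),
  nftAll: "0xa22cb465" + word(SPENDER) + word("1"),
  transfer: "0xa9059cbb" + word(SPENDER) + word("1"),
};
for (const [name, data] of Object.entries(samples)) {
  console.log(name, classifyCalldata(data));
}
```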

Variant mechanism: EIP-2612 Permit and Permit2

The rise of Web3 has led to the need to reduce gas costs and optimize user experience, thereby giving birth to off-chain (gasless) approval methods.

EIP-2612: Off-Chain Signature Revolution

EIP-2612 introduces the permit() function, allowing users to approve spending limits with an off-chain digital signature instead of an actual blockchain transaction. The user signs a structured message that includes the owner address, spender address, token quantity, nonce number, and validity period. The scammer just needs to collect this signature and submit it to the blockchain himself to activate the right to withdraw funds. This is extremely dangerous because users often mistakenly believe they are just "logging in" or "authenticating" to a website.

Permit2: Uniswap's approval management center

Permit2 is a protocol that unifies approvals for all ERC-20 tokens. Users only need to approve the Permit2 contract once. Although it has an automatic expiration feature, it creates a concentration of risk. If a scammer captures a Permit2 message, they can withdraw any tokens the user has previously approved for Permit2.
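
A signing request of this kind can be told apart from a harmless "login" message by reading the typed data before it is signed. The following is an added example, not code from the original article or from any wallet: it assumes the request arrives as eth_signTypedData_v4 JSON with the EIP-2612 and Permit2 message layouts, and the function names, the 30-day threshold and all sample values are illustrative.

```javascript
// Added example: summarize what an eth_signTypedData_v4 request would grant.
const UINT160_MAX = (1n << 160n) - 1n; // Permit2 allowance amounts are uint160

// Normalize the EIP-2612 and Permit2 message layouts into a list of grants.
function grantsOf(td) {
  const m = td.message || {};
  const one = (t, until) => ({ token: t.token, amount: BigInt(t.amount), until: Number(until) });
  switch (td.primaryType) {
    case "Permit": // EIP-2612: the token is the contract that verifies the signature
      return [one({ token: td.domain.verifyingContract, amount: m.value }, m.deadline)];
    case "PermitSingle":
      return [one(m.details, m.details.expiration)];
    case "PermitBatch":
      return m.details.map((d) => one(d, d.expiration));
    case "PermitTransferFrom":
      return [one(m.permitted, m.deadline)];
    case "PermitBatchTransferFrom":
      return m.permitted.map((p) => one(p, m.deadline));
    default:
      return null; // not a token-spending signature this example knows about
  }
}

function inspectSignRequest(json, nowSeconds) {
  const td = typeof json === "string" ? JSON.parse(json) : json;
  const grants = grantsOf(td);
  if (!grants) return { spendsTokens: false, warnings: [] };
  const warnings = [`off-chain signature lets ${td.message.spender} move your tokens`];
  for (const g of grants) {
    if (g.amount >= UINT160_MAX) warnings.push(`unlimited amount of ${g.token}`);
    const days = (g.until - nowSeconds) / 86400;
    // Assumption: anything valid for more than 30 days is worth a warning.
    if (days > 30) warnings.push(`${g.token}: valid for ${Math.round(days)} days`);
  }
  if (grants.length > 1) warnings.push(`covers ${grants.length} tokens in one signature`);
  return { spendsTokens: true, spender: td.message.spender, grants, warnings };
}

// Constructed requests (addresses, token name and timestamps are made up).
const NOW = 1700000000;
const TOKEN = "0x" + "aa".repeat(20), SPENDER = "0x" + "11".repeat(20);
const permitRequest = JSON.stringify({
  domain: { name: "Example Token", version: "1", chainId: 1, verifyingContract: TOKEN },
  primaryType: "Permit",
  message: { owner: "0x" + "22".repeat(20), spender: SPENDER,
    value: ((1n << 256n) - 1n).toString(), nonce: 0, deadline: NOW + 365 * 86400 },
});
const loginRequest = { domain: { name: "Example dApp" }, primaryType: "Login",
  message: { statement: "Sign in", nonce: "abc" } };
console.log(inspectSignRequest(permitRequest, NOW).warnings);
console.log(inspectSignRequest(loginRequest, NOW));
```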

Analyzing the danger of Approval Scam

Losing money without a secret key

In traditional hacks, users lose their seed phrase or private key. With Approval Scam, users' wallets remain theoretically secure, but assets are still "legally" stripped through signed approval orders. Thieves do not need to interfere with the wallet's source code; they only need the mistaken consent of the victim.

Lying dormant and waiting for the opportunity

An approval order usually has unlimited value (unlimited approval). The scammer does not necessarily withdraw money immediately. They can wait until the victim adds more money to the wallet or wait for the token value to increase before executing the appropriation order. This "silence" makes it difficult for victims to detect until the asset is completely gone.

Irreversible and difficult to trace

Every blockchain transaction, once confirmed, cannot be undone. By the time the victim realizes he or she has authorized a malicious contract, the assets have often been transferred through mixers or cross-chain bridges to erase the traces.

Why so many users fall for the trap: Psychology and manipulation techniques

Sophisticated disguises through Phishing and Airdrops

Fraudsters often lure victims to fake websites whose interface is identical to that of reputable platforms. The "Claim Airdrop" button is essentially an Approve or Permit request for the attacker's wallet.

FOMO effect and false urgency

Fear of missing out (FOMO) causes users to skip safety checks. Fraudsters create urgent notifications such as "Only 5 minutes left to receive rewards" to pressure victims to click "Confirm" on the wallet without carefully reading the content.

Limitations of the e-wallet interface

Many e-wallets display the approval request as a confusing string of characters, causing users (especially new ones) to treat the signing confirmation as a normal technical procedure, like accepting the terms of use of traditional web applications.

The current state of digital asset fraud in Vietnam

Vietnam is currently one of the largest crypto asset markets in the Asia-Pacific region, ranked third after India and South Korea with an estimated transaction value of 220-230 billion USD in the period 2024-2025. However, that comes with a huge risk of fraud. In 2024 alone, total losses due to online fraud in Vietnam are estimated to reach VND 18,900 billion.  

Typical cases and methods of operation

A shocking case was cleared at the end of November 2025 in Da Nang related to the "ghost" TOSI project. This ring has appropriated about 90 billion VND from more than 8,000 victims nationwide. Below are the identifying characteristics:  

  • Multi-level transformation model: Unusually high bonuses from 3% to 22%/month to attract new participants.  

  • International impersonation: Labeling Japanese technology or preparing to list on major exchanges like Binance to create fake trust.  

  • Sophisticated technical intervention: Programming the function to attach personal e-wallet code to the system, causing investors' money to go directly to the fraudster's pocket instead of the project's common wallet.  

  • Erase professional traces: When the number of new users decreases, they close the website for reasons of "maintenance" or "hacker attack" and then create a new project to continue the cycle.  

New legal framework in 2026

From January 1, 2026, the Law on Digital Technology Industry officially takes effect, bringing digital assets into the scope of Vietnamese law for the first time. In particular, from January 20, 2026, Vietnam will begin piloting the reception of licensing applications for market organizations trading cryptographic assets according to Resolution No. 05/2025/NQ-CP. Businesses that want to participate must meet:

  • Minimum charter capital of 10,000 billion VND contributed in Vietnamese Dong.

  • Minimum 65% of charter capital contributed by organizations, including the participation of commercial banks or securities companies.

  • Technology systems and risk management processes must be strictly inspected.

Global Drainer Market Report 2024-2025

Cybercriminals are increasingly professionalizing through the "Wallet Drainer-as-a-Service" model. In 2025, although losses from wallet withdrawals tended to decrease in absolute value, impersonation scams recorded record growth of 1400%. The total amount of money misappropriated through global cryptocurrency scams in 2025 is estimated to reach between 14 and 17 billion USD.

Organizations such as Inferno Drainer still maintain dominance with about 40-45% market share of attacks, using sophisticated scripts to impersonate popular protocols such as Seaport and WalletConnect.

On-chain Analysis: The asset tracing process

According to Tan Phat Digital, on-chain data analysis is an important weapon to confront criminals. The investigation process usually includes 5 steps:

  1. Establish anchor point: Identify victim wallet address and malicious approval transaction hash.

  2. Flow tracing: Track funds through intermediary wallets (Peel Chain) or cross-chain bridges.

  3. Identification and Labeling: Use tools such as MistTrack to identify wallets belonging to centralized exchanges (CEX).

  4. Risk assessment: Analyze attacker behavior to find real identity touchpoints.

  5. Documentation and Coordination: Prepare reports to authorities and exchanges to request asset freezes.

Multilayer prevention and security strategies

In the Web3 space, "prevention" is always more effective than "cure". Tan Phat Digital recommends that users take the following measures:

Check and revoke approval rights (Revoke)

Users should periodically use tools such as Revoke.cash to check the list of contracts with the right to spend their money and execute the Revoke command immediately. The use of Rabby Wallet is also recommended because of its ability to provide early warning of dangerous approval requests.
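
The periodic check described above amounts to replaying a wallet's approval events and keeping whatever was never revoked. The following is an added example, not code from the original article and not how any named tool is implemented: it assumes logs in eth_getLogs shape, and the function name outstandingApprovals and all sample addresses are made up for illustration.

```javascript
// Added example: rebuild the list of live approvals from event logs.
// Standard event topics (keccak256 of the event signature).
const APPROVAL = // Approval(address,address,uint256)
  "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925";
const APPROVAL_FOR_ALL = // ApprovalForAll(address,address,bool)
  "0x17307eab39ab6107e8899845ad3d59bd9653f200f220920489ca2b5937696c31";
const addrOf = (topic) => "0x" + topic.slice(-40).toLowerCase();

function outstandingApprovals(logs, owner) {
  const ordered = [...logs].sort((a, b) =>
    Number(a.blockNumber) - Number(b.blockNumber) || Number(a.logIndex) - Number(b.logIndex));
  const latest = new Map();
  for (const log of ordered) {
    // ERC-721's per-token Approval has 4 topics and empty data; it is skipped here.
    if (log.topics.length !== 3 || log.data.length !== 66) continue;
    const [sig, from, to] = log.topics;
    if (sig !== APPROVAL && sig !== APPROVAL_FOR_ALL) continue;
    if (addrOf(from) !== owner.toLowerCase()) continue;
    const kind = sig === APPROVAL ? "allowance" : "operator";
    const entry = { contract: log.address.toLowerCase(), spender: addrOf(to), kind,
      value: BigInt(log.data) };
    latest.set(`${entry.contract}|${entry.spender}|${kind}`, entry);
  }
  // A later approval of 0 (or false) is a revoke; what remains is still live.
  // The last approved value may exceed the live allowance after spending, so
  // confirm each entry with allowance() / isApprovedForAll() before acting.
  return [...latest.values()].filter((e) => e.value !== 0n);
}

// Constructed logs in eth_getLogs shape (all addresses are made up).
const t = (h) => "0x" + h.replace(/^0x/, "").padStart(64, "0");
const OWNER = "0x" + "22".repeat(20), S1 = "0x" + "11".repeat(20), S2 = "0x" + "33".repeat(20);
const TOKEN = "0x" + "aa".repeat(20), NFT = "0x" + "bb".repeat(20);
const mkLog = (address, sig, spender, value, block) => ({ address, data: t(value),
  topics: [sig, t(OWNER), t(spender)], blockNumber: block, logIndex: "0x0" });
const sampleLogs = [
  mkLog(TOKEN, APPROVAL, S2, "0", "0x12"),            // revoke of the 0x11 approval
  mkLog(TOKEN, APPROVAL, S1, "f".repeat(64), "0x10"), // unlimited, never revoked
  mkLog(TOKEN, APPROVAL, S2, "1f4", "0x11"),          // 500 units, later revoked
  mkLog(NFT, APPROVAL_FOR_ALL, S1, "1", "0x13"),      // operator over the collection
];
console.log(outstandingApprovals(sampleLogs, OWNER));
```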

"Zero Trust" rules

  • Exact URL: Absolutely do not click on links from search ads. Always check the domain name carefully.

  • Read the signing order carefully: When the wallet displays the keywords "Permit", "Approve", or "Set Approval For All", stop to control risk.

  • Limit the allowance: When approving reputable dApps, only authorize the exact number of tokens to be traded instead of selecting "Unlimited".

Forms of investment and associated risks

New investors need to clearly understand popular forms to avoid being drawn into high interest rate traps:

  • Short-term trading (Trading): Based on rapid price fluctuations. Very high risk due to FOMO mentality.

  • Long-term investing (HODLing): Buy and hold assets in a safe wallet (cold wallet). Average risk from the market.

  • Staking/Lending: Receive interest from depositing assets. Risks related to smart contract errors.

  • Coin Mining (Mining): Invest in hardware to receive rewards. Risk of operating costs and equipment wear.

Case studies: Typical Approval Scam and Web3 fraud cases (2021-2026)

Below is a summary from Tan Phat Digital of the most typical cases to help investors identify real-life fraud scenarios:

  1. TOSI case (Da Nang, 2025): Subjects created a "ghost" project, hiring programmers to create TOSI coins on Binance Smart Chain. The most sophisticated trick is to program the function of attaching personal wallet code to the user's transaction system, causing investment money to go directly into the pockets of criminals. Damage was recorded at about 90 billion VND for more than 8,000 victims.  

  2. Ledger Connect Kit Supply Chain Attack (December 2023): Attacker took over the NPM account of a Ledger employee, inserting malicious code into Connect Kit library versions 1.1.5 to 1.1.7. When a user connects the wallet to any dApp that uses this library, the funds will be withdrawn to the hacker's wallet (related to Angel Drainer). About 600,000 USD in damage in a few hours.

  3. Trust Wallet Chrome Extension Vulnerability (December 2025): A hack targeting the version 2.68 update on the Chrome browser resulted in about 7 million USD being stolen. The issue is believed to stem from the leak of a Chrome Web Store API key, allowing crooks to push a malicious version to the app store.

  4. Monkey Drainer - Large-Scale NFT Phishing (2022-2023): This group used nearly 2,000 domains impersonating famous NFT projects to trick users into signing malicious signTypedData commands. The total loss is estimated at 13 million USD with more than 7,000 NFTs stolen, including high-value assets such as CryptoPunks and Otherside.

  5. Matrix Chain (MTC) case (Vietnam, 2025): Transnational fraud line enticed participants to invest in MTC virtual currency with the promise of super profits. A 200-day project of Dong Nai Provincial Police destroyed this network, recording an amount of illegally raised money of nearly 10,000 billion VND.

  6. Inferno Drainer and Discord Trap (January 2025): Attackers impersonate support robots (Collab.Land bot) in large Discord servers. When users click on "Let's go" to verify their identity, they are redirected to a phishing website that requires signing an infinite Approval command, resulting in the loss of all wallet assets.  

  7. Super scam Paynet Coin (PAYN) / FMCPAY (2025): Group of subjects set up FMCPAY platform, create PAYN coin and advertise that it can be used to book airline tickets and hotels in the US. In essence, this is a multi-level pyramid model appropriating billions of dollars. Even after the floor collapsed, they tricked the victim into paying more money to "hire an American lawyer" to get the money back.

  8. 50 million USD theft via Address Poisoning (2025): This is the largest single loss in 2025. The bad guys create wallet addresses with the same first and last characters as the victim's usual wallet, then send transactions worth 0 USD to "poison" the wallet history. The victim subjectively copied this address for the actual transaction worth 50 million USD.  

  9. Aurory NFT "Drainware" (2021): One of the earliest examples of wallet scraping malware. The attacker creates a DNS domain name that closely resembles the real Aurory project. When users pressed the "Mint NFT" button, they essentially signed an order allowing the malicious contract to withdraw all assets. The incident caused 1.5 million USD and 70 NFTs to evaporate in just a split second.

  10. "GitHub Aptitude Test" scam (2025): Hackers pretend to be recruiters, asking programmers to download projects from GitHub to do the test. These projects contain malicious code that automatically identifies the operating system to download payloads, take control of the computer and steal wallet approval information as soon as the user logs in.

Frequently Asked Questions (FAQ)

Here are 10 common questions that users often send to Tan Phat Digital related to Approval Scam:

  1. What is the difference between an "Approve" command and a "Permit" order? Approve is an on-chain transaction, requiring you to pay gas fees to grant permission to spend money on a contract. Meanwhile, Permit (EIP-2612) is an off-chain digital signature that costs no gas but allows fraudsters to silently activate spending orders later.

  2. If I don't give the Seed Phrase (wallet password), can bad guys withdraw my money? Yes. Through Approval Scam, bad guys don't need your Seed Phrase. They only need you to sign a malicious Approve or Permit command to access and withdraw assets from your wallet.

  3. How do I know if I have approved any scam projects? Use screening tools like Revoke.cash, Etherscan Approval Checker or BSCScan Revoke. These tools will list all addresses that have permission to spend tokens in your wallet.  

  4. How dangerous is "Unlimited Approval"? When you select "infinite", that dApp has the right to withdraw the entire balance of that token forever until you make a Revoke order. If the dApp is hacked or is a fraudulent project, your wallet will be wiped out at any time.  

  5. Does Uniswap's Permit2 protocol make wallets more secure? Permit2 increases convenience and has an automatic approval expiration feature. However, it also creates centralization risk: an erroneous Permit2 signature could allow a bad actor to simultaneously withdraw multiple tokens that you previously approved.  

  6. I accidentally signed a strange request, what should I do immediately? You must immediately visit Revoke.cash to revoke that approval. If possible, immediately transfer the remaining funds to a completely new wallet to ensure safety.  

  7. Why is Rabby Wallet recommended to avoid Approval Scam? Unlike Metamask, Rabby Wallet has a built-in security scanning feature and displays a clear warning when you are about to sign a malicious approval order or an unlimited approval order.  

  8. By 2026, will virtual currency fraud in Vietnam be criminalized? Yes. With the Digital Technology Industry Law (2026) and the latest case law in 2025, fraudulent acts of appropriating cryptographic assets are gradually being included in the strict criminal penalty framework.

  9. What is the "Stop - Check - Protect" rule? This is the golden rule: Stop (don't rush to sign the order), Check (verify the URL, check the content of the signing request), and Protect (contact the bank or exchange to freeze assets if anything is unusual).

  10. Can I get my money back after being hit with Approval Scam? It's very difficult because blockchain cannot be undone. However, you should report to centralized exchanges (CEX) and authorities so they can trace on-chain with tools like MistTrack and freeze funds if it is transferred to the exchange.

Approval Scam is proof that fraud techniques are always evolving along with technology. With Vietnam officially putting digital assets into the pilot framework from 2026, users will have more protection from the law. However, personal knowledge and caution are still the most important defenses. Tan Phat Digital believes that a knowledgeable investor community will be the foundation for the sustainable development of the digital economy in Vietnam.
