The incident, flagged on Sept. 18, shows how attackers are exploiting Ethereum’s convenience features to strike with little warning.

A Gas-Free Trap

The target lost both staked Ethereum (stETH) and Aave-wrapped Bitcoin (aEthWBTC) after approving a series of wallet prompts that looked routine. Because the signatures required no gas fees, the transaction raised no immediate suspicion. Within minutes, the assets were transferred out.

SlowMist founder Yu Xian noted that the victim likely believed he was just confirming harmless requests. “It felt like a couple of clicks — no cost involved — and suddenly millions were gone,” he said.

The attackers abused Ethereum’s Permit function, a tool created to simplify token transfers by letting users sign off-chain approvals. When combined with the TransferFrom function, that authorization allows funds to be drained directly once executed on-chain. By the time the approval shows up in a wallet interface, it’s already too late.

Bigger Trend of Phishing Losses

This whale isn’t alone. Scam Sniffer data shows August was one of the worst months on record for phishing, with over $12 million stolen from more than 15,000 addresses. Just three wallets made up nearly half of the losses, one of them losing more than $3 million in a single attack.

READ MORE:

XRP Gains Spotlight With U.S. Reserve Inclusion and ETF Hype

Researchers point to the rise of batch-signature schemes and malicious smart contracts as driving forces behind the surge. Attackers are increasingly relying on social engineering and deceptive approvals rather than complex exploits or costly gas wars.

Staying Safe in a Hostile Environment

Experts are urging users to treat wallet requests with extreme caution. Unlimited approvals, in particular, remain a common entry point for theft. Even experienced investors with deep pockets are falling victim, highlighting how fragile security can be when convenience tools are abused.

The $6 million theft serves as another warning that in decentralized finance, the weakest link isn’t always the code — sometimes it’s the human behind the screen.

The information provided in this article is for educational purposes only and does not constitute financial, investment, or trading advice. Coindoo.com does not endorse or recommend any specific investment strategy or cryptocurrency. Always conduct your own research and consult with a licensed financial advisor before making any investment decisions.

The post Ethereum Whale Wiped Out in $6M Gas-Free Phishing Attack appeared first on Coindoo.