Attacker Siphons $10 Million in Crypto Following Phishing Attack on Whale's Account
In a significant security incident traced back to September 2023, a cryptocurrency investor fell victim to a sophisticated phishing attack that ultimately cost them $24 million in staked assets. Most notably, attackers successfully siphoned $10 million worth of Ethereum to Tornado Cash, a cryptocurrency mixing service commonly used to obscure fund origins. This incident highlights the growing sophistication of cyber threats targeting crypto investors and the critical vulnerabilities in how users interact with smart contracts.
The compromise began when the victim inadvertently authorized what seemed like a routine token transaction. Through a technique known as “Increase Allowance,” the attacker gained programmatic access to the investor’s crypto holdings. Blockchain security firms including CertiK identified the compromised account on March 21, revealing that approximately 3,700 ETH had been diverted to Tornado Cash—part of a larger $24 million loss that included both stETH from Rocket Pool’s liquid staking service and rETH tokens. With ETH trading near $2.98K at the time, this represented an enormous capital loss for the victim.
How Token Approvals Became a Weapon Against Crypto Users
The attack exploited a fundamental feature of Ethereum’s ERC-20 token standard. When users interact with decentralized applications, they often grant smart contracts permission to move their tokens—a convenience feature that has become a prime target for attackers. According to fraud detection specialists at Scam Sniffer, the victim unknowingly approved spending rights through the token allowance mechanism, effectively handing the attacker a key to their crypto treasury.
This technique isn’t new, but its prevalence is alarming. PeckShield’s analysis showed the attacker converted the stolen assets into approximately 13,785 ETH and 1.64 million DAI (each worth approximately $1.00 at current market rates). While some of the DAI was transferred to the FixedFloat exchange, the majority of the stolen funds flowed through multiple wallets designed to obscure the trail.
The Tornado Cash Connection: Laundering Stolen Crypto
Tornado Cash serves as a critical piece of the criminal infrastructure. By depositing cryptocurrency into this mixing service, attackers break the blockchain’s transparency—a key advantage that cryptocurrencies are supposed to provide. The $10 million transfer to Tornado Cash represents the attacker’s attempt to separate themselves from the traceable theft and cash out or move the stolen funds without detection.
A Pattern of Rising Losses: February’s $47 Million in Phishing Thefts
The September 2023 incident wasn’t an isolated event. Scam Sniffer’s comprehensive report revealed that nearly $47 million was lost to phishing-related scams in February alone. Disturbingly, 78% of these thefts occurred on the Ethereum network, with ERC-20 tokens comprising 86% of all stolen assets. This data underscores a troubling reality: despite years of security warnings, investors continue to lose staggering sums through relatively straightforward exploitation techniques.
Recent incidents further demonstrate the scope of this vulnerability. On March 20, threat actors exploited an outdated Dolomite exchange contract to drain $1.8 million from users who had previously granted token approvals to that contract. Dolomite’s developers urgently advised users to revoke all permissions granted to the old contract address, a reactive measure that came too late for already-compromised funds.
When Security Responses Work: The Layerswap Case Study
Not every crypto security incident results in total asset loss. On the same day Dolomite was exploited, the Layerswap team managed to contain an attack on their website after detecting unauthorized access. Though their quick response prevented a complete disaster, attackers still siphoned approximately $100,000 from roughly 50 users before the breach was contained. Layerswap committed to refunding affected users and providing additional compensation—a rarity in the often-unforgiving crypto ecosystem.
The Bottom Line: Why Attackers Target Phishing and Token Approvals
The persistence of phishing attacks in cryptocurrency stems from their effectiveness and relative simplicity. Unlike complex smart contract exploits that require significant technical expertise, token approval scams leverage social engineering and user negligence. Each stolen asset—whether $10 million siphoned to Tornado Cash or smaller amounts drained through compromised contracts—represents a failure in both user awareness and broader security infrastructure.
For cryptocurrency participants, the lessons are critical. Vigilance means scrutinizing every contract approval, understanding what permissions you’re granting, and regularly auditing active approvals on platforms like Etherscan. For the industry, it demands collaborative development of better detection tools, clearer warning systems, and educational initiatives that help users recognize phishing attempts before they authorize malicious transactions. Until these measures become standard practice, attackers will continue to siphon millions in crypto through phishing and token approval exploitation.
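To make the allowance mechanism described earlier and the approval scrutiny recommended above concrete, here is an added example (not from the original article or any of the firms it cites) that decodes raw transaction calldata before signing and flags allowance grants. The spender addresses, the trusted list and the balance figures are constructed assumptions.

```python
MAX_UINT256 = 2**256 - 1

# 4-byte selectors: approve is part of ERC-20; increaseAllowance is a widely
# deployed extension that raises an existing allowance.
ALLOWANCE_SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "39509351": "increaseAllowance(address,uint256)",
}

# Constructed placeholder addresses, not taken from the incident.
UNKNOWN_SPENDER = "0x" + "ab" * 20
TRUSTED_SPENDER = "0x" + "cd" * 20

def encode_call(selector, spender, amount):
    """Build ABI calldata for f(address,uint256); used for the sample inputs."""
    return "0x" + selector + spender[2:].rjust(64, "0") + format(amount, "064x")

def inspect_calldata(calldata_hex, balance, trusted_spenders=()):
    """Describe an allowance grant, or return None if the call is not one."""
    data = calldata_hex.lower()
    if data.startswith("0x"):
        data = data[2:]
    signature = ALLOWANCE_SELECTORS.get(data[:8])
    if signature is None:
        return None
    args = data[8:]
    # Two 32-byte ABI words (spender, amount); the address word is zero-padded.
    if len(args) != 128 or int(args[:24], 16) != 0:
        raise ValueError("malformed calldata for " + signature)
    spender = "0x" + args[24:64]
    amount = int(args[64:], 16)
    warnings = []
    if spender not in {s.lower() for s in trusted_spenders}:
        warnings.append("spender not in trusted list")
    if amount == MAX_UINT256:
        warnings.append("unlimited allowance")
    elif amount and amount >= balance:
        # For increaseAllowance the amount is added to any existing allowance,
        # so the resulting allowance is at least this large.
        warnings.append("allowance covers entire balance")
    return {"function": signature, "spender": spender,
            "amount": amount, "warnings": warnings}

if __name__ == "__main__":
    wei = 10**18
    call = encode_call("39509351", UNKNOWN_SPENDER, 5000 * wei)
    print(inspect_calldata(call, balance=4000 * wei,
                           trusted_spenders=[TRUSTED_SPENDER]))
```

A zero-amount `approve` is a revocation, so it produces no amount warning; a call that is not an allowance grant returns `None` and should be reviewed by other means.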