The crypto market has received another painful reminder that, in Web3, the weakest point is often not the smart contract or the wallet itself, but the user’s device. In this case, one victim lost $1.76 million in USDC after signing a malicious Permit transaction. That single approval was enough to give attackers a direct path to drain the funds.
The incident quickly drew attention across the crypto community, and the case was later analyzed by security specialists from GoPlus along with representatives of OKX. Their main conclusion was blunt: this was not a wallet vulnerability. It was the result of a fully compromised device.
Not a wallet exploit, but a compromised environment
According to the preliminary findings, the attackers gained control of the victim’s computer or smartphone through malicious software. That could have been a virus, a trojan, or an infected browser extension. Once inside the system, the attackers moved beyond simple surveillance and began manipulating what the user actually saw.
Specifically, they were able to alter JavaScript code on the webpages the victim interacted with. In practical terms, the user may have believed they were approving one action while in reality authorizing something entirely different.
That is where the Permit mechanism became critical. Under normal conditions, Permit is a convenience feature that allows token approvals without requiring a separate on-chain transaction funded in the network’s native coin. In a compromised environment, however, it becomes a highly effective attack vector. Instead of a harmless request, the victim was presented with a malicious approval that enabled the withdrawal of funds.
Why the interface can no longer be trusted
What makes this type of attack especially dangerous is that once the device is compromised, the interface itself can no longer be treated as a reliable source of truth. If the operating system or browser is under the control of malware, the wallet may display incomplete, altered, or entirely false transaction details.
That means the victim clicks “sign” believing they are approving one operation, while in fact authorizing another. At that point, the usual advice to “always read what you sign” becomes only partly effective, because the information shown on screen may already have been tampered with.
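To make concrete what a Permit signature actually grants, here is an added example (not code from the article, GoPlus or OKX) that decodes an EIP-2612 Permit typed-data request and flags the fields a user would want to see before signing: the spender, the allowance amount and the deadline. The token address, wallet addresses and spender allowlist are constructed placeholders.

```javascript
// Added example (not from the article or any wallet vendor): decode an
// EIP-2612 "Permit" typed-data request (EIP-712) and report what the
// signature would really authorize. All addresses below are constructed.
const MAX_UINT256 = (1n << 256n) - 1n;
// Assumed allowlist: spender contracts the user has deliberately vetted.
const TRUSTED_SPENDERS = new Set([
  "0x1111111111111111111111111111111111111111",
]);

// Returns the decoded permit plus a list of risk flags (empty = nothing unusual).
function inspectPermit(typedData, nowSeconds, trusted = TRUSTED_SPENDERS) {
  if (typedData.primaryType !== "Permit") {
    return { isPermit: false, flags: ["not a Permit message"] };
  }
  const m = typedData.message;
  const value = BigInt(m.value);
  const deadline = BigInt(m.deadline);
  const spender = String(m.spender).toLowerCase();
  const flags = [];
  if (!trusted.has(spender)) flags.push("spender not on allowlist");
  if (value === MAX_UINT256) flags.push("unlimited allowance");
  // A long deadline lets whoever holds the signature redeem it much later.
  if (deadline - BigInt(nowSeconds) > 86400n) flags.push("deadline > 24h");
  return {
    isPermit: true,
    token: typedData.domain.verifyingContract,
    chainId: Number(typedData.domain.chainId),
    owner: m.owner, spender, value, deadline, flags,
  };
}

// Constructed request shaped like the approval described above: unlimited
// value, effectively no deadline, a spender the user never vetted.
const suspiciousRequest = {
  primaryType: "Permit",
  domain: { name: "Sample Token", version: "1", chainId: 1,
            verifyingContract: "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" },
  message: {
    owner: "0xbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb",
    spender: "0xcccccccccccccccccccccccccccccccccccccccc",
    value: MAX_UINT256.toString(),
    nonce: 0,
    deadline: MAX_UINT256.toString(),
  },
};

function flagsForSuspicious(nowSeconds = 1700000000) {
  return inspectPermit(suspiciousRequest, nowSeconds).flags;
}
```

A check like this only helps when it runs somewhere the malware cannot reach; on an infected device it can be altered just like the wallet's own display, which is exactly the article's point.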
OKX’s position: the wallet was not the problem
As speculation grew around a possible bug, OKX stated that its Web3 wallet was functioning normally. The company emphasized that the wallet follows a self-custody model, meaning private keys remain stored only on the user’s device rather than on company servers.
But that is also where the paradox of decentralized security appears. If the device itself is infected, no self-custody design can fully protect the user. As security experts noted, a keylogger or similar malware effectively places the attacker “behind the user’s shoulder,” able to observe everything being typed, approved, or signed.
In other words, once the environment is compromised, wallet security becomes less about cryptography and more about device hygiene.
The four basic rules that still matter
Following the incident, GoPlus reiterated a set of core anti-phishing principles. They are simple, but they are also the exact rules users most often ignore before major losses occur:
— do not click suspicious or unknown links;
— do not install software or extensions from untrusted sources;
— do not sign transactions unless you fully understand them;
— do not send funds to unverified wallet addresses.
These rules may sound basic, but in practice they are often the line between ordinary Web3 activity and a seven-figure loss.
What really happened
The most important point in this story is what did not happen. The attackers did not hack the blockchain. They did not break USDC. And they most likely did not exploit the wallet in the conventional sense. What they compromised was the decision-making environment around the user. That alone was enough to extract $1.76 million.
That is why this kind of attack is more dangerous than classic phishing. It does not always require stealing a seed phrase or directly taking private keys. Sometimes, one signature is enough — provided that signature is made inside an already poisoned digital environment.
The attackers’ wallets are already being tracked
Security researchers have already identified several wallet addresses that received the stolen funds. That does not guarantee recovery, but it gives exchanges, compliance teams, and blockchain analytics platforms a chance to monitor where the assets move next.
For ordinary users, the takeaway is harsh but useful: in Web3, the most dangerous moment is often not the transfer itself and not even the storage of funds. It is the signature. If the device is compromised, a single Permit transaction can become the point at which control over an entire wallet is lost.