According to multiple reports, one crypto user lost approximately $1.08 million worth of Aave-wrapped Ethereum LBTC (aEthLBTC), which is a tokenized Bitcoin asset on the Aave protocol, in what is likely a phishing exploit.
According to ScamSniffer, the user in question had signed a malicious “permit” signature, which was what led to the theft. That signature was an off-chain approval mechanism, and it allegedly allows tokens to be spent without triggering an immediate on-chain transaction.
ScamSniffer shared screenshots of the transactions. As to how the victim was susceptible to the exploit, they believe the scammers would have gotten the victim to sign the permit via a phishing site or cloned dApp, giving them access to drain the wallet.
How did the scam happen?
SlowMist’s founder, Cosine, commented on the haul, pointing out that the specific phishing group behind the attack is not one of the “mainstream” drainer groups, which suggests an emergence of smaller, sophisticated independent attackers.
They also moved fast, rapidly converting the funds to ETH and then laundering the funds immediately via Tornado Cash.
The incident was highlighted on January 3 by ScamSniffer via its X page, not long after it dropped its 2025 yearly report. In the report, as reviewed by Cryptoplitan, it revealed there was an overall 83% drop in crypto phishing losses, falling from $494 million to $84 million.
However, it emphasized that sophisticated wallet drainers still abound. They just seem to be targeting high-value holders with permit-oriented attacks, as is often the case during a bull market.
Permit-based exploits depend on the user’s trust in routine signature requests that actually authorize token transfers off-chain. Unfortunately for scams like these, recovery is very unlikely as the draining happens on-chain and transactions are irreversible.
Crypto phishing losses went down, but wrench attacks went up
While ScamSniffer has confirmed crypto phishing losses went down in 2025, crypto security experts claim the frequency of so-called “$5 wrench attacks” went up.
Ari Redbord, the global head of policy and government affairs at crypto analytics firm TRM Labs, called 2025 a record year for wrench attacks, with roughly 60 reported physical assaults on crypto holders, up from 41 in 2024 and 36 in 2021. However, Redbord believes the actual number of attacks that have happened is significantly higher.
“Many incidents are logged simply as robberies or burglaries, with the crypto element omitted, while others are never reported due to victim hesitation or uncertainty about how law enforcement will handle crypto-related crimes,” Redbord claimed.
The cybersecurity risk called the “wrench attack” derives its name from the idea that even the most sophisticated forms of encryption and data security are susceptible to physical coercion — like getting threatened by a “$5 wrench.”
These attacks are inarguably worse than phishing exploits and protocol hacks as they not only put assets at risk but also lives, increasing the stakes for maintaining proper OPSEC beyond wallet management best practices.
“No matter how many technical precautions you take or how many factors you authenticate with, no individual is immune to human attack vectors,” Tor Bair, CEO of Hybrid Minds Advisory and former president of the Secret Foundation, said.
Although the true number of wrench attacks is difficult to quantify, there appears to be either a higher risk of victimization or, at least, a greater awareness of the threat.
Last year May, French Interior Minister Bruno Retailleau spoke up about the rise of crypto-related assaults in the country, which at the time was the site of about one-third of wrench attacks in 2025, including the high-profile kidnapping and torture of Ledger co-founder David Balland and his wife in January.
Join Bybit now and claim a $50 bonus in minutes
