EVM Wallet Hack 2026: How to Check and Revoke Token Approvals

Your crypto wallet might have a backdoor you don't even know about.

In early January 2026, on-chain investigator ZachXBT discovered a silent attack draining hundreds of wallets across EVM-compatible networks. Unlike dramatic hacks that steal millions in one transaction, this attacker is methodically siphoning small amounts—often under $2,000 per wallet—flying under the radar of most security tools.

The suspected culprit? Token approvals—permissions you've granted to smart contracts that never expire and can be exploited years later.

This guide explains what token approvals are, why they're dangerous, and exactly how to audit and revoke them before it's too late.

The 2026 EVM Wallet Hack: What We Know

Here's what's been confirmed so far:

• $107,000+ stolen from 100+ wallets (and counting)
• Multiple chains affected: Ethereum, BSC, Polygon, Arbitrum, and other EVM networks
• Small amounts per wallet: typically under $2,000 each
• No single exploit identified: no specific dApp, bridge, or wallet provider blamed
• Attack is ongoing: new victims appearing daily

What makes this attack particularly insidious is its stealth. Traditional security monitoring looks for large, suspicious transactions. By keeping each theft small, the attacker avoids triggering alerts while accumulating significant totals.

What Are Token Approvals?

When you interact with decentralized applications (dApps), you often need to grant them permission to move tokens on your behalf. This is called a token approval or allowance.

For example:

• Swapping tokens on Uniswap? You approve Uniswap to spend your USDC.
• Providing liquidity on Aave? You approve Aave to access your ETH.
• Minting an NFT? You might approve the marketplace to spend tokens.

The problem is that most dApps request unlimited approvals by default. When you click "Approve" in MetaMask, you're often granting permanent, unlimited access to that token—not just for one transaction.

How Approvals Work Technically

Under the hood, ERC-20 tokens have an approve() function that looks like this:

approve(spender_address, amount)

When a dApp requests approval, it typically asks for:

approve(0xDappContract, 115792089237316195423570985008687907853269984665640564039457584007913129639935)

That huge number? It's the maximum possible value (2^256 - 1), meaning unlimited access forever.

Why This Is Dangerous

The key insight: approvals persist even after you've finished using a dApp. That Uniswap approval from 2021? Still valid. That sketchy NFT mint from last year? Still has access to your tokens.

How to Check Your Token Approvals

Several free tools let you audit your wallet's approvals. Here are the best options:

1. Revoke.cash (Recommended)

Revoke.cash is the gold standard for approval management. It's open-source, supports 80+ networks, and has a clean interface.

How to use it:

1. Go to revoke.cash
2. Connect your wallet (or enter any address to view)
3. Select your network (Ethereum, BSC, Polygon, etc.)
4. Review the list of all active approvals
5. Click "Revoke" on any suspicious or unnecessary permissions

2. Etherscan Token Approval Checker

Etherscan has a built-in approval checker for Ethereum mainnet:

1. Go to etherscan.io/tokenapprovalchecker
2. Connect your wallet or enter your address
3. Review and revoke approvals

Similar tools exist for other chains:

• BSC: bscscan.com/tokenapprovalchecker
• Polygon: polygonscan.com/tokenapprovalchecker
• Arbitrum: arbiscan.io/tokenapprovalchecker

3. Wallet Built-in Tools

Some wallets now include approval management:

• Rabby Wallet: Shows approvals directly in the interface
• MetaMask Portfolio: Recently added approval tracking
• Trust Wallet: Has a security scanner (though see our recent article on Trust Wallet security)

How to Revoke Token Approvals

Revoking an approval is a blockchain transaction that sets the allowance back to zero. Here's the step-by-step process:

How Much Does It Cost?

Each revocation requires a small gas fee:

• Ethereum: ~$1-5 depending on network congestion
• BSC: ~$0.10-0.30
• Polygon: ~$0.01-0.05
• Arbitrum: ~$0.10-0.50

Yes, it costs money to fix permissions you never should have granted. Consider it a security tax.

Best Practices for Token Approvals

Prevention is better than cure. Here's how to stay safe going forward:

1. Limit Approval Amounts

When MetaMask shows an approval request, you can click "Edit Permission" and set a specific amount instead of unlimited. Only approve what you need for that transaction.

2. Use a Dedicated dApp Wallet

Keep your main holdings in a "cold" wallet that never interacts with dApps. Use a separate "hot" wallet with limited funds for DeFi activities. If the hot wallet gets compromised, your main stack stays safe.

3. Revoke After Each Session

After using a dApp, immediately revoke the approval. Yes, you'll need to re-approve next time, but that's a small inconvenience compared to losing funds.

4. Audit Regularly

Set a monthly reminder to check your approvals across all chains. Treat it like reviewing your credit card statements.

5. Use Hardware Wallets

Hardware wallets like Ledger or Trezor add an extra confirmation step, giving you more time to review what you're approving. They also protect your private keys from malware.

6. Be Skeptical of New dApps

If a new DeFi protocol promises crazy yields, be extra cautious. Rug pulls often start by collecting approvals before draining users. Check:

• Is the contract verified on Etherscan?
• Has it been audited?
• How long has it been running?
• What are people saying on Twitter/Discord?

Frequently Asked Questions

If I revoke an approval, do I lose my tokens?

No. Revoking only removes the permission for a contract to move your tokens. Your tokens stay in your wallet. You're just closing a door you previously opened.

Why do dApps ask for unlimited approvals?

Convenience. If you approve only 100 USDC but want to swap 150 later, you'd need to approve again. Unlimited approvals mean "approve once, use forever." Unfortunately, this convenience creates security risks.

Can I see who approved my tokens?

Token approvals are public on the blockchain. Anyone can check any wallet's approvals using tools like Revoke.cash or Etherscan. This is how attackers find targets with vulnerable approvals.

What if I approved a scam site?

Revoke the approval immediately. If the scammer hasn't acted yet, you might save your funds. If they already drained your wallet, revoking won't recover stolen tokens, but it prevents further theft.

Are NFT approvals also dangerous?

Yes! NFT marketplaces like OpenSea require approvals to transfer your NFTs. The same risks apply. Revoke old marketplace approvals you no longer use.

The Bigger Picture: A Week of Crypto Attacks

This EVM wallet hack is part of a disturbing pattern. In just 10 days, we've seen:

• December 25: LastPass breach victims losing $35M+ in crypto from cracked password vaults
• December 26: Trust Wallet browser extension compromised via supply chain attack
• January 3: EVM wallet draining attack exploiting token approvals

Each attack uses a different vector:

• LastPass: password security failures
• Trust Wallet: software supply chain compromise
• EVM drains: smart contract permissions abuse

The lesson? Crypto security requires defense in depth. One protection isn't enough.

Action Checklist

Here's your immediate to-do list:

Stay Protected

Token approvals are a necessary part of DeFi, but they're also one of the biggest security risks in crypto. The ongoing 2026 EVM wallet hack proves that attackers are actively exploiting old, forgotten permissions.

The good news? You can protect yourself in about 15 minutes. Check your approvals, revoke the risky ones, and adopt better habits going forward.

Your future self will thank you.