A new phishing scam has been uncovered that has resulted in the theft of over $5.9 million worth of cryptocurrency. The scam, which was discovered by security firm Scam Sniffer, utilizes a Permit2 exploit to steal users’ funds.

Permit2 is a simplified version of the token approval process that allows users to approve a third-party application to access their tokens without having to enter their private keys. The Permit2 exploit takes advantage of this by allowing scammers to trick users into approving malicious applications.

Once a user approves a malicious application, the scammers can then steal their tokens by calling the application’s withdraw function. In the case of this scam, the scammers have stolen over $5.9 million worth of cryptocurrency from victims across various networks, including Ethereum, Arbitrum, Polygon, and BNB Chain.

The scam was discovered after a Twitter user who goes by the name of 0xSaiyanGod, also known for their interest in security matters, stumbled upon a promoter of the scam service while browsing the Scam Sniffer Telegram channel. Upon reporting the scammer to the channel, the security service initiated an investigation.

Scam Sniffer then uncovered a screenshot evidencing a $103,000 transaction made through a phishing scam that utilized a Permit2 exploit. With the transaction hash in hand, the Scam Sniffer team went on to search for the exploiter’s address, which was eventually discovered.

The address was linked to over 689 phishing websites created since March 27, amounting to more than $5.9 million stolen across various networks. The report further noted that one of the biggest victims has lost $400,000 worth of assets.

“By analyzing the on-chain funds collection addresses, it is estimated that there were approximately 1,699 ETH stolen and distributed among these 5 large addresses,” the report said, adding that they keep around 300 to 400 ETH in each address.