DEX / MEV-bot approval phishing — email claims a DeFi aggregator (1inch, Jupiter, Paraswap, Uniswap, CoW Protocol) detected a pending MEV-bot attack on the recipient's wallet and urges emergency approval revocation at a drainer URL. Chainalysis 2026; Certik 2026 DeFi approval-scam surge.

Email impersonating a DEX aggregator (Uniswap, 1inch, Paraswap, KyberSwap, CoW Protocol, Jupiter) or MEV-protection service (Flashbots Protect, MEV Blocker) urging the recipient to "approve this transaction to activate MEV protection," "claim your MEV rebate," or "emergency reauthorize to prevent front-running" — with an off-protocol link that triggers a malicious setApprovalForAll or approve(max) call, granting the attacker unlimited token-spend rights. Unlike the existing erc20-permit-eip712-signature-lure (which targets off-chain EIP-712 typed-data signatures), this signal targets on-chain approval calls framed as DEX optimization. Chainalysis's 2026 Web3 Crime Report found that approval-drain attacks surpassed seed-phrase theft as the #1 DeFi attack vector in 2025, with $340M+ drained via MEV-bot phishing; CertiK's Hack3d 2025 report documented $112M across 47 approval-drain incidents on DEX integrations. The signal fires on DEX/MEV brand name + approval/activation CTA or front-running urgency language + link to a non-official protocol domain. Real DEX newsletters never instruct users to approve transactions via email.