Most cryptocurrency fraud victims understand the basic mechanics of being scammed: they are tricked into sending money to a criminal. What many don’t realize is that there is a more sophisticated variant where victims never deliberately send anything — they simply sign a transaction that hands over permanent access to their entire wallet.

This technique, called approval phishing, is what the UK’s National Crime Agency, the US Secret Service, and Canadian law enforcement targeted in Operation Atlantic — a joint operation that ran through March 2026 and produced results announced in April: more than $12 million frozen, more than 20,000 victims identified, and more than $45 million in total suspected fraud disrupted.

What Is Approval Phishing?

In standard cryptocurrency transactions, you authorize the movement of specific funds: send this amount, from this wallet, to that address. The transaction is discrete and defined.

Approval phishing exploits a different function built into most major blockchain networks: token approval, which is designed to allow decentralized applications (DeFi platforms, exchanges, and other services) to access and move tokens on a user’s behalf, up to a specified limit, without requiring manual authorization for each transaction.

Legitimate DeFi platforms use this mechanism routinely. When you connect a wallet to a decentralized exchange and authorize it to “spend” your tokens, you are granting token approval to that platform’s smart contract address.

Approval phishing scams create fake DeFi platforms, fake wallets, fake investment interfaces, and fake “verification” pages — all of which prompt victims to sign approval transactions. From the victim’s perspective, it looks like they are completing a registration step, verifying their wallet, or connecting to a legitimate service. What they are actually doing is granting a criminal’s smart contract address permission to transfer all tokens from their wallet at any time.

The criminal does not need to act immediately. They can wait until the victim has accumulated a larger balance — through continued deposits into a fake investment platform, for example — and then execute a single transaction that drains everything.

How the Scam Typically Unfolds

Operation Atlantic’s investigation documented several delivery mechanisms:

Fake DeFi investment platforms: Victims are introduced to what appears to be a high-yield liquidity pool or staking opportunity. To participate, they are asked to connect their wallet and approve the smart contract. The approval grants the criminal unlimited access.

Fake wallet recovery: Scammers contact victims who have previously lost cryptocurrency, claiming to offer a recovery service. The “recovery” process requires signing an approval transaction on a fake recovery platform.

Romance and relationship fraud: Following the pig butchering model, a criminal builds a relationship and eventually introduces the victim to a “trading platform” that they use themselves. The initial setup process requires wallet connection and approval.

Airdrop and NFT scams: Fake notifications about unclaimed airdrops or NFT mints direct victims to sites that require wallet connection and approval to “claim” the assets.

In all cases, the victim’s experience at the moment of signing does not obviously signal danger. The interface is professional. The request appears routine. The damage may not occur for hours, days, or weeks.

The Operation Atlantic Investigation

Operation Atlantic was led by the UK’s National Crime Agency (NCA) and executed in partnership with the US Secret Service and Ontario Provincial Police / Ontario Securities Commission in Canada. Blockchain intelligence firm TRM Labs served as the primary private sector partner, providing on-chain analytics to trace approval phishing transactions and identify victims.

The operation worked backward from known criminal wallet addresses, tracing approval transactions to identify victims who had granted access to those wallets. This methodology revealed a victim pool of over 20,000 individuals who were either currently at risk (had granted approval to wallets the operation was investigating) or had already been drained.

Law enforcement could then notify at-risk victims in time for them to revoke the dangerous approvals — preventing further losses even where the initial phishing had already succeeded. For victims who had already been drained, the investigation worked to trace and freeze funds before they could be fully laundered.

The $12 million frozen represents funds successfully intercepted in the laundering pipeline. The $45 million figure represents the total value of fraud disrupted, including cases where victim notification prevented losses that would otherwise have occurred.

The Scale of Approval Phishing

Approval phishing is not new, but its combination with AI-generated fake platforms and relationship-building fraud has driven a significant increase in its use.

Chainalysis data from 2025 identified approval phishing as one of the fastest-growing sub-categories of cryptocurrency fraud by value. Because a single approval transaction can give access to a victim’s entire wallet — including tokens deposited after the approval was granted — the per-victim loss potential is higher than standard investment fraud, where criminals can only steal what the victim consciously sends.

The technique also scales well for criminals because it does not require ongoing victim interaction after the initial phishing. Once an approval is in place, the criminal can wait and drain at a time of their choosing, with a single automated transaction.

Protecting Yourself From Approval Phishing

For anyone who holds cryptocurrency in a self-custodial wallet — MetaMask, Coinbase Wallet, Trust Wallet, or any other wallet where you control your own keys — understanding approval risk is essential.

Key protections:

  1. Regularly review your active approvals. Tools like Revoke.cash, Etherscan’s Token Approval Checker, or similar blockchain-specific tools let you see which smart contracts have approval access to your wallet and revoke approvals you no longer need or don’t recognize.

  2. Never approve unfamiliar smart contracts. If a site or platform you don’t recognize is asking you to approve a transaction, decline until you have researched the contract address. Legitimate platforms are identifiable; scam contracts are not.

  3. Check the approval limit. When reviewing an approval request, your wallet should show you the amount being approved. “Unlimited” approval requests — which grant access to all current and future tokens — should be treated with extreme skepticism.

  4. Use a hardware wallet for significant holdings. Hardware wallets require physical button confirmation for transactions, adding a friction layer that prevents automated draining even if an approval was previously granted.

  5. If you suspect you’ve signed a bad approval, revoke immediately. Revoking an approval is a standard blockchain transaction and typically costs only a small gas fee. Act before the criminal executes the drain transaction.

Operation Atlantic’s identification of 20,000 victims reflects the scale of approval phishing before many of them understood what they had signed. The proactive victim notification that law enforcement conducted in this case is unusual — most victims of this technique discover the problem only after their wallet is empty.

The operation is a reminder that cryptocurrency security requires understanding not just how to keep your private keys safe, but also how to manage what you have already authorized on-chain.