Operation Atlantic: Secret Service and UK's NCA Freeze $12 Million in Crypto Scam Funds — Here's the Approval Phishing Trick Behind It All

A new form of cryptocurrency theft is draining wallets around the world — and most victims don’t realize they’ve been robbed until it’s too late.

On April 9, 2026, the U.S. Secret Service announced the results of Operation Atlantic — the first coordinated multinational enforcement action specifically targeting approval phishing at scale. The numbers from the operation:

• $12 million in stolen cryptocurrency frozen
• $45 million+ in total crypto fraud disrupted
• 20,000+ victims identified across more than 30 countries
• 120 fraudulent web domains shut down
• 3,000+ victims directly contacted by law enforcement

The operation was co-led by the U.S. Secret Service, the UK’s National Crime Agency (NCA), the Ontario Provincial Police, and the Ontario Securities Commission — with additional participation from the Royal Canadian Mounted Police, City of London Police, the U.S. Attorney’s Office for D.C., and the UK’s Financial Conduct Authority.

What Is Approval Phishing — And Why Is It So Dangerous?

Traditional phishing steals your username and password. Approval phishing steals something much more valuable: direct, permanent control of your entire cryptocurrency wallet.

Here’s how it works:

You’re connected with what appears to be a legitimate investment platform or decentralized finance (DeFi) app. To “activate” your account, invest in a fund, or claim a reward, you’re asked to sign a transaction in your crypto wallet. A pop-up appears — it looks identical to what you’d see in MetaMask, Trust Wallet, or any other legitimate app.

What you’re actually signing is a wallet approval transaction — a feature built into blockchain protocols that allows smart contracts to move funds on your behalf. Scammers abuse this feature by tricking you into granting unlimited spending approval to a wallet address they control.

Once you sign: your wallet is fully accessible. They don’t need your private key. They don’t need your password. They can drain every token in your wallet anytime they choose — immediately, or months later after you’ve added more funds.

The transaction looks legitimate. The interface looks legitimate. The only difference is where the permission points.

The Pig Butchering Connection

Approval phishing is now the technical backbone of pig butchering scams — the long-con investment fraud where criminals spend weeks or months grooming victims on dating apps and social media before introducing them to a fake trading platform.

The “slaughter” moment — when the criminal finally drains the victim’s funds — now frequently happens through an approval phishing transaction rather than a direct wallet transfer. This makes the theft harder to trace, harder to attribute, and in some cases, harder for victims to even understand what happened.

Operation Atlantic investigators found that many of the 20,000 victims had been targeted through this exact sequence:

1. Contact via dating app, WhatsApp, LinkedIn, or text message
2. Weeks of trust-building, romantic or professional relationship established
3. Introduction to a “proven” crypto investment platform
4. Wallet connection request with embedded approval phishing
5. Funds drained once the wallet contains a meaningful balance

The Scale of the Problem Operation Atlantic Uncovered

What makes Operation Atlantic notable isn’t just the money frozen — it’s the intelligence gathered.

Investigators identified more than 20,000 cryptocurrency wallet addresses linked to fraud victims across more than 30 countries. That’s 20,000 people whose crypto was stolen or is actively at risk.

In addition to the $12 million frozen, investigators flagged another $33 million in funds believed linked to investment fraud schemes — additional investigations are underway.

The operation also mapped the infrastructure: 120 fraudulent web domains, all designed to look like legitimate crypto trading platforms, DeFi protocols, or investment dashboards. Most victims visited these sites through links shared by the scammer, believing they were accessing a real financial service.

How Law Enforcement Is Tracking Approval Phishing on the Blockchain

One of the most significant developments in Operation Atlantic was the role of blockchain analytics firm TRM Labs, which provided technical support to identify victim wallet addresses and trace stolen funds across the chain.

Approval phishing leaves a specific on-chain signature: a transaction authorizing an external address to spend tokens from your wallet, followed later by a drain transaction that moves everything out. By identifying this pattern across millions of blockchain transactions, investigators can retroactively identify victims even when they didn’t know they’d been compromised.

The NCA and Secret Service used this analysis to directly contact over 3,000 identified victims — notifying them that their wallets had been compromised and advising them on remediation steps.

How to Know If Your Wallet Has Been Compromised

If you’ve ever connected your crypto wallet to an unfamiliar platform, you may have an active approval phishing risk right now. Here’s how to check:

For Ethereum and ERC-20 tokens (MetaMask, Trust Wallet, etc.):

• Go to revoke.cash or etherscan.io/tokenapprovalchecker
• Connect your wallet
• Review all active approvals
• Revoke any approval you don’t recognize or no longer need

For other chains:

• Most major blockchains (Polygon, BNB Chain, Arbitrum, Solana) have equivalent approval checker tools
• Search “[chain name] token approval checker” for the appropriate tool

General rules going forward:

• Never approve unlimited spending permission for any contract
• Read transaction prompts before signing — the contract address should match the platform you’re using
• If a platform you “invested” in asks you to re-approve or migrate your wallet, it’s almost certainly a scam
• Legitimate DeFi platforms never need unlimited access to drain your wallet

If You Were Victimized

Operation Atlantic’s investigators are still actively working these cases. If you believe you’ve been a victim of approval phishing:

1. Do not move funds through the same wallet — the approval may still be active
2. Transfer remaining assets to a new, clean wallet immediately
3. Revoke all active approvals on the compromised wallet using a tool like revoke.cash
4. Report to the IC3 at ic3.gov — include transaction hashes and wallet addresses
5. Contact the Secret Service Electronic Crimes Task Force in your region

The U.S. Secret Service explicitly stated that they are continuing to build on Operation Atlantic’s intelligence to identify additional victims and perpetrators. Reporting matters — and it may result in your case being actively investigated.

Approval phishing is one of the most technically sophisticated scam techniques in the criminal toolkit — and it’s become alarmingly widespread precisely because most crypto users don’t understand how wallet permissions work. Operation Atlantic is a landmark enforcement action, but the most powerful defense is education: know what you’re signing before you sign it, and check your active approvals today.