Crypto experts, law enforcement shut down network stealing billions through ‘approval phishing’

Cryptocurrency experts and law enforcement agencies across six countries worked together to shut down scam networks that made more than $1 billion from “approval phishing” scams — where hackers trick people into allowing them to spend tokens inside a victim’s crypto wallet.

The effort — named “Operation Spincaster” — involved 17 crypto exchanges including Binance and NDEX working with 12 public sector agencies on a series of “operational sprints” designed to disrupt the scams. 

The operation started in Canada in March, when the Calgary Police Service worked with Chainalysis on the initial pilot project. 

Danny Leong, the blockchain investigations team sergeant with the Calgary police, said in a statement that his team worked with Chainalysis earlier this year to host a private workshop where they identified more than 770 individuals, 119 which were Canadians, as victims of cryptocurrency fraud, with an estimated combined loss of $59 million. 

Through the workshop, several Canadian law enforcement agencies were able to notify those impacted and prevent further crypto theft. 

“Through this workshop, the participating organizations took swift action in notifying the impacted individuals to prevent further victimization,” Leong said. 

Chainalysis said it initially embarked on the effort after reporting in December about $1 billion in losses due to approval phishing scams since May 2021. After that report, the company’s experts identified more illicit addresses and updated the number to more than $2.7 billion in losses since 2021. 

Chainalysis used their findings to work with law enforcement agencies in the U.S., U.K., Canada, Spain, the Netherlands and Australia on a series of sprints from April to June 2024 that saw them train officers on how to identify compromised wallets and trace the stolen funds. 

“Over 7,000 leads were disseminated during these sprints relating to approximately $162 million of losses. These leads were used to close accounts, seize funds and build intelligence to prevent future scams,” Chainalysis explained. 

“In fact, in one of the sprints, participants were able to contact a victim directly to warn them of an ongoing scam, prompting the victim to take preventative action on-chain by revoking the approval before the scammer was able to steal a six-figure sum.”

Celestino Calabrese, acting head of illicit finance threat at the U.K.’s National Crime Agency, said they were able to identify 230 victims in their country and found more than $33 million of funds that they believe were the result of approval phishing.

“This work has protected victims here in the UK, and provided opportunities for us to pursue organized crime groups causing significant harm,” Calabrese said. “Many of these groups are based overseas, and utilize sophisticated methods to gain the trust of unsuspecting investors.”

Chainalysis did not respond to requests for comment about how much of the money was clawed back by law enforcement and returned to victims. 

Approval phishing is a tactic typically used alongside other popular scamming techniques like romance scams or fake crypto app schemes. 

The scammers usually trick victims into signing a malicious blockchain transaction that gives the scammer’s address approval to spend specific tokens inside the victim’s wallet, allowing the scammer to then drain the victim’s address of those tokens at will.

Tim Stainton, detective superintendent with the Australian Federal Police, said Operation Spincaster has “shed a clear light on new tactics used by cybercriminals in their continued efforts to defraud Australians,” adding that it will form a key part of their ongoing investigations to identify cybercrime victims and disrupt offenders in Australia.

Binance’s Erin Fracolli added that the effort helped crypto firms trace stolen funds, identify affected users and warn them of the scam. 

Earlier this year, Singapore-based cyber firm Group-IB published its own report on a similar scam where victims were tricked into connecting their cryptocurrency wallets with an attackers’ infrastructure. That scheme saw hackers steal at least $80 million in assets from its victims' digital wallets.

According to the FBI, $3.94 billion of losses suffered by Americans last year were connected to cryptocurrency investment fraud.