Approval Phishing Detection and Disruption: Compliance and Investigation Playbooks
On-chain scams pulled in at least $14 billion in 2025, with approval phishing sitting at the centre of many investment fraud operations. The mechanism is deceptively simple: a victim clicks "approve" believing they are initiating a routine transaction, but the authorisation hands a malicious actor complete control over their wallet. What makes this typology particularly dangerous for compliance teams is that scammers systematically reuse wallets, spender contracts, and cash-out routes across multiple victims, meaning a single identified case is almost always the entry point to a much larger network.
Chainalysis investigators Seth DuBois and Renato Bastos recently walked through a live approval phishing case in the firm's Chain of Thought webinar series, covering social engineering indicators, on-chain mechanics, and the disruption playbook behind two major law enforcement operations. What follows draws on that session to give compliance officers, auditors, and digital asset accounting teams a structured view of the threat and a repeatable response.
The Numbers Behind the Typology
Scale and profitability in 2025
Chainalysis data shows on-chain scams generated at least $14 billion in 2025, with that figure likely rising to $17 billion as additional illicit addresses are attributed. Two data points stand out for risk-assessment purposes. The average payment to a single scam address rose 253% year on year, indicating scammers are becoming more selective and more patient with individual targets. Scams augmented by AI were 4.5 times more profitable than those run without it, a gap that reflects how dramatically AI is lowering the cost of social engineering.
Investment scams remained the dominant category, and approval phishing is the on-chain execution layer for many of them. Firms relying on crypto accounting software to monitor client or counterparty flows need to understand that the approval transaction itself can look entirely routine until the drain event occurs.
How Approval Phishing Works
The social engineering setup
The technical exploit is typically preceded by a sustained social engineering campaign. Chainalysis investigators note that the human signals are consistent across cases, and each one is a point at which a compliance professional, fraud prevention team, or regulated exchange can intervene before the on-chain attack lands.
Four patterns appear repeatedly:
- Victims repeat rehearsed, generic phrases about "personal use" or "value storage" but cannot explain the underlying investment in any detail.
- Victims are directed off regulated exchanges into self-custody wallets, with the exchange account used only as a pass-through for funds.
- A supposed advisor controls every step, demanding real-time screenshots and pushing fast execution to maintain psychological pressure.
- Sudden large wire transfers arrive from customers with no prior digital asset activity.
Any one of these signals warrants enhanced due diligence. All four together constitute a near-certain indicator of active victimisation.
The on-chain mechanics
Once the victim clicks approve, the scammer holds a standing authorisation to drain the wallet at any point of their choosing. They may act immediately or wait until the victim deposits fresh funds from an exchange. When they do move, stolen crypto is routed rapidly through a series of wallets, across bridges, and into exchange deposit addresses for conversion to fiat or less traceable assets.
The transactions are irreversible. That is not, however, the end of the story. Because scammers route funds through the same consolidation wallets, reuse the same spender contracts, and cash out at the same exchange deposit addresses across many victims, each case generates intelligence that is immediately applicable to the next. As Renato Bastos put it: "Because the criminals reuse infrastructure, the typology becomes a query you can automate."
For teams using digital asset accounting software to reconcile on-chain activity, the signature to watch is straightforward: the address initiating the transfer (the approved spender) is not the address that holds the tokens. That spender-not-owner mismatch, cross-referenced against known drain-destination wallets, is the operational trigger for intervention.
What Coordinated Disruption Looks Like
Operation Spincaster
In 2024, Chainalysis launched Operation Spincaster, bringing together law enforcement and private sector participants from six countries. Over several sprints, more than 7,000 leads were processed, helping investigators disrupt an estimated $162 million in losses. Crucially, one would-be victim was warned before the drain event, allowing law enforcement to revoke the scammer's approval before six figures in crypto were lost. Follow-on action in Delta, Canada, a city of around 100,000 people, led to the freezing, seizure, and return of victim funds.
Operation Atlantic
Operation Atlantic, led by the UK's National Crime Agency alongside the US Secret Service, the Ontario Provincial Police, and the Ontario Securities Commission, with Chainalysis providing on-chain intelligence, identified more than 20,000 victims across the United Kingdom, Canada, and the United States. The operation froze over $12 million in suspected criminal proceeds and traced a further $45 million to related schemes. Investigators used on-chain data to identify at-risk wallets and interrupt the social engineering chain before the technical exploit could complete.
Both operations illustrate the same principle: because criminal infrastructure is reused, mapping it once creates a standing detection capability that extends across victims, jurisdictions, and time.
This infrastructure-reuse dynamic is directly relevant to blockchain analytics data quality and due diligence: the evidentiary value of on-chain attribution depends on how reliably a platform maps addresses to clusters and entities. It is also worth situating approval phishing within the broader illicit ecosystem; for context on how large-scale fraud infrastructure operates, see our coverage of Huione Group and illicit marketplace AML risk.
A Four-Point Compliance Response
Building detection into standing operations
The Chainalysis session distilled the operational response into four steps that translate directly into compliance programme design.
1. Wire the typology into automated monitoring. Approval phishing should not surface only when a victim files a report. The spender-not-owner mismatch is machine-detectable. Building it into transaction monitoring rules means exposure is flagged in near real time rather than weeks after the drain event.
2. Map the full phishing cluster, not just the presenting address. When a flagged address is identified, the response should pivot immediately to the consolidation wallets and spender contracts it shares with other cases. That pivot expands the scope from one victim to a network and allows proactive alerts to other customers or counterparties at risk.
3. Plug into crypto-to-bank coordination channels. The cash-out leg is the most disruptable point. In the United States, Section 314(b) information-sharing rules allow banks and exchanges to share intelligence and coordinate freezes before funds reach fiat. Compliance teams should have active 314(b) relationships and know which exchange contacts to call. Similar coordination frameworks exist in the UK and Canada through existing financial intelligence unit channels.
4. Build internal expertise through documented playbooks. Detection becomes repeatable when investigators document what they found, how they found it, and what the on-chain signatures looked like. Each case compounds institutional knowledge. Training fraud prevention and compliance staff on the typology, and refreshing that training as tactics evolve, turns a reactive capability into a proactive one.
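Steps 1 and 2 above, together with the spender-not-owner signature described under the on-chain mechanics, as an added worked example in Python. This is not Chainalysis code and was not shown in the webinar. It assumes a flat export of ERC-20 Approval and Transfer events in which each Transfer is paired with the sender of the transaction that emitted it; every address, block number and amount is a constructed placeholder. It goes one step beyond the text by also listing owners who have granted an allowance to a spender already seen draining other wallets, which is the pre-drain warning that Operation Spincaster delivered to one would-be victim.

```python
"""Spender-not-owner detection and phishing-cluster pivot over constructed sample data.
Added example, not Chainalysis code. All addresses, blocks and amounts are placeholders;
the record layout assumes a flat export of ERC-20 Approval/Transfer events plus the
sender of the transaction behind each Transfer."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Approval:
    block: int
    owner: str    # wallet granting the allowance (the victim in a phishing case)
    spender: str  # address now allowed to call transferFrom on the owner's balance


@dataclass(frozen=True)
class Transfer:
    block: int
    tx_sender: str  # account that submitted the transaction
    src: str        # address the tokens left (the "from" of the Transfer event)
    dst: str        # address the tokens arrived at
    amount: int


# Constructed: consolidation / exchange-deposit wallets already attributed to phishing.
KNOWN_DRAIN_DESTINATIONS = {"0xCONSOLIDATE01", "0xEXCHDEPOSIT01"}

# Constructed sample events.
APPROVALS = [
    Approval(100, "0xVICTIM_A", "0xSPENDER_X"),
    Approval(105, "0xVICTIM_B", "0xSPENDER_X"),
    Approval(110, "0xVICTIM_C", "0xSPENDER_X"),  # approved, not yet drained
    Approval(120, "0xVICTIM_D", "0xSPENDER_Y"),
]
TRANSFERS = [
    Transfer(101, "0xVICTIM_A", "0xVICTIM_A", "0xMERCHANT01", 50),  # owner spends own funds
    Transfer(130, "0xSPENDER_X", "0xVICTIM_A", "0xCONSOLIDATE01", 10_000),
    Transfer(131, "0xSPENDER_X", "0xVICTIM_B", "0xCONSOLIDATE01", 8_000),
    Transfer(140, "0xSPENDER_Y", "0xVICTIM_D", "0xFRESHWALLET01", 3_000),
    Transfer(150, "0xROUTER01", "0xVICTIM_E", "0xPOOL01", 500),  # no approval in export
]


def approval_index(approvals):
    """(owner, spender) -> block of the earliest approval between them."""
    idx = {}
    for a in approvals:
        idx[(a.owner, a.spender)] = min(a.block, idx.get((a.owner, a.spender), a.block))
    return idx


def detect_drains(transfers, approvals, known_destinations=KNOWN_DRAIN_DESTINATIONS):
    """Step 1: flag every transfer whose sender is not the owner of the funds.
    'high' when the sender holds an allowance the owner granted earlier, or the funds
    land on a known drain destination; 'medium' for a bare mismatch (routers and other
    contracts also move tokens they do not own, so that tier needs analyst review)."""
    idx = approval_index(approvals)
    alerts = []
    for t in transfers:
        if t.tx_sender == t.src:
            continue  # routine: the owner is moving its own tokens
        key = (t.src, t.tx_sender)
        used_allowance = key in idx and idx[key] <= t.block
        known_dest = t.dst in known_destinations
        alerts.append({"block": t.block, "victim": t.src, "spender": t.tx_sender,
                       "destination": t.dst, "amount": t.amount,
                       "severity": "high" if (used_allowance or known_dest) else "medium"})
    return alerts


def build_cluster_graph(alerts):
    """Step 2: link each high-severity victim to the spender and destination it used.
    Medium alerts are excluded so a shared DEX router cannot glue unrelated wallets."""
    graph = defaultdict(set)
    for a in alerts:
        if a["severity"] != "high":
            continue
        for infra in (a["spender"], a["destination"]):
            graph[a["victim"]].add(infra)
            graph[infra].add(a["victim"])
    return graph


def expand_cluster(graph, seed):
    """Breadth-first pivot from one flagged address through shared infrastructure."""
    seen, queue = {seed}, deque([seed])
    while queue:
        for nxt in graph[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def at_risk_owners(approvals, malicious_spenders, drained_owners):
    """Pre-drain alert list: owners who approved a flagged spender but still hold funds."""
    return sorted({a.owner for a in approvals
                   if a.spender in malicious_spenders and a.owner not in drained_owners})


def run(transfers=TRANSFERS, approvals=APPROVALS, seed="0xVICTIM_B"):
    alerts = detect_drains(transfers, approvals)
    cluster = expand_cluster(build_cluster_graph(alerts), seed)
    spenders = {a["spender"] for a in alerts if a["severity"] == "high" and a["spender"] in cluster}
    drained = {a["victim"] for a in alerts if a["severity"] == "high"}
    return {"alerts": alerts, "cluster": cluster, "at_risk": at_risk_owners(approvals, spenders, drained)}


if __name__ == "__main__":
    summary = run()
    for a in summary["alerts"]:
        print(a["severity"], a["victim"], "->", a["destination"], "via", a["spender"])
    print("cluster:", sorted(summary["cluster"]))
    print("at risk (warn before drain):", summary["at_risk"])
```

On the sample data the pivot from 0xVICTIM_B reaches 0xVICTIM_A through the shared spender and consolidation wallet, leaves 0xVICTIM_D (a different spender) out of the cluster, and surfaces 0xVICTIM_C as an owner who has approved the same spender but has not yet been drained. The medium tier is deliberately a review queue rather than a freeze trigger: a bare sender/owner mismatch also describes legitimate contract interactions, and cluster pivots should run on the high tier only.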
Red Flags for Customer-Facing Teams
When to intervene with a retail or institutional customer
Seth DuBois outlined a practical checklist for customer-facing staff. Any of the following should trigger a pause and a welfare conversation before a transaction is processed:
- The customer cannot explain the investment they are funding in plain terms.
- Someone else is present on the call or directing the customer's actions in real time.
- There is urgency: the customer says they need to send funds immediately or will miss an opportunity.
- The destination is a self-custody wallet the customer set up recently at an advisor's instruction.
- The transaction is large relative to the customer's historical profile.
These are not crypto-specific behaviours. They are the same coercion and pressure signals that financial crime teams have been trained to spot in wire fraud and authorised push payment scams. The channel is different; the human pattern is not. For firms using crypto bookkeeping software to track client flows, an unusual transaction that matches the profile above warrants a call before it settles, not a review after.
The Compliance Programme Implications
Approval phishing is not a niche or exotic threat. At $14 billion and rising, it represents a material exposure for any firm that touches digital asset flows: exchanges, custodians, banks with crypto-active customers, and the accounting and audit practices that serve them. The good news is that the same infrastructure reuse that makes the scam scalable also makes it systematically detectable.
For compliance programmes, the priority actions are clear: automate typology detection, build cluster-mapping into investigation workflows, activate information-sharing channels before a drain event completes, and ensure front-line staff can recognise the social engineering precursors. Those steps, taken together, move the response from reactive to genuinely disruptive.
For a broader view of how on-chain intelligence integrates into crypto compliance reporting, the pillar section covers the data architecture and reporting obligations that underpin this kind of standing capability.
Source: Chainalysis
FAQ
In a standard wallet compromise, an attacker gains access to a victim's private key. In approval phishing, the victim's key is never stolen. Instead, the victim is tricked into signing a transaction that grants a malicious contract the right to spend funds from their wallet. The scammer can then drain the wallet at any time without needing further interaction from the victim. The exploit uses a legitimate blockchain feature, the token approval mechanism, in a fraudulent way.
The primary signal is a mismatch between the address that owns funds and the address that initiates spending. When an address that has not received funds directly begins moving tokens out of another address, that is the approval mechanism in use. Cross-referencing that spender address against known drain-destination wallets or previously flagged phishing clusters immediately indicates whether the activity is suspicious. Automated monitoring should also flag large or sudden outflows from wallets that have recently received an approval-type transaction.
Section 314(b) of the USA PATRIOT Act allows banks and other financial institutions to share information with each other about suspected money laundering or terrorist financing, with protection from liability. In the approval phishing context, this means a crypto exchange that identifies a suspected drain wallet can share that intelligence with a receiving bank before the cash-out completes, allowing the bank to freeze funds. Active 314(b) relationships between exchanges and banks are one of the most effective disruption mechanisms available in the United States.
The audit or due diligence review should ask whether the platform has automated detection for the spender-not-owner mismatch, whether it maintains cluster maps linking known phishing infrastructure, whether it has active information-sharing arrangements under applicable rules (314(b) in the US, equivalent channels in the UK and Canada), and whether front-line staff are trained to recognise social engineering precursors. A platform that identifies phishing only from victim reports lacks a proactive capability and represents a higher residual risk in a crypto compliance assessment.
No. Once a drain transaction is confirmed on-chain, it cannot be reversed at the protocol level. However, funds can potentially be frozen or seized if law enforcement acts quickly enough at the cash-out point, typically an exchange deposit address. Operations Spincaster and Atlantic demonstrate that coordination between on-chain intelligence providers, exchanges, and law enforcement can freeze criminal proceeds even after the drain event. The window is short, which is why proactive, pre-drain detection is a significantly better outcome than post-drain investigation.
