
Approval Phishing: From Just One Case to Full-Scale Disruption

Chain of Thought is our new expert-hosted webinar series, taking you behind the scenes of real investigations, emerging typologies and the crypto crime trends our experts are seeing first-hand. The first session, Inside an Investment Scam Operation, brought Chainalysis investigators Seth DuBois and Renato Bastos in front of a live audience to walk through an active approval phishing operation — from the social engineering playbook that primes the victim, to the on-chain infrastructure that drains the wallet. Here’s what went down.

Setting the stage, the duo presented the numbers behind the typology – and they are stark. Chainalysis research showed that on-chain scams pulled in at least $14 billion in 2025, likely rising to $17 billion as more illicit addresses are attributed. The average payment to a single scam address rose 253% year on year. Scams augmented by AI were 4.5 times more profitable than those without.

Investment scams remained the dominant category, and approval phishing is how some of them play out on-chain. “The reality is, one case is never just one. Scammers reuse the same wallets, legitimate approval features from contracts and cash-out routes across victims, which means each report exposes a wider network”, says Renato, who has witnessed this trend across several cases he’s investigated.

What is approval phishing?

Approval phishing tricks a victim into signing a token approval that grants a scammer-controlled address the right to spend the victim’s tokens. On Ethereum-style chains this is the standard ERC-20 approve (or increaseAllowance) call, or setApprovalForAll for an NFT collection; its legitimate use is to let a DEX or marketplace contract move tokens on the user’s behalf, which is why the prompt looks routine. The victim falsely believes that clicking “approve” will only set up a minor task, like making a trade or moving some funds, but the spender named in the transaction is the scammer and the amount is often the maximum uint256 value, an unlimited allowance. No private key is stolen and no funds move at that moment; the scammer simply calls transferFrom whenever they choose and pulls every unit of the approved token the wallet holds, including deposits made later, until the victim sets that allowance back to zero. Native coins such as ETH cannot be approved this way, so what gets drained is the approved token balance rather than literally everything in the wallet.
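What the victim actually signs can be read straight out of the transaction calldata. The following is an added example, not Chainalysis code or anything shown in the webinar: it decodes the calldata of an approve, increaseAllowance or setApprovalForAll call using the standard four-byte selectors and ABI word layout, then classifies the grant the way a pre-signing check in a wallet or an exchange-side screen might. The sample calldata, the spender address and the trusted-spender list are constructed for the example.

```python
"""Decode an approval transaction's calldata and say what the signer is granting.

Added example, not Chainalysis code.  The selectors are the standard Solidity
four-byte selectors (keccak256 of the signature); the sample calldata, spender
address and trusted-spender list below are constructed for the example."""

from dataclasses import dataclass

SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "39509351": "increaseAllowance(address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
}
UINT256_MAX = 2**256 - 1


@dataclass
class Approval:
    function: str
    spender: str
    amount: int        # token units for the ERC-20 calls, 1/0 for setApprovalForAll
    unlimited: bool


def _word(data: bytes, i: int) -> bytes:
    """Return the i-th 32-byte ABI word after the 4-byte selector."""
    start = 4 + 32 * i
    chunk = data[start:start + 32]
    if len(chunk) != 32:
        raise ValueError("calldata truncated")
    return chunk


def decode_approval(calldata_hex: str) -> Approval:
    data = bytes.fromhex(calldata_hex.lower().removeprefix("0x"))
    selector = data[:4].hex()
    if selector not in SELECTORS:
        raise ValueError(f"not an approval call: selector 0x{selector}")
    fn = SELECTORS[selector]
    # An address is right-aligned in its 32-byte word: the last 20 bytes.
    spender = "0x" + _word(data, 0)[12:].hex()
    amount = int.from_bytes(_word(data, 1), "big")
    if fn.startswith("setApprovalForAll"):
        # A true bool hands over every token in the collection.
        return Approval(fn, spender, amount, unlimited=amount != 0)
    return Approval(fn, spender, amount, unlimited=amount == UINT256_MAX)


def assess(approval: Approval, balance: int, trusted_spenders: set) -> str:
    """Classify the grant the way a pre-signing check in a wallet might."""
    if approval.spender in trusted_spenders:
        return "ok: known contract"
    if approval.function.startswith("setApprovalForAll") and approval.unlimited:
        return "danger: blanket approval over the whole collection to an unknown operator"
    if approval.unlimited:
        return "danger: unlimited allowance to an unknown spender"
    if approval.amount > balance:
        return "warning: allowance exceeds current balance, so it also covers future deposits"
    return "caution: bounded allowance to an unknown spender"


# Constructed samples: a phishing approve() with the maximum allowance, a bounded
# approve() larger than the wallet holds, and a blanket NFT approval.
SCAM_SPENDER = "0x" + "11" * 20
_spender_word = "00" * 12 + "11" * 20
SAMPLE_UNLIMITED = "0x095ea7b3" + _spender_word + "ff" * 32
SAMPLE_BOUNDED = "0x095ea7b3" + _spender_word + (5_000).to_bytes(32, "big").hex()
SAMPLE_NFT = "0xa22cb465" + _spender_word + "00" * 31 + "01"

if __name__ == "__main__":
    for name, calldata in [("unlimited", SAMPLE_UNLIMITED),
                           ("bounded", SAMPLE_BOUNDED), ("nft", SAMPLE_NFT)]:
        a = decode_approval(calldata)
        print(name, a.function, a.spender, "unlimited" if a.unlimited else a.amount,
              "->", assess(a, balance=1_000, trusted_spenders=set()))
```

The point a practitioner should take from the decoder is that the wallet prompt and the calldata disagree: the prompt says “approve”, the second ABI word says how much, and an allowance larger than the current balance is what lets the scammer wait for the next deposit.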

A complex social engineering operation often precedes this strike, and our investigators say the human signs are consistent. Each is a red flag for compliance professionals to intervene before the technical attack occurs:

  • Coached answers: Victims repeat generic, rehearsed lines (“personal use”, “value storage”) but cannot describe the investment details themselves.
  • Security stripping: Victims are guided off regulated exchanges and into self-custody, with the exchange account used only as a pass-through.
  • “Mentor” dependency and urgency: A supposed advisor directs every step, demanding real-time screenshots and fast execution to maintain control.
  • Out-of-character liquidity: Sudden large wires to crypto venues from customers with no prior digital asset activity.

Zoom back to the moment of approval. Renato walks through what exactly happens here: “The scammer can now drain the victim’s wallet whenever they please. They might move instantaneously or lurk until an ideal moment, like right after the victim deposits fresh funds from their exchange. No matter the timing, the scammer rushes the stolen crypto through a series of wallets, across bridges, and into exchanges for cash out.” He also highlights an important reminder: these blockchain transactions are inherently irreversible, but the damage doesn’t have to be.

How Chainalysis is tracking approval phishing

While scammers often tailor their tactics to individuals, they tend to move many victims’ funds through the same wallets, so tracing their activity is tractable with data platforms like Chainalysis DS. “Because the criminals reuse infrastructure, the typology becomes a query you can automate”, says Seth, recounting his experience in leading investigations into approval phishing.

Chainalysis has been tracking approval phishing rings for years. In 2024, we launched a pioneering initiative, Operation Spincaster, which brought together law enforcement and the private sector from six countries to disrupt and prevent approval phishing scams. More than 7,000 leads processed across several sprints helped investigators act on $162 million USD in losses and even warn one would-be victim that they had been targeted; with the help of law enforcement, that person revoked the scammer’s approval before losing six figures in crypto. Follow-on actions such as Operation DeCloak in the 100,000-person city of Delta, Canada, led to the freezing, seizure and return of approval phishing victims’ funds.

Operation Atlantic, led by the UK’s National Crime Agency, the US Secret Service, the Ontario Provincial Police and the Ontario Securities Commission with support from Chainalysis, identified more than 20,000 victims across Britain, Canada and the United States. The operation froze over $12M in suspected criminal proceeds and traced a further $45M in stolen crypto to related schemes. Officials used our on-chain data to identify at-risk wallets and disrupt the social engineering chain before scammers could strike.

How you can disrupt approval phishing

The same patterns that make approval phishing effective also make it catchable. Scammers route stolen crypto through the same consolidation wallets, reuse the same spender contracts, and cash out at the same exchange deposit addresses. That reused infrastructure is a vulnerability, and it’s the basis for turning ad hoc investigations into a standing capability.

Seth and Renato highlight four shifts that make the difference:

  1. Move detection upstream. Wire the approval phishing typology into your monitoring, so exposure surfaces automatically rather than waiting on a victim’s report. Map full phishing infrastructure, not only isolated cases. The Approval Phishing Scams dashboard in Chainalysis DS is built for this.
  2. Pivot faster on leads. Use on-chain intelligence to confirm exposure and scope a cluster quickly. When the address that moves the funds isn’t the address that owns them, that is, when a third-party spender is pulling tokens out of a wallet that approved it, something could be wrong. By flagging this and cross-referencing it against known drain-destination wallets, compliance teams can freeze phishing-related funds before they leave the platform, or stop their own users from sending funds to addresses that have approved risky spenders, preventing further losses.
  3. Plug into the disruption network. Crypto-to-bank coordination is where this typology is most disruptable. Disrupting one operator prevents thousands of future victims. In the U.S., 314(b) information-sharing rules let banks and exchanges follow the money from fiat to crypto, acting before it’s too late.
  4. Build capability in-house. Train investigators, fraud prevention and compliance teams on the typology, and develop playbooks tailored to your operating environment, so the expertise compounds with each case and detection becomes repeatable.
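Taken together, shifts 1 and 2 amount to a standing query over decoded token events. The block below is an added example, not Chainalysis code or the DS dashboard: it runs that query over a constructed batch of Approval and Transfer events joined to each transaction’s sender, flags transferFrom pulls by untrusted spenders (the “spender isn’t the owner” signal), confirms them against a hypothetical known-drain list, holds a customer withdrawal to a wallet that has a live risky approval, and expands one reported victim into the wider cluster. The event shape, every address label and the trusted and known-drain lists are assumptions made up for the example.

```python
"""Approval-phishing detection over a constructed batch of decoded token events.

Added example, not Chainalysis code.  Event shape, address labels, the trusted
spender list and the known-drain list are all assumptions made up for the example;
a real deployment would feed decoded Approval/Transfer logs joined to each
transaction's sender (msg.sender)."""

from collections import defaultdict
from dataclasses import dataclass

UNLIMITED = 2**256 - 1


@dataclass
class Event:
    kind: str        # "Approval" or "Transfer"
    tx_sender: str   # account that sent the transaction (msg.sender)
    a: str           # Approval: owner    / Transfer: from
    b: str           # Approval: spender  / Transfer: to
    value: int


# Constructed sample: one DEX router, one scammer spender, one consolidation wallet.
ROUTER, SPENDER, DRAIN = "0xrouter", "0xspender", "0xdrain"
ALICE, BOB, CAROL = "0xalice", "0xbob", "0xcarol"
TRUSTED = {ROUTER}
KNOWN_DRAINS = {DRAIN}
EVENTS = [
    Event("Approval", ALICE, ALICE, SPENDER, UNLIMITED),  # phished approval
    Event("Approval", BOB, BOB, ROUTER, 1_000),           # ordinary swap approval
    Event("Transfer", ROUTER, BOB, "0xpool", 1_000),      # router pulls Bob's tokens (legit)
    Event("Transfer", SPENDER, ALICE, DRAIN, 4_000),      # scammer pulls Alice's tokens
    Event("Approval", CAROL, CAROL, SPENDER, UNLIMITED),  # second victim, not yet drained
    Event("Approval", ALICE, ALICE, SPENDER, 0),          # Alice revokes after being warned
]


def find_pulls(events, trusted=TRUSTED, drains=KNOWN_DRAINS):
    """Transfers whose tx sender is not the token owner are transferFrom pulls.
    A pull by an untrusted spender is suspicious; one into a known drain is confirmed."""
    alerts = []
    for e in events:
        if e.kind != "Transfer" or e.tx_sender == e.a or e.tx_sender in trusted:
            continue
        severity = "confirmed" if e.b in drains else "suspicious"
        alerts.append((severity, e.a, e.tx_sender, e.b, e.value))
    return alerts


def live_risky_approvals(events, trusted=TRUSTED):
    """owner -> untrusted spenders that still hold a non-zero allowance.
    Events are replayed in order, so a later approve(spender, 0) revokes."""
    live = defaultdict(set)
    for e in events:
        if e.kind != "Approval" or e.b in trusted:
            continue
        if e.value == 0:
            live[e.a].discard(e.b)
        else:
            live[e.a].add(e.b)
    return {owner: spenders for owner, spenders in live.items() if spenders}


def screen_withdrawal(dest, events):
    """Exchange-side check before releasing a customer withdrawal: does the
    destination wallet have a live approval to a risky spender?"""
    risky = live_risky_approvals(events)
    if dest in risky:
        return f"hold: {dest} has live approval to {sorted(risky[dest])}"
    return "release"


def cluster_from_lead(events, victim):
    """Expand one reported victim into the spenders it approved, the wallets those
    spenders drained into, and every other owner who approved the same spenders."""
    spenders = {e.b for e in events if e.kind == "Approval" and e.a == victim and e.value}
    destinations = {e.b for e in events if e.kind == "Transfer" and e.tx_sender in spenders}
    other_victims = {e.a for e in events
                     if e.kind == "Approval" and e.b in spenders and e.value and e.a != victim}
    return {"spenders": spenders, "destinations": destinations, "other_victims": other_victims}


if __name__ == "__main__":
    for alert in find_pulls(EVENTS):
        print("pull:", alert)
    print("withdrawal to Carol:", screen_withdrawal(CAROL, EVENTS))
    print("withdrawal to Bob:", screen_withdrawal(BOB, EVENTS))
    print("cluster from Alice:", cluster_from_lead(EVENTS, ALICE))
```

Two design points carry over to a real deployment: the trusted-spender allowlist is what keeps ordinary DEX and marketplace pulls out of the alert queue, and the cluster expansion is where “one case is never just one” becomes operational, because a single confirmed drain names the spender, and the spender names every other wallet that approved it before those wallets are emptied.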

Seth also ran through an approval phishing checklist that our webinar audiences could use with their retail customers: “For anyone holding crypto, practice common-sense security. Check the URL before connecting your wallet. Download apps from official stores, not from links in a group chat. And if someone you’ve never met is walking you through a transaction with urgency, take a pause. It may well be a scam”.

From signal to standing capability

Approval phishing operations are methodical, patient and increasingly automated. So is the response. Because criminals reuse the same wallets, spender contracts and cash-out routes across victims, one identified case exposes a wider network, and that network is fully queryable on-chain.

Operations Spincaster and Atlantic show what coordinated action achieves when on-chain intelligence reaches investigators in time. Turning that into a standing capability means moving detection upstream, pivoting faster on leads, plugging into the disruption network, and building the expertise in-house. Chainalysis supports each of those shifts. To discuss how, talk to our experts.

And to see how the experts dissect these cases to find victims and scale detection, watch the Chain of Thought session — Inside an Investment Scam Operation. To be notified about future Chain of Thought events, register your interest here.


This website contains links to third-party sites that are not under the control of Chainalysis, Inc. or its affiliates (collectively “Chainalysis”). Access to such information does not imply association with, endorsement of, approval of, or recommendation by Chainalysis of the site or its operators, and Chainalysis is not responsible for the products, services, or other content hosted therein. 

This material is for informational purposes only, and is not intended to provide legal, tax, financial, or investment advice. Recipients should consult their own advisors before making these types of decisions. Chainalysis has no responsibility or liability for any decision made or any other acts or omissions in connection with Recipient’s use of this material.

Chainalysis does not guarantee or warrant the accuracy, completeness, timeliness, suitability or validity of the information in this report and will not be responsible for any claim attributable to errors, omissions, or other inaccuracies of any part of such material.