Targeted Approval Phishing Scams On the Rise

Approval phishing is a scamming tactic that has existed for many years. But whereas approval phishing scammers have historically targeted wide swaths of crypto users through the proliferation of fake crypto apps, romance scammers (also known as pig butchering scammers) appear to have adopted this technique to great effect in recent years. 

Approval phishing differs from other crypto scams in a small but important way. Typically, scammers trick victims into sending them cryptocurrency, usually through a phony investment opportunity or by impersonating somebody else. But in an approval phishing scam, the scammer tricks the user into signing a malicious blockchain transaction that gives the scammer’s address approval to spend specific tokens inside the victim’s wallet, allowing the scammer to then drain the victim’s address of those tokens at will. Some victims have lost tens of millions to these scams.

It’s important to note that in general, approval phishers send the victim’s funds to a separate wallet from the one granted approval to make transactions on the victim’s behalf. The on-chain pattern typically proceeds as follows:

  • Victim address signs transaction approving second address to spend its funds
  • Second address, which we’ll refer to as approved spender address, executes transaction to move funds to a new destination address

In general, if transactions unfold in this manner, and the approved spender address is the initiator of the draining transaction, rather than the victim address as we’d expect in a non-malicious transaction, it’s likely an instance of approval phishing. However, further investigation would be necessary to know for sure.
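The on-chain pattern above can be expressed as a screening heuristic. The following is an added example, not code from the original report: it assumes simplified ERC-20 `Approval` and `Transfer` records that have been joined with the initiating address of each transaction (`tx_from`), and the function name, record layout and addresses are hypothetical. A match is a lead for review, not proof of a scam.

```python
from collections import namedtuple

# Simplified ERC-20 log records (assumed layout); tx_from is the address
# that initiated the transaction containing the transfer.
Approval = namedtuple("Approval", "block token owner spender")
Transfer = namedtuple("Transfer", "block token src dst amount tx_from")

def flag_spender_initiated_drains(approvals, transfers):
    """Return transfers where an approved spender (not the token owner)
    initiated a move of the owner's tokens to a separate destination
    address at or after the block of the approval."""
    first_grant = {}  # (token, owner, spender) -> earliest approval block
    for a in approvals:
        key = (a.token, a.owner, a.spender)
        first_grant[key] = min(a.block, first_grant.get(key, a.block))
    flagged = []
    for t in sorted(transfers, key=lambda t: t.block):
        grant_block = first_grant.get((t.token, t.src, t.tx_from))
        if grant_block is None or t.block < grant_block:
            continue  # initiator held no earlier approval from the source
        if t.dst in (t.src, t.tx_from):
            continue  # funds did not go to a separate destination address
        flagged.append(t)
    return flagged

# Constructed sample data; every address is a placeholder.
APPROVALS = [
    Approval(100, "USDT", "0xVictimA", "0xSpender1"),
    Approval(105, "USDT", "0xUserB", "0xDexRouter"),
]
TRANSFERS = [
    # Approved spender initiates and sends the tokens to a third address.
    Transfer(120, "USDT", "0xVictimA", "0xDest1", 50_000, "0xSpender1"),
    # Ordinary dApp use: the token owner initiates the transaction.
    Transfer(121, "USDT", "0xUserB", "0xPool", 1_000, "0xUserB"),
    # Plain owner-initiated payment with no approval involved.
    Transfer(110, "USDT", "0xVictimA", "0xFriend", 10, "0xVictimA"),
]

if __name__ == "__main__":
    for t in flag_spender_initiated_drains(APPROVALS, TRANSFERS):
        print(f"review: {t.tx_from} moved {t.amount} {t.token} "
              f"from {t.src} to {t.dst}")
```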

Many decentralized apps (dApps) on smart contract-enabled blockchains, like Ethereum, require users to sign approval transactions giving the dApps’ smart contracts permission to move funds held by the user’s address. Approvals granted to secure dApps are generally safe because properly designed smart contracts can only use that approval when directed to do so by the user, or when such approval is required in the normal functioning of the dApp. In those cases, we would generally expect the dApp user’s address to be the one initiating the transaction to spend the funds. But approval phishers can take advantage of the fact that many crypto users are used to signing approval transactions — the trick is in what permissions are given, and the trustworthiness of the party receiving that permission. For instance, one approval phishing scam saw fraudsters promote a bogus story of a Uniswap approval phishing scam, and set up a fake Etherscan page where users could check their transaction approvals by connecting their wallets and signing an approval transaction to see if they’d fallen victim — that last transaction was the core of the actual approval phishing scam.

However, research suggests that approval phishers are now increasingly targeting specific victims, building relationships with them and using tactics associated with romance scams to convince victims to sign approval transactions. MetaMask lead product manager Taylor Monahan (aka @tayvano_) has tracked romance scam-style approval phishing on a custom Dune Analytics dashboard.

We identified a set of 1,013 addresses involved in what appears to be targeted approval phishing by starting with a smaller list of approval phishing addresses whose owners are known to be using romance scam tactics. We then identified other addresses connected to those in the initial list that had executed similar transactions, effectively allowing us to build out a more complete network of interconnected approval phishers’ on-chain activity. We estimate that victims of the addresses we started with, plus those we identified based on their distinct pattern of activity, have lost approximately $1.0 billion to approval phishing scams since the start of our dataset in May 2021. While it’s important to note that this $1.0 billion total is an estimate based on on-chain patterns, and that some of it could represent laundering of funds already controlled by the scammers, this figure is likely just the tip of a much larger iceberg. Romance scams are notoriously underreported, and our analysis began from a limited set of reported instances.

The suspected approval phishing scammers we’re tracking saw their revenue peak in May 2022. Overall, 2022 saw victims lose an estimated $516.8 million to approval phishing, versus just $374.6 million in 2023 through November. Like many forms of cryptocurrency-based crime, the vast majority of approval phishing theft is driven by a few highly successful actors. We can see this on the distribution graph below, which shows the approval phishing revenue of our 1,013 addresses during the time period studied, and the cumulative share of all value stolen through approval phishing by the addresses in our sample in descending order.

The most successful approval phishing address likely stole $44.3 million from thousands of victim addresses, representing 4.4% of the total estimated stolen during the time period studied. The ten largest approval phishing addresses combined account for 15.9% of all value stolen during the time period studied, while the 73 biggest account for half of all value stolen.

We believe that the industry can address the approval phishing scam problem in a variety of ways, from user education to employing pattern recognition tactics similar to those we used to compile this data. Generally speaking, the relevant addresses and wallets in approval phishing scams are:

  • Approved spender wallets, which victims are tricked into designating as approved to spend funds in their wallet
  • Destination addresses to which victim funds are drained
  • Consolidation addresses where funds drained from many victims are gathered

Funds are typically moved from consolidation addresses to cash out points — primarily centralized exchanges — as we see on the graph below.

Based on the patterns identified above, exchange compliance teams could monitor the blockchain for suspected approval phishing consolidation wallets with heavy exposure to destination addresses. They could then see in real time when those wallets move funds to their platform, and then could take steps such as automatically freezing the funds or reporting to law enforcement. More broadly, the industry can work to educate users not to sign approval transactions unless they’re absolutely sure they trust the person or company on the other side, or understand the level of access they’re granting.
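A sketch of the monitoring described above, as an added example that is not from the original report: it scans a chronological transfer feed, scores each wallet by the share of its inbound value that came from suspected destination addresses, and raises an alert when a wallet that looks like a consolidation point deposits to an exchange address. The function name, the thresholds (`min_sources`, `min_exposure`) and all addresses are assumptions.

```python
from collections import defaultdict

def exchange_deposit_alerts(transfers, destination_addrs, exchange_addrs,
                            min_sources=2, min_exposure=0.5):
    """Scan (src, dst, amount) transfers in chronological order and return
    (wallet, exchange_addr, amount, exposure) for deposits made by wallets
    that look like consolidation points for suspected destination addresses."""
    inbound_total = defaultdict(int)    # wallet -> all value received so far
    inbound_flagged = defaultdict(int)  # wallet -> value from destination addrs
    flagged_sources = defaultdict(set)  # wallet -> distinct destination addrs
    alerts = []
    for src, dst, amount in transfers:
        # Evaluate the sender on what it has received before this transfer.
        if dst in exchange_addrs and inbound_total[src] > 0:
            exposure = inbound_flagged[src] / inbound_total[src]
            if (len(flagged_sources[src]) >= min_sources
                    and exposure >= min_exposure):
                alerts.append((src, dst, amount, round(exposure, 2)))
        inbound_total[dst] += amount
        if src in destination_addrs:
            inbound_flagged[dst] += amount
            flagged_sources[dst].add(src)
    return alerts

# Constructed sample data; every address is a placeholder.
DESTINATIONS = {"0xDest1", "0xDest2"}   # e.g. output of earlier screening
EXCHANGE = {"0xExchDeposit9"}           # the platform's own deposit addresses
FEED = [
    ("0xDest1", "0xCons1", 50_000),
    ("0xDest2", "0xCons1", 30_000),
    ("0xOther", "0xCons1", 20_000),
    ("0xDest1", "0xShop", 100),         # single flagged source, low exposure
    ("0xPayroll", "0xShop", 9_900),
    ("0xCons1", "0xExchDeposit9", 70_000),
    ("0xShop", "0xExchDeposit9", 5_000),
]

if __name__ == "__main__":
    for wallet, dep, amount, exposure in exchange_deposit_alerts(
            FEED, DESTINATIONS, EXCHANGE):
        print(f"alert: {wallet} -> {dep} amount={amount} exposure={exposure}")
```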

This material is for informational purposes only, and is not intended to provide legal, tax, financial, investment, regulatory or other professional advice, nor is it to be relied upon as a professional opinion. Recipients should consult their own advisors before making these types of decisions. Chainalysis does not guarantee or warrant the accuracy, completeness, timeliness, suitability or validity of the information herein. Chainalysis has no responsibility or liability for any decision made or any other acts or omissions in connection with Recipient’s use of this material.
