Approval phishing is a scamming tactic that has existed for many years, the Chainalysis team notes.
But whereas approval phishing scammers have historically “targeted wide swaths of crypto users through the proliferation of fake crypto apps, romance scammers (also known as pig butchering scammers) appear to have adopted this technique to great effect in recent years.”
Chainalysis also mentioned that approval phishing “differs from other crypto scams in a small but important way.”
Typically, scammers trick victims into “sending them cryptocurrency, usually through a phony investment opportunity or by impersonating somebody else.”
But in an approval phishing scam, the scammer tricks the user into signing “a malicious blockchain transaction that gives the scammer’s address approval to spend specific tokens inside the victim’s wallet, allowing the scammer to then drain the victim’s address of those tokens at will. Some victims have lost tens of millions to these scams.”
As explained in a blog post by Chainalysis, approval phishers “send the victim’s funds to a separate wallet from the one granted approval to make transactions on the victim’s behalf.”
The on-chain pattern typically proceeds as follows:
- Victim address signs transaction approving second address to spend its funds
- Second address, which we’ll refer to as approved spender address, executes transaction to move funds to a new destination address
In general, if transactions “unfold in this manner, and the approved spender address is the initiator of the draining transaction, rather than the victim address as we’d expect in a non-malicious transaction, it’s likely an instance of approval phishing.”
However, further investigation would be necessary to “know for sure.”
Many decentralized apps (dApps) on smart contract-enabled blockchains, like Ethereum, require users to sign approval transactions “giving the dApps’ smart contracts permission to move funds held by the user’s address.”
The suspected approval phishing scammers they’re tracking “saw their revenue peak in May 2022. Overall, 2022 saw victims lose an estimated $516.8 million to approval phishing, versus just $374.6 million in 2023 through November.”
Like many forms of cryptocurrency-based crime, the vast majority of approval phishing theft is driven “by a few highly successful actors.”
According to Chainalysis, the most successful approval phishing address likely stole $44.3 million from thousands of victim addresses, representing 4.4% of the total estimated stolen during the time period studied.
The ten largest approval phishing addresses “combined account for 15.9% of all value stolen during the time period studied, while the 73 biggest account for half of all value stolen.”
Generally speaking, the relevant addresses and wallets in approval phishing scams are:
- Approved spender wallets victims are tricked into designating as approved to spend funds in their wallet
- Destination addresses to which victim funds are drained
- Consolidation addresses where funds drained from many victims are gathered
Funds are typically moved from consolidation addresses to cash out points — primarily centralized exchanges — as we see on the graph below.
Based on the patterns identified above, exchange compliance teams “could monitor the blockchain for suspected approval phishing consolidation wallets with heavy exposure to destination addresses.”
They could then see in real time “when those wallets move funds to their platform, and then could take steps such as automatically freezing the funds or reporting to law enforcement.”
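The on-chain pattern and the consolidation-wallet monitoring described above, as an added example that is not code from Chainalysis or from the original article: Python detection logic run over constructed event records. The field names (`initiator`, `owner`, `spender`), the `min_sources` threshold and every address are assumptions, and a match is a lead for further investigation rather than a confirmed case.

```python
from collections import defaultdict

# Constructed sample events, not real chain data. "initiator" is the account that
# sent the transaction; "from"/"to" describe the token movement itself.
EVENTS = [
    {"block": 10, "type": "approval", "owner": "victim1", "spender": "spenderA", "token": "USDT"},
    {"block": 11, "type": "approval", "owner": "victim2", "spender": "spenderA", "token": "USDT"},
    {"block": 12, "type": "approval", "owner": "user3", "spender": "dexRouter", "token": "USDT"},
    # Benign dApp use: the owner initiates and the approved contract moves the tokens.
    {"block": 13, "type": "transfer", "initiator": "user3", "from": "user3", "to": "dexPool", "token": "USDT"},
    # Suspicious: the approved spender initiates and pays a separate destination wallet.
    {"block": 14, "type": "transfer", "initiator": "spenderA", "from": "victim1", "to": "dest1", "token": "USDT"},
    {"block": 15, "type": "transfer", "initiator": "spenderA", "from": "victim2", "to": "dest2", "token": "USDT"},
    # Drained funds gathered from several destination addresses.
    {"block": 16, "type": "transfer", "initiator": "dest1", "from": "dest1", "to": "consol1", "token": "USDT"},
    {"block": 17, "type": "transfer", "initiator": "dest2", "from": "dest2", "to": "consol1", "token": "USDT"},
]

def find_suspected_drains(events):
    """Transfers initiated by a previously approved spender (not the owner) to a separate address."""
    approved, flagged = set(), []
    for ev in sorted(events, key=lambda e: e["block"]):
        if ev["type"] == "approval":
            approved.add((ev["owner"], ev["spender"], ev["token"]))
        elif ev["type"] == "transfer":
            key = (ev["from"], ev["initiator"], ev["token"])
            if ev["initiator"] != ev["from"] and key in approved and ev["to"] != ev["initiator"]:
                flagged.append(ev)
    return flagged

def consolidation_candidates(events, drains, min_sources=2):
    """Addresses funded by at least min_sources distinct suspected destination addresses."""
    destinations = {d["to"] for d in drains}
    sources = defaultdict(set)
    for ev in events:
        if ev["type"] == "transfer" and ev["from"] in destinations:
            sources[ev["to"]].add(ev["from"])
    return {addr: sorted(s) for addr, s in sources.items() if len(s) >= min_sources}

if __name__ == "__main__":
    drains = find_suspected_drains(EVENTS)
    for d in drains:
        print(f"block {d['block']}: {d['initiator']} moved {d['from']} funds to {d['to']}")
    print("consolidation candidates:", consolidation_candidates(EVENTS, drains))
```

The `user3` transfer is not flagged because the owner, not the approved spender, initiated it, which is the distinction the heuristic relies on.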