A scam tactic called ‘Approval Phishing’ is gaining prominence targeting crypto users. Traditionally, this approach involved targeting victims through the distribution of fraudulent crypto apps. However, in recent years, romance fraudsters, also known as pig butchering scammers, seem to have successfully integrated this method into their strategies.
Chainalysis identified 1,013 addresses engaged in a deliberate form of approval phishing. This process started with a smaller list of recognized approval phishing addresses that employed romance scam tactics. The blockchain analysis firm then found additional addresses tied with those in the initial list through similar transaction patterns.
Approval Phishing Wreaks Havoc
According to the press release shared with CryptoPotato, Chainalysis estimated that victims, including those recognized based on distinct activity patterns, have suffered approximately $1 billion in losses to approval phishing scams since May 2021.
The $1 billion estimate by the firm is based on on-chain patterns and could include laundered scam funds. This figure likely underrepresents the true losses due to the notorious underreporting of romance scams and Chainalysis’ analysis starting from a limited dataset.
The revenue of suspected approval phishing scammers, monitored by Chainalysis, reached its peak in May 2022 when victims lost an estimated $516.8 million to approval phishing, compared to $374.6 million in 2023 through November. Similar to other crypto-based crimes, a small number of highly successful actors drive the majority of approval phishing theft.
The most lucrative approval phishing address is believed to have stolen $44.3 million from thousands of victim addresses, constituting 4.4% of the total estimated stolen during the studied period. The ten largest approval phishing addresses collectively contributed to 15.9% of all stolen value during this time, while the top 73 accounts were responsible for half of the total value stolen.
How Does Approval Phishing Work?
In approval phishing, the scammer tricks users into approving a malicious blockchain transaction. This approval grants the scammer permission to expend specific tokens within the victim’s wallet, enabling them to deplete the victim’s address of those tokens at their discretion.
Chainalysis found that approval phishers typically send the victim’s funds to a separate wallet from the one granted approval to make transactions on the victim’s behalf. The on-chain sequence generally follows this pattern:
- Victim address signs the transaction approving the second address to spend its funds.
- The second address, which we’ll refer to as the approved spender address, executes transactions to move funds to a new destination address.
If transactions unfold in this manner, with the approved spender address initiating the draining transaction instead of the victim address, as expected in a non-malicious transaction, it is likely a case of approval phishing.
In the case of decentralized apps (dApps) on smart contract-enabled blockchains such as Ethereum, approval phishers exploit the familiarity of many crypto users with signing approval transactions, with the key factor lying in the nature of permissions granted and the reliability of the party receiving those permissions.
