Operation Atlantic: Key Takeaways At A Glance
- $12 million in suspected crypto scam proceeds was frozen during Operation Atlantic, a coordinated week-long enforcement action led by the UK’s National Crime Agency.
- Over 20,000 victim wallet addresses were identified across more than 30 countries, with total suspected fraud linked to the operation exceeding $45 million.
- Approval phishing — where scammers trick users into signing malicious on-chain permissions — is the core method behind these attacks, and it’s one of the hardest crypto scams to recover from once executed.
- Chainalysis and Binance both played active roles in supporting law enforcement, signaling a shift toward public-private collaboration in crypto crime enforcement.
- Keep reading to find out exactly how to check if your own wallet has been compromised — and what to do if it has.
One operation just exposed how deep the approval phishing problem really goes.
In March 2025, law enforcement agencies from the UK, United States, and Canada ran a coordinated, week-long campaign that froze over $12 million in suspected criminal proceeds and mapped out a fraud network touching more than 30 countries. The operation, known as Operation Atlantic, wasn’t just a seizure — it was a systematic dismantling of infrastructure built specifically to drain crypto wallets at scale. Blockchain analytics firm Chainalysis and crypto exchange Binance both contributed intelligence to support the crackdown, showing how the line between public enforcement and private industry is increasingly blurred when it comes to crypto crime.
If you hold cryptocurrency, this story directly affects you. Approval phishing is not a fringe attack — it’s one of the fastest-growing threats in the space, and most victims don’t even realize they’ve been compromised until their funds are already gone.
$12M Frozen, 20,000 Victims — Here’s What Went Down
Operation Atlantic ran as an intensive, week-long initiative in March 2025. The UK’s National Crime Agency (NCA) led the effort, working alongside the US Secret Service, the Ontario Provincial Police, and the Ontario Securities Commission. Together, they identified over 20,000 cryptocurrency wallet addresses linked to fraud victims and traced suspected criminal infrastructure across more than 30 countries. The $12 million frozen represents funds that were secured before scammers could move them further through the laundering chain — a critical distinction from after-the-fact asset recovery.
The total scale of fraud connected to the identified infrastructure, however, tells a bigger story: over $45 million in stolen cryptocurrency was mapped during the operation. The $12M frozen is what was catchable in time. The rest had already moved.
What Is Approval Phishing and Why Is It So Dangerous
Approval phishing is a scam designed to trick people into unknowingly granting full access to their cryptocurrency wallets. Unlike a standard phishing attack that steals your password, this one works entirely on-chain — meaning it exploits the legitimate smart contract permission system that most crypto wallets use. Once a victim signs the malicious approval, the attacker doesn’t need any further interaction. They can drain the wallet whenever they choose, often immediately.
How Scammers Trick You Into Signing Away Your Wallet
The attack typically starts with a fake platform, a compromised link, or a social engineering message that appears to come from a trusted source — a known DeFi protocol, an NFT marketplace, or even a wallet provider. The victim is prompted to “connect their wallet” and sign a transaction. That transaction, buried in technical language most users don’t read, contains a token approval granting the scammer unlimited access to one or more token types in the wallet. The request looks routine. The consequence is anything but.
Why This Attack Is Harder to Reverse Than a Regular Hack
With a regular hack or phishing attack, there’s often a window to intervene — change a password, freeze an account, contact support. With approval phishing, the permission is already on-chain. There’s no customer service line for a blockchain. Once the approval is signed and the attacker drains the wallet, the transaction is irreversible by design. This is precisely why Operation Atlantic prioritized identifying victims before funds were moved rather than tracing them afterward.
The On-Chain Mechanics That Make It Work
Most ERC-20 tokens and similar assets on other blockchains use an approve() function that allows a third-party address to spend tokens on a user’s behalf. This is a legitimate and necessary feature for decentralized exchanges and DeFi protocols. Scammers exploit it by getting the victim to approve an address they control, typically a malicious contract, as the “approved spender.” Once that approval is signed, the approved spender has the technical right to call transferFrom() and move any amount of the approved token, up to whatever limit was set in the original approval, which is almost always set to unlimited.
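To make the approve() mechanics concrete, the following added example (not code from this article or from any tool it names) decodes the calldata of a signing request and reports who would become the spender and for how much. The function names, the 2**255 "unlimited" threshold and the sample addresses are assumptions made for illustration.

```python
# Added example: inspect the calldata of a transaction before signing it.
APPROVE_SELECTOR = bytes.fromhex("095ea7b3")  # approve(address,uint256)
UNLIMITED_THRESHOLD = 2**255  # assumption: treat >= 2**255 as "unlimited"


def decode_approve(calldata_hex):
    """Return (spender, amount) for well-formed approve() calldata, else None."""
    text = calldata_hex[2:] if calldata_hex[:2].lower() == "0x" else calldata_hex
    try:
        raw = bytes.fromhex(text)
    except ValueError:
        return None
    # 4-byte selector followed by two 32-byte ABI words.
    if len(raw) != 68 or raw[:4] != APPROVE_SELECTOR:
        return None
    # An address occupies the low 20 bytes of its word; the top 12 must be zero.
    if any(raw[4:16]):
        return None
    return "0x" + raw[16:36].hex(), int.from_bytes(raw[36:68], "big")


def review_approval(calldata_hex, known_spenders):
    """Classify what a signing request would grant, and to whom."""
    decoded = decode_approve(calldata_hex)
    if decoded is None:
        return {"kind": "not-approve"}
    spender, amount = decoded
    if amount == 0:
        scope = "revoke"
    elif amount >= UNLIMITED_THRESHOLD:
        scope = "unlimited"
    else:
        scope = "bounded"
    known = spender in {s.lower() for s in known_spenders}
    return {"kind": "approve", "spender": spender, "amount": amount,
            "scope": scope, "known_spender": known,
            "risky": scope != "revoke" and not known}


def build_approve(spender, amount):
    """Build approve() calldata for the constructed samples below."""
    return ("0x" + APPROVE_SELECTOR.hex()
            + spender[2:].rjust(64, "0") + format(amount, "064x"))


# Constructed sample data (not real addresses).
KNOWN_DEX = "0x" + "11" * 20
UNKNOWN = "0x" + "bb" * 20
SAMPLES = {
    "unlimited to unknown": build_approve(UNKNOWN, 2**256 - 1),
    "bounded to known": build_approve(KNOWN_DEX, 250 * 10**18),
    "revoke": build_approve(UNKNOWN, 0),
}

if __name__ == "__main__":
    for label, calldata in SAMPLES.items():
        print(label, review_approval(calldata, [KNOWN_DEX]))
```

A request that decodes as "unlimited" to a spender outside the known set is the pattern the article describes; an amount of zero is a revocation of an earlier grant.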
Operation Atlantic: The Global Crackdown Explained
- Led by the UK National Crime Agency (NCA) as the primary coordinating body
- US Secret Service contributed investigative resources and cross-border financial tracing
- Ontario Provincial Police and the Ontario Securities Commission handled Canadian jurisdiction involvement
- Chainalysis provided blockchain analytics, mapping wallet addresses and tracing fund flows
- Binance supported the operation and publicly described approval phishing as “one of the most damaging types of scams targeting crypto users today”
- Over 120 fraudulent domains were identified as part of the scam infrastructure
- More than 20,000 victim wallet addresses were flagged across 30+ countries
Miles Bonfield, Deputy Director of Investigations at the NCA, stated that the operation was focused on identifying victims who had lost — or were at risk of losing — cryptocurrency through approval phishing, with the goal of securing assets before they could be laundered further.
Which Agencies Were Involved and What Each One Did
The NCA served as the operational lead, coordinating intelligence sharing across jurisdictions. The US Secret Service brought financial crimes expertise and the ability to trace dollar-denominated on-ramps and off-ramps tied to the fraud network. The Ontario Provincial Police and Ontario Securities Commission handled Canadian victims and any regulatory dimensions tied to securities fraud overlap — a relevant angle given that many approval phishing scams are disguised as investment platforms.
How the Operation Ran in Real Time Over One Week
Rather than a single seizure event, Operation Atlantic was structured as a sustained, week-long push. Investigators used real-time blockchain data provided by Chainalysis to identify active fraud infrastructure, flag at-risk wallets, and move to freeze assets before scammers could bridge or swap them into harder-to-trace assets. The speed of execution mattered — crypto moves fast, and waiting even 24 hours after identifying a suspect wallet can mean the difference between freezing funds and losing them entirely.
The Role Chainalysis and Private Firms Played
Chainalysis didn’t just assist — they were embedded in the operation’s intelligence layer. Their blockchain analytics platform allowed investigators to trace wallet-to-wallet fund flows across chains, identify clusters of addresses linked to the same fraud operators, and flag victims whose funds were still at risk. Binance contributed exchange-level data that helped connect on-chain activity to real-world identities where KYC information existed. This kind of public-private collaboration is increasingly how major crypto enforcement actions get done — and Operation Atlantic is one of the clearest examples of it working at scale.
The Scale of the Fraud Goes Well Beyond $12M
The $12 million headline number is significant, but it only represents what authorities were able to freeze in time. The broader picture painted by the operation is considerably darker. Investigators mapped over $45 million in total suspected cryptocurrency fraud tied to the infrastructure they identified — meaning the majority of stolen funds had already moved, been swapped, or laundered before the operation began. That gap between $12M frozen and $45M identified tells you exactly how fast these scammers operate once a victim signs an approval.
Why the $45M Figure Matters More Than the $12M Frozen
The $45 million figure represents the full known footprint of the fraud network, not just what was recoverable. It’s the number that shows the true cost of approval phishing at an operational level. For victims, funds that moved before the freeze are almost certainly unrecoverable through legal channels. The $45M total also signals to other law enforcement agencies globally that this isn’t a small-scale scam operation — it’s organized, cross-border, and generating tens of millions in criminal proceeds annually. That scale justifies the kind of multi-agency, multi-country response that Operation Atlantic represented.
120 Fraudulent Domains and 20,000 Wallets: How the Infrastructure Was Mapped
One of the most operationally significant outcomes of Operation Atlantic was the mapping of over 120 fraudulent domains used as entry points for the approval phishing scams. These weren’t random one-off fake websites — they were purpose-built platforms designed to mimic legitimate DeFi protocols, crypto investment dashboards, and token claim portals. Each domain served as a funnel, directing victims toward wallet connection requests that contained the malicious approval transactions hidden beneath a layer of professional-looking UI.
The 20,000+ wallet addresses identified as belonging to victims were distributed across more than 30 countries, confirming that this wasn’t a regionally targeted operation. The scammers cast a genuinely global net, and the victim profile was broad — from individual retail crypto holders to people who had never used DeFi before and were lured in through social media ads or direct messaging campaigns.
How Scammers Built a Web of Fake Platforms Across 30+ Countries
The fraudulent infrastructure behind these scams follows a recognizable pattern. Operators build convincing fake platforms — often clones of real, well-known DeFi protocols — hosted on domains with subtle misspellings or different top-level domains. They drive traffic through paid social media ads, Telegram groups, Discord servers, and in some cases romantic scam setups where victims are gradually introduced to the “investment platform” by someone they trust. By the time the victim connects their wallet and signs the approval, they believe they’re interacting with a legitimate service.
The cross-border nature of the infrastructure is deliberate. Hosting domains across multiple jurisdictions, using crypto mixing services, and routing funds through dozens of intermediate wallets all serve to complicate law enforcement tracing. The fact that Operation Atlantic was able to identify 120 fraudulent domains and map victim wallets across 30+ countries represents a significant intelligence achievement — the kind that only becomes possible when blockchain analytics firms work in real time alongside investigators.
What Happens to the Frozen $12M Now
According to statements from the operation, the frozen $12 million in suspected criminal proceeds is intended to be returned to victims. The process of doing so, however, is complex. Authorities must match frozen wallet addresses to identifiable victims, navigate legal asset recovery frameworks across multiple jurisdictions, and convert or distribute funds in a way that complies with each country’s laws. For the over 20,000 identified victims spread across 30+ countries, the timeline for recovery will likely vary significantly depending on jurisdiction and the strength of evidence connecting each victim to a specific loss.
How to Check If Your Wallet Was Compromised
If you’ve connected your wallet to any platform in the past 12 months — especially anything involving token claims, DeFi yield products, or NFT mints — it’s worth auditing your active token approvals right now. Most users have no idea how many open approvals their wallet has accumulated over time, and some of those approvals may be sitting on malicious contracts just waiting to be triggered.
1. Use a Token Approval Checker Like Revoke.cash
Revoke.cash is a free, open-source tool that connects to your wallet in read-only mode and displays every active token approval you’ve granted, along with the contract address that holds the permission. It works across Ethereum, Polygon, BNB Chain, Arbitrum, Optimism, and several other EVM-compatible networks. Simply connect your wallet, select your network, and review the full list of approvals. Any approval granted to an address you don’t recognize — especially one with an unlimited spend limit — should be treated as a potential threat.
2. Revoke Any Suspicious Token Permissions Immediately
Revoking an approval requires a small on-chain transaction, which means you’ll pay a minor gas fee. That cost is negligible compared to the risk of leaving an unlimited approval on a malicious contract. Through Revoke.cash or a similar tool like DeBank or the approval manager built into wallets like Rabby, you can revoke individual permissions one at a time. Prioritize any approvals where the spender address is unverified, the approval limit is set to unlimited, or the approval date coincides with a time when you connected to an unfamiliar platform.
3. Move Funds to a Fresh Wallet If Approvals Were Granted
If you discover that you’ve signed an approval to an address you don’t recognize, revoking it is the right first step — but it may not be enough. If the malicious contract operator has already noted your wallet as a target, the safest move is to transfer all of your assets to a completely fresh wallet address that has never interacted with the suspicious platform. Generate a new wallet, record the seed phrase securely offline, and move your funds before the attacker has a chance to act on the existing approval. Think of it like changing the locks after someone has already copied your key.
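The audit in steps 1 to 3 can be reproduced from on-chain data. This added example (not code from this article, nor from Revoke.cash or any other tool named here) replays ERC-20 Approval event logs for one wallet and lists the open approvals to unrecognized spenders, unlimited ones first. It assumes the logs were already fetched, for example with the eth_getLogs JSON-RPC method, and normalised so block numbers and log indexes are integers; all addresses and function names are constructed for illustration.

```python
# Added example: rebuild a wallet's open ERC-20 approvals from Approval event logs.
# keccak256("Approval(address,address,uint256)")
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED_THRESHOLD = 2**255  # assumption: treat >= 2**255 as "unlimited"


def topic_address(topic):
    """An indexed address is stored left-padded to 32 bytes; keep the low 20."""
    return "0x" + topic[-40:].lower()


def open_approvals(logs, owner):
    """Replay logs in chain order; the latest Approval per (token, spender) wins."""
    state = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        # ERC-721 reuses this event signature but indexes tokenId (4 topics): skip.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if topic_address(topics[1]) != owner.lower():
            continue
        pair = (log["address"].lower(), topic_address(topics[2]))
        state[pair] = int(log["data"], 16)
    # Amount 0 is a revocation. Values are what was granted, not what remains after
    # transferFrom() calls; confirm with the token's allowance() before relying on it.
    return {pair: amount for pair, amount in state.items() if amount > 0}


def revoke_candidates(logs, owner, recognized_spenders):
    """Open approvals to unrecognized spenders, unlimited ones first."""
    recognized = {s.lower() for s in recognized_spenders}
    found = [{"token": token, "spender": spender,
              "unlimited": amount >= UNLIMITED_THRESHOLD}
             for (token, spender), amount in open_approvals(logs, owner).items()
             if spender not in recognized]
    return sorted(found, key=lambda f: not f["unlimited"])


def make_log(block, index, token, owner, spender, amount):
    """Build one constructed log entry shaped like a JSON-RPC log object."""
    return {"blockNumber": block, "logIndex": index, "address": token,
            "topics": [APPROVAL_TOPIC,
                       "0x" + owner[2:].rjust(64, "0"),
                       "0x" + spender[2:].rjust(64, "0")],
            "data": "0x" + format(amount, "064x")}


# Constructed sample data (not real addresses), deliberately out of order.
ME, OTHER = "0x" + "aa" * 20, "0x" + "ee" * 20
DEX, S1, S2 = "0x" + "11" * 20, "0x" + "bb" * 20, "0x" + "cc" * 20
T1, T2 = "0x" + "10" * 20, "0x" + "20" * 20
MAX = 2**256 - 1
SAMPLE_LOGS = [
    make_log(103, 1, T2, ME, S2, 0),       # later revocation of the block-102 grant
    make_log(100, 0, T1, ME, DEX, MAX),    # recognized spender
    make_log(105, 0, T2, ME, S1, 1000),    # bounded, unrecognized
    make_log(101, 2, T1, ME, S1, MAX),     # unlimited, unrecognized
    make_log(102, 0, T2, ME, S2, 500),
    make_log(104, 0, T2, OTHER, S1, MAX),  # someone else's wallet
]

if __name__ == "__main__":
    for finding in revoke_candidates(SAMPLE_LOGS, ME, [DEX]):
        print(finding)
```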
Approval Phishing Is Growing — And Enforcement Is Catching Up
Operation Atlantic is a landmark moment, but it’s also a signal of what’s coming. Approval phishing attacks have been scaling rapidly alongside the growth of DeFi and on-chain activity. Chainalysis described it as “a fast-growing threat” during their support of the operation, and the infrastructure uncovered — 120 fraudulent domains, 20,000+ victims, $45M in traced fraud — confirms this isn’t a niche problem anymore. The encouraging shift is that enforcement is no longer purely reactive. Operation Atlantic demonstrated that when blockchain analytics firms, crypto exchanges, and multi-national law enforcement agencies operate together in real time, they can freeze funds, identify victims, and dismantle infrastructure faster than scammers can launder their proceeds. That’s a meaningful change from even two years ago, when crypto crime recovery was largely considered impossible once funds moved on-chain.
For individual holders, the takeaway is straightforward: the technology to audit and protect your wallet exists right now, and the cost of using it is a few minutes and a small gas fee. The cost of ignoring it could be everything in your wallet. Regularly reviewing your token approvals, avoiding unfamiliar wallet connection requests, and moving funds to fresh wallets after any suspicious interaction are the three habits that meaningfully reduce your exposure to this type of attack.
Frequently Asked Questions
Here are the most common questions people are asking about Operation Atlantic, approval phishing, and what it all means for everyday crypto holders.
What Is Operation Atlantic and Who Led It?
Operation Atlantic is a coordinated international law enforcement action that ran as a week-long campaign in March 2025. It was led by the UK’s National Crime Agency (NCA), with participation from the US Secret Service, the Ontario Provincial Police, and the Ontario Securities Commission. The operation froze over $12 million in suspected crypto scam proceeds, identified more than 20,000 victim wallet addresses across 30+ countries, and mapped over $45 million in total suspected fraud tied to approval phishing schemes.
What Is Approval Phishing in Crypto?
Approval phishing is a scam where victims are tricked into signing a malicious on-chain transaction that grants a scammer unlimited permission to move tokens out of their wallet. It exploits the legitimate approve() function used by ERC-20 tokens and similar assets on other blockchains, which normally allows DeFi protocols to interact with user funds.
The key difference from regular phishing is that no password is stolen and no account is hacked. The victim willingly signs the transaction, believing it’s a routine wallet connection or token claim. Once signed, the scammer’s contract holds a valid on-chain permission to drain the wallet at any point, and there is no way to reverse the transaction after funds are moved.
How Were Over 20,000 Victims Identified Across 30 Countries?
Investigators used blockchain analytics provided by Chainalysis to trace wallet-to-wallet fund flows, identify clusters of addresses connected to the same fraud infrastructure, and flag victim wallets that still held at-risk funds. Binance contributed exchange-level data that helped link on-chain activity to real-world identities where KYC records existed.
The victim identification process worked by mapping the fraudulent smart contracts back to every wallet address that had signed an approval to them. From there, investigators could determine which wallets had already been drained, which were still at risk, and which jurisdictions each victim was likely operating from based on transaction patterns and exchange interactions.
- Chainalysis traced wallet clusters and fund flows in real time throughout the operation
- Binance provided KYC-linked exchange data to help identify real-world victims
- Over 120 fraudulent domains were mapped as entry points to the phishing infrastructure
- Victim wallets were identified across more than 30 countries, confirming the global reach of the fraud network
- Authorities prioritized wallets where funds were still present and at immediate risk of being drained
The scale of the identification effort — 20,000 wallets across 30+ countries in a single week — would not have been possible without the real-time blockchain intelligence layer that private analytics firms provided to the investigation.
Will Victims Get Their Frozen Crypto Returned?
Authorities have stated that the frozen $12 million in suspected criminal proceeds is intended to be returned to victims. However, the process is legally complex and will vary significantly by jurisdiction. Each victim must be matched to a verifiable loss, and asset recovery must comply with the legal frameworks of multiple countries simultaneously. For victims across 30+ countries, the timeline will not be uniform — some may see faster resolution depending on where they are located and the strength of evidence connecting their wallet to a specific loss event.
How Do I Know If I Have Been Targeted by an Approval Phishing Scam?
The most reliable way to check is to audit your active token approvals using a tool like Revoke.cash, DeBank, or the approval manager built into wallets like Rabby Wallet. Connect your wallet in read-only mode, select each network you’ve used, and review every active approval. Any unlimited approval granted to an unrecognized contract address is a red flag.
Common signs that you may have already been targeted include unexpected token transfers out of your wallet that you didn’t authorize, approvals in your history that coincide with connecting to an unfamiliar platform, or receiving a prompt to sign a transaction from a platform you didn’t directly navigate to yourself. If your wallet was drained and you never shared your seed phrase, an approval phishing attack is one of the most likely explanations.
If you find suspicious approvals, revoke them immediately, move remaining funds to a fresh wallet address, and report the incident to your country’s relevant financial crimes authority. In the UK that’s the NCA, in the US it’s the Secret Service’s financial crimes division, and in Canada the relevant contact is the Ontario Securities Commission if the scam involved any investment-related framing. Acting quickly is the only meaningful defense once a malicious approval has already been signed.
Staying ahead of crypto threats starts with staying informed — Binance continues to be an active partner in global enforcement efforts like Operation Atlantic, working alongside law enforcement to protect users and make crypto safer for everyone.



