Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Approval phishing scams: what they mean for fraud and identity teams


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10745
Topic starter  

TL;DR: Operation Atlantic linked approval phishing scams to more than 20,000 victims across the UK, Canada, and the United States, with over $12 million in suspected criminal proceeds frozen and more than $45 million in stolen cryptocurrency identified, according to Chainalysis. The operational lesson is that fraud response now depends on real-time intelligence, victim outreach, and permission-aware controls, not post-loss investigation.

NHIMG editorial — based on content published by Chainalysis covering Operation Atlantic and approval phishing fraud disruption

By the numbers:

Questions worth separating out

Q: What breaks when users approve malicious wallet permissions?

A: The control that breaks is delegated authority.

Q: Why do approval phishing scams create such a fast recovery problem?

A: Because the attacker can move funds immediately after the approval is granted, often before the victim or investigator understands what happened.

Q: How do security teams know whether wallet permissions are operating outside their intended boundary?

A: Look for approvals that are broader than the transaction required, stay active longer than expected, or are granted to unfamiliar contracts and services.

Practitioner guidance

  • Map approval flows to permission risk Inventory the wallet approval patterns your users encounter and flag any flow that grants open-ended or hard-to-read transfer authority.
  • Build a rapid wallet triage process Set up a case-handling path that can assess high-confidence blockchain alerts, identify affected wallets, and trigger exchange contact before funds are layered across services.
  • Coordinate with response partners in advance Pre-establish escalation contacts with exchanges, investigators, and compliance teams so suspicious activity can be paused and evidence preserved without delay.

What's in the full article

Chainalysis's full post covers the operational detail this post intentionally leaves for the source:

  • How Operation Atlantic used Reactor and Data Solutions together to trace suspicious addresses and prioritise wallets at highest risk
  • The investigative workflow used to support victim outreach and determine what assets were still recoverable
  • How law enforcement and private-sector partners coordinated freezing actions and suspicious activity reporting
  • The earlier Operation Spincaster context that shows how the same fraud pattern has scaled over time

👉 Read Chainalysis’s analysis of Operation Atlantic and approval phishing disruption →

Approval phishing scams: what they mean for fraud and identity teams?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 10300
 

Approval phishing is a permission governance failure, not just a scam vector. The core abuse is delegated authority that the victim does not understand well enough to revoke in time. That makes this closer to standing privilege than to simple social engineering. For fraud and identity teams, the control problem is visibility into what was approved and whether that approval still matches intent.

A question worth separating out:

Q: Who is accountable when crypto fraud succeeds through approval phishing?

A: Accountability is shared across the victim experience, platform controls, and response process. Users may be tricked, but providers and security teams are responsible for making approvals understandable, detectable, and revocable. Fraud governance should therefore include disclosure, triage, and remediation ownership.

👉 Read our full editorial: Approval phishing shows how crypto fraud scales through wallet permissions



   
ReplyQuote
Share: