The U.S. Secret Service, the UK's National Crime Agency, Ontario Provincial Police, and the Ontario Securities Commission ran a joint week-long operation in late March that traced $45 million in cryptocurrency fraud across more than 30 countries. Of that, $12 million in stolen funds has been frozen. Another $33 million linked to investment fraud is under further investigation.
The operation, called Operation Atlantic, targeted a specific attack vector: approval phishing. Investigators identified over 20,000 wallet addresses belonging to victims, directly contacted more than 3,000 people believed to be at risk or already compromised, and seized over 120 web domains used by scammers.
How Approval Phishing Drains Wallets Without a Second Prompt
Approval phishing does not require stealing private keys or seed phrases. Instead, scammers trick users into signing an on-chain token approval, typically through a fake pop-up that mimics a trusted wallet interface or DeFi app. Once the victim signs, the attacker gains permission to move tokens out of the wallet without any further authorization.
This is different from a traditional phishing attack that captures login credentials. The signed approval lives on-chain and persists until explicitly revoked. Many victims do not realize they have been compromised until their balance drops to zero. There is no second confirmation, no email alert, and no way to reverse the transaction once it executes.
The FBI reported 181,565 cryptocurrency-related complaints in 2025, a 21% increase year-over-year, with $1.366 billion in losses. Approval phishing accounted for a growing share of those complaints, according to the agencies involved in Operation Atlantic.
Binance and Chainalysis Embedded With Law Enforcement
The operation was not strictly a government affair. Binance provided on-site support at NCA headquarters in London, running live account screening, feeding scam intelligence to investigators, and identifying active scam websites in real time. Binance clarified that no funds were frozen on its platform as part of the operation, meaning the traced funds moved through other venues.
Chainalysis provided blockchain analytics, helping investigators map the flow of stolen funds across chains and identify the 20,000+ victim wallets. The Ontario Securities Commission described the results as evidence of "strong commitment to capital markets enforcement and investor protection."
Brent Daniels, U.S. Secret Service Assistant Director, said the operation "prevented millions of dollars in fraud losses and disrupted millions more in fraudulent transactions."
120 Domains Seized, 3,000 Victims Contacted
Beyond freezing assets, investigators took down more than 120 web domains that served as the infrastructure for these scams. These sites typically posed as legitimate DeFi platforms or wallet services, presenting users with approval requests that looked routine.
Law enforcement directly contacted over 3,000 individuals across 30 countries who were identified as current or potential victims. The victim notification effort ran through dedicated portals: the Secret Service set up secretservice.gov/OperationAtlantic, the NCA published its own page, and the Ontario Provincial Police and OSC ran parallel outreach through their sites.
The Royal Canadian Mounted Police, City of London Police, U.S. Attorney's Office for the District of Columbia, and the UK Financial Conduct Authority also participated.
What Wallet Users Should Do Now
Approval phishing exploits a feature, not a bug. Token approvals are a standard part of how ERC-20 tokens interact with smart contracts. The problem is that most users sign unlimited approvals without understanding what they authorize, and those approvals remain active indefinitely.
Tools like Revoke.cash allow users to audit every outstanding token approval on their wallet and revoke any they did not intentionally authorize, or no longer need. For anyone using self-custody wallets to fund crypto cards or interact with DeFi, reviewing approvals periodically is a basic hygiene step that costs a small gas fee.
Hardware wallets and self-custody card setups add a physical confirmation layer, but they do not prevent approval phishing if the user signs the malicious transaction on the device itself. The defense is reading what you sign before you sign it.
Scale of the Problem Is Growing
The $45 million traced in Operation Atlantic is a fraction of the broader crypto fraud landscape. The FBI's 2025 data put total crypto-related losses at $1.366 billion from reported complaints alone, with the actual figure likely higher given underreporting. Approval phishing has become a preferred method because it scales efficiently: one successful signed approval can drain an entire wallet in a single transaction.
Operation Atlantic is the first public case of law enforcement agencies from three countries embedding private blockchain analytics firms in an active investigation of this type. Whether the model scales depends on whether the $12 million freeze translates into actual asset recovery for victims, a process that typically takes months or years depending on jurisdiction.
As of April 10, 2026, BTC is trading at $71,763 and ETH at $2,187, with the broader market in neutral territory (Fear & Greed index at 45).
Overview
Operation Atlantic, a joint effort by the U.S. Secret Service, UK National Crime Agency, Ontario Provincial Police, and the Ontario Securities Commission, traced $45 million in crypto fraud and froze $12 million in stolen funds across 30+ countries. The operation targeted approval phishing scams that trick users into signing wallet permissions, identified 20,000+ victim wallets, contacted 3,000 people directly, and seized 120+ scam domains. Binance and Chainalysis embedded with law enforcement during the week-long campaign.
