Chainalysis: At Least $374 Million Suspected Stolen in Targeted Approval Phishing Scams in 2023

Source: Chainalysis; Translation: Songxue, LianGuai

Approval phishing is a scam strategy that has been around for many years. Scammers have traditionally used it against a wide range of cryptocurrency users by spreading fake crypto applications, but in recent years piggyback scammers appear to have adopted the technique and achieved significant results.

Approval phishing differs from other cryptocurrency scams in a small but important way. Typically, scammers deceive victims with false investment opportunities or by impersonating others, tricking them into sending cryptocurrency. In an approval phishing scam, the scammer instead lures the user into signing a malicious blockchain transaction that approves the scammer's address to spend specific tokens held in the victim's wallet, which lets the scammer drain those tokens from the victim's address at will. Some victims have lost tens of millions of dollars to these scams.

It is worth noting that, in general, approval phishers send the victim's funds to a wallet other than the one that was approved to spend on the victim's behalf. The on-chain pattern typically proceeds as follows:

  • The victim’s address signs a transaction approving the second address to spend its funds;

  • The second address (referred to as the approved spender address) executes a transaction to transfer the funds to a new destination address.

In general, if a transaction unfolds in this manner and the draining transaction is initiated by the approved spender address, rather than by the victim's address as we would expect in a non-malicious transaction, then it is likely an instance of approval phishing. However, further investigation is needed to confirm.
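The two-step pattern above can be expressed as a screening heuristic. The following is an added example, not code from Chainalysis or the original article; it assumes ERC-20 Approval and Transfer events have already been decoded into records, that each transfer carries the address that initiated the transaction (`tx_sender`), and that all addresses and values are constructed.

```python
# Constructed sample data: decoded ERC-20 Approval and Transfer events. Each
# transfer is annotated with the address that initiated the transaction.
APPROVALS = [
    {"block": 100, "token": "USDT", "owner": "0xvictim1", "spender": "0xspenderA"},
    {"block": 105, "token": "USDT", "owner": "0xuser2", "spender": "0xdexrouter"},
]
TRANSFERS = [
    # The approved spender itself initiates the move to a third address.
    {"block": 120, "token": "USDT", "from": "0xvictim1", "to": "0xdest1",
     "value": 50_000, "tx_sender": "0xspenderA"},
    # Ordinary dApp use: the token owner initiates the transaction.
    {"block": 121, "token": "USDT", "from": "0xuser2", "to": "0xpool",
     "value": 1_000, "tx_sender": "0xuser2"},
    # Spender-initiated, but before any approval was recorded: not matched.
    {"block": 90, "token": "USDT", "from": "0xvictim1", "to": "0xdest1",
     "value": 10, "tx_sender": "0xspenderA"},
]

def find_suspected_drains(approvals, transfers):
    """Return transfers where the initiator is an address the token owner had
    previously approved as spender (step 1 followed by step 2 of the pattern)."""
    first_approval = {}  # (token, owner, spender) -> earliest approval block
    for a in approvals:
        key = (a["token"], a["owner"], a["spender"])
        first_approval[key] = min(a["block"], first_approval.get(key, a["block"]))

    hits = []
    for t in sorted(transfers, key=lambda t: t["block"]):
        # Owner-initiated transfers never match: the lookup treats the
        # initiator as the spender, and owners do not approve themselves.
        approved_at = first_approval.get((t["token"], t["from"], t["tx_sender"]))
        if approved_at is None or approved_at > t["block"]:
            continue
        hits.append({"victim": t["from"], "spender": t["tx_sender"],
                     "destination": t["to"], "value": t["value"],
                     "approved_at": approved_at, "drained_at": t["block"],
                     # The article notes funds usually go to a different wallet.
                     "destination_differs": t["to"] != t["tx_sender"]})
    return hits

if __name__ == "__main__":
    for hit in find_suspected_drains(APPROVALS, TRANSFERS):
        print(hit)
```

A match is a lead for review, not a verdict, in line with the article's caveat that further investigation is needed to confirm.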

Analysis of Approval Phishing Scams


Many decentralized applications (dApps) running on smart contract-enabled blockchains, such as Ethereum, require users to sign approval transactions that allow the dApp's smart contract to move funds from the user's address. Granting approval to secure dApps is typically safe because a well-designed smart contract can only use that approval when instructed by the user, or when the dApp is operating normally and requires it. In these cases, we typically expect the dApp user's address to be the one initiating the transactions that spend the funds. However, approval phishers exploit the fact that many cryptocurrency users are accustomed to signing approval transactions; the trick lies in what permissions are granted and how trustworthy the recipient of that permission is. For example, in one approval phishing scam, the scammer promotes a false Uniswap phishing scam and sets up a fake Etherscan page where users can supposedly check their transaction approvals, by connecting their wallets and signing approval transactions, to see if they have become victims. That final transaction is the core of the actual approval phishing scam.

However, research indicates that phishers are increasingly targeting specific victims, building relationships with them, and using tactics associated with Ponzi schemes to convince victims to sign approval transactions. MetaMask's Chief Product Manager, Taylor Monahan (aka @tayvano_), tracked Ponzi-like approval phishing schemes on a custom Dune Analytics dashboard.

We started by identifying a set of 1,013 addresses involved in targeted approval phishing, beginning with a smaller list of approval phishing addresses believed to be using Ponzi tactics. We then identified additional addresses that were associated with the addresses in the initial list and executed similar transactions, which allowed us to build a more complete network of interconnected on-chain approval phishing activity. We estimate that victims of our initial addresses, and of the addresses identified from their distinctive activity patterns, have lost approximately 1 billion USD to approval phishing scams since the start of our dataset in May 2021. It is worth noting that this total of 1 billion USD is an estimate based on on-chain patterns, some of which may represent laundering of funds already controlled by scammers, and that the number could be just the tip of a much larger iceberg. Ponzi schemes are notorious for being underreported, and our analysis starts from a limited set of reported instances.

Value stolen due to suspected approval phishing scams from May 2023 to November 2023

The revenue of the suspected approval phishing scammers we tracked peaked in May 2022. Overall, victims lost an estimated 516.8 million USD to approval phishing in 2022, compared to only 374.6 million USD in 2023 through November. As with many forms of cryptocurrency-based crime, the vast majority of approval phishing theft is driven by a small number of highly successful participants. We can see this in the distribution graph below, which shows the approval phishing revenue of each of the 1,013 addresses we studied during the timeframe, as well as the cumulative share of all value stolen through approval phishing by the addresses in our sample (sorted in descending order).

Distribution of income from suspected approval phishing addresses from May 2022 to November 2023

The most successful approval phishing address may have stolen 44.3 million USD from thousands of victim addresses, representing 4.4% of the estimated total stolen during the research period. The top ten approval phishing addresses combined accounted for 15.9% of all stolen value during the research period, while the 73 largest phishing addresses accounted for half of all stolen value.

We believe that the industry can address the issue of approval phishing scams in various ways, from user education to adopting pattern recognition strategies similar to the ones we use to compile this data. In general, relevant addresses and wallets in approval phishing scams include:

  • Approved spender wallets, which victims are tricked into authorizing to spend funds from their wallets;

  • Target addresses, to which victims' funds are drained;

  • Consolidation addresses that collect funds lost by many victims.

Funds are typically transferred from consolidation addresses to cash-out points (primarily centralized exchanges), as shown in the diagram below.

Identifying patterns of approval phishing


Based on the aforementioned pattern, compliance teams at exchanges can monitor the blockchain to find suspicious consolidation wallets involved in approval phishing, as these wallets often have exposure to a large number of target addresses. They can then see in real time when these wallets transfer funds to their platforms and take measures such as automatically freezing the funds or reporting to law enforcement agencies. On a broader scale, the industry can work to educate users not to authorize transactions unless they are absolutely certain that they trust the individual or company they are dealing with, or understand the level of access they are granting.
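The monitoring step described above, as an added example that is not part of the original article or Chainalysis tooling: it finds wallets funded by many target addresses and lists their transfers into a platform's deposit addresses. The threshold `min_sources`, the function names, and every address and amount are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data. DRAIN_DESTINATIONS stands for target addresses already
# tied to suspected drains; EXCHANGE_DEPOSITS for one platform's deposit addresses.
DRAIN_DESTINATIONS = {"0xdest1", "0xdest2", "0xdest3", "0xdest4"}
EXCHANGE_DEPOSITS = {"0xdeposit_12", "0xdeposit_77"}
TRANSFERS = [  # (sender, receiver, amount in USD)
    ("0xdest1", "0xconsol", 40_000),
    ("0xdest2", "0xconsol", 12_500),
    ("0xdest3", "0xconsol", 9_000),
    ("0xdest4", "0xother", 300),        # single-source receiver: below threshold
    ("0xretail", "0xdeposit_12", 150),  # unrelated customer deposit
    ("0xconsol", "0xdeposit_77", 55_000),
]

def find_consolidation_wallets(transfers, drain_destinations, min_sources=3):
    """Addresses funded by at least min_sources distinct drain destinations."""
    sources = defaultdict(set)
    received = defaultdict(int)
    for sender, receiver, amount in transfers:
        if sender in drain_destinations and receiver not in drain_destinations:
            sources[receiver].add(sender)
            received[receiver] += amount
    return {addr: {"sources": len(s), "received": received[addr]}
            for addr, s in sources.items() if len(s) >= min_sources}

def deposits_to_review(transfers, consolidation, exchange_deposits):
    """Transfers from a suspected consolidation wallet into the platform."""
    return [t for t in transfers
            if t[0] in consolidation and t[1] in exchange_deposits]

if __name__ == "__main__":
    wallets = find_consolidation_wallets(TRANSFERS, DRAIN_DESTINATIONS)
    print(wallets)
    print(deposits_to_review(TRANSFERS, wallets, EXCHANGE_DEPOSITS))
```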
