A week-long international enforcement campaign led by the US Secret Service and the UK's National Crime Agency traced $45 million in crypto fraud, froze $12 million, and disrupted over 120 scam domains.
The United States Secret Service and the UK's National Crime Agency led a week-long international operation that traced $45 million in cryptocurrency stolen through approval phishing schemes, froze $12 million of it, and identified more than 20,000 victim wallet addresses across 30 countries. The campaign, dubbed Operation Atlantic, was announced on 10 April from the NCA's London headquarters.
Approval phishing is a specific and increasingly common attack method. Unlike traditional phishing — which tricks users into handing over passwords or seed phrases — it exploits a feature of smart contract-based wallets. The victim receives what appears to be a legitimate notification from a trusted application or investment service and is asked to sign an "approval" transaction. That single signature grants the attacker unlimited access to withdraw tokens from the victim's wallet. The victim often doesn't realise anything has happened until their balance is zero.
The distinction matters because approval phishing leaves a forensic trail that conventional theft does not. Every approval transaction is recorded on-chain, which is precisely what allowed the coalition — which included Coinbase, Binance, Chainalysis, Kraken, and Tether alongside government agencies — to trace the flow of stolen funds across multiple blockchains and jurisdictions. Chainalysis provided the on-chain analysis tools; Coinbase and Binance flagged suspicious wallet activity from their platforms; law enforcement handled the legal machinery of freezing and seizing assets.
NCA Deputy Director Miles Bronfield said the operation demonstrated "what is possible when international agencies and private industry work side by side." That phrasing glosses over how difficult the coordination actually is. Freezing $12 million across decentralised networks and multiple jurisdictions requires simultaneous action from exchanges, stablecoin issuers willing to blacklist addresses, and courts in several countries prepared to issue orders on short notice. The fact that it worked is more notable than the dollar amount suggests.
The $45 million figure represents the total value of fraud the operation traced; the $12 million is what investigators managed to freeze before it was moved to non-custodial wallets or converted to cash. That recovery rate — roughly 27 per cent — is consistent with other large-scale crypto fraud operations, where speed is the attacker's primary advantage. Once funds leave a centralised exchange, recovery becomes exponentially harder.
Operation Atlantic also disrupted more than 120 web domains used to conduct fraudulent schemes. Law enforcement directly contacted over 3,000 of the identified victims to warn them that their wallets had been compromised — an unusual step that reflects the scale of the problem. Approval phishing has surged since 2023, with attackers increasingly targeting users of DeFi protocols and NFT marketplaces where approval transactions are routine.
The operation follows a broader pattern of cross-border enforcement actions. The DOJ's seizure of $3.36 billion in bitcoin from a Silk Road hacker in 2023 demonstrated that on-chain tracing could work at scale; Operation Atlantic applies the same logic to a more diffuse, harder-to-attribute category of crime. The challenge is that approval phishing doesn't rely on sophisticated hacking — it relies on social engineering, which means the attack surface is every crypto user with a wallet that supports token approvals.
The participating agencies framed Operation Atlantic as a template for future enforcement campaigns. Given that the crypto industry's fraud losses continue to run into the billions annually, $12 million in frozen funds is a start, not a solution. But the infrastructure — the relationships between exchanges, analytics firms, and law enforcement; the legal precedents for cross-border asset freezes; the speed at which the operation was executed — is arguably more valuable than the money recovered. The question is whether that infrastructure can scale faster than the fraud does.
