A joint enforcement initiative led by the US Secret Service and UK National Crime Agency targets organised crypto fraud schemes that have drained billions through approval phishing since 2021.
Law enforcement agencies from the United States, United Kingdom, and Canada have launched Operation Atlantic, a joint international initiative targeting organised cryptocurrency fraud networks that have stolen an estimated $2.7 billion through approval phishing schemes since 2021. The operation, announced on 16 March 2026, represents the most significant coordinated cross-border action against crypto-specific fraud to date and signals a shift from reactive asset recovery toward proactive victim identification and network disruption.
The operation is co-led by the US Secret Service, the UK National Crime Agency, the Ontario Provincial Police, and the Ontario Securities Commission. Additional participating agencies include the Royal Canadian Mounted Police, the City of London Police, the US Attorney's Office for the District of Columbia, and the UK Financial Conduct Authority. The breadth of the coalition reflects growing recognition among Western governments that cryptocurrency fraud has become a transnational organised crime problem requiring intelligence-sharing and operational coordination that individual agencies cannot achieve alone.
How Approval Phishing Works
Approval phishing differs from conventional credential theft in a critical respect. Rather than stealing private keys or seed phrases, attackers trick victims into signing blockchain transactions that grant the attacker permission to move tokens from the victim's wallet. These permissions — known as token approvals — are a standard feature of Ethereum and EVM-compatible blockchains, designed to enable smart contract interactions such as decentralised exchange trading and lending protocol deposits.
Criminal networks exploit this mechanism through elaborate social engineering campaigns. Victims typically encounter fake investment platforms, fraudulent decentralised application interfaces, or spoofed wallet alerts that prompt them to approve a token transfer. Once the approval transaction is signed, the attacker can drain the wallet at any time without further interaction from the victim. Because the approval is recorded on-chain as a legitimate signed transaction, blockchain analytics tools initially classify the subsequent theft as an authorised transfer — complicating detection and delaying law enforcement response.
Chainalysis data cited by the Secret Service indicates that approval phishing has grown from a niche attack vector into one of the most financially damaging categories of cryptocurrency crime, surpassing traditional exchange hacks in cumulative losses during 2025. The $2.7 billion figure encompasses identified on-chain losses across Ethereum, BNB Chain, Polygon, and Arbitrum networks, though investigators believe the true total is significantly higher due to underreporting.
Operational Scope and Objectives
Operation Atlantic has three stated objectives: disrupting active fraud networks, identifying and assisting victims, and recovering stolen assets. The initiative builds on Project Atlas, a 2024 operation led by the Ontario Provincial Police's Cyber-Enabled Fraud Team that identified more than 2,000 compromised wallets across 14 countries, disrupted approximately $70 million in potential fraud, and froze roughly $24 million in stolen cryptocurrency. Operation Atlantic represents a significant escalation in both scope and ambition.
Investigators are using on-chain analytics to map approval phishing networks, identifying clusters of attacker wallets, tracing fund flows through mixers and cross-chain bridges, and correlating blockchain data with traditional intelligence on known organised crime groups. The Secret Service confirmed that several arrests have already been made in connection with the operation, though details remain sealed pending ongoing proceedings. The UK National Crime Agency described the operation as 'the largest coordinated action against crypto-enabled fraud that British law enforcement has participated in.'
Victim Identification and Public Awareness
A distinctive feature of Operation Atlantic is its emphasis on proactive victim identification. Rather than waiting for fraud reports, investigators are scanning blockchain data for wallets that have granted suspicious token approvals and attempting to contact affected individuals before their funds are stolen. The Ontario Securities Commission has established a dedicated portal where individuals can check whether their wallet addresses appear in the operation's database of compromised approvals.
Public awareness campaigns accompanying the operation focus on educating cryptocurrency users about the risks of token approvals and the importance of regularly reviewing and revoking unnecessary permissions. The FCA has published guidance recommending that users employ approval management tools — such as Etherscan's token approval checker or Revoke.cash — to audit their wallet permissions and remove access grants to unfamiliar smart contracts. Law enforcement officials stressed that many victims remain unaware their wallets have been compromised until funds are actually moved, creating a window during which intervention can prevent losses.
Industry Response and Criticism
The cryptocurrency industry has broadly welcomed the operation, though some participants have questioned whether law enforcement resources would be better directed at larger-scale state-sponsored threats. Jake Chervinsky, chief legal officer at the Blockchain Association, described Operation Atlantic as 'an encouraging sign that governments are investing in crypto-specific enforcement capabilities rather than relying on blunt regulatory tools.' Blockchain analytics firm Elliptic offered technical support to the operation and published a public advisory detailing common approval phishing patterns.
Critics, however, have noted that the operation does not address the underlying protocol design choices that make approval phishing possible. Ethereum researcher Dankrad Feist argued on social media that 'the approval model is fundamentally broken for retail users' and called for protocol-level changes — such as time-limited approvals or mandatory spending caps — that would reduce the attack surface regardless of law enforcement activity. Wallet providers including MetaMask and Rabby have responded by implementing more prominent approval warnings, though adoption of these safety features remains inconsistent.
What to Watch Next
Operation Atlantic is expected to continue for at least six months, with participating agencies planning to expand the coalition to include law enforcement from Australia, Germany, and Singapore. The Secret Service has indicated that additional arrests and asset seizures are forthcoming and that the operation's on-chain intelligence will be shared with private sector partners to improve automated fraud detection systems. Parallel legislative efforts in the US and UK are considering whether to mandate wallet-level fraud warnings and require exchanges to flag transactions involving wallets with known malicious approval histories.
The operation's ultimate impact will be measured not only in arrests and recovered funds but in whether it produces a lasting deterrent effect on organised crypto fraud networks. Previous enforcement actions — including the takedown of Hydra Market in 2022 and the sanctioning of Tornado Cash — demonstrated that law enforcement can disrupt crypto-criminal infrastructure, but the decentralised and pseudonymous nature of blockchain networks ensures that determined actors can reconstitute operations relatively quickly. For the agencies behind Operation Atlantic, the challenge is to impose costs high enough to shift the economics of approval phishing from profitable enterprise to unacceptable risk.
