The rising popularity of approval phishing scams is due to the prolific approval requests by applications and the lack of scrutiny from users.
Blockchain data company, Chainalysis, revealed that over US$374 million has been stolen in 2023 through the use of approval phishing scams. While the figure may seem substantial, it also represents a 27% drop from the estimated US$516.8 million that attackers stole using this type of method.
The modus operandi itself is where scammers trick their targets into signing a malicious transaction that allows them to spend specific tokens inside the victim’s wallet. According to CoinDesk, this method is also known as ice phishing, or it could take the form of address poisoning which is where scammers send malicious address that look similar to other addresses that users are accustomed to, and place it where they may mistakenly copy and paste it for their next transaction.
This is due to the need for decentralised apps (dApps) on smart contract-enabled blockchains, like Ethereum, to be signed and approved by users to give the dApps’ smart contracts permission to move funds held by the user’s address. Approval phishers are also now mixing up their tactics by building relationships with their victims via romance scams
“While approvals granted to secure dApps are generally safe, approval phishers can take advantage of the fact that many crypto users are used to signing approval transactions. The key difference is in what permissions are given, and the trustworthiness of the party receiving that permission,” Eric Jardine, Cybercrime Research Lead at Chainalysis, explained.
Despite the amount, most of the exploits are a result of a handful of successful attempts. Of the 1,013 addresses that Chainalysis identified as being involved in this type of scam, the single most successful approval phishing address alone stole US$44.3 million, which repesents 4.4% of the total estimated stolen during the time studied. The ten largest approval phishing addresses combined accounted for 15.9% of all value stolen, while the 73 biggest, account for half of all value stolen over the period examined.
Overall, approval phishing scams raked in US$374 million for malicious actors. But according to Chainalysis, that is a 27% drop from the estimated US$516.8 million stolen previously with the same method. In comparison, US$3.8 billion in cryptocurrencies were stolen in 2022.
“Given that these scammers typically cash out using centralised exchanges, compliance teams at these service providers could monitor the blockchain for suspected approval phishing consolidation wallets with heavy exposure to destination addresses. They could then see in real-time when those wallets move funds to their platform, and then could take steps such as automatically freezing the funds or reporting to law enforcement,” said Jardine.
“More broadly, the industry can work to educate users not to sign approval transactions unless they’re absolutely sure they trust the person or company on the other side, or understand the level of access they’re granting.”
