A cross-border law-enforcement effort is homing in on a phishing method designed to look legitimate just long enough for victims to hand over full control of their wallets.

According to NewsData.io, UK, US, and Canadian authorities have identified over 20,000 victims of “approval phishing scams.” These attacks push users to approve a connection or transaction, then the scammer uses that granted permission to move funds.

The scam pattern: “approve” instead of “send”

In classic phishing, the victim is tricked into sending crypto or sharing seed phrases. Approval phishing flips the script. NewsData.io reports the victims were “trick[ed] into handing over full crypto wallet access.”

That matters because the victim often believes they are merely authorizing an action in a wallet interface. If the approval is fraudulent, the attacker can effectively act as the wallet’s delegate.

What investigators have confirmed

NewsData.io’s account is specific about victim counts and the basic mechanism. Authorities “identified over 20,000 victims” across the UK, US, and Canada, and the scams manipulated people into giving “full crypto wallet access.”

NewsData.io does not provide additional technical details in the excerpt provided to the newsroom. That means the exact approval flow, which platforms were targeted, and how the permission was executed remain unconfirmed here.

Why these scams scale fast

Approval phishing is well suited to high-volume fraud. If attackers can generate fake prompts that look like routine wallet activity, they can run large campaigns with little per-victim effort.

Once a user grants permission, the attacker does not need to keep persuading them. The access can be used immediately or held for later use, depending on how the permission is structured.

For victims, the damage is usually measured in lost assets and cleanup time. Revoking permissions after the fact may not undo transfers that already happened.

Questions authorities still need to answer

The NewsData.io excerpt points to the broad outlines of the operation, but leaves key forensic questions open.

Among them: which dApps, wallet providers, or web portals were used to deliver the fake approval requests; how the fraudster detected which users would comply; and whether investigators have linked the campaigns to infrastructure in the same cluster.

Those details matter because they determine what defenders can block. Without them, security teams can only treat the threat as a class of phishing behavior rather than a pinpointed set of indicators.

What to watch for next

Even with the disclosed victim count, the immediate story is still about identification and follow-up. NewsData.io frames the effort as authorities finding victims across multiple countries.

As investigations progress, the next useful updates would include concrete indicators that can be used for detection and prevention. That usually means technical artifacts like domains, signatures, or wallet approval patterns tied to the scam flow.

Until then, the core lesson from NewsData.io’s report is blunt. If a wallet asks for “approval” that grants more access than the user expects, treat it as suspicious until proven otherwise.