Approval phishing is a scam tactic that has been around for many years. But while approval phishing scams have historically targeted broad swaths of crypto users by distributing fake crypto apps, romance scammers (whose schemes are also known as pig butchering scams) appear to have adopted this technique to great effect in recent years.
Approval phishing differs from other crypto scams in a small but important way. Typically, scammers trick victims into sending them cryptocurrency, usually through a fake investment opportunity or by impersonating someone else. But in an approval phishing scam, the scammer tricks the user into signing a malicious blockchain transaction that gives the scammer’s address approval to spend specific tokens in the victim’s wallet, which allows the scammer to then drain the victim’s address of those tokens at will. Some victims lost tens of millions to this scam.
It is important to note that approval phishers generally send the victim’s funds to a different wallet from the one granted approval to transact on the victim’s behalf. The on-chain pattern typically goes as follows:
Victim address signs a transaction authorizing a second address to spend its funds
Second address, which we will refer to as the approved spender address, executes a transaction to move the funds to a new destination address
In general, if transactions unfold this way, and the approved spender address is the initiator of the draining transaction, rather than the victim address as we would expect in a non-malicious transaction, this is likely a case of approval phishing. However, further investigation will be needed to know for sure.
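The heuristic above can be expressed as a replay over token events. This is an added example, not code from the original report; the event tuples, field names and address labels are assumptions, and a hit is a lead for further investigation rather than proof.

```python
from collections import namedtuple

# Event shapes are assumptions: ERC-20 Approval and Transfer logs, with each
# Transfer joined to the sender (tx_from) of the transaction that emitted it.
Approval = namedtuple("Approval", "block token owner spender value")
Transfer = namedtuple("Transfer", "block token tx_from src dst value")

def flag_suspected_drains(events):
    """Return Transfers that an approved spender, not the token owner, initiated."""
    active = set()  # (token, owner, spender) triples with a non-zero allowance
    hits = []
    # Replay in block order; within a block, apply approvals before transfers.
    for ev in sorted(events, key=lambda e: (e.block, isinstance(e, Transfer))):
        if isinstance(ev, Approval):
            key = (ev.token, ev.owner, ev.spender)
            if ev.value > 0:
                active.add(key)
            else:
                active.discard(key)  # allowance set to zero means revoked
        elif ev.tx_from != ev.src and (ev.token, ev.src, ev.tx_from) in active:
            # The owner did not send this transaction; the approved spender did.
            hits.append(ev)
    return hits

# Constructed sample data; the labels stand in for real addresses.
SAMPLE_EVENTS = [
    Approval(90, "USDT", "user_b", "dex_router", 1_000),
    Transfer(95, "USDT", "user_b", "user_b", "pool", 1_000),   # user-initiated swap
    Transfer(95, "WETH", "user_b", "pool", "user_b", 3),       # swap output leg
    Approval(100, "USDT", "victim_a", "spender_x", 2**256 - 1),
    Transfer(105, "USDT", "spender_x", "victim_a", "dest_1", 50_000),
]

if __name__ == "__main__":
    for t in flag_suspected_drains(SAMPLE_EVENTS):
        print(f"block {t.block}: {t.tx_from} moved {t.value} {t.token} "
              f"from {t.src} to {t.dst}")
```

The user-initiated swap in the sample is not flagged because the token owner sent the transaction, which is the behavior the text expects from a legitimate dApp.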
Many decentralized applications (dApps) on smart contract-enabled blockchains, such as Ethereum, require users to sign approval transactions that give the dApps’ smart contracts permission to move funds held by the user’s address. Approvals granted to secure dApps are generally safe because properly designed smart contracts can use that approval only when directed by the user, or when such approval is required in the normal functioning of the dApp. In those cases, we would generally expect the dApp user’s address to be the one initiating the transaction to spend the funds. However, approval phishers can take advantage of the fact that many crypto users are used to signing approval transactions – the trick is in what permissions are given, and the trustworthiness of the party receiving that permission. For example, in one approval phishing scam, fraudsters promoted a false story of a Uniswap approval phishing scam and set up a fake Etherscan page where users could supposedly check their transaction approvals by linking their wallets and signing an approval transaction to see if they had fallen victim – that last transaction was the core of the real approval phishing scam.
However, research suggests that approval phishers are now increasingly targeting specific victims, building relationships with them and using tactics associated with romance scams to convince victims to sign approval transactions. MetaMask Chief Product Manager Taylor Monahan (aka @tayvano_) tracked romance scam approval phishing on a custom Dune Analytics dashboard.
We identified a set of 1,013 addresses involved in what appeared to be targeted approval phishing by starting with a smaller list of approval phishing addresses whose owners are known to use romance scam tactics. We then identified other addresses related to those in the initial list that carried out similar transactions, effectively allowing us to build a more complete network of interconnected approval phishers’ on-chain activity. We estimate that victims of the addresses we started with, plus those we identified based on their distinct activity pattern, have lost approximately $1.0 billion to phishing scams since the start of our data set in May 2021. While the $1.0 billion total is an estimate based on on-chain patterns, and some of it may represent the laundering of funds already controlled by the fraudsters, this figure is probably only the tip of a much larger iceberg. Romance scams are notoriously underreported, and our analysis began with a limited set of reported cases.
The suspected approval phishing scammers we track saw their revenue peak in May 2022. Overall, victims lost an estimated $516.8 million to approval phishing in 2022, compared with just $374.6 million in 2023 through November. Like many forms of cryptocurrency-based crime, the vast majority of approval phishing theft is driven by a few highly successful actors. We can see this on the distribution chart below, which shows the phishing revenue of our 1,013 addresses during the period studied, and the cumulative share of all value stolen by phishing by the addresses in our sample in descending order.
The most successful approval phishing address likely stole $44.3 million from thousands of victim addresses, representing 4.4% of the total estimated stolen during the period studied. The ten largest approval phishing addresses together account for 15.9% of all value stolen during the studied period, while the 73 largest account for half of all value stolen.
We believe the industry can address the problem of approval phishing in a variety of ways, from user education to using pattern recognition tactics similar to the ones we used to compile this data. In general, the relevant addresses and wallets in approval phishing scams are:
Approved spender wallets that victims are tricked into approving to spend funds in their wallet
Destination addresses to which victim funds are drained
Consolidation addresses where funds drained from many victims are collected
Funds are typically moved from consolidation addresses to disbursement points – mainly centralized exchanges – as we see on the chart below.
Based on the patterns identified above, exchange compliance teams can monitor the blockchain for suspected approval phishing consolidation wallets with heavy exposure to destination addresses. They could then see in real time when those wallets move funds to their platform, and could take actions such as automatically freezing the funds or reporting them to law enforcement. More broadly, the industry can work to educate users not to sign approval transactions unless they are absolutely sure they trust the person or company on the other end and understand the level of access they are granting.
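One way a compliance team could implement the monitoring described above, as an added example that is not part of the original report: score wallets by their exposure to known destination addresses, then list deposits from the high-exposure wallets to the platform's own addresses. The thresholds, the transfer tuple shape and every address label are assumptions.

```python
from collections import defaultdict

def consolidation_candidates(transfers, destinations, min_sources=3, min_share=0.5):
    """Map each suspected consolidation wallet to its exposure: the share of
    inbound value that came directly from known drain destination addresses."""
    inbound = defaultdict(int)    # total value received per address
    exposed = defaultdict(int)    # value received from destination addresses
    sources = defaultdict(set)    # distinct destination addresses seen as senders
    for src, dst, value in transfers:
        inbound[dst] += value
        if src in destinations:
            exposed[dst] += value
            sources[dst].add(src)
    return {
        addr: exposed[addr] / inbound[addr]
        for addr in exposed
        if inbound[addr] > 0
        and len(sources[addr]) >= min_sources
        and exposed[addr] / inbound[addr] >= min_share
    }

def deposits_to_review(transfers, candidates, platform_addresses):
    """Transfers from a suspected consolidation wallet into the platform."""
    return [t for t in transfers
            if t[0] in candidates and t[1] in platform_addresses]

# Constructed sample data: (sender, receiver, value) with placeholder labels.
DESTINATIONS = {"dest_1", "dest_2", "dest_3"}
PLATFORM = {"exch_dep_7"}
SAMPLE_TRANSFERS = [
    ("dest_1", "consol_a", 40_000),
    ("dest_2", "consol_a", 25_000),
    ("dest_3", "consol_a", 30_000),
    ("other_1", "consol_a", 5_000),
    ("dest_1", "merchant", 100),      # single source, low share: not a candidate
    ("cust_1", "merchant", 9_900),
    ("consol_a", "exch_dep_7", 90_000),
    ("cust_1", "exch_dep_7", 500),
]

if __name__ == "__main__":
    found = consolidation_candidates(SAMPLE_TRANSFERS, DESTINATIONS)
    print(found)
    print(deposits_to_review(SAMPLE_TRANSFERS, found, PLATFORM))
```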
This material is for informational purposes only, and is not intended to provide legal, tax, financial, investment, regulatory or other professional advice, nor should it be relied upon as a professional opinion. Recipients should consult their own advisors before making these types of decisions. Chainalysis does not guarantee or warrant the accuracy, completeness, timeliness, suitability or validity of the information herein. Chainalysis has no responsibility or liability for any decision made or any other acts or omissions in connection with the Recipient’s use of these materials.