Chainalysis estimated losses from cryptocurrency phishing at $1 billion.

The peak of scammers' earnings occurred in May 2022, according to the analytical company.

Chainalysis assessed the losses from cryptocurrency phishing over 2.5 years at $1 billion. Losses for just this incomplete year amounted to about $374 million, according to the analytical company's report.

The type of fraud in question is "approval phishing," which operates as follows: a fraudster deceives a user into signing or "approving" a malicious transaction on the blockchain, granting the scammer's address permission to operate in the victim's wallet, such as withdrawing funds to other addresses.

Many decentralized applications (dApps) on blockchains with smart contract support, such as Ethereum, require users to sign approval transactions, giving dApp smart contracts permission to transfer funds stored at the user's address. Such permissions are typically secure and necessary for the normal functioning of dApps.

Malicious smart contracts of scammers facilitating fund transfers are called "drainers." From a technical standpoint, by approving a phishing transaction, the user voluntarily transfers access to their assets into the hands of the scammers.

Chainalysis began tracking this fraudulent scheme in May 2021. According to the company's information, losses since then have reached around $1 billion. However, this may be just the "tip of the iceberg" since not all phishing cases become known, especially when it involves cases where the fraudster allegedly builds trust with victims for romantic purposes, later convincing them to approve malicious transactions, as stated in the report.

The peak of earnings for "approval" phishers, according to Chainalysis, occurred in May 2022. In total, in 2022, victims lost $516.8 million, and for the first 11 months of 2023, $374.6 million.

Like many forms of cryptocurrency-related crimes, the vast majority of phishing thefts are committed by only a few successful participants, according to the research. Chainalysis identified 1,013 phishing addresses, with half of all stolen assets going to 73 of them.

One solution suggested by analysts is to educate users and participants in the crypto industry not to sign approval transactions for other addresses unless they are absolutely sure they trust the person or company on the other side or understand well the level of access they are granting.

On December 14, due to a vulnerability in the authorization service of the Ledger cryptocurrency wallet, an unknown hacker stole about half a million dollars in various cryptocurrencies. The hacker managed to embed drainer code into the interfaces of the websites of several popular crypto services that used the software code of the Ledger Connect service.