Inside Operation Atlantic: How blockchain analytics helped disrupt approval phishing at scale

On March 16, law enforcement agencies from the United States, United Kingdom and Canada commenced Operation Atlantic, a joint initiative targeting approval phishing networks linked to cryptoasset investment fraud. Elliptic participated as a private-sector partner, providing blockchain analytics, enriched data and investigative support across the operation.

The sprint was co-hosted by the US Secret Service, the UK's National Crime Agency (NCA), the Ontario Provincial Police (OPP) and the Ontario Securities Commission (OSC), with participation from the Royal Canadian Mounted Police, City of London Police, the US Attorney's Office for the District of Columbia and the UK's Financial Conduct Authority (FCA).

Operation Atlantic has already resulted in:

• $12 million in illicit funds frozen

• 20,000 victims identified across the UK, Canada and the United States

• More than $45 million identified as stolen in cryptocurrency fraud schemes

Why Operation Atlantic targeted approval phishing

Approval phishing is a form of on-chain fraud where an attacker tricks a victim into signing a malicious transaction that grants the attacker permission to move certain cryptoassets from their wallet. This might appear as a routine interaction with a decentralized application, a fake "liquidity mining" process or a fraudulent investment platform.

Once the victim approves the transaction, the attacker can transfer funds out of the wallet. Because blockchain transactions are irreversible, recovering stolen funds is extremely difficult without rapid intervention.

How victims are drawn into these schemes varies. In many cases, approval phishing is the final step in a longer cryptoasset investment fraud, in which the attacker builds a relationship with the victim over weeks or months before directing them to a malicious platform. These relationship-based schemes are often run from scam facilities across Southeast Asia.

The FBI's 2024 Internet Crime Report recorded $9.3 billion in cryptoasset-related fraud losses in the US alone. In the UK, fraud is the most commonly reported crime, accounting for 45% of all offences, with the UK Government's Fraud Strategy 2026-2029 identifying cryptoasset investment fraud as one of the fastest-rising threats.

Operation Atlantic builds on Project Atlas, a 2024 Canadian-led initiative hosted by the OPP that identified over 2,000 compromised wallets across 14 countries, disrupted approximately $70 million in potential fraud and froze roughly $24 million in stolen cryptoassets. Operation Atlantic expanded this model into a real-time, multinational sprint with dedicated tracing, victim contact and legal process teams working in parallel.

How did Operation Atlantic work?

Operation Atlantic brought together law enforcement investigators, prosecutors, regulators and private-sector blockchain analytics providers in a coordinated sprint. Three workstreams ran simultaneously:

1. Tracing teams conducted forward and backward tracing on compromised cryptoasset wallets to identify offramps, consolidation points and the flow of stolen funds. Elliptic supplied enriched data that was aggregated into a shared intelligence picture used across all teams.
   
   
2. Victim contact teams from the UK, Canada and the US conducted direct outreach to affected individuals, prioritizing victims with unspent funds, active approvals or significant losses. Victims were directed to official reporting portals to ensure evidence was captured in a standardized format.
   
   
3. Legal process teams prepared and coordinated requests for information, subpoenas and freezing orders, working with the US Attorney's Office for the District of Columbia and virtual asset service providers (VASPs) to act on investigative leads as quickly as possible.

What was Elliptic's role in Operation Atlantic?

Elliptic directly contributed to Operation Atlantic across four levels of support, from data processing through to independent investigations. To operate at the speed and scale the sprint demanded, Elliptic built a custom workflow using Data Fabric, which provided participants with flexible, rich and scalable access to Elliptic’s blockchain data and intelligence.

Data Fabric enabled the team to ingest, process and enrich blockchain data programmatically, delivering structured outputs directly to investigators rather than requiring manual analyses of individual wallets. This infrastructure underpinned every stage of Elliptic's contribution.

Elliptic's contribution spanned four areas:

1. Data processing and blockchain enrichment

Elliptic processed large volumes of on-chain data to provide the enrichment layer that investigators relied on throughout the sprint. This included transaction value analysis across multiple blockchains, actor attribution and exposure data.

Tracing teams used this enriched output to accelerate investigations and identify the exchanges where victims' funds had been received or were at risk. Investigators also used Elliptic’s unique insights to identify when laundered funds were sent to Guarantee marketplaces, an ecosystem which has fragmented since the shutdown of Tudou Guarantee.

Throughout the operation, law enforcement partners recognized Elliptic's unique attribution capabilities, which provided identification of actors and entities that other providers could not match.

2. Prioritized early-stage leads

Using enriched data, Elliptic generated prioritized leads for investigators. Rather than presenting raw tracing results, the team delivered actionable intelligence that identified the highest-value investigative targets, enabling tracing teams and VASP liaison teams to focus their efforts where they could have the greatest impact.

3. Independent investigations

Beyond data support, Elliptic conducted its own investigations into approval phishing networks, delivering finished investigative leads with accompanying evidence packages.

These were validated by law enforcement investigators and forwarded to legal process teams for submission of freezing orders and formal legal requests. This capability allowed Elliptic to contribute directly to the operation's enforcement outcomes.

4. Peer review and expert advisory

Elliptic's team also supported law enforcement investigators with peer reviews of complex tracing challenges and expert advisory on blockchain analysis methodologies, helping ensure that investigative conclusions were robust and evidentially sound.

How real-time intelligence changed the operation

Operation Atlantic demonstrates the operational value of real-time collaboration between law enforcement and private-sector blockchain analytics providers. 

By embedding blockchain intelligence directly into the sprint workflow, investigators were able to identify victims, trace funds and secure freezing orders within the same operational window.

The operation also reinforces a broader trend: Government agencies are increasingly leveraging blockchain analytics not just for retrospective investigations, but as a real-time operational capability. The transparency of blockchain technology makes this possible. On-chain transactions leave a permanent, traceable record, and with solutions like Elliptic’s Data Fabric, investigators can follow the money at the pace it requires.

For Elliptic, Operation Atlantic represents a milestone in how we work with government partners. The combination of Data Fabric's programmatic data processing, Elliptic's attribution and exposure data and our team's investigative expertise allowed us to contribute at every stage of the operation, from raw data through to finished intelligence.

We look forward to continuing our work with the US Secret Service, the NCA and our other law enforcement partners as this model of collaboration evolves.