Romance scams are labor-intensive and time-consuming schemes to run. They can be lucrative, pulling in millions in stolen cryptocurrency, but they also can end up going nowhere if the targeted victim becomes suspicious or the bad actor decides there won’t be a payoff.

However, these cybercriminals – also known as “pig butchering scammers” – are now adopting a method known as approval phishing, which increases the odds that their efforts will be successful, according to researches with blockchain analysis firm Chainalysis.

The researchers have seen the use of approval phishing scams skyrocket over the past couple of years, with victims linked to more than 1,000 addresses tracked by Chainalysis having lost about $1 billion since 2021, including $516.8 million last year and $374.6 million through November in 2023.

“While it’s important to note that this $1.0 billion total is an estimate based on on-chain patterns, and that some of it could represent laundering of funds already controlled by the scammers, this figure is likely just the tip of a much larger iceberg,” the researchers wrote in a report this week. “Romance scams are notoriously underreported, and our analysis began from a limited set of reported instances.”

Romance scams have been around for a while but have caught fire over the past couple of years with the rise of cryptocurrencies. The FBI said in a report that in 2022, more than 19,000 people reported being victims of confidents or romance scams, with the estimated total losses reaching almost $735.9 million.

Butchering the Pig

The more colorful “pig butchering” term gives a hint to laborious nature of typical romance scams. The bad actor makes contact with someone online, beginning with an innocent chat. The criminal continues to build on the relationship over time, eventually introducing the idea of a – phony – investment scheme that promises big returns over short periods of time. This is “fattening the pig.”

If successful, the bad actor convinces the victim to investment a certain amount of crypto into the scheme. If the victim hands over the investment funds – it can be via cryptocurrency or digital payment platforms – with the expectation it will be invested, the scammer will disappear and become unreachable, usually when they’ve collected enough money or the victim tries to withdraw fund from the account, according to Trend Micro. Thus the “butchering.”

These scams can take a long time of pull off, but romance scammers are increasingly using the approval phishing method, which is faster and gives the threat actor more control over the outcome.

“Approval phishing differs from other crypto scams in a small but important way,” the Chainalysis researchers wrote. “Typically, scammers trick victims into sending them cryptocurrency, usually through a phony investment opportunity or by impersonating somebody else.”

However, “in an approval phishing scam, the scammer tricks the user into signing a malicious blockchain transaction that gives the scammer’s address approval to spend specific tokens inside the victim’s wallet, allowing the scammer to then drain the victim’s address of those tokens at will. Some victims have lost tens of millions to these scams.”

How Approval Phishing Works

Decentralized apps – or dApps – on blockchains that enable smart contracts, such as Ethereum, require users to assign approval transactions, which give the apps smart contracts permission to move funds that are held by the users address, the researchers wrote.

“Approvals granted to secure dApps are generally safe because properly designed smart contracts can only use that approval when directed to do so by the user, or when such approval is required in the normal functioning of the dApp,” they wrote. “In those cases, we would generally expect the dApp user’s address to be the one initiating the transaction to spend the funds.”

That said, approval phishers rely of the fact that many crypto users are used to signing approval transactions. The key is in the permissions that are given, and the trustworthiness of the party receiving that permission.

Normally, non-malicious transactions involve the victim address being the initiator. However, if the approved spender address can initiate the transaction, it’s usually an approval phishing scam, with the bad actor – in control of the approved spend address – executing a transaction to move the fund in a new destination address outside of the victim’s reach.

From there the funds are sent to a consolidation address, where the bad actors collect money stolen from multiple victims.

A Blending of Scams

Chainalysis’ report shows a blending of the two types of investment scams. Romance scammers are adopting the approval phishing techniques in their schemes. Meanwhile, approval phishing scammers – which typically target large numbers of crypto users through fake crypto apps – are “now more and more targeting specific victims, building relationships with them and using tactics associated with romance scams to convince victims to sign approval transactions.”

The researchers found that the most successful approval phishing addresses in their research likely stole $44.3 million from thousands of addresses, or about 4.4% of the estimated total taken since May 2021. The 10 largest combined for 15.9% of all the stolen funds, while the 73 biggest accounted for half of the amount stolen.

The adoption of approval phishing is the latest example of romance scammers adopted new technologies and tactics in their campaigns. In August, Sophos found that bad actors were using AI chatbots like OpenAI’s ChatGPT to craft the messages they’re using in their initial approaches to targets using iPhones or Android devices.

Four Arrested for Money Laundering

Chainalysis’ report about romance and approval phishing scams came the same day the Justice Department announced that four men were indicted for laundering millions of dollars of cryptocurrency stolen in pig butchering scams in a case unrelated to Chainalysis’ research.

The four opened shell companies and bank accounts that were used to launder the stolen funds, which were transferred to domestic and international financial institutions, according to the DOJ. The syndicate involved in the investment frauds – which involved at least 284 transactions – collected more than $80 million from victim, with more than $20 million being directly deposited into bank accounts associated with the defendants.

The four men – Lu Zhang, Justin Walker, and Joseph Wong, from California; and Hailong Zhu, from Illinois – were charged with conspiracy to commit money laundering, concealment money laundering, and international money laundering.