Warning

Please be vigilant about TRM impersonation scams, especially those claiming to assist with fund recovery. More info

Solutions
Products
RESOURCES
Customers
Company
Request a demo
en
Search
Search
Insights
April 9, 2026

TRM Labs Supports Operation Atlantic: USD 12 Million Frozen and 20,000 Victims Identified in International Crackdown on Crypto Scammers

TRM Team
TRM Labs Supports Operation Atlantic: USD 12 Million Frozen and 20,000 Victims Identified in International Crackdown on Crypto Scammers

Key takeaways

  • Operation Atlantic, led by the UK's National Crime Agency and co-hosted by the US Secret Service, Ontario Provincial
  • Police, and Ontario Securities Commission, targeted cryptocurrency approval phishing scams across three countries
  • More than USD 12 million in suspected criminal proceeds has been frozen, with over USD 45 million in stolen cryptocurrency identified worldwide
  • More than 20,000 victims were identified across the UK, Canada, and the United States
  • TRM Labs supported the operation from planning through execution, providing blockchain intelligence, on-chain tracing, and real-time victim identification

{{horizontal-line}}

Today the UK's National Crime Agency (NCA) announced the results of Operation Atlantic, a weeklong international law enforcement sprint targeting criminals who steal cryptocurrency through a technique known as approval phishing.

The operation, co-hosted by the NCA, US Secret Service, Ontario Provincial Police, and Ontario Securities Commission, brought together investigators, analysts, and private sector partners at the NCA's London headquarters for a concentrated effort to identify victims, trace stolen funds, and disrupt active fraud networks.

TRM Labs was proud to support this operation as a private sector partner, providing blockchain intelligence and investigative expertise throughout.

What is approval phishing?

Approval phishing is a form of cryptocurrency fraud in which victims are manipulated into signing a blockchain transaction that grants a scammer control over their wallet. Unlike traditional phishing, where an attacker steals login credentials, approval phishing exploits the technical permissions built into smart contracts. Once a victim unknowingly approves access, the attacker can drain funds at will.

These schemes are often wrapped inside investment scams or romance fraud, where victims have been groomed over weeks or months before being directed to a malicious site. Many victims do not realize their funds have been compromised until long after the approval was signed.

How Operation Atlantic worked

Operation Atlantic followed a sprint model: an intensive, time-bound operational push in which law enforcement agencies and private sector partners work side by side in real time. Over the course of the week, teams at the NCA's London headquarters combined blockchain analytics, intelligence sharing, and direct victim outreach to identify and act on active approval phishing threats.

The results were significant:

  • More than USD 12 million in suspected criminal proceeds frozen
  • Over USD 45 million in cryptocurrency fraud schemes identified globally
  • More than 20,000 victims identified across the UK, Canada, and the United States

City of London Police, the Financial Conduct Authority, and other international law enforcement bodies also participated in the weeklong action.

TRM's role

TRM Labs supported Operation Atlantic from planning through execution. Ahead of the sprint, TRM worked with the US

Secret Service and NCA to prepare investigative workflows tailored to approval phishing typologies, so that investigators could begin triaging cases once the operation was underway.

During the week, TRM's tracing team worked alongside case officers in London, using TRM's blockchain analytics platform and intelligence from Chainabuse.com to triage thousands of addresses, identify high-risk victims, and map the movement of funds across exchanges and protocols.

That work produced multiple seizure-ready intelligence packages, including one linked to an approval phishing network responsible for more than USD 15 million in victim losses and contributed to the broader multi-million-dollar asset freezes announced by the authorities.

Crypto fraud by the numbers

Operation Atlantic is a powerful example of what coordinated action can achieve, and it underscores the scale of crypto-enabled fraud globally. TRM tracked approximately USD 35 billion in cryptocurrency flows to fraud schemes in 2025. Stablecoins now account for roughly 84% of verified fraud inflows, up from 70% in 2024, reflecting their prevalence across scam infrastructure. Fraud networks are also moving faster: many now shift stolen funds onward within 48 hours, compressing the window for intervention.

These trends make operations like Atlantic, where investigators and blockchain intelligence providers work together in real time, essential.

A model for public-private disruption

Operation Atlantic reflects a broader shift in how crypto crime is fought. Across the industry, the conversation has moved beyond public-private partnership toward public-private disruption: operational collaboration that produces real-world seizures, victim notifications, and criminal network takedowns.

The Financial Action Task Force (FATF) cited TRM's Beacon Network, which connects law enforcement agencies, exchanges, and stablecoin issuers in a shared real-time alerting system, as an example of this model. Beacon has helped freeze more than USD 330 million in illicit proceeds to date.

Operations like Atlantic build on the same principle: when investigators, analysts, and industry work in the same room with the same data, the results are tangible.

As NCA Deputy Director of Investigations Miles Bonfield said: "Operational Atlantic is a powerful example of what is possible when international agencies and private industry work side by side. This intensive action has led to the safeguarding of thousands of victims in the UK and overseas, stopped criminals in their tracks and helped save others from losing their funds."

Phil Ariss, director of UK public sector relations at TRM Labs, said: "Operations like Atlantic show what public-private disruption looks like in practice. When blockchain intelligence and law enforcement expertise come together in real time, across borders, the results are meaningful: funds frozen, victims protected, and criminal networks disrupted. TRM is proud to support the NCA, the US Secret Service, and their partners in this work."

What comes next

The NCA and its partners are now analyzing intelligence gathered during Operation Atlantic to support victims and investigate further criminal activity. For TRM, this operation demonstrates that the most effective response to crypto-enabled crime comes through sustained, cross-border, public-private collaboration.

If you have been a victim of cryptocurrency fraud, you can report it through https://www.chainabuse.com or contact your local authorities. UK residents can report fraud at https://reportfraud.police.uk or call 0300 123 2040.

{{horizontal-line}}

Frequently asked questions (FAQs)

1. What is Operation Atlantic?

Operation Atlantic was a weeklong international law enforcement operation led by the UK's National Crime Agency (NCA) and co-hosted by the US Secret Service, Ontario Provincial Police, and the Ontario Securities Commission. It targeted criminals stealing cryptocurrency through approval phishing scams. The operation resulted in more than USD 12 million in suspected criminal proceeds frozen, over USD 45 million in fraud schemes identified globally, and more than 20,000 victims identified across the UK, Canada, and the United States.

2. What is approval phishing?

Approval phishing is a form of cryptocurrency fraud where victims are manipulated into signing a blockchain transaction that grants a scammer control over their wallet. Unlike traditional phishing that steals login credentials, approval phishing exploits technical permissions built into smart contracts. Once a victim unknowingly approves access, the attacker can drain funds at will. These schemes are often embedded in investment scams or romance fraud, where victims are groomed over weeks or months before being directed to a malicious site.

3. What role did TRM Labs play in Operation Atlantic?

TRM Labs served as a private sector partner throughout the operation, from planning to execution. Before the sprint began, TRM worked with the US Secret Service and NCA to prepare investigative workflows tailored to approval phishing. During the operation, TRM's tracing team worked alongside case officers in London, using TRM's blockchain analytics platform and intelligence from Chainabuse.com to triage thousands of addresses, identify high-risk victims, and map the movement of funds. This work produced multiple seizure-ready intelligence packages, including one linked to a network responsible for more than USD 15 million in losses.

4. How big is the crypto fraud problem globally?

TRM tracked approximately USD 35 billion in cryptocurrency flows to fraud schemes in 2025. Stablecoins now account for roughly 84% of verified fraud inflows, up from 70% in 2024, reflecting their prevalence across scam infrastructure. Fraud networks are also accelerating: many now move stolen funds within 48 hours, compressing the window for law enforcement intervention.

5. What should I do if I've been a victim of cryptocurrency fraud?

You can report cryptocurrency fraud through Chainabuse.com or contact your local authorities. UK residents can report fraud at reportfraud.police.uk or call 0300 123 2040. Early reporting helps law enforcement trace funds and potentially recover assets before they are moved beyond reach.

This is some text inside of a div block.

Related posts

arrow right
BLOG
April 5, 2026

How Indonesian Law Enforcement Used On-chain Intelligence to Secure Convictions for Terrorism Financing

arrow right
BLOG
June 14, 2025

Swedish Law Enforcement Secures First Conviction Under New Terrorism Financing Law

arrow right
BLOG
July 24, 2025

DOJ Targets Hamas-Linked BuyCash Exchange in $2 Million Civil Forfeiture for Terrorist Financing

No posts to show
No posts to show
No posts to show
No posts to show
No posts to show
Subscribe and stay up to date with our insights
No items found.
Digital illustration showing a pie chart, masked criminal figure, and crypto coin symbol on a data grid background—representing crypto crime analytics.
REPORT
See the trends and typologies that shaped the illicit crypto ecosystem in 2025
READ THE REPORT →
Blue diamond with a circle overlayed in white on a dark blue background
REPORT
Unlocking more clarity for institutional adoption with key crypto policy shifts in 2025
READ THE REPORT →
3D illustration of a blue magnifying glass hovering over a digital fingerprint on a dark background, symbolizing crypto investigations or forensic analysis.
FLIP BOOK
Learn more about common crypto-enabled scam typologies in our "Investigating Crypto Scams" flip book
Get your copy →
Illustration of a stablecoin represented by a dollar symbol surrounded by icons for growth, risk alert, user profiles, and a security shield with a target, connected through a network of hexagons — symbolizing the interconnected risks and compliance considerations in digital asset ecosystems.
USE CASE
Learn how TRM helps compliance teams monitor exposure, detect threats, and safeguard their organizations
TRM for stablecoin risk management →
A worn silver wrench tool on a brown-red background, as a metaphor for violent crime
BLOG
Learn about the recent rise of "wrench attacks" and crypto-related violent crime
Read the post →
Illustration of a financial institution icon and a compliance document with checkboxes, symbolizing regulatory due diligence and financial compliance in the digital asset ecosystem.
GUIDE
Learn best practices for evaluating the legal, operational, and financial integrity of crypto entities before engagement
Get the guide →
A judge's gavel rests beside a stack of gold-colored cryptocurrency tokens, including Bitcoin, Dogecoin, Ethereum, and others, symbolizing the intersection of digital assets and regulatory or legal oversight.
REGULATORY ACTION TRACKER
Stay updated on the latest crypto-linked regulatory actions available in the public domain
Check it out →
Screenshot of the splash page used by law enforcement agencies following the takedown of Garantex, with bold red lettering reading, "This domain has been seized," along with the logos of various international law enforcement agencies involved in the action.
BLOG
Learn more about the global law enforcement operation that took down Garantex
Read the post →
Illustration of cryptocurrency crime on a dark blue background featuring bright blue and white blockchain symbols (including Bitcoin and TRON), financial graphs, and a hacker icon.
REPORT
2025 Crypto Crime Report: Explore how the crypto crime landscape evolved over the past year
DIG IN NOW →
Bright blue fiber optic cables on a dark blue background, with flashes of white sparks interspersed throughout.
REPORT
As AI technology becomes more sophisticated, so will the ways in which criminals use it. See what TRM is doing to counter AI-enabled crime.
FIGHT AI WITH AI →
Illustration of cryptocurrency crime on a dark blue background featuring bright blue and white blockchain symbols (including Bitcoin and TRON), financial graphs, and a hacker icon.
REPORT
The crypto crime landscape saw significant shifts in 2024, including decreases in illicit volumes. Dig into the data here.
PREVIEW THE CRYPTO CRIME REPORT →
Cork board with mugshots of Heather "Razzlekhan" Morgan and Ilya Lichtenstein, with their names written in handwritten script below their photos, and push pins on the board connected by red string.
DOCUMENTARY
Stream “Biggest Heist Ever” and get a behind-the-scenes peek from the TRM team
CHECK IT OUT →
A light blue two dimensional circle (representing a stablecoin) floating against dark blue and white curved lines (representing waves), with thin dotted blue and white lines overhead to represent wind.
REPORT
Explore the macro trends and jurisdictional developments that shaped the global crypto policy landscape in 2024
READ THE REPORT →
Illustration on a dark blue background showing a bug and exclamation mark (representing illicit activity), a globe with pin points, a coin, and a bar chart.
REPORT
See the countries with the highest rates of crypto adoption — and the highest rates of exposure to illicit activity
READ THE REPORT NOW →
A blue rectangle with geometric shapes in the background and dots connected by thin lines in the foreground, representing connections on the bockchain.
WHITE PAPER
Explore four ways TRM improves compliance in the modern sanctions enforcement era
Download the white paper →
Illustration of a pig butchering chart featuring various cryptocurrency logos in each section, with a bright blue sheriff's badge on top, symbolizing law enforcement's role in combating fraud.
CASE STUDY
See how Deputy District Attorney Erin West and the REACT Task Force are fighting back against pig butchering
WATCH THE VIDEO →
Illustration of an eye, skull and crossbones, and a pie chart on a light blue background, symbolizing the dangers of crypto scams and financial fraud.
REPORT
Explore the key trends that shaped that the illicit crypto economy in 2023
GET THE REPORT →
Close-up photograph of the United States Capitol building with snow falling
BLOG
Learn why cryptocurrency has become a central issue in the 2024 US election
READ THE POST
Illustration of a Russian doll toy containing a ransomware attack inside the smallest one
REPORT
Take a deep-dive into the Russian-speaking illicit crypto ecosystem
READ THE FULL REPORT
Outline of pig with law enforcement shield overlaid
Case Study
Learn more about how the REACT Task Force is tackling pig butchering
Read the case study
Illustration of a Russian doll toy containing a ransomware attack inside the smallest one
REPORT
Explore recent ransomware trends in the Russian-speaking crypto ecosystem—including the role of ransomware groups in cybercrime around the world
GET THE REPORT
Person typing on a laptop keyboard with dark blue filtered overlay
BLOG POST
Learn about summer 2024’s spate of ransomware attacks, and the proliferation of RaaS around the world
READ THE POST
REPORT
Learn about cryptocurrency’s role in the international synthetic drug precursor market
GET THE REPORT