Chain of Thought is our new expert-hosted webinar series, taking you behind the scenes of real investigations, emerging typologies and the crypto crime trends our experts are seeing first-hand. The first session, Inside an Investment Scam Operation, brought Chainalysis investigators Seth DuBois and Renato Bastos in front of a live audience to walk through an active approval phishing operation — from the social engineering playbook that primes the victim, to the on-chain infrastructure that drains the wallet. Here’s what went down.Setting the stage, the duo presented the numbers behind the typology – and they are stark. Chainalysis research showed that on-chain scams pulled in at least $14 billion in 2025, likely rising to $17 billion as more illicit addresses are attributed. The average payment to a single scam address rose 253% year on year. Scams augmented by AI were 4.5 times more profitable than those without.Investment scams remained the dominant category, and approval phishing is how some of them play out on-chain. “The reality is, one case is never just one. Scammers reuse the same wallets, legitimate approval features from contracts and cash-out routes across victims, which means each report exposes a wider network”, says Renato, who has witnessed this trend across several cases he’s investigated.What is approval phishing?Approval phishing tricks a victim into giving a malicious actor access to their wallet. It can take the form of an innocuous-seeming transaction. The victim falsely believes that clicking “approve” will only initiate a minor task, like making a trade or moving some funds. But hidden inside are far more serious implications. The scammer gets the approval they need to drain all of the funds.A complex social engineering operation often precedes this strike, and our investigators say the human signs are consistent. Each is a red flag for compliance professionals to intervene before the technical attack occurs: