Operation Atlantic: How Coinbase, the Secret Service, and the NCA Froze $12M in Stolen Crypto in One Week
In January 2026 alone, phishing attacks drained more than $311 million from crypto users. By the time most victims realized their wallets had been compromised, the funds were already cascading through mixers and cross-chain bridges. For years, law enforcement played catch-up — investigating crimes months after they occurred, recovering pennies on the dollar.
Then came Operation Atlantic.
Launched on March 16, 2026, from the UK National Crime Agency's London headquarters, Operation Atlantic brought together the US Secret Service, Canadian law enforcement, blockchain analytics firms Chainalysis and TRM Labs, and crypto exchanges Coinbase and Kraken for an unprecedented week-long sprint. The result: $12 million frozen, $45 million in fraud mapped, 20,000 victim wallets identified across 30 countries, and over 120 scam domains disrupted — all within seven days.
This was not a typical investigation. It was a proof of concept that public-private partnerships can shift crypto security from reactive forensics to real-time intervention.
What Is Approval Phishing — and Why Is It So Dangerous?
Unlike traditional phishing that steals login credentials, approval phishing exploits the permission architecture built into smart contracts themselves. Victims are lured by what appear to be legitimate investment opportunities, NFT mints, or DeFi yield platforms. They sign a transaction that looks routine but actually grants the attacker unlimited spending permission over their wallet tokens.
The attacker does not need your private key. They already have your permission.
What makes approval phishing particularly insidious is the time delay. Attackers often wait days or weeks before draining wallets, making it nearly impossible for victims to connect the malicious approval to the theft. By the time funds disappear, victims may have signed dozens of legitimate transactions, burying the fraudulent approval deep in their transaction history.
According to Chainalysis's 2026 Crypto Crime Report, approval phishing and authorization abuse remain the dominant attack vectors in the crypto ecosystem. The technique scales efficiently: a single phishing campaign can generate thousands of malicious approvals, and attackers can drain wallets on their own schedule.
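To make the mechanism concrete, the following added example (not from the original article or from any organisation it names) decodes the calldata of a pending transaction and flags the standard token-approval calls. The function name inspect_calldata, the 2**255 "unlimited" threshold and the sample spender address are assumptions made for illustration.

```python
# Added example: flag token-approval calls in EVM calldata before signing.
# Keys are the 4-byte selectors of the standard ERC-20 / ERC-721 functions.
APPROVAL_SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "39509351": "increaseAllowance(address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
}
# Assumption: any amount at or above 2**255 is treated as "unlimited".
UNLIMITED_THRESHOLD = 2**255


def inspect_calldata(calldata_hex, amount_needed=None):
    """Describe the approval a transaction would grant, or return None."""
    data = calldata_hex.lower()
    if data.startswith("0x"):
        data = data[2:]
    name = APPROVAL_SELECTORS.get(data[:8])
    if name is None:
        return None  # not an approval-granting call
    args = data[8:]
    if len(args) < 128:
        raise ValueError("truncated arguments for " + name)
    # Each argument is one 32-byte word; an address sits in the low 20 bytes.
    spender = "0x" + args[24:64]
    value = int(args[64:128], 16)
    if name.startswith("setApprovalForAll"):
        # A boolean: true hands the operator every token in the collection.
        risk = "high" if value else "revoke"
    elif value >= UNLIMITED_THRESHOLD:
        risk = "high"
    elif value == 0 and name.startswith("approve"):
        risk = "revoke"
    elif amount_needed is not None and value > amount_needed:
        risk = "medium"  # more than this transaction requires
    else:
        risk = "low"
    return {"function": name, "spender": spender, "value": value, "risk": risk}


# Constructed sample input: approve(<placeholder spender>, 2**256 - 1).
SAMPLE_SPENDER = "0x" + "ab" * 20
SAMPLE_UNLIMITED = "0x095ea7b3" + "00" * 12 + "ab" * 20 + "ff" * 32
```

The approve selector is shared with ERC-721, where the second word is a token ID rather than an amount, so the amount-based risk levels apply only when the target contract is a fungible token.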
Inside Operation Atlantic: A Week-Long Sprint
Operation Atlantic was not months of slow investigation. It was designed as a concentrated operational sprint, bringing together agencies and private-sector partners physically at the NCA's London headquarters.
The participants included:
- Law enforcement: US Secret Service, UK National Crime Agency (NCA), Canadian authorities
- Blockchain analytics: Chainalysis and TRM Labs provided transaction tracing and wallet clustering
- Crypto exchanges: Coinbase's Global Intelligence team and Kraken contributed exchange data, wallet identification, and fund freezing capabilities
The operation worked in three phases:
Phase 1 — Identification. Using blockchain analytics, investigators mapped approval phishing transaction patterns across multiple chains. They identified more than 20,000 wallet addresses linked to fraud victims in over 30 countries.
Phase 2 — Intervention. Rather than building cases for future prosecution, the team prioritized real-time victim protection. Over 3,000 individuals identified as actively at risk were contacted directly — warned that their wallets had been compromised and guided on revoking malicious approvals before attackers could drain remaining funds.
Phase 3 — Freezing. Working with exchanges and stablecoin issuers, the team froze $12 million in stolen funds at exit points where attackers attempted to cash out. An additional $33 million in fraudulent flows was mapped and flagged for ongoing investigation. Over 120 web domains used by scammers were identified and disrupted.
The Paradigm Shift: From Post-Hack to Pre-Drain
The traditional crypto crime investigation timeline looks something like this: a hack occurs, victims report losses weeks later, investigators spend months tracing funds, and by the time assets are frozen — if they ever are — most have been laundered through mixers, bridges, and offshore exchanges.
Operation Atlantic compressed this timeline from months to days. The critical innovation was not any single technology but the operational model itself: co-locating law enforcement and private-sector analysts in the same room, with real-time access to both blockchain data and exchange systems.
This matters because blockchain transactions are irreversible but not instantaneous at the cash-out layer. Attackers still need to convert stolen crypto to fiat through exchanges, OTC desks, or stablecoin redemptions. That exit point is where intervention is possible — but only if investigators can trace and freeze funds faster than attackers can move them.
Coinbase's track record demonstrates the potential. Before Operation Atlantic, Coinbase's Global Intelligence team had already helped the Secret Service seize $225 million in USDT from pig-butchering scams, supported the recovery of $28.6 million from a phishing campaign targeting over 1,000 users, and assisted in dismantling a violent crime ring with $3.5 million in traced stolen funds.
The Scale of the Problem: Why This Matters Now
Operation Atlantic's $12 million freeze is significant not for its size — it is a fraction of total crypto crime — but for what it proves about operational speed. The urgency is driven by the sheer scale of the problem:
- $154 billion in illicit cryptocurrency flows were recorded in 2025, a 162% year-over-year increase according to Chainalysis
- $17 billion was stolen globally through crypto scams and fraud in 2025
- $2 billion was stolen by DPRK-linked hackers alone in 2025
- AI-enabled scams are 4.5 times more profitable than traditional scams, with impersonation scams surging over 1,400% in 2025
The industrialization of crypto crime is accelerating. Phishing-as-a-service platforms allow low-skilled attackers to deploy sophisticated approval phishing campaigns. AI-generated deepfakes enable convincing impersonation of exchange support agents, project founders, and even government officials. And as DeFi total value locked grows, the attack surface expands.
Against this backdrop, the question is not whether public-private partnerships work — Operation Atlantic answered that. The question is whether they can scale.
Can the Model Scale? Challenges Ahead
Operation Atlantic was a success, but it was also an exception. A week-long sprint at NCA headquarters with dedicated teams from multiple agencies and companies is expensive and difficult to replicate continuously. Several structural challenges remain:
Jurisdiction fragmentation. Crypto crime is inherently cross-border, but legal frameworks for freezing assets, sharing intelligence, and prosecuting offenders vary dramatically by country. Operation Atlantic succeeded partly because it focused on allied nations (US, UK, Canada) with compatible legal systems. Extending this to jurisdictions less cooperative with Western law enforcement is far harder.
Speed vs. privacy. Real-time intervention requires real-time surveillance of blockchain transactions and exchange accounts. This creates tension with privacy advocates who argue that the same capabilities used to protect victims can be used for mass financial surveillance. The Tornado Cash prosecution demonstrated how thin the line can be between anti-money-laundering enforcement and criminalizing privacy tools.
Centralization risk. Coinbase's intelligence capabilities create a competitive moat — institutional clients trust the exchange that actively recovers stolen funds. But critics note that concentrating surveillance capabilities in a private company raises questions about who watches the watchers. If Coinbase can trace and freeze funds, what prevents those capabilities from being misused?
Attacker adaptation. Sophisticated attackers are already moving toward privacy chains, cross-chain bridges, and decentralized exchanges that have no compliance team to call. Operation Atlantic primarily froze funds at centralized exit points. As DeFi infrastructure matures and attackers find more decentralized off-ramps, the intervention window narrows.
The Blockchain Forensics Arms Race
Operation Atlantic did not happen in isolation. It sits within a rapidly growing blockchain forensics ecosystem:
- Chainalysis has received over $130 million in cumulative government contracts and recently launched AI-powered Blockchain Intelligence Agents trained on more than 10 million cases
- TRM Labs deployed its Co-Case Agent for natural language blockchain investigation and directly supported Operation Atlantic's analytical work
- Coinbase recently partnered with Microsoft to disrupt Tycoon 2FA, a phishing-as-a-service platform powering credential theft at global scale
The convergence of AI and blockchain analytics is accelerating detection capabilities. But the same AI tools that help investigators are also available to attackers. The question of whether defense can keep pace with offense remains open.
What is clear is that the old model — wait for a hack, investigate for months, recover almost nothing — is obsolete. Operation Atlantic showed that with the right operational model, intervention can happen in days rather than months. The challenge now is making that the norm rather than the exception.
What Users Can Do Today
While institutional-level operations like Atlantic protect victims at scale, individual users can take immediate steps to protect themselves:
- Audit your token approvals regularly. Tools like Revoke.cash and Etherscan's Token Approval Checker let you see and revoke any active approvals on your wallet.
- Be skeptical of any transaction you are asked to sign. Legitimate platforms rarely require unlimited token approvals. If a dApp requests approval for more tokens than your transaction requires, that is a red flag.
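- Use hardware wallets for significant holdings. An approval only covers the address that signed it, so even if you sign a malicious approval from your everyday wallet, assets held on a separate hardware wallet stay out of reach, which limits exposure.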
- Monitor your wallet activity. Set up alerts through services that notify you of outgoing transactions, so you can respond quickly if an attacker activates a dormant approval.
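The approval audit recommended above can be sketched in code. This added example (not from the article, and not the code of Revoke.cash or Etherscan) replays ERC-20 Approval event logs to find allowances that are still live, which is how a dormant approval buried in transaction history surfaces. The function names, the 2**255 threshold, the trusted-spender list and all sample addresses are assumptions.

```python
# Added example: replay Approval logs (eth_getLogs shape) into live allowances.
# topic0 = keccak256("Approval(address,address,uint256)")
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED_THRESHOLD = 2**255  # assumption: at or above this is "unlimited"

def _addr(topic):
    return "0x" + topic[-40:].lower()  # address = low 20 bytes of the topic

def live_allowances(logs, owner):
    """Replay logs in chain order; return {(token, spender): (value, block)}."""
    state = {}
    chain_order = lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16))
    for log in sorted(logs, key=chain_order):
        topics = log["topics"]
        # ERC-721 reuses this topic0 with a 4th indexed topic (tokenId): skip.
        if (len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC
                or _addr(topics[1]) != owner.lower()):
            continue
        key = (log["address"].lower(), _addr(topics[2]))
        value = int(log["data"], 16)
        if value == 0:
            state.pop(key, None)  # approve(spender, 0) revokes
        else:
            state[key] = (value, int(log["blockNumber"], 16))
    return state

def risky_allowances(logs, owner, trusted_spenders=()):
    """Live allowances that are unlimited or held by an untrusted spender."""
    trusted = {s.lower() for s in trusted_spenders}
    risky = []
    for (token, spender), (value, block) in sorted(live_allowances(logs, owner).items()):
        unlimited = value >= UNLIMITED_THRESHOLD
        if unlimited or spender not in trusted:
            risky.append({"token": token, "spender": spender, "block": block, "unlimited": unlimited})
    return risky

# Constructed sample data: placeholder addresses, not real accounts.
def sample_log(block, token, owner, spender, value):
    pad = lambda a: "0x" + a[2:].rjust(64, "0")
    return {"address": token, "blockNumber": hex(block), "logIndex": "0x0",
            "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(value, "064x")}
OWNER, ROUTER, UNKNOWN, TOKEN_A, TOKEN_B = ("0x" + b * 20 for b in ("11", "22", "33", "aa", "bb"))
SAMPLE_LOGS = [
    sample_log(16, TOKEN_A, OWNER, ROUTER, 1000),
    sample_log(17, TOKEN_A, OWNER, UNKNOWN, 2**256 - 1),  # dormant unlimited grant
    sample_log(18, TOKEN_B, OWNER, UNKNOWN, 2**256 - 1),
    sample_log(30, TOKEN_B, OWNER, UNKNOWN, 0),           # later revoked
]
```

Approval logs record the last value that was set, not what remains after the spender has used part of it, so confirm each finding with the token's allowance(owner, spender) call before acting on it.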
Looking Ahead: The Future of Crypto Security
Operation Atlantic represents a turning point in how the crypto industry approaches security. The shift from reactive investigation to proactive intervention mirrors what happened in traditional financial crime over the past two decades — from post-breach forensics to real-time fraud detection systems that flag suspicious transactions before they settle.
For crypto, this evolution is overdue. The technology to trace blockchain transactions has existed for years. What has been missing is the operational framework to act on that intelligence fast enough to matter. Operation Atlantic proved that framework can work. Now the industry — exchanges, analytics firms, regulators, and law enforcement — must decide whether to invest in making it permanent.
The $12 million frozen in a single week is a small number relative to the $154 billion in annual illicit flows. But the 20,000 victims identified and the 3,000 people warned before their funds could be drained represent something more valuable than any dollar figure: proof that the crypto ecosystem can protect its users, not just after the fact, but in real time.