Sanctuary Compliance Desk

The April 9 release described:
- **$45 million-plus** total fraud disrupted
- **$12 million** frozen across cooperating venues (exchanges, custodians, payment processors)
- **20,000-plus** scam wallets identified
- **3,000** victims contacted
- **120-plus** scam domains seized
The intelligence flow that produced these numbers, per Chainalysis' public post-mortem and Elliptic's own write-up: blockchain analytics partners flagged suspicious addresses, connected them to known scam clusters, prioritized wallets at highest immediate risk, and provided real-time pattern attribution. The intelligence flowed to law enforcement, which then issued legal process to venues holding scam-attributed funds. The venues froze accordingly.
The 20,000 scam wallets were not publicly disclosed. The 120 scam domains were not published as a list. The intelligence is operational; it is not a public registry. This is a structural choice: publishing the wallet list would tip off operators who could rotate addresses before victims could be notified. The trade-off: the public cannot independently verify the work or use it as input to their own compliance pipelines.
As of May 15, 2026, no follow-on update to the April 9-10 numbers has been published by USSS, NCA, or OSC. The Operation Atlantic landing pages on the agency websites are static; the NCA's page is now flagged "Expired." The sprint phase produced its data; the analysis phase continues internally.
Operation Level Up is the FBI's parallel sprint pattern, focused on victim notification in pig-butchering investment fraud cases. The most recent confirmed Level Up numbers — through March 2026, per CryptoTimes' May 5 retrospective and adjacent reporting:
- **8,935 victims** notified that they were being scammed in real time
- **77 percent** of those notified were unaware they were being scammed at the moment of contact
- **$562.7 million** in estimated losses prevented (the precise current figure; rounds to $562M)
- **93 victims** referred for suicide-intervention victim specialists
The mechanism: FBI agents identify active pig-butchering operations via on-chain forensics (often through the Chainalysis coordination established under the predecessor Operation Spincaster), trace the funds to specific victim wallets, then contact those victims directly through state and local law-enforcement liaison. The contact happens while the scam is still ongoing — meaning the victim has not yet sent their full intended deposit, and notification can stop further loss.
The 77-percent-unaware figure is the operationally significant data point. Pig-butchering scams are sophisticated enough that the average victim does not recognize the scam in real time. The FBI's intervention catches them mid-deception, which is when intervention is most valuable.
The 93 suicide-intervention referrals are the human-cost data point. Pig-butchering scams target victims who often invest savings, retirement funds, or borrowed money. When the scam is revealed, the financial loss is compounded by the psychological impact. The FBI's victim-services protocol includes mental-health resources because the precedent — multiple victim suicides documented across pig-butchering cases — makes the protocol necessary.
The defining structural feature of both Operation Atlantic and Operation Level Up is the embedded private-sector analytics partnership. This is a new model that has emerged in 2024-2026.
**Chainalysis** embedded at NCA's National Economic Crime Centre for Operation Spincaster (2024 predecessor) and now Operation Atlantic. The 2026 Global Fraud Summit side event with NCA's Matt Perfect publicly confirmed the embedded partnership pattern.
**TRM Labs** embedded in the T3 Financial Crimes Unit (Tron + Tether + TRM) since September 2024. The unit surpassed $300 million in frozen assets by early 2026 and now stands at $450 million-plus per the May 14 milestone. TRM also publicly claimed support of Operation Atlantic in its February 12, 2026 and April 2026 blog posts.
**Elliptic** named as private-sector partner providing blockchain analytics, enriched data, and investigative support in Operation Atlantic. Elliptic's law-enforcement engagement page lists ongoing FBI cooperation; specific personnel (Eric Yingling material referenced on Elliptic's public resource page) document the partnership at the named-staff level.
The embedded model differs from traditional vendor-customer relationships. The analytics staff sit physically at the law-enforcement facility during sprints, have direct access to law-enforcement systems, and produce intelligence in real time. The model leverages the vendors' proprietary data and tooling (Chainalysis Reactor, TRM Tactical, Elliptic Lens) while applying it to active law-enforcement investigations.
As of May 2026, the embedded model has not produced a permanent standing presence at any major agency. Sprints are time-limited (typically one week to a month), with the vendor staff returning to their normal roles afterward. The advantages: capacity scales to demand without permanent headcount expansion; the agencies get access to vendor-specific tooling without procurement overhead. The disadvantages: institutional knowledge is not retained at the agency between sprints; the vendor-staff handoff between sprints can produce continuity loss.
The April 9 Operation Atlantic data should be read alongside the April 23-29 Scam Center Strike Force action, which targeted pig-butchering compound infrastructure rather than approval-phishing infrastructure:
- **April 23, 2026**: DOJ unsealed wire-fraud charges against Huang Xingshan and Jiang Wen Jie tied to the Shunda Park compound (Myanmar). 503 fake investment websites seized. $701.96 million in crypto restrained. Telegram recruitment channel with 6,000-plus followers seized.
- **April 29, 2026**: Dubai Police arrested 275 suspects from nine fortified compounds. Six defendants charged in the Southern District of California: Thet Min Nyi ("Pixy"), Wiliang Awang, Andreas Chandra, Lisa Mariam, plus two fugitives.
The Scam Center Strike Force is the compound-side parallel to Operation Atlantic's approval-phishing-side focus. The two operations targeted different infrastructure layers of the broader crypto-fraud economy. Combined intervention dataset: approximately $759 million-plus restrained, identified, or frozen across the April 9-29 window.
The sprint model produces measurable outcomes in measurable windows. It does not solve the structural problem.
The drainer-as-a-service ecosystem (Inferno, Angel, Sector, Eleven, Rublevka, Riddance) continues to operate. New kits launch monthly. Affiliate operators rotate. The wallet clusters that Operation Atlantic identified will be largely useless within ninety days because the operators will have rotated to new addresses.
The pig-butchering compound infrastructure (Shunda Park, KK Park, Sihanoukville, Boten, Dubai) survives the takedowns. The Karen National Liberation Army's November 2025 seizure of Shunda Park did not stop the operator network; Chen Zhi's January 2026 extradition to China (avoiding the US trial) preserved the operator continuity at the leadership level. New compounds open. Operation Level Up's 8,935 victims is a fraction of the universe of victims; the FBI's resource constraints limit the intervention rate.
The structural fix would be: persistent on-chain monitoring with automated victim notification, persistent cross-border legal-process infrastructure that turns wallet identification into freezing action without the friction of bilateral coordination, and persistent operator-side enforcement that imposes consequences on the people running the drainer kits and the compounds. The sprint model is a stopgap; it is not the structural fix.
For Sanctuary's screening, the sprint-model data does not directly enter our pipelines because the wallet lists are not publicly disclosed. The intelligence Chainalysis, TRM, and Elliptic produced for Operation Atlantic stays in their customer products.
However, the operational pattern Operation Atlantic illustrates — approval phishing as the dominant retail-loss vector in 2026 — is reflected in our behavioral detectors. Sanctuary's `approval_phishing_pattern` flag fires on wallets that have recently signed permit-2 grants to non-canonical contracts, which is the on-chain signature of an in-progress drain. The flag produces an alert that, combined with wallet-vendor UI integration, can warn a user before they sign the next prompt.
For exchanges and OTC desks receiving deposits from wallets that score high on the approval-phishing flag, the screening hook is: the wallet's recent activity suggests it was the target of a drain attempt. Inbound deposits from such wallets warrant enhanced documentation.
For consumer wallet users: integrate the screening at the signing layer. The wallet's UI warning is the last layer of defense before the permit-2 grant lands and the drain begins.
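A sketch of the rule described above for the `approval_phishing_pattern` flag: recent, still-live permit-2 (Permit2) grants to spenders outside an allowlist. This is an added example, not Sanctuary's code; the record schema, the seven-day window, the allowlist and every address are constructed assumptions.

```python
from dataclasses import dataclass

WINDOW = 7 * 24 * 3600            # assumed meaning of "recently"; not defined on the page
CANONICAL = {"0x" + "aa" * 20}    # constructed allowlist of trusted spender contracts

@dataclass(frozen=True)
class Grant:                      # one decoded Permit2 allowance record (constructed schema)
    owner: str                    # wallet that signed
    token: str
    spender: str                  # contract allowed to pull the token
    amount: int                   # 0 = allowance revoked
    expiration: int               # unix time the allowance lapses
    signed_at: int                # unix block time of the grant

def approval_phishing_pattern(grants, now, allowlist=CANONICAL, window=WINDOW):
    """Map each flagged owner to its live, recent grants to non-allowlisted spenders."""
    allow = {a.lower() for a in allowlist}
    latest = {}
    # Replay in time order so a later grant or revocation supersedes an earlier one.
    for g in sorted(grants, key=lambda g: g.signed_at):
        latest[(g.owner.lower(), g.token.lower(), g.spender.lower())] = g
    flagged = {}
    for (owner, _token, spender), g in latest.items():
        if spender in allow:
            continue              # canonical contract: expected behaviour
        if g.amount == 0 or g.expiration <= now:
            continue              # revoked or lapsed: nothing left to drain
        if now - g.signed_at > window:
            continue              # old grant: outside the "recent" window
        flagged.setdefault(owner, []).append(g)
    return flagged

# Constructed sample data: placeholder addresses, not real wallets or contracts.
NOW = 1_750_000_000
ALICE, BOB, CAROL, DAVE = ("0x" + f"{i:02x}" * 20 for i in range(1, 5))
TOKEN, ROUTER, UNKNOWN = "0x" + "cc" * 20, "0x" + "AA" * 20, "0x" + "DE" * 20
MAX = 2**160 - 1                  # largest value a uint160 allowance can hold
SAMPLE = [
    Grant(ALICE, TOKEN, ROUTER, MAX, NOW + 86400, NOW - 3600),       # allowlisted spender
    Grant(BOB, TOKEN, UNKNOWN, MAX, NOW + 30 * 86400, NOW - 7200),   # live, recent, unknown
    Grant(CAROL, TOKEN, UNKNOWN, MAX, NOW + 30 * 86400, NOW - 7200),
    Grant(CAROL, TOKEN, UNKNOWN, 0, 0, NOW - 600),                   # Carol revoked it
    Grant(DAVE, TOKEN, UNKNOWN, MAX, NOW + 90 * 86400, NOW - 30 * 86400),  # stale
]

if __name__ == "__main__":
    for owner, hits in approval_phishing_pattern(SAMPLE, NOW).items():
        print(owner, "->", [h.spender for h in hits])
```

Only Bob's wallet is flagged in the sample: Alice's spender is allowlisted, Carol's later revocation supersedes her grant, and Dave's grant falls outside the window.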
Sprint operations produce data. Standing capacity produces sustained reduction. The 2026 model is mostly sprints.
For compliance teams: the embedded-analytics model is now industry standard. Expect more sprint operations in 2026-2027. The intelligence produced will stay largely private; the operational lessons will inform vendor-side screening which will, in turn, inform our customers' screening.
For end users: the FBI is now operationally calling 8,935 victims a year. That is the floor — the rate at which the system can intervene. The actual harm rate is multiples larger. The screening that catches the wallet before the user signs the permit-2 grant is the difference between being one of the 8,935 contacted and being one of the multiples uncounted.
Screen the wallets. The sprint model has limits. The chain does not.