Case Study · CW-2026-0431 · DeFi yield / arbitrage bot

The ‘AI Arbitrage Bot’ That Drained a Wallet Through One Approval: £71,500

A Leeds software contractor joined a friendly DeFi community and connected his wallet to an ‘audited’ arbitrage bot promising 1.8% a day. The catch wasn’t a deposit — it was a single token approval. Here’s how the drain worked and what we recovered.

Scam type: DeFi yield / arbitrage bot
Method: Malicious token approval (unlimited allowance)
Reported loss: £71,500 (USDT + ETH)
Timeline: ~6 weeks
Recovered: 38%
Outcome: Partial recovery

Illustrative case study. Details are a dramatized composite based on real recovery patterns; the broker, client and figures are fictional and shown for education. Outcomes vary case by case.

How the scam unfolded

Through a Discord ‘DeFi yield’ group, he was invited to a dApp called ArbiNode that claimed to run cross-exchange arbitrage automatically. A glossy ‘audit certificate’ and a dashboard of steady gains built trust. To ‘activate the bot,’ he connected his wallet and approved the protocol to spend his USDT — granting an unlimited allowance.

Where it went wrong

The dashboard gains were fake. When he tried to withdraw ‘profits,’ the bot demanded a ‘performance gas fee.’ Shortly after, the unlimited approval he’d signed was used to drain his USDT, and a follow-on transaction took his ETH. The ‘audit’ linked to a cloned page.

“I never sent them money — that’s what fooled me. I just clicked ‘approve.’ I didn’t realise one signature handed over everything.” — Client statement (illustrative)

How the recovery worked

  1. Identified the approval. We pinpointed the exact unlimited-allowance transaction and the contract that exploited it.
  2. Revoked active permissions. We helped him revoke remaining approvals to stop further loss on his other tokens.
  3. Traced the drained funds. The USDT moved across a bridge, then to two exchanges; the ETH followed a separate path.
  4. Engaged the exchanges. Evidence packets went to both platforms; one held a tranche that hadn’t yet been withdrawn.
  5. Recovered the held tranche. After compliance review, that tranche was returned — 38% of the reported loss.

Recovered for the client: 38%

Approval-based drains are quick and often irreversible. We recovered the portion that paused on an exchange; the bridged funds were not retrievable.

Warning signs to remember

  • Any dApp that needs an ‘unlimited’ token approval to ‘activate’ — set spending limits and revoke after use.
  • Guaranteed daily returns (‘1.8% a day’) — sustainable arbitrage doesn’t look like this.
  • An ‘audit certificate’ hosted on the project’s own site rather than the auditor’s.
  • Withdrawals gated behind a new ‘performance’ or ‘gas’ fee.

What you can learn

  • Connecting a wallet and approving a token are powerful actions — a single approval can authorise a full drain.
  • Use a revoke tool to review and cancel old approvals regularly.
  • Treat ‘AI’ or ‘arbitrage’ bots promising fixed daily yields as red flags, not opportunities.
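
The first warning sign above can be checked in the transaction's input data before signing. The following is an added example, not part of the original case study or any Cryptowledge tooling: it decodes ERC-20 `approve` calldata and, going slightly beyond the case, the `increaseAllowance` variant, then flags an unlimited or oversized allowance. The function names and the spender address are hypothetical and constructed; 6 decimals is assumed because that is what USDT uses on Ethereum.

```python
APPROVE = "095ea7b3"             # selector of approve(address,uint256)
INCREASE_ALLOWANCE = "39509351"  # selector of increaseAllowance(address,uint256)
MAX_UINT256 = 2**256 - 1         # the value wallets display as "unlimited"
HEX = set("0123456789abcdef")

def encode_call(selector, spender, amount):
    """Build ABI calldata for the constructed samples below."""
    return "0x" + selector + spender[2:].lower().rjust(64, "0") + format(amount, "064x")

def inspect_allowance(calldata_hex, intended_spend, decimals=6):
    """Classify one transaction's input data before it is signed.

    intended_spend is in whole tokens; decimals=6 is an assumption (USDT).
    Returns None when the call does not change an allowance.
    """
    data = calldata_hex.lower()
    data = data[2:] if data.startswith("0x") else data
    selector, args = data[:8], data[8:]
    if selector not in (APPROVE, INCREASE_ALLOWANCE):
        return None
    # Strict check: exactly two 32-byte words, and the address word must
    # carry 12 zero bytes of left padding.
    if len(args) != 128 or not set(args) <= HEX or int(args[:24], 16) != 0:
        return {"verdict": "malformed", "spender": None, "amount": None}
    amount = int(args[64:], 16)
    limit = intended_spend * 10**decimals
    if amount == 0 and selector == APPROVE:
        verdict = "revoke"        # approve(spender, 0) cancels an allowance
    elif amount == MAX_UINT256:
        verdict = "unlimited"     # the pattern in this case study
    elif amount > limit:
        verdict = "excessive"     # more than this interaction needs
    else:
        verdict = "bounded"
    return {"verdict": verdict, "spender": "0x" + args[24:64], "amount": amount}

if __name__ == "__main__":
    spender = "0x" + "ab" * 20    # constructed address, not from the case
    for amt in (MAX_UINT256, 10_000 * 10**6, 500 * 10**6, 0):
        print(inspect_allowance(encode_call(APPROVE, spender, amt), 500))
```

Anything other than `bounded` or `revoke` is a reason to stop and set an explicit limit in the wallet before signing.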

Think this has happened to you?

If you’ve lost crypto to a scam like this, the first hours matter. Our team will review your case and tell you honestly what can and can’t be recovered — at no upfront cost.

Disclaimer: Cryptowledge provides digital-asset investigative and recovery-assistance services. Past case outcomes do not guarantee future recovery. Recovery is not possible in every case and depends on the specific circumstances, transaction path, and cooperation of third parties. Cryptowledge is not a law firm, financial advisor, or regulated financial institution and does not provide legal, tax, or investment advice. All consultations are confidential. © 2026 Cryptowledge. All rights reserved.