But is it not the case that the approve() method must be invoked directly by the sender (i.e. by the account that holds the tokens that are the target of the theft)? Wouldn’t the invocation be rejected by the ERC20 token if it is made indirectly, i.e. if the invocation were made from within another method (provided that the target ERC20 token is coded properly)?
Just embed approval methods for a predefined external token contract address into the transfer() method of the airdropped token.
Then you can also chain the transfer within it, or you can wait and transfer them all yourself.
Doing too much in one transaction will alert more users because the gas price will be unexpectedly large.
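
As an added example (not part of any post in this thread), here is a small Python model of the call context the question turns on. It compares a token that records the approving owner from `msg.sender` with one that wrongly uses `tx.origin`. The class names, addresses and the `use_tx_origin` switch are constructed for illustration, and only a plain external call is modelled.

```python
# Simplified model of EVM call context (constructed for illustration).
#   msg.sender = the immediate caller of the contract currently executing
#   tx.origin  = the externally owned account that signed the transaction

MAX_UINT256 = 2**256 - 1


class Token:
    """ERC20-style allowance bookkeeping. `use_tx_origin` models the coding flaw."""

    def __init__(self, address, use_tx_origin=False):
        self.address = address
        self.use_tx_origin = use_tx_origin
        self.allowance = {}  # (owner, spender) -> amount

    def approve(self, msg_sender, tx_origin, spender, amount):
        # A properly coded token keys the allowance on msg.sender.
        owner = tx_origin if self.use_tx_origin else msg_sender
        self.allowance[(owner, spender)] = amount
        return owner


class WrapperToken:
    """Hypothetical token whose transfer() makes a nested approve() call."""

    def __init__(self, address, target, spender):
        self.address, self.target, self.spender = address, target, spender

    def transfer(self, msg_sender, tx_origin, to, amount):
        # Nested external call: the callee sees THIS contract as msg.sender,
        # while tx.origin is still the account that signed the transaction.
        return self.target.approve(self.address, tx_origin, self.spender, MAX_UINT256)


def allowance_after_indirect_call(use_tx_origin):
    """Return (owner the target recorded, the user's resulting allowance)."""
    user, spender = "0xUSER", "0xSPENDER"  # constructed placeholder addresses
    target = Token("0xTARGET", use_tx_origin)
    wrapper = WrapperToken("0xWRAPPER", target, spender)
    # The user signs a transaction that calls wrapper.transfer() directly,
    # so at the top level msg.sender == tx.origin == user.
    recorded_owner = wrapper.transfer(user, user, "0xANYONE", 1)
    return recorded_owner, target.allowance.get((user, spender), 0)


if __name__ == "__main__":
    print("msg.sender token:", allowance_after_indirect_call(False))
    print("tx.origin token: ", allowance_after_indirect_call(True))
```

With the `msg.sender` token the nested call is not rejected, but the allowance is recorded against the wrapper contract's own address and the user's allowance stays at zero. A token auditor should flag any `tx.origin` use in authorization paths, since that is the case where the user's allowance changes.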