Subscribe to the Non-Human & AI Identity Journal

Why do crypto platforms need both fraud and AML controls?

Because scams and laundering are often the same chain from different angles. Fraud detects how value enters the ecosystem through deception, while AML detects how that value is converted, dispersed or obscured. If the two functions are siloed, teams miss the full lifecycle of abuse and respond too late.

Why This Matters for Security Teams

Crypto platforms sit at the intersection of consumer-facing abuse, financial crime, and rapid value movement, so fraud and AML cannot be treated as separate queues. Fraud teams look for deception at account opening, payment initiation, and transaction abuse, while AML teams look for layering, structuring, and suspicious movement after funds enter the system. That split matters because the same actor often uses both patterns in one chain.

Current guidance suggests platforms should treat this as a shared risk surface rather than two unrelated compliance functions. A weak onboarding control, a hijacked account, or a synthetic identity can start as fraud and end as laundering within minutes. The FATF Recommendations make clear that customer due diligence and transaction monitoring are complementary, not interchangeable. On the identity side, NHIMG notes that only 5.7% of organisations have full visibility into their service accounts, a reminder that poor identity visibility amplifies abuse across both human and non-human workflows.

In practice, many security teams encounter laundering patterns only after the fraud event has already created irreversible on-chain or off-platform movement.

How It Works in Practice

Operationally, the best model is a shared detection pipeline with separate decision thresholds. Fraud controls focus on account creation risk, device and session anomalies, velocity spikes, mule behavior, card testing, bonus abuse, and rapid cash-out patterns. AML controls focus on beneficial ownership, source of funds, unusual counterparties, chain hopping, peel chains, smurfing, sanctions exposure, and typologies that indicate concealment rather than simple abuse.

Those functions work best when they feed one case-management view. A fraud alert on a newly created account that immediately deposits, trades, and withdraws to a fresh wallet should enrich the AML narrative. Likewise, an AML alert on suspicious transaction layering should trigger review of onboarding signals, identity assurance, and possible account takeover. This is where identity governance matters: crypto platforms increasingly depend on API-driven settlement, custodial tooling, bots, and automated risk engines, so NHI controls help reduce blind spots around privileged service accounts and machine access. NHIMG’s Hugging Face Spaces breach and Schneider Electric credentials breach show how credential compromise can become an operational trust problem, not just an IT issue.

  • Use fraud signals to score onboarding, login, and transaction initiation.
  • Use AML rules to trace movement, obfuscation, and beneficiary patterns.
  • Share one risk engine, but preserve separate investigative playbooks.
  • Escalate when the same entity shows both deception and laundering indicators.

Framework-wise, teams should map account controls and monitoring to NIST SP 800-53 Rev. 5 Security and Privacy Controls and align AML governance to FATF expectations. These controls tend to break down when fraud and compliance are separated across vendors, because the event data needed to connect identity abuse to transaction laundering never reaches the same analyst queue.

Common Variations and Edge Cases

Tighter fraud and AML integration often increases false positives and investigator workload, so organisations have to balance detection depth against customer friction and alert fatigue. That tradeoff is especially visible in high-volume crypto businesses, where low-value retail activity, high-frequency traders, DeFi bridges, and custody workflows can look suspicious for different reasons.

Best practice is evolving for several edge cases. In some jurisdictions, AML obligations are strict but fraud signals may not be explicitly regulated, so teams must document how fraud analytics support financial-crime outcomes without conflating legal duties. In DeFi and non-custodial environments, there is no universal standard for this yet: platforms may not control the wallet, but they still control risk scoring, user experience, and withdrawal policies. For custodial platforms, automated withdrawals, internal treasury wallets, and payment processors can all behave like non-human identities in practice, so lifecycle controls, key management, and privileged access review become part of financial-crime defence. NHIMG’s Ultimate Guide to NHIs — Standards is useful here because it connects access governance, visibility, and rotation to real operational risk.

Where fraud and AML most often diverge is intent: fraud may be opportunistic theft, while AML is about concealment and placement. But platforms cannot wait for intent to become obvious, because the same attacker often uses both. Current guidance suggests using shared identity signals, shared telemetry, and shared escalation paths, then preserving distinct legal and investigative outcomes. The hardest cases are cross-border platforms with fragmented KYC data and rapid settlement, where the combined abuse path outpaces manual review.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 GV.RM-01 Risk management should unify fraud and AML signal handling across the platform.
NIST SP 800-53 Rev 5 AU-6 Audit review supports detection of suspicious account and transaction patterns.

Correlate logs, alerts, and cases to spot abuse chains across onboarding and movement.