By NHI Mgmt Group Editorial Team | Published 2026-06-08 | Domain: Governance & Risk | Source: Sumsub

TL;DR: AI-driven fraud attacks increased 180% year on year globally in 2025, according to Sumsub’s Identity Fraud Report, while static KYC is losing effectiveness against deepfake impersonation and remote onboarding fraud. Continuous identity assurance is becoming a lifecycle control, not a one-time checkpoint.


At a glance

What this is: Sumsub’s analysis of how AI-driven fraud is pushing crypto platforms toward continuous identity assurance across onboarding and the user lifecycle.

Why it matters: It matters to IAM, NHI, and identity governance teams because the same shift from static checks to adaptive verification is now shaping how organisations handle users, service identities, and AI-enabled fraud.



Context

AI-driven identity fraud is a governance problem as much as a verification problem. When deepfakes and synthetic documents can be generated cheaply, one-time onboarding checks no longer give assurance that the person or account on the other side of the screen remains legitimate across the session, the lifecycle, or the relationship.

For crypto platforms, that changes the identity model in a practical way. KYC can no longer sit at the front door only; it has to extend into ongoing risk scoring, biometric checks, and lifecycle monitoring so that fraud controls can keep pace with user behaviour and adversarial automation.


Key questions

Q: How should security teams handle AI-driven identity fraud in remote onboarding?

A: They should treat onboarding as the start of identity assurance, not the end of it. Strong programmes combine liveness checks, document validation, behavioural review, and risk-based escalation so attackers cannot rely on a single successful check to gain durable trust. The control goal is to make impersonation more expensive and easier to detect across the lifecycle.

Q: Why do static KYC controls fail against AI-generated impersonation?

A: Static KYC fails because it assumes identity proof is durable after the initial check. AI-generated faces, documents, and synthetic behaviours can satisfy a front-door control without proving the account remains legitimate later. Once that happens, the organisation needs continuous assurance, not a stronger version of the same one-time checkpoint.

Q: What breaks when identity verification is treated as a one-time event?

A: Fraudsters can exploit the gap between acceptance and later review. If the platform only verifies identity once, it has no way to respond when risk changes after onboarding, recovery, or payout initiation. That creates a control gap where an initially approved identity can behave fraudulently without triggering fresh scrutiny.

Q: Who is accountable when continuous identity checks are missing?

A: Accountability usually sits with the product, security, and compliance owners jointly, because the failure spans verification design, fraud monitoring, and regulatory obligations. In regulated digital asset environments, teams need clear ownership for step-up checks, review thresholds, and exception handling so no one assumes another function is managing the risk.


Technical breakdown

Why static KYC fails against AI-driven impersonation

Static KYC assumes the identity event is front-loaded: verify once, then trust the result until something changes. AI-driven fraud breaks that model because attackers can generate convincing faces, documents, and behavioural signals that look legitimate at onboarding and then reuse the success path at scale. The technical issue is not only better forgeries, but faster attack iteration. Risk-based workflows, liveness checks, and database validation exist to re-test trust at different points in the journey rather than treating onboarding as a permanent proof of identity.

Practical implication: move from a single approval gate to layered verification that can re-check identity when risk changes.

Biometric liveness and source-of-funds checks as lifecycle controls

Biometric liveness checks are designed to detect whether the presenting subject is physically present rather than replaying or mimicking a captured identity signal. Source-of-funds checks add a different control plane by validating financial legitimacy instead of just document authenticity. Together, these are lifecycle controls because they extend assurance beyond account creation into activity that may indicate fraud, mule behaviour, or account takeover. In regulated trading environments, the point is not maximum friction. It is to preserve trust while making fraudulent scaling more expensive and more detectable.

Practical implication: align high-risk verification steps to transaction and behaviour thresholds, not just initial registration.

Continuous identity assurance for remote onboarding fraud

Continuous identity assurance means identity is treated as a state that can drift, not a binary outcome that is fixed after signup. In practice, that means combining document analysis, behavioural signals, database checks, and human review only where the model cannot establish confidence. This matters because remote onboarding fraud often exploits the gap between initial acceptance and later detection. The stronger the automation, the more important the policy logic becomes around when to escalate, step up, or pause verification.

Practical implication: define escalation rules for identity drift before fraud operations force you into manual triage.
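
One way to express the escalation rules described above as policy code. This is an added example, not logic from Sumsub, MEXC or the original post; the signal names, event kinds and thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from enum import Enum

class Decision(Enum):
    ALLOW = "allow"
    STEP_UP_LIVENESS = "step_up_liveness"
    SOURCE_OF_FUNDS = "source_of_funds_review"
    MANUAL_REVIEW = "manual_review"
    PAUSE = "pause_account"

@dataclass(frozen=True)
class Account:
    days_since_liveness: int      # age of the last passed liveness check
    baseline_daily_volume: float  # expected profile recorded at approval time
    known_devices: frozenset

@dataclass(frozen=True)
class Event:
    kind: str                     # e.g. "login", "trade", "payout"
    amount: float = 0.0
    device: str = ""

# Assumed policy values, chosen for illustration only.
HIGH_RISK_KINDS = {"account_recovery", "beneficiary_change", "payout"}
LIVENESS_MAX_AGE_DAYS = 30
VELOCITY_RATIO = 5.0              # multiple of baseline that counts as divergence

def drift_signals(acct: Account, ev: Event) -> set:
    """Signals that no longer match the profile used at approval time."""
    signals = set()
    if ev.device not in acct.known_devices:
        signals.add("new_device")
    if ev.amount > 0 and ev.amount >= VELOCITY_RATIO * acct.baseline_daily_volume:
        signals.add("velocity")
    if acct.days_since_liveness > LIVENESS_MAX_AGE_DAYS:
        signals.add("stale_liveness")
    return signals

def decide(acct: Account, ev: Event) -> Decision:
    signals = drift_signals(acct, ev)
    high_risk = ev.kind in HIGH_RISK_KINDS
    if high_risk and len(signals) == 3:
        return Decision.PAUSE                # every signal has drifted on a sensitive action
    if len(signals) >= 2:
        return Decision.MANUAL_REVIEW        # automation cannot establish confidence
    if "velocity" in signals:
        return Decision.SOURCE_OF_FUNDS      # value moved diverges from the expected profile
    if signals and high_risk:
        return Decision.STEP_UP_LIVENESS     # re-prove presence before the sensitive action
    return Decision.ALLOW                    # no drift, or one weak signal on a low-risk event
```

The ordering of the checks is the policy: the same signals produce a pause, a human review or a single step-up depending on how many have drifted and how sensitive the triggering event is.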


Threat narrative

Attacker objective: The attacker’s objective is to create trusted access that can be monetised through financial fraud, account abuse, or compliance bypass.

  1. Entry occurs when an attacker uses a deepfake or synthetic identity to pass remote onboarding checks and obtain a trusted account.
  2. Credential access or abuse follows when the fraudulent identity is accepted into the platform and can interact with verification, trading, or funds movement workflows.
  3. Impact occurs when that account is used to move value, bypass compliance controls, or scale fraud across multiple user profiles.


NHI Mgmt Group analysis

Static onboarding trust is no longer a durable identity assumption. AI-driven fraud makes the first verification decision too weak to carry the whole relationship, because attackers can now produce passable identity signals on demand. In governance terms, the problem is not just fraud volume. It is that the old assumption of stable trust after initial KYC no longer holds. Practitioners should treat identity as something that degrades under adversarial pressure, not something that remains valid until manually revoked.

Continuous identity assurance is becoming the new baseline for digital trust. The article shows a shift from checkpoint thinking to lifecycle thinking, which is exactly where identity governance has been headed across human, NHI, and platform access models. Once verification becomes adaptive, the control question changes from 'did we check this identity?' to 'can we still justify trusting it right now?' That is a meaningful governance shift for regulated environments and for any programme trying to reduce fraud without freezing legitimate activity.

Risk-based verification works only when the policy logic matches the fraud path. Biometric liveness, document analysis, database validation, and source-of-funds checks each close a different part of the fraud chain, but they only matter if teams map them to the right decision point. The named concept here is identity drift under adversarial automation: trust degrades faster than legacy review cycles can observe. The implication is that verification strategy has to be lifecycle-native, not checkpoint-native.

Crypto platforms are moving toward fraud governance that looks increasingly like IAM governance. This article is about digital assets, but the pattern generalises: trust must be continuously reassessed, identity proofing must be risk-sensitive, and lifecycle controls must extend beyond the first login or first deposit. That is why IAM, KYC, and fraud operations are converging. Practitioners should stop treating them as separate programmes with separate failure models.

The scale of AI-enabled fraud makes inaction a control gap, not a timing issue. When attack economics improve this quickly, the governance failure is not that teams were slow to modernise. It is that their control assumptions were built for a slower adversary. The practical lesson is to re-evaluate where your programme still assumes static trust, because that is now the easiest place for fraud to scale.

From our research:

  • Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks, according to The 2024 ESG Report: Managing Non-Human Identities.
  • 46% of organisations have confirmed, and 26% suspect, that they have experienced a breach of non-human identities, which shows how often identity compromise remains partially invisible at first detection.
  • For a broader governance lens, see Ultimate Guide to NHIs, Why NHI Security Matters Now, for the lifecycle and assurance problems that scale across machine identities and AI-enabled environments.

What this signals

Identity drift under adversarial automation: continuous verification is becoming a governance requirement, not a premium feature. As AI-driven fraud gets cheaper to produce and easier to iterate, platforms that still rely on a single onboarding decision will inherit risk they cannot reliably see or contain.

The programme signal for IAM and fraud teams is clear: assurance must move closer to the event stream, with step-up controls tied to behavioural change, payout risk, and account recovery. For teams building out lifecycle governance, the relevant reference point is the Ultimate Guide to NHIs, Key Challenges and Risks, because the same visibility and trust problems show up whenever identity becomes dynamic.

The broader market signal is that verification, fraud, and access governance are converging around the same question: can the organisation still justify trust right now? That is the same control logic that underpins NIST Cybersecurity Framework 2.0, especially where continuous monitoring and response have to follow identity risk rather than fixed review cycles.


For practitioners

  • Replace one-time KYC with lifecycle verification gates: Tie additional identity checks to account recovery, high-value trading, beneficiary changes, and other behaviour that increases fraud risk. Use the same assurance model across onboarding, activity changes, and payout decisions so trust can be re-evaluated when conditions change.
  • Add biometric liveness to high-risk onboarding paths: Require liveness checks where impersonation risk is highest, especially for remote onboarding and cross-border user flows. Combine liveness with document analysis so the control tests both presence and document authenticity.
  • Use source-of-funds checks as a fraud signal, not just a compliance task: Treat source-of-funds validation as a trigger for deeper review when account behaviour, deposit patterns, or transaction velocity diverge from the expected profile. That makes the control useful for fraud containment as well as AML compliance.
  • Define escalation rules for identity drift: Document when automated verification should step up to manual review, when an account should be paused, and which signals indicate that a previously trusted identity is no longer trustworthy. Build those rules before fraud operations force ad hoc decisions.

Key takeaways

  • AI-driven fraud is exposing the limits of static KYC and one-time identity proofing.
  • The scale of the problem is already measurable, with AI-powered fraud attacks rising 180% year on year globally in 2025.
  • Practitioners should move toward continuous identity assurance, with lifecycle controls that re-check trust when risk changes.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AA-01 | Identity proofing and continuous assurance map to authenticated access decisions.
NIST Zero Trust (SP 800-207) | PR.AC-1 | Adaptive verification supports continuous trust decisions in zero trust architectures.
NIST SP 800-63 |  | Digital identity proofing and authentication are central to remote onboarding risk.

Align proofing and authenticator strength to the assurance level required for the transaction.


Key terms

  • Continuous Identity Assurance: Continuous identity assurance is the practice of re-evaluating trust in an identity after onboarding, not just at the point of initial proofing. It combines behavioural signals, step-up verification, and lifecycle monitoring so the organisation can respond when identity risk changes over time.
  • Biometric Liveness Check: A biometric liveness check tests whether the person presenting an identity signal is physically present and not replaying a photo, video, or synthetic representation. It is used to reduce impersonation risk in remote onboarding and other high-trust verification flows.
  • Identity Drift: Identity drift is the gradual loss of confidence that an identity remains trustworthy after it has been accepted. In practice, drift appears when behaviour, transaction patterns, or supporting evidence no longer match the profile used at approval time, requiring reassessment or step-up controls.

Deepen your knowledge

AI-driven identity fraud and continuous identity assurance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building lifecycle verification and trust controls in a similar environment, it is worth exploring.

This post draws on content published by Sumsub: MEXC and Sumsub’s partnership on AI-driven identity fraud and continuous verification. Read the original.
