By NHI Mgmt Group Editorial TeamDomain: Identity Beyond IAMSource: ChainalysisPublished January 13, 2026

TL;DR: 2025 crypto fraud reached an estimated $17 billion, impersonation scams jumped 1,400% year over year, and AI-assisted fraud generated about 4.5 times more profit than traditional scams, while phishing-as-a-service and laundering networks made operations more industrialised, according to Chainalysis. The lesson for identity and fraud teams is that trust abuse, not just technical compromise, is now the core control problem.


At a glance

What this is: Chainalysis shows that crypto fraud has become more industrialised, with impersonation, AI-assisted scams, and laundering networks driving larger and faster-moving losses.

Why it matters: This matters because identity verification, customer trust, and account recovery controls are now part of the fraud kill chain, not just the onboarding flow.

By the numbers:

👉 Read Chainalysis' full 2026 Crypto Crime Report on impersonation fraud and AI-driven scams


Context

Crypto fraud now operates as an industrial ecosystem rather than a collection of isolated scams. The article shows how impersonation, AI-generated deception, phishing services, and laundering networks combine to increase both scale and conversion, which makes identity verification and account protection central to fraud defence.

For identity and security programmes, the governance gap is that trust signals are being reused across onboarding, support, recovery, and payment flows without enough assurance that the claimant is genuine. That creates direct overlap between fraud prevention, customer identity, privileged support access, and non-human infrastructure that enables the scam economy.


Key questions

Q: What breaks when customer identity verification is too weak for support and recovery requests?

A: Weak verification turns support and recovery into an attacker’s easiest path. If a scammer can impersonate a customer, a help desk, or a payment provider with enough confidence, they can reset access, redirect funds, or trigger unsafe account changes. Stronger controls are needed at the points where trust is most likely to be exploited.

Q: Why do impersonation scams scale so quickly in digital channels?

A: They scale because the attacker can automate the first contact, reuse the same brand story across many victims, and outsource the rest of the workflow through phishing kits and laundering services. Once the narrative works, the operational cost per victim falls while the volume of attempts rises sharply.

Q: How can teams tell whether AI-driven fraud controls are keeping up?

A: Teams should measure how quickly fraud patterns are detected, validated, and pushed into controls compared with how fast attackers adapt. If rule updates lag behind observed attack variants, the programme is falling behind. Useful signals include repeated failures at the same workflow step, rising exception usage, and suspicious consistency across many supposedly different sessions.

Q: Who is accountable when impersonation fraud succeeds through support or recovery channels?

A: Accountability is shared across fraud, identity, support operations, and payments, because the attack crosses all four boundaries. The strongest model assigns ownership for verification design, staff privilege, customer recovery, and transaction freeze decisions so no team can assume another layer will catch the failure.


Technical breakdown

How phishing-as-a-service lowers the barrier to impersonation fraud

Phishing-as-a-service turns fraud into a modular supply chain. One group builds templates and fake websites, another distributes SMS or email traffic, and a third handles monetisation and laundering. That separation reduces the skill needed to run large-scale impersonation campaigns and makes takedown less effective because the parts are distributed across operators, hosts, and payment channels. The result is not just more phishing, but a repeatable fraud production line with interchangeable components.

Practical implication: Security teams need to treat impersonation infrastructure as a managed threat ecosystem, not a one-off campaign.

Why AI changes fraud conversion, not just message quality

AI increases fraud efficiency by improving the credibility, speed, and volume of attacker interactions. Deepfakes, synthetic personas, and large-language-model-generated scripts help scammers sustain believable conversations, imitate support staff, and respond in real time. In practice, the biggest change is conversion at scale. More targets can be engaged simultaneously, and more of them are persuaded to move money or reveal sensitive information before they detect the deception.

Practical implication: Fraud controls must evaluate interaction quality and behavioural anomalies, not just message authenticity.

How laundering networks make identity abuse harder to disrupt

Once funds leave the victim, laundering services, mule networks, and exchange hopping reduce the value of delayed response. The article shows that scam proceeds move through layered wallets, exchanges, and regional laundering channels that specialise in cash-out. That means the fraud lifecycle extends beyond the original identity deception and into transaction monitoring, beneficiary screening, and recovery workflows. Without faster detection and freezing, the attacker’s operational window is already over before investigation begins.

Practical implication: Fraud and identity teams should align with payments and AML functions on rapid freeze and tracing procedures.


Threat narrative

Attacker objective: The attacker aims to convert trust into immediate financial transfer and then move the proceeds through laundering infrastructure before the victim or exchange can intervene.

  1. Entry occurs through impersonation channels such as SMS phishing, fake support outreach, or cloned government and exchange websites that convince victims to start a conversation or submit credentials.
  2. Escalation happens when the attacker or scam operator uses that trusted interaction to redirect payments, capture wallet access, or move the victim into a fraudulent support workflow.
  3. Impact is realised when funds are transferred into laundering networks, mule paths, or exchange-based cash-out channels that make recovery slow and incomplete.

NHI Mgmt Group analysis

Impersonation fraud is becoming an identity governance problem, not just a fraud problem. The article shows that attackers succeed by hijacking trust in brands, support desks, and government channels. That means customer identity, support verification, and recovery procedures now sit inside the fraud attack surface. Practitioners should govern trusted interaction paths as carefully as authentication flows.

AI fraud scales because it compresses the cost of believable interaction. Deepfakes, synthetic support personas, and automated conversation loops do not replace social engineering, they industrialise it. The control gap is not only detection but assurance of who or what is on the other side of the exchange. Teams should treat AI-assisted impersonation as a live risk to account recovery and step-up verification.

Fraud infrastructure now behaves like a distributed non-human identity ecosystem. Phishing kits, laundering services, spam vendors, and shopper networks operate as reusable services with their own credentials, channels, and payment paths. That is a useful lens for identity teams because the abuse pattern resembles unmanaged NHI sprawl: many actors, many tokens, few durable controls. The practitioner conclusion is to govern the ecosystem, not the individual scam.

Verification trust gap: this article exposes the gap between a claimant being reachable and a claimant being genuine. Security and identity programmes often assume that a successful conversation, login prompt, or help-desk exchange proves legitimacy. The better assumption is that trust must be re-established at each high-risk step. Practitioners should redesign verification so that support and recovery never become the easiest route around authentication.

What this signals

Verification trust gap: fraud teams should expect attackers to keep targeting the seam between identity proofing and payment execution. The practical response is to make recovery, support, and payout actions harder to abuse than they are to complete, especially where social engineering can be industrialised through AI and phishing services.

The growing overlap between identity abuse and laundering means security leaders should not treat fraud as a front-end issue alone. Controls now need to span identity proofing, privileged support access, transaction screening, and rapid freeze capability, because the attacker’s workflow crosses all of them.

For identity programmes, the lesson is that trust signals decay faster than many governance models assume. When a brand, help desk, or platform is impersonated at scale, the control objective is to re-establish genuine identity at each sensitive step rather than rely on the original contact path.


For practitioners

  • Harden support and recovery verification Require stronger proofing for password resets, account recovery, and wallet-change requests, especially when the request follows an impersonation-style contact path. Use separate verification steps for high-value accounts and ensure support staff cannot override controls with a single conversation.
  • Instrument impersonation-detection signals Track brand impersonation, fake support domains, and suspicious contact patterns across SMS, email, and social channels. Pair that intelligence with takedown processes and user education so fraud teams can disrupt campaigns before victims move funds.
  • Align fraud response with AML freezing workflows Pre-agree escalation paths with payments, legal, and AML teams so suspicious transfers can be frozen or traced quickly. The article shows that laundering speed is a core part of the attack, so response must target the movement of funds as well as the initial deception.
  • Review privileged support access and customer data exposure Limit which internal roles can see sensitive customer details that would make impersonation more convincing. Protect service desk and CRM access with least privilege and strong logging, because insider-enabled detail exposure can turn an ordinary scam into a credible one.

Key takeaways

  • Crypto fraud has become an industrial supply chain, with impersonation, AI, phishing kits, and laundering services combining to drive larger losses.
  • The evidence points to a sharp conversion problem, with impersonation scams rising 1,400% and AI-assisted fraud producing materially higher returns than traditional scams.
  • Fraud defence now depends on identity verification, privileged support controls, and rapid fund-freezing workflows working together.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST SP 800-63, NIST CSF 2.0 and NIST AI RMF set the technical controls, while GDPR and ISO/IEC 27001:2022 define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST SP 800-63SP 800-63BThe article centres on identity verification and account recovery abuse.
NIST CSF 2.0PR.AC-1Fraud campaigns exploit weak identification and authentication paths.
GDPRArt.32Identity data and support records can be abused to enable impersonation.
ISO/IEC 27001:2022A.5.15Access control governance matters where support staff can expose or override identity data.
NIST AI RMFMANAGEAI-assisted fraud needs lifecycle controls over deceptive model use and human oversight.

Strengthen recovery and step-up verification so impersonation cannot bypass assurance requirements.


Key terms

  • Impersonation: Impersonation is a controlled administrative action that lets an authorised operator assume a user context for debugging or support. In a well-governed setup it preserves audit logging, limits exposure of credentials, and keeps production authentication separate from local troubleshooting.
  • Phishing-as-a-service: A criminal service model that packages phishing infrastructure, templates, delivery tools, and sometimes evasion features for reuse by multiple attackers. It lowers the skill threshold for advanced campaigns and makes targeted identity abuse more repeatable across victims and sectors.
  • Laundering Network: A laundering network is the set of wallets, accounts, exchanges, mule handlers, and cash-out services used to obscure and move criminal proceeds. In fraud cases, it is the mechanism that converts a successful scam into realised profit and often determines whether recovery is still possible.
  • Verification Trust Gap: The verification trust gap is the space between a system proving that someone can interact and proving that the person or system is genuine. Fraud attackers exploit that gap when a login, support exchange, or recovery flow is treated as sufficient evidence of legitimacy without re-assurance at the point of risk.

What's in the full report

Chainalysis' full report covers the operational detail this post intentionally leaves for the source:

  • Per-campaign laundering path analysis showing how scam proceeds move through exchanges, wallets, and regional cash-out services.
  • Breakdowns of the most active impersonation clusters, including the infrastructure patterns behind SMS and support-channel abuse.
  • On-chain evidence linking phishing kits, AI vendors, and laundering services to specific fraud ecosystems.
  • Case-by-case enforcement actions and seizure details that help investigators compare disruption strategies.

👉 Chainalysis' full report covers the laundering infrastructure, enforcement actions, and campaign-level attribution behind the fraud trends.

Deepen your knowledge

NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management. It helps practitioners connect identity control design to real-world abuse patterns across support, recovery, and access flows.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 12, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org