By NHI Mgmt Group Editorial TeamDomain: Cyber SecuritySource: ChainalysisPublished January 13, 2026

TL;DR: Crypto scams and fraud stole an estimated $17 billion in 2025, with impersonation scams growing 1400% year over year and AI-enabled scams proving 4.5 times more profitable than traditional scams, according to Chainalysis. The pattern is no longer isolated fraud but industrialized criminal infrastructure that security, fraud, IAM, and identity verification teams must treat as a governance problem, not a user-awareness problem.


At a glance

What this is: Chainalysis reports that crypto scams and fraud reached an estimated $17 billion in 2025, driven by rapid impersonation growth, AI-enabled deception, and industrialized laundering networks.

Why it matters: Fraud teams, IAM leads, and identity verification programmes need to account for how impersonation, insider access, and trust abuse now combine across digital channels and payment rails.

By the numbers:

👉 Read Chainalysis's 2026 Crypto Crime Report on AI-enabled scam growth


Context

Cryptocurrency fraud has moved beyond opportunistic scams into a repeatable business model built on impersonation, phishing infrastructure, AI-generated deception, and money-laundering services. The article shows how criminals now combine social engineering, technical tooling, and cross-border laundering to scale victim acquisition and cash-out.

For identity and fraud practitioners, the important shift is that trust exploitation now spans customer service, government impersonation, insider abuse, and digital-wallet handoff. That creates overlap between IAM, identity verification, PAM, and anti-fraud controls, because the attack surface is increasingly the relationship between claimed identity and trusted action rather than a single login event.


Key questions

Q: What fails when organisations rely on brand trust alone to verify payment requests?

A: Brand trust alone fails because attackers can imitate legitimate support, government, or financial communications well enough to trigger action before suspicion sets in. The control gap is not only authentication. It is channel assurance and step-up verification for risky requests. Organisations need to treat the request context as something that must be verified, especially when money movement or account recovery is involved.

Q: Why do impersonation scams create a governance problem for IAM teams?

A: Impersonation scams exploit the gap between identity proofing and authorised action. A user may be correctly authenticated while still being manipulated into approving a transfer or reset. IAM teams must therefore look beyond login controls and assess where recovery, support, and exception workflows can be abused to make fraudulent activity look legitimate.

Q: How can security teams spot scam activity before funds are lost?

A: Look for bursts of outbound contact, cloned websites, repeated payment-urgency language, unusual wallet changes, and beneficiary edits that do not match prior behaviour. Strong fraud detection combines channel telemetry, behavioural baselines, and transaction monitoring. The most useful signals usually appear before the victim completes the transfer, not after.

Q: Who is accountable when AI-driven fraud bypasses identity controls?

A: Accountability usually sits across IAM, fraud operations, and product security, because the failure spans authentication, session trust, and abuse response. If the organisation cannot explain why an automated actor was treated as trustworthy, the gap is governance, not just detection. That is the level leaders should review.


Technical breakdown

Why impersonation scams scale so quickly

Impersonation scams work because they weaponise familiar trust cues. Attackers pose as government agencies, customer support, or financial institutions, then use SMS, fake websites, and social engineering to create urgency. Once the victim accepts the premise, the scam no longer depends on malware alone. It depends on the victim authorising a transfer, revealing credentials, or routing funds to a wallet the attacker controls. The article shows that phishing-as-a-service and low-cost template marketplaces have collapsed the barrier to entry, making scam volume easier to scale than scam sophistication.

Practical implication: fraud and identity teams need controls that validate the legitimacy of contact channels, not just the legitimacy of the account holder.

How AI changes scam economics and identity verification

AI changes scams by making them faster to produce, harder to distinguish, and more personalized at scale. Deepfakes, voice cloning, and polished language can make fraudulent outreach feel operationally credible, especially in customer support and investment contexts. That does not replace classic social engineering. It amplifies it. The real effect is economic: criminals can run more campaigns, test more variants, and recover faster when one path fails. For identity verification, the issue is no longer simply verifying a face or name. It is proving that the interaction context, communication channel, and request are authentic.

Practical implication: identity verification programmes should add channel-integrity checks and step-up verification for high-risk transfers.

Why laundering networks matter to security governance

Modern scam operations are not only fraud events. They are end-to-end criminal supply chains. The article describes phishing vendors, mule activity, stablecoin settlement, and laundering services as a connected operating model. That matters because disruption opportunities exist at multiple points, from payment rails to account creation to transaction tracing. For governance teams, this means the control problem extends beyond preventing the initial scam. It includes detecting mule behaviour, verifying account provenance, and preserving evidence across jurisdictions.

Practical implication: security, fraud, and compliance teams should align around transaction tracing, mule detection, and account provenance controls.


Threat narrative

Attacker objective: The attacker objective is to convert trust into transferable value by moving victim funds into controlled wallets and laundering them through layered criminal infrastructure.

  1. Entry occurs through impersonation channels such as SMS phishing, fake websites, or insider-leaked contact data that make the scam appear legitimate.
  2. Escalation follows when the victim or compromised employee authorises transfers, shares account access, or moves funds to attacker-controlled wallets.
  3. Impact is realised through laundering networks, stablecoin movement, and cross-border cash-out that obscure attribution and make recovery harder.

NHI Mgmt Group analysis

Impersonation fraud is now an identity governance problem, not just a fraud problem. When a scam succeeds because the victim trusts a brand, support desk, or government message, the control failure sits in identity assurance and channel verification as much as in fraud analytics. That boundary matters for IAM and identity verification teams because the question becomes whether an interaction can be trusted before any payment or credential event occurs. Practitioners should treat impersonation as a governance issue across identity, communications, and payout controls.

AI has reduced the cost of believable deception more than it has increased the sophistication of the underlying attack. Deepfakes, templated phishing, and automated messaging make it cheaper to manufacture credibility, which means more attempts, more variants, and faster scam iteration. The field should stop treating AI fraud as a niche innovation and start treating it as an industrial scaling layer for existing social engineering patterns. Practitioners should respond by tightening verification on high-risk interactions rather than relying on user judgement alone.

Identity proofing and customer support controls are converging. The article highlights insider abuse, impersonation, and support-channel exploitation as part of the same threat pattern. That means authentication strength alone is not enough if a support process can override it too easily. For IAM, PAM, and verification leaders, the governance gap is often delegated trust without lifecycle control. Practitioners should map where support staff, recovery workflows, and exception handling can authenticate a fraudster as if they were the customer.

Criminal infrastructure is now the unit of analysis. The most useful concept here is fraud-as-a-service convergence: phishing kits, AI tooling, laundering services, mule activity, and account resale now operate as one supply chain. That convergence changes how defenders should model the threat, because disruption at a single point is rarely enough. Practitioners should assume the scam ecosystem will adapt unless they can break multiple links in the chain at once.

Record seizures show that on-chain traceability is becoming a real defensive lever. The enforcement cases in the article demonstrate that laundering networks leave evidence even when scams are transnational and industrialised. That should encourage security, fraud, and compliance teams to design for traceability, preservation, and cross-functional escalation rather than treating post-fraud recovery as an afterthought. Practitioners should align incident response with financial tracing and evidence retention.

What this signals

Fraud programmes should now be designed around trust-path verification. The control question is no longer only whether a customer is legitimate. It is whether the communication channel, support path, and transaction request are legitimate at the same time. That pushes fraud operations closer to IAM, PAM, and verification controls, because a trusted identity can still be a fraudulent request. The governance model should therefore treat exception handling as a risk surface, not an operational convenience.

The next maturity step is to connect fraud analytics to identity lifecycle and recovery controls. Where support teams can reset access, rebind devices, or override verification, attackers will keep looking for the weakest procedural edge. Programmes that align transaction monitoring with account recovery governance will be better positioned to disrupt impersonation at the point of decision, not after the cash-out.


For practitioners

  • Tighten high-risk transfer verification Require secondary verification for wallet changes, urgent payment requests, and account recovery actions, especially when the request originates from SMS, chat, or voice support. Use out-of-band confirmation for any transfer that exceeds normal behavioural patterns.
  • Harden support and recovery workflows Review customer-support and help-desk procedures that can override MFA, reset access, or redirect funds. Remove single-step exception paths and require supervisor approval plus immutable logging for recovery actions.
  • Detect impersonation patterns across channels Correlate phone, SMS, email, and web activity to identify repeated domain patterns, cloned templates, and outbound message bursts that match scam infrastructure. Feed this into fraud rules and takedown workflows.
  • Instrument mule and laundering detection Add behavioural signals for mule accounts, rapid beneficiary changes, layered crypto movement, and repeated cash-out patterns across exchanges and wallets. Coordinate fraud, AML, and security teams so alerts are triaged together.
  • Preserve evidence for cross-border tracing Retain message metadata, login events, transfer details, and wallet addresses in a form that supports law enforcement tracing and asset freezing. The value of later recovery depends on clean evidence now.

Key takeaways

  • Crypto fraud has become an industrialised identity and trust abuse problem, not a collection of isolated scams.
  • The 2025 numbers show both scale and efficiency, with AI-enabled deception, impersonation growth, and cheap phishing infrastructure all increasing attacker return.
  • Practitioners need to align fraud, IAM, verification, and recovery controls so that legitimacy is checked across the entire request path.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST SP 800-63 set the technical controls, while GDPR define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-1Identity proofing and access assurance are central to impersonation-fraud resistance.
NIST SP 800-53 Rev 5IA-2Authentication alone is insufficient when attackers exploit support and recovery paths.
GDPRArt.32Fraud cases often involve personal data misuse and identity-related processing.
NIST SP 800-63SP 800-63AIdentity proofing is relevant where attackers impersonate users through support channels.

Treat support and recovery data as protected information and apply security controls proportionately.


Key terms

  • Impersonation: Impersonation is a controlled administrative action that lets an authorised operator assume a user context for debugging or support. In a well-governed setup it preserves audit logging, limits exposure of credentials, and keeps production authentication separate from local troubleshooting.
  • Scam-as-a-Service: Scam-as-a-Service is a fraud model where tools, templates, infrastructure, and distribution methods are packaged for repeated abuse. It lowers the cost of impersonation and phishing, making it easier for attackers to rotate domains, copy interfaces, and scale campaigns against identity journeys.
  • Identity proofing: The process of verifying that a person is who they claim to be before granting or restoring access. In higher-risk recovery paths, proofing can include stronger evidence checks such as government ID validation or liveness-based facial verification so the assurance level matches the sensitivity of the request.
  • Mule Account: A mule account is an identity or account used to receive, move, or obscure illicit funds on behalf of another party. In financial crime operations, it is the bridge between the initial deception and the laundering phase, often appearing legitimate until behavior reveals coordination.

What's in the full report

Chainalysis's full report covers the operational detail this post intentionally leaves for the source:

  • Per-scam category breakdowns that show how impersonation, pig butchering, and investment fraud differ in monetisation paths.
  • Operational examples of phishing-as-a-service, fake websites, and laundering services that underpin the criminal supply chain.
  • Case detail on the E-ZPass campaign, Coinbase impersonation, and major law-enforcement seizures.
  • On-chain tracing context that shows how investigators linked scam clusters to laundering networks and criminal infrastructure.

👉 Chainalysis's full report covers the scam typologies, laundering patterns, and enforcement cases in more detail.

Deepen your knowledge

The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, secrets management, and workload identity for practitioners responsible for access and trust decisions. It gives security teams a practical foundation for governing machine identities alongside human identity programmes.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org