By NHI Mgmt Group Editorial Team | Published 2026-06-08 | Domain: Governance & Risk | Source: SumSub

TL;DR: Crypto scams are getting more sophisticated as AI, fraud-as-a-service networks, and cross-border operations raise the bar for exchanges and investigators, according to SumSub. The identity lesson is that trust in digital financial systems now depends on stronger user education, better fraud detection, and tighter collaboration across security and law enforcement.


At a glance

What this is: This is a podcast discussion about how crypto fraud is evolving and how exchanges are responding with investigation, analytics, and user education.

Why it matters: It matters to IAM practitioners because fraud prevention in crypto increasingly depends on identity proofing, trust signals, and lifecycle controls that span human users, investigators, and platform access.


Context

Crypto fraud is no longer just a problem of stolen funds or bad passwords. As scams become more organised and AI gives fraudsters better tooling, the operational question shifts to how platforms establish trust, detect abuse, and keep users safe before harm spreads.

The discussion centers on Coinbase’s fraud investigations, collaboration with law enforcement, and the role of education in reducing victimisation. For identity teams, the broader lesson is that security programmes cannot treat trust as a one-time login event. They have to connect identity verification, behavioural signals, and response workflows across the full user journey.


Key questions

Q: How should crypto platforms reduce scam losses without slowing legitimate users?

A: Use layered controls that combine identity verification, behavioural signals, and transaction risk scoring at the moment of action. The goal is not to block every unusual event, but to intervene when user intent and fraud indicators diverge. High-risk prompts, transfer friction, and fast manual review can reduce loss while preserving normal user flow.

Q: Why do pig butchering scams remain effective even with stronger security controls?

A: They exploit trust formation, not just technical gaps. Victims are persuaded over time, often through repeated contact and social engineering, so the decisive failure is usually behavioural rather than purely authentication-related. That is why controls must focus on contextual risk, user education, and timely intervention when a transfer is about to happen.

Q: How can teams tell whether fraud education is actually working?

A: Look for operational outcomes, not attendance metrics. Effective education reduces high-risk transfers, increases user hesitation when warnings appear, and improves escalation quality when suspected scams are reported. If completion rates rise but suspicious activity still converts, the programme is informational, not protective.

Q: Who should own fraud response when crypto scams cross platform and law-enforcement boundaries?

A: Ownership should sit with a coordinated response model that includes security, investigations, compliance, and legal teams. Internal analysts need clear authority to preserve evidence, escalate suspicious patterns, and coordinate external referrals. The key is documented handoff, because identity abuse in crypto often spans multiple jurisdictions and actors.


Technical breakdown

Pig butchering scams and fraud-as-a-service networks

Pig butchering is a long-con fraud pattern where attackers build trust over time before pushing victims into fake investment activity or asset transfers. Fraud-as-a-service turns that playbook into a scalable criminal supply chain, with shared tooling, scripts, and laundering methods that reduce attacker effort and increase volume. In crypto environments, the attack is not only technical. It exploits human trust, identity confirmation gaps, and the speed of irreversible transactions. The practical challenge is to correlate user behaviour, transaction context, and account history quickly enough to interrupt the scam before the transfer becomes unrecoverable.

Practical implication: build fraud workflows that combine identity signals, transaction risk, and behavioural anomaly detection before funds move.

Blockchain analytics and investigator-led response

Blockchain analytics helps trace wallet activity, cluster related addresses, and identify movement patterns that would be hard to see through manual review alone. But analytics is only useful when paired with human investigation, because attribution, escalation, and coordination with external agencies still require judgement. In practice, this is a blend of machine-assisted detection and identity-led response. The important governance point is that visibility does not equal control: seeing the trail is not the same as stopping the abuse. Teams need clear handoffs between detection, investigation, and containment.

Practical implication: define escalation paths that move from analytics findings to investigator action and law-enforcement coordination without delay.

Education as a control layer for crypto trust

User education in crypto should be treated as a control layer, not a side campaign. When scams depend on urgency, impersonation, and manipulated confidence, the platform’s ability to shape user behaviour becomes part of the defence model. Education works best when it is specific to active scam patterns and delivered at the moment risk appears, not as a generic awareness message. That makes it closer to contextual trust guidance than broad security training. The governance implication is that platforms need repeatable, measurable intervention points across the user lifecycle.

Practical implication: embed scam-warning prompts, high-risk transfer nudges, and plain-language guidance into the user journey where fraud decisions actually happen.



NHI Mgmt Group analysis

Crypto fraud is becoming an identity governance problem, not just an anti-scam problem. The article shows that attackers succeed by manipulating trust, identity cues, and user behaviour across a distributed financial environment. That moves the issue beyond simple account security and into the lifecycle of how platforms prove, monitor, and respond to identity risk. The practitioner conclusion is that crypto safety now depends on identity controls that can operate at transaction speed.

Education only works when it is timed to the point of risk. Generic awareness campaigns do little against pig butchering and fraud-as-a-service because the decision to trust happens in context, often under pressure. The stronger model is contextual intervention, where warning signs appear exactly when a user is about to act. The practitioner conclusion is that awareness must be operationalised as a control, not measured as a communications exercise.

Fraud investigation now sits at the intersection of identity, transaction telemetry, and external coordination. The episode points to a model where blockchain analytics, human investigators, and law enforcement each cover a different part of the response chain. That matters because no single signal is enough to establish intent, attribution, or containment on its own. The practitioner conclusion is that crypto platforms need governance for evidence handoff as much as for access control.

Fraud-as-a-service creates a reuse problem that identity teams cannot ignore. Criminal operators scale by reusing infrastructure, methods, and sometimes compromised identities across campaigns. That makes the underlying challenge less about one scam and more about repeated abuse of the same trust assumptions. The practitioner conclusion is that teams should treat patterned fraud activity as a lifecycle and attribution issue, not just an individual event.

What this signals

Trust is now a runtime control problem. Crypto platforms cannot rely on identity proofing at enrolment alone, because fraud pressure appears later, often at the moment of transfer. The programme implication is to treat warnings, review gates, and analyst escalation as part of the identity control plane, not as afterthoughts.

Fraud-as-a-service makes repetition the signal. When the same social engineering patterns, wallet paths, and laundering behaviours recur, teams should look for clustered abuse rather than isolated incidents. That is where case management, telemetry retention, and cross-team correlation become the practical differentiators, especially when paired with broader control baselines such as the NIST Cybersecurity Framework 2.0.

Identity telemetry should be tuned to intervention, not just detection. The presence of a suspicious pattern is only useful if it changes a decision before money leaves the platform. Teams that can measure interruption rate, investigator turnaround, and escalation quality will learn faster than teams reporting only alert counts.


For practitioners

  • Map scam detection to identity lifecycle checkpoints: Identify where onboarding, authentication, transfer approval, and account recovery create the highest fraud exposure, then place controls and review points around those transitions.
  • Add context-aware warnings before high-risk transfers: Trigger plain-language prompts when the user is about to move funds to a new wallet, a first-time counterparty, or an unusually high-value destination.
  • Tighten investigator handoffs and evidence logging: Document who can escalate a case, what telemetry is preserved, and when law-enforcement referrals are made so response actions remain traceable.
  • Measure fraud controls by interruption rate, not awareness volume: Track how often warnings, reviews, and manual interventions stop a suspicious transfer before completion instead of relying on training completion metrics.
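
The warning triggers and the interruption-rate metric from the list above, as an added example (not code from SumSub, Coinbase or NHI Mgmt Group): it maps the three triggers to a graduated warn, delay or escalate response and computes the share of intervened transfers that never completed. The thresholds, field names and sample data are assumptions.

```python
from dataclasses import dataclass
from statistics import median

# Assumed thresholds; tune against your own loss and false-positive data.
HIGH_VALUE_MULTIPLE = 5      # "unusually high" = 5x the user's median past transfer
NEW_WALLET_DAYS = 7          # wallet first seen on-platform within the last week

@dataclass
class Transfer:
    dest: str                # destination wallet address
    amount: float
    dest_age_days: int       # days since the platform first saw this wallet

def signals(t: Transfer, past: list) -> list:
    """Return the risk signals present for transfer t given the user's history."""
    found = []
    if t.dest_age_days < NEW_WALLET_DAYS:
        found.append("new_wallet")
    if all(p.dest != t.dest for p in past):
        found.append("first_time_counterparty")
    if past and t.amount >= HIGH_VALUE_MULTIPLE * median(p.amount for p in past):
        found.append("unusually_high_value")
    return found

def intervention(found: list) -> str:
    """Graduated response: more co-occurring signals means more friction."""
    return ("allow", "warn", "delay", "escalate")[len(found)]

def interruption_rate(outcomes: list) -> float:
    """Share of intervened transfers (action != allow) that did not complete."""
    intervened = [done for action, done in outcomes if action != "allow"]
    return intervened.count(False) / len(intervened) if intervened else 0.0

# Constructed sample data: one user's history and three pending transfers.
HISTORY = [Transfer("wA", 100.0, 400), Transfer("wB", 150.0, 300),
           Transfer("wA", 120.0, 400)]
PENDING = [Transfer("wA", 110.0, 400),      # routine
           Transfer("wC", 130.0, 200),      # first-time counterparty only
           Transfer("wD", 5000.0, 2)]       # new wallet, first time, high value

if __name__ == "__main__":
    for t in PENDING:
        found = signals(t, HISTORY)
        print(t.dest, intervention(found), found)
    # Constructed outcomes: (action taken, transfer completed?)
    print(interruption_rate([("warn", True), ("delay", False),
                             ("escalate", False), ("allow", True)]))
```
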

Key takeaways

  • Crypto fraud now depends on trust manipulation across the user journey, which makes identity and behaviour controls part of the defence model.
  • Investigation is only effective when analytics, human review, and external coordination are tied into a traceable response chain.
  • Platforms should measure fraud controls by how often they stop suspicious transfers, not by how many awareness messages were delivered.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| NIST CSF 2.0 | PR.AC-4 | Fraud controls depend on limiting and verifying access at risky user actions. |
| NIST CSF 2.0 | DE.CM-1 | Continuous monitoring is needed to spot scam patterns before funds move. |
| NIST Zero Trust (SP 800-207) | SA.ZT-1 | Zero trust helps frame continuous verification during sensitive financial actions. |

Tie high-risk transfer checks and analyst review to access decisions and escalation paths.


Key terms

  • Pig Butchering: A long-con fraud pattern where the attacker builds trust over time before persuading the victim to transfer money or assets. The scam often combines social engineering, impersonation, and urgency. In crypto settings, the impact is amplified because transfers are fast, irreversible, and difficult to unwind once completed.
  • Fraud-as-a-Service: A criminal operating model where scams are packaged, shared, and resold like a service. It lowers the barrier to entry for attackers by reusing scripts, infrastructure, and laundering methods. For defenders, it means isolated incidents are often symptoms of a repeatable abuse ecosystem rather than one-off fraud.
  • Identity Trust Signal: Any signal that helps a platform judge whether a user, account, or action is genuine enough to proceed safely. These signals can include behavioural history, device context, transaction patterns, and verification status. Strong programmes use them together, not as single-point proof.
  • Contextual Intervention: A control pattern that intervenes when risk is present in the moment of action rather than during a separate training or review cycle. It uses the user’s current behaviour, the transaction context, and the asset at risk to decide whether to warn, delay, or escalate. That timing makes it far more effective than generic awareness alone.

This post draws on content published by SumSub: an episode on how Coinbase investigates scams, protects privacy, and partners with law enforcement.
