By NHI Mgmt Group Editorial TeamPublished 2026-05-07Domain: Cyber SecuritySource: Chainalysis

TL;DR: Unusual company connections around the payment infrastructure emerged in FutureNet’s Ponzi structure, which relied on standard victim recruitment and cryptocurrency payment flows, according to Chainalysis. The case shows how fraud operations can hide behind legitimate-looking rails, making transaction tracing and entity attribution essential for investigators.


At a glance

What this is: This is an analysis of the FutureNet Ponzi scheme and the unusual company links Chainalysis says supported its cryptocurrency payment infrastructure.

Why it matters: It matters because fraud teams, financial crime investigators, and identity governance practitioners need to understand how payment rails, entity relationships, and trust signals can be abused to scale deception.

👉 Read Chainalysis' analysis of the FutureNet Ponzi scheme and payment infrastructure


Context

Cryptocurrency-enabled fraud often looks ordinary at the surface: victims are promised returns, then pressured to recruit others while payments move through apparently normal channels. The governance gap is not just financial loss, but weak visibility into who is behind the payment infrastructure and how trust is being manufactured across entities.

For identity and fraud teams, the important intersection is not only transaction tracing, but the identity of the entities and accounts facilitating the scheme. When a scam depends on third-party companies to move value, investigators need to treat those counterparties as part of the control surface, not just the payment flow.


Key questions

Q: How should fraud teams investigate crypto scams that use multiple companies?

A: Fraud teams should build a single case file that links wallets, domains, payment processors, and company records. The point is to identify the operational chain behind the scam, not just the victim transactions. That approach helps distinguish isolated activity from an organised fraud infrastructure and supports stronger attribution decisions.

Q: Why do Ponzi schemes often use referral incentives?

A: Referral incentives turn victims into a distribution channel, which lowers acquisition costs and expands reach without traditional advertising. They also create social proof, because new participants see apparent momentum created by existing victims. That makes the scam harder to challenge early and increases the volume of funds entering the scheme.

Q: What breaks when investigators focus only on transaction tracing?

A: They miss the enabling infrastructure that makes the fraud durable. Wallet tracing shows movement, but it does not fully explain who controls the websites, payment relationships, or administrative accounts behind the operation. Without OSINT and entity resolution, investigators can identify the flow while leaving the operational network intact.

Q: Who is accountable when a scam uses associated companies to move funds?

A: Accountability sits with the operators, facilitators, and any counterparties that knowingly enable the scheme. From a governance perspective, firms that provide payment, hosting, or administrative support should expect scrutiny over onboarding, due diligence, and ongoing monitoring. The right control question is whether the relationship was validated before it was trusted.


Technical breakdown

How blockchain analysis exposes hidden payment relationships

Blockchain analysis links wallet activity, transaction timing, and reuse patterns to infer how funds move across an operation. In fraud cases, investigators often combine on-chain evidence with open source intelligence to connect wallets to entities, websites, or service providers that were not obvious from the transaction record alone. The key analytical value is correlation, not certainty: a single wallet rarely proves control, but repeated routing behaviour, funding patterns, and reuse of infrastructure can strengthen attribution. This matters because scam operators depend on making legitimate rails look ordinary enough to avoid scrutiny.

Practical implication: investigators should correlate wallet data with OSINT, not rely on transaction history alone.

Why company relationships matter in crypto fraud investigations

Fraud schemes often depend on a broader ecosystem of exchanges, payment processors, shell entities, and service providers that obscure operational control. If those relationships are not mapped, the investigation stays focused on victims and wallet addresses while the enabling infrastructure remains opaque. For identity practitioners, this is a trust and governance problem as much as an anti-fraud problem: counterparties, accounts, and administrative relationships can become the hidden control layer behind the scheme. That is why entity resolution is central to modern crypto investigations.

Practical implication: map counterparties and administrators as part of every fraud review, not just the wallets involved.

Why recruitment-driven Ponzi models amplify the attack surface

Ponzi schemes using referral incentives turn victims into distribution channels, which expands reach without needing a traditional malware campaign or credential theft. The fraud surface grows through social trust, not technical compromise. That changes the control model: detection depends on behavioural patterns, payment clustering, and entity linkage rather than endpoint telemetry or authentication logs. In practice, this means financial crime teams and trust-and-safety functions need signals from transactions, websites, and messaging channels working together.

Practical implication: pair transaction monitoring with behavioural and communication-pattern analysis to catch recruitment-based fraud earlier.


Threat narrative

Attacker objective: The objective is to collect victim funds at scale while obscuring the infrastructure and counterparties that enable the fraud.

  1. Entry begins with a cryptocurrency investment pitch that persuades victims to fund the scheme and recruit others into the network.
  2. Escalation occurs as the operation uses associated companies and payment infrastructure to move value in ways that make the fraud harder to attribute.
  3. Impact is sustained victim loss, wider distribution through referral recruitment, and reduced transparency around the entities behind the scam.

NHI Mgmt Group analysis

Company identity is part of the attack surface in crypto fraud. Chainalysis’ framing suggests the central question is not only where funds move, but which entities are operationally enabling the movement. That pushes investigations beyond wallet attribution into counterparty governance, administrative ownership, and service-provider relationships. For investigators, the lesson is to treat entity identity as evidence, not background.

Trust laundering is the right concept for schemes that use legitimate-looking companies to normalise fraudulent payment activity. Fraud operators do not need to break authentication when they can borrow legitimacy from adjacent infrastructure. Once payment rails, websites, and business relationships appear routine, victims and even investigators can be slowed by the surrounding normality. Practitioners should look for the trust boundary, not just the transaction path.

Blockchain analysis and OSINT are complementary controls, not competing methods. On-chain tracing identifies movement patterns, while open source intelligence helps bind those patterns to real-world entities and behaviours. That combination is especially valuable in cross-border fraud cases where legal ownership, operational control, and payment facilitation are intentionally separated. For financial crime teams, the practical conclusion is to fuse evidence streams before drawing attribution conclusions.

Fraud governance needs an identity lens when companies facilitate payments. If a scheme uses associated companies to support transfers, the governance failure is not merely financial opacity, but inadequate validation of counterparties and their control relationships. That is where identity verification, due diligence, and account governance intersect with anti-fraud work. Practitioners should expand review beyond customer identity to the identity of the infrastructure providers around the flow.

Future crypto fraud investigations will be judged by entity resolution quality, not just tracing speed. The organisations that can connect wallets, domains, employees, and counterparties into a single evidence graph will move faster and produce stronger cases. Speed matters, but precision matters more when the goal is to show how the scheme was operationalised. Investigators should build for linkage quality, not just alert volume.

What this signals

Crypto fraud programs should expect more cases where the real issue is not just stolen value, but the identity of the entities that make the flow possible. That shifts the operating model toward entity resolution, counterparties, and trust boundary analysis rather than isolated wallet investigation.

Entity resolution debt: when organisations cannot consistently link wallets, domains, administrators, and companies into one case graph, they will keep missing the operational structure behind scams. For teams investigating crypto fraud, the next control improvement is not more alerts, but better linkage across evidence sources.


For practitioners

  • Map counterparties behind payment flows Build an evidence model that records exchanges, processors, hosters, and shell entities connected to suspicious wallet activity. The goal is to identify who can move funds, who administers the infrastructure, and where trust is being borrowed from legitimate services.
  • Correlate blockchain data with OSINT Pair wallet tracing with domain records, website content, messaging channels, and company registration data. Use the combined view to test whether multiple entities are acting as a single operational fraud layer.
  • Review referral mechanics as a risk signal Flag investment schemes that reward recruiting others, because referral incentives often indicate a pyramid-style distribution model. Escalate cases where payments, messaging, and onboarding behaviour all reinforce the same recruitment loop.
  • Strengthen counterparty due diligence Require explicit validation of service providers and administrators involved in payment processing, especially where entity ownership is unclear. In fraud programs, the identity of the enabling company can be as important as the identity of the customer.

Key takeaways

  • FutureNet illustrates a fraud pattern where payment infrastructure and entity relationships matter as much as the victim-facing scam narrative.
  • Blockchain analysis becomes materially stronger when it is combined with OSINT, company records, and counterparty mapping.
  • Fraud teams should prioritise entity resolution and trust-boundary review before they treat crypto cases as simple transaction problems.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the technical controls, while GDPR define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0ID.AM-1Entity and asset mapping is central to tracing crypto fraud infrastructure.
NIST SP 800-53 Rev 5AU-6Audit review supports evidence correlation across blockchain and OSINT sources.
CIS Controls v8CIS-3 , Data ProtectionData collection and correlation are needed to preserve fraud evidence integrity.
GDPRArt.32Where personal data is processed in investigations, secure handling of evidence matters.

Protect and retain fraud evidence datasets so wallet, domain, and entity links remain usable in investigations.


Key terms

  • Blockchain Analysis: Blockchain analysis is the process of tracing cryptocurrency transactions to identify patterns, link related wallets, and support investigative conclusions. It combines ledger data with contextual evidence so analysts can infer behaviour, relationships, and possible control of funds across a scheme.
  • Entity Resolution: Entity resolution is the practice of determining which records, wallets, domains, accounts, or organisations belong to the same real-world actor. In fraud investigations, it reduces blind spots by connecting technical evidence to operational identities and support structures.
  • Referral Fraud: Referral fraud is a scam pattern that uses incentives for recruiting new participants to grow the scheme quickly. The model relies on social trust and distribution loops, which makes it harder to distinguish from legitimate network effects until losses become visible.

What's in the full report

Chainalysis' full crypto crime intelligence brief covers the operational detail this post intentionally leaves for the source:

  • Wallet clustering, transaction tracing, and the blockchain evidence that supported the attribution.
  • The open source intelligence signals used to connect FutureNet activity to associated companies.
  • The investigative logic behind the claim that the payment infrastructure was part of the scam's operating model.
  • Additional context on what the findings may mean for broader cryptocurrency ecosystem risk.

👉 The full Chainalysis brief covers the blockchain evidence, OSINT findings, and company connections in more detail.

Deepen your knowledge

NHI Mgmt Group covers identity security, NHI governance, and agentic AI through independent research, practitioner guides, and the NHI Foundation Level course. Explore nhimg.org for resources that connect identity governance to the broader security disciplines your programme depends on.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-05-07.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org