By NHI Mgmt Group Editorial TeamDomain: Identity Beyond IAMSource: RiskifiedPublished November 12, 2025

TL;DR: Stablecoin transactions were found to be twice as risky as other payment types across Riskified’s global network, while account takeovers, credential stuffing, SIM swapping, and phishing remain the main upstream attack paths. Stable value increases fraudsters’ ROI and reduces recovery time, making identity behaviour and transaction controls the decisive defence, according to Riskified.


At a glance

What this is: Stablecoins lower payment volatility but increase fraud appeal by combining predictable value, liquidity, and weak recovery paths.

Why it matters: This matters to IAM, fraud, and identity teams because the highest-risk control failures sit upstream in identity verification, account takeover prevention, and behavioural monitoring rather than in the payment rail itself.

By the numbers:

👉 Read Riskified's analysis of stablecoin fraud risk and account takeover exposure


Context

Stablecoins are a fraud problem as much as a payments innovation problem. The article’s core claim is that lowering price volatility makes crypto easier to use, but it also makes stolen value easier to monetise and harder to unwind. In practice, that shifts the control burden toward identity assurance, behavioural detection, and account protection rather than payment mechanics alone.

For IAM and fraud teams, the relevant question is not whether stablecoins will gain adoption, but whether the surrounding identity controls can absorb the speed of that adoption. Account takeover, credential stuffing, phishing, SIM swapping, and mule activity are all identity-linked paths, which means the stablecoin risk surface intersects directly with customer authentication, step-up verification, and fraud telemetry.


Key questions

Q: What breaks when stablecoin fraud controls rely only on transaction monitoring?

A: Transaction monitoring alone fails when the attacker has already taken over a legitimate account. By the time a transfer looks suspicious, the damage may be irreversible because stablecoins move quickly and can be off-ramped through multiple wallets. Effective defence has to start earlier with authentication, recovery, and behavioural risk detection.

Q: Why do stablecoins increase the value of account takeover for fraudsters?

A: Stablecoins combine predictable value with fast monetisation, so a compromised account can be drained and converted before a victim or platform can react. That makes account takeover a higher-return attack than it is in many other payment contexts. The attacker is buying speed, liquidity, and reduced traceability.

Q: How should fintech teams measure whether identity controls are working for stablecoin risk?

A: Look for declining successful login abuse, reduced recovery-channel compromise, fewer suspicious first-time transactions, and lower mule-linked off-ramp activity. If fraud losses are falling but account takeover attempts are still rising, the controls may be detecting only after compromise rather than preventing it.

Q: Who is accountable when stablecoin fraud escapes into cross-border off-ramps?

A: Accountability is shared across fraud, IAM, compliance, and operations because the failure usually spans identity proofing, authentication, transaction review, and beneficiary monitoring. Frameworks such as KYC and AML obligations, combined with internal access and monitoring controls, should define who owns each stage of the response.


Technical breakdown

Why stablecoin liquidity changes fraud economics

Stablecoins reduce the price volatility that made many people treat crypto as a speculative asset, but they preserve the properties criminals care about: portability, fast settlement, and a near-instant conversion path. That changes fraud economics. A stolen asset that keeps its value and can be moved quickly is more attractive than one whose value may fall before it can be laundered. The result is a shorter attacker decision cycle and a narrower recovery window for defenders. The control problem is therefore not just transaction screening, but limiting the time between account compromise, asset movement, and off-ramp completion.

Practical implication: Treat stablecoin flows as a time-sensitive identity and fraud problem, not only a payments risk.

Account takeover as the upstream control failure

The article identifies account takeover as the most damaging upstream risk because once an attacker controls a wallet or exchange account, draining funds becomes operationally simple. The common entry paths are credential stuffing, SIM swapping, and phishing, which are all identity compromise patterns rather than payment flaws. This matters because the weak point is often authentication resilience, session control, and recovery workflows. If MFA enrollment, account recovery, or step-up checks can be bypassed, the fraud loss often happens before any transaction rule has a chance to fire.

Practical implication: Harden authentication, recovery, and session controls before relying on downstream transaction rules.

KYC and AML gaps widen off-ramp exposure

Stablecoin laundering depends on moving funds through wallets and exchanges until the original source is obscured. Weak or inconsistent KYC and AML standards across jurisdictions make that easier, especially when synthetic identities or mule networks are used to fragment ownership and movement patterns. The control challenge is not only identifying a suspicious transaction, but linking identities, devices, behaviours, and beneficiary relationships across channels and geographies. That is where fraud operations, identity verification, and compliance telemetry need to converge.

Practical implication: Correlate identity verification with behavioural signals and off-ramp monitoring to reduce laundering success.


Threat narrative

Attacker objective: The attacker wants to convert a legitimate stablecoin balance into untraceable value before the victim or platform can recover control.

  1. Entry occurs through credential stuffing, SIM swapping, or phishing that compromises a legitimate wallet or exchange account.
  2. Escalation follows when the attacker passes or bypasses account recovery and two-factor checks, then gains control of the balance.
  3. Impact occurs when funds are drained, converted, or routed through mule networks and off-ramps before investigators can trace them.

NHI Mgmt Group analysis

Stablecoin fraud is an identity assurance problem disguised as a payments story. The article correctly shows that value stability increases criminal ROI, but the more important governance point is that the primary compromise path is still identity-led. Credential stuffing, phishing, SIM swapping, and account recovery abuse all sit upstream of the transaction. For practitioners, that means stablecoin controls must start with identity verification, not end with payment screening.

Account takeover risk becomes more severe when the asset can be monetised instantly. In traditional card fraud, the attacker often needs a chain of conversion steps before cash-out. Stablecoins shorten that chain and remove much of the friction that normally buys defenders time. The practical conclusion is that session risk, device intelligence, and step-up authentication need to be tuned for asset mobility, not just login success.

Stablecoin platforms inherit a KYC and AML trust problem across jurisdictions. The article’s off-ramp discussion shows that fragmented standards create blind spots that synthetic identities and mule networks can exploit. This is where identity verification, fraud operations, and compliance need a shared view of the same actor. Practitioners should treat inconsistent onboarding and weak beneficiary visibility as the same governance failure, not separate issues.

Identity behaviour has become a core fraud signal for digital asset ecosystems. A wallet balance is no longer enough to assess risk because the decisive question is whether the account holder, device, and behaviour pattern match the expected customer. That pushes identity telemetry into the centre of fraud governance, especially where high-velocity settlement compresses intervention time. Teams should build controls around behaviour drift, not just static account attributes.

What this signals

Stablecoin growth will force fraud programmes to become more identity-centric, because the main losses will emerge from account takeover, recovery abuse, and mule-enabled off-ramping rather than from the asset itself. That makes behavioural telemetry, step-up authentication, and beneficiary intelligence essential control layers for any platform handling fast-settling digital value.

Recovery-path exposure: the weakest point is often not the initial password challenge but the account reset journey, where attackers can exploit SIM swaps, phishing, or weak proofing. Platforms should map that journey against identity assurance controls and align it with guidance from NIST Cybersecurity Framework 2.0 and NIST SP 800-53 Rev 5 Security and Privacy Controls.


For practitioners

  • Strengthen account recovery controls Require recovery-step verification that is independent of the original login channel, and deny high-risk recovery paths such as SIM-based resets without additional proofing and device history.
  • Add behavioural risk scoring to wallet access Combine device reputation, geo-velocity, session anomalies, and prior fraud exposure so that suspicious logins trigger step-up checks before stablecoin transfer approval.
  • Set policy limits for stablecoin purchases and transfers Use transaction thresholds, beneficiary cooldowns, and velocity rules to slow cash-out attempts while preserving normal customer activity.
  • Link identity verification to off-ramp monitoring Correlate KYC results, wallet history, mule indicators, and cross-border movement patterns so suspicious beneficiaries can be blocked before funds leave the platform.

Key takeaways

  • Stablecoins reduce value volatility, but they increase the attractiveness of fraud because criminals can move predictable value quickly.
  • The biggest losses start upstream in account takeover, where credential stuffing, phishing, and SIM swapping bypass the controls that should protect wallet access.
  • Fraud teams need identity behaviour, recovery hardening, and off-ramp monitoring to shorten the attacker’s monetisation window.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the technical controls, while GDPR define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AA-1Identity proofing and access assurance are central to stablecoin account protection.
NIST SP 800-53 Rev 5IA-2Authentication controls are the primary barrier against account takeover.
GDPRArt.32Identity and fraud data used for KYC and monitoring must be protected appropriately.

Map wallet and recovery flows to PR.AA-1 and raise assurance before high-value transfers.


Key terms

  • Account Takeover: Account takeover is the unauthorised seizure of a legitimate user account after an attacker defeats or bypasses authentication. In digital asset environments, it is especially dangerous because access can be converted into immediate value movement, often before the victim or platform can intervene.
  • Off-Ramp: An off-ramp is the point where digital assets are converted back into fiat currency or moved into a form that is easier to spend or launder. Weak visibility at the off-ramp makes fraud recovery difficult because the asset can leave the controlled environment very quickly.
  • KYC And AML: Know Your Customer and Anti-Money Laundering controls are the identity and transaction checks used to verify who is using a financial service and whether the activity looks illicit. In stablecoin programmes, these controls need to work together because identity fraud and cash-out laundering are closely linked.
  • Behavioural Risk Scoring: Behavioural risk scoring is the practice of evaluating a user's actions, device signals, and session patterns to decide whether activity matches expected behaviour. It is more useful than static account checks alone when fraudsters use stolen credentials or synthetic identities to blend in.

What's in the full article

Riskified's full analysis covers the operational detail this post intentionally leaves for the source:

  • How stablecoin transaction risk was measured across Riskified’s merchant network and what the twice-as-risky finding means operationally
  • The specific account takeover patterns seen in stablecoin abuse, including credential stuffing, SIM swapping, and phishing
  • Policy ideas for purchase thresholds, velocity checks, and fraud triage in stablecoin programmes
  • Why cross-vertical fraud coverage matters when bad actors move quickly between payment types

👉 Riskified's full article covers the stablecoin threat model, ATO paths, and off-ramp risk in more detail.

Deepen your knowledge

The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, identity lifecycle, and secrets management. It helps security and identity practitioners connect identity controls to the wider risks their programmes already manage.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org