By NHI Mgmt Group Editorial TeamPublished 2026-05-12Domain: Cyber SecuritySource: Chainalysis

TL;DR: Darknet markets, OTC desks, and scam activity are reshaping the web3 crime landscape, according to Chainalysis, with original research and case studies on enforcement and compliance implications. The governance challenge is not just tracing illicit flows, but keeping identity, access, and control assumptions aligned as crypto ecosystems scale.


At a glance

What this is: Chainalysis is presenting a 2020 crypto crime report focused on darknet markets, OTC laundering, scams, and the broader growth of web3 activity.

Why it matters: It matters because crypto crime depends on trust, access, and transfer controls, which gives IAM, fraud, and compliance teams a useful lens for spotting governance gaps around wallets, exchanges, and transaction monitoring.

👉 Read Chainalysis's 2020 Crypto Crime report on web3 trends and laundering paths


Context

Cryptocurrency crime is a governance problem as much as a financial one, because illicit activity often moves through the same platforms, wallets, exchanges, and OTC channels that legitimate users rely on. For identity and access teams, the practical question is how much trust is being extended, where controls stop, and how quickly suspicious activity can be tied back to a real actor or account.

This report focuses on web3 crime trends through the lens of market structure, laundering paths, and scam behaviour. That is relevant to practitioners working across fraud, KYC, AML, and platform access because the same ecosystems that enable rapid transfer also make attribution, offboarding, and account assurance harder than in conventional systems.


Key questions

Q: How should organisations reduce crypto scam losses before transfers happen?

A: Organisations should place stronger verification before authorisation, not after loss. That means step-up checks for high-value transfers, destination changes, and first-time counterparties, plus behavioural monitoring for urgency, impersonation, and unusual payment timing. Fraud controls work best when they are linked to account assurance and beneficiary validation.

Q: Why do OTC desks and exchanges increase AML complexity?

A: OTC desks and exchanges can aggregate, fragment, and re-route value in ways that make provenance harder to assess. That does not make them inherently risky, but it does mean compliance teams need richer ownership evidence, transaction context, and alert correlation to distinguish legitimate activity from laundering patterns.

Q: What do security teams get wrong about wallet security?

A: Many teams treat wallet protection as a narrow technical issue, when it is really a privileged access problem. High-power wallets hold signing authority, governance power, and transfer capability, so they need ownership, review, and offboarding controls similar to other privileged accounts.

Q: Who is accountable when crypto crime passes through enterprise-controlled channels?

A: Accountability usually sits with the organisation that owns the exchange account, wallet, or platform control, even if the criminal actor is external. If a firm extends trust through weak onboarding, poor monitoring, or unclear approvals, the resulting control failure becomes a governance issue as well as a crime response issue.


Technical breakdown

How crypto crime moves through exchange and OTC paths

Illicit crypto activity often uses a chain of conversion, layering, and cash-out steps rather than a single theft event. OTC desks can absorb volume that would otherwise look suspicious on public venues, while exchanges may see inbound funds that have already been fragmented across many addresses. The technical challenge is not only blockchain tracing, but linking on-chain movement to real-world identity, account control, and beneficiary relationships. That makes transaction monitoring, wallet risk scoring, and beneficiary due diligence part of the same control surface.

Practical implication: align blockchain analytics with KYC, AML, and account ownership evidence so suspicious flows can be tied to controllable identities.

DeFi, lending, and staking add new trust boundaries

DeFi introduces protocols where users interact directly with smart contracts, but the risk does not disappear when intermediaries are removed. Instead, trust shifts into code quality, wallet security, governance keys, oracle integrity, and the operator’s ability to distinguish legitimate from malicious participation. Lending and staking add reward incentives that can be exploited through manipulation, wash activity, or compromised credentials at the wallet layer. For identity practitioners, that means the control problem expands beyond human onboarding to the assurance of wallet provenance and privileged protocol actions.

Practical implication: treat high-value wallets and admin keys as privileged identities and review their lifecycle controls with the same rigor as enterprise PAM.

Scams scale when social trust outpaces verification

Crypto scams succeed when attackers can create urgency, impersonation, or false investment credibility faster than victims can verify. Because transactions are irreversible and many interactions happen through pseudonymous accounts, the environment rewards speed and deception. This is where identity verification, fraud analytics, and behavioural monitoring intersect. A strong anti-scam posture needs more than wallet blacklists. It needs evidence that the counterparty, session, and payment destination are what they claim to be before value moves.

Practical implication: strengthen step-up verification and fraud controls before transfer authorisation, especially where users are exposed to high-pressure social engineering.


Threat narrative

Attacker objective: The attacker wants to convert fraud or stolen assets into liquid value while reducing the chance of attribution, recovery, or account interdiction.

  1. Entry typically begins with social engineering, deceptive investment offers, or compromised platform access that gives the attacker a trusted communication channel or wallet path.
  2. Escalation occurs when the attacker uses exchange flows, OTC channels, or protocol trust to fragment funds, obscure provenance, or move value into harder-to-trace assets.
  3. Impact is realised when criminal proceeds are laundered, victims are defrauded at scale, or compromised infrastructure is used to sustain repeated theft and concealment.

NHI Mgmt Group analysis

Web3 crime is fundamentally an identity and trust problem, not just a blockchain tracing problem. Chainalysis is describing an ecosystem where money movement, account provenance, and counterparty assurance all matter at once. That means fraud teams, KYC owners, and IAM practitioners need to think about wallet ownership, delegation, and account binding as control points, not just as data points. Practitioners should treat identity proof and transaction risk as one joined governance model.

Crypto laundering pressure creates a verification trust gap. When value can move quickly through OTC desks, exchanges, and pseudonymous wallets, verification often lags behind transfer execution. The result is a governance gap where organisations know a transaction happened, but not whether the actor, purpose, or destination was adequately trusted. That gap should drive tighter account assurance and stronger beneficiary verification.

DeFi expands the privileged identity surface. Wallets that can stake, lend, govern, or administer protocol settings behave like privileged identities even when no human logs in through a traditional directory. This is where NHI thinking becomes useful, because the real control problem is lifecycle management for keys, signing authority, and policy escalation. Teams should classify high-power wallets and protocol keys as privileged assets with explicit ownership and review.

Scam economics favour speed over assurance, which makes pre-transfer controls more valuable than post-event recovery. The report’s focus on scams that netted criminals billions reinforces a hard truth: once value leaves under false pretences, recovery is uncertain. For security leaders, the right question is how to prevent trust failures before authorisation, not how to respond after the fact. Practitioners should use that lens to redesign approval and verification checkpoints.

Named concept: crypto control plane drift. As web3 ecosystems add exchanges, OTC desks, DeFi protocols, and consumer-facing wallets, the control plane becomes fragmented across teams that do not share the same view of identity, risk, or accountability. That drift weakens both fraud detection and compliance evidence. Practitioners should consolidate ownership for wallet assurance, transaction monitoring, and account governance.

What this signals

Crypto control plane drift: as more organisations touch wallets, exchanges, and DeFi workflows, accountability fragments unless identity ownership is explicit. The practical challenge is to stop treating wallet controls as isolated fintech concerns and start managing them as part of enterprise access governance.

For teams handling fraud, AML, or digital asset exposure, the next maturity step is correlation. Transaction analytics, customer verification, and privileged access oversight need to share the same escalation logic, or suspicious activity will remain visible in one system but unactionable in another.


For practitioners

  • Strengthen wallet ownership evidence Require explicit ownership and business justification for high-value wallets, protocol admin keys, and exchange accounts. Link those assets to named owners, approval workflows, and offboarding rules so they do not become unmanaged privileged identities.
  • Join KYC, AML, and access signals Correlate onboarding records, wallet reputation, and unusual transfer behaviour so investigators can test whether the actor behind a transaction matches the account profile and expected usage.
  • Apply step-up verification before value transfer Add extra verification when users move large amounts, change destination addresses, or interact with a new counterparty. This reduces scam success where social pressure is used to bypass judgment.
  • Review OTC and exchange risk assumptions Map where trust is being extended to OTC desks, exchange integrations, and third-party custodial paths. Use that map to identify which transfers need heightened monitoring or manual approval.

Key takeaways

  • Web3 crime is not only about tracing coins, it is about governing trust, identity, and privileged control across fragmented crypto workflows.
  • OTC desks, exchanges, and DeFi tools widen the attack surface when ownership, verification, and approval logic are inconsistent.
  • Practitioners should tighten pre-transfer verification, wallet governance, and cross-team correlation before scams and laundering paths scale further.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

MITRE ATT&CK address the attack surface, NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the technical controls, and GDPR define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AA-1Identity proofing and access assurance matter where crypto actors and accounts must be trusted.
NIST SP 800-53 Rev 5AC-6Privilege management is relevant because wallets and admin accounts can act like privileged identities.
GDPRArt.32GDPR applies where identity verification and fraud controls process personal data.
CIS Controls v8CIS-5 , Account ManagementAccount governance is central when exchange, wallet, and admin accounts hold transfer authority.
MITRE ATT&CKTA0006 , Credential Access; TA0010 , ExfiltrationCredential theft and value removal align with the attack pattern described in crypto crime.

Map crypto fraud scenarios to credential access and exfiltration tactics for detection and response planning.


Key terms

  • Wallet Ownership Evidence: Wallet ownership evidence is the proof that a specific person or team is responsible for a crypto wallet or account. It combines technical control with business accountability, so transfers, approvals, and offboarding can be governed rather than merely observed.
  • Crypto Laundering Path: A crypto laundering path is the sequence of transfers, services, and conversions used to hide the origin of illicit funds. It often includes fragmentation, mixing, OTC movement, and exchange cash-out steps that complicate attribution and recovery.
  • Privileged Wallet: A privileged wallet is a digital asset account with elevated authority, such as signing, governance, staking, or large transfer rights. These wallets need lifecycle control because misuse or compromise can directly change assets, permissions, or protocol settings.
  • Verification Trust Gap: A verification trust gap appears when an organisation can see a transaction or account action but cannot confidently prove who initiated it or whether the counterparty was legitimate. In crypto environments, that gap weakens fraud prevention and AML response at the same time.

What's in the full report

Chainalysis's full report covers the operational detail this post intentionally leaves for the source:

  • Original research on darknet market evolution and how it affects law enforcement and compliance workflows.
  • Case studies on OTC desks and laundering patterns that show how illicit funds move between services.
  • Discussion of crypto scams that netted criminals billions, including how fraud patterns evolve with market structure.
  • Additional coverage of the web3 infrastructure layer, DeFi lending, staking, and metaverse activity.

👉 The full Chainalysis report adds case studies on darknet markets, OTC desks, scams, and web3 growth patterns.

Deepen your knowledge

NHI Mgmt Group covers identity security, NHI governance, and agentic AI through independent research, practitioner guides, and the NHI Foundation Level course, the industry's only accredited NHI security programme. It is designed for practitioners who need stronger governance across identity, privilege, and lifecycle control.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-05-12.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org