Get Secured
Operational Security, 18 June 2026

Crypto Fraud Prevention: Operational Controls to Protect Your Organisation

The Uncomfortable Truth About Crypto Fraud

The conversation about security in Web3 defaults, almost reflexively, to smart contract vulnerabilities. Reentrancy attacks, oracle manipulation, bridge exploits: these are the incidents that generate headlines and post-mortems. They are real risks and they deserve serious attention. But they are not the only major source of loss in this industry, and arguably not the largest.

The uncomfortable truth is that a substantial proportion of significant crypto losses have involved insiders, operational failures, or fraud enabled by inadequate internal controls. The assets were lost not because an attacker found a flaw in the code, but because a person with legitimate access misused it, or because the organisation had no controls in place to detect or prevent the misuse. Gerald Cotten at QuadrigaCX managed customer funds through wallets only he controlled, with no independent oversight of his access or the firm's reserves. FTX ran billions in client funds through a related entity with no meaningful separation between the exchange's treasury and Alameda Research's trading operations. The Multichain CEO's arrest in 2023 prompted speculation that the protocol's subsequent $130 million drain was directly linked to insider control of the bridge's private keys.

In each case, the failure was not technical. It was organisational. The controls that exist as a matter of course in a regulated financial institution (dual authorisation, independent reconciliation, segregation of client assets, oversight of privileged access) were either absent or circumvented.

This guide addresses crypto fraud prevention as an operational discipline. It is written for CISOs, security directors, founders, and compliance officers who understand that technology alone cannot substitute for sound governance, process design, and a culture that takes internal risk seriously.

Defining the Fraud Landscape: External and Internal Vectors

Crypto fraud does not describe a single threat category. It encompasses a spectrum of methods, actors, and motivations that require different control responses.

External Fraud

External fraud originates outside the organisation. The perpetrator has no legitimate access to systems or funds and must obtain access through deception or technical exploitation. Common external fraud vectors include:

  • Phishing and spear-phishing: Targeted campaigns against employees with access to wallets, signing keys, or internal systems. Attackers research their targets extensively, mimicking trusted contacts, vendors, or senior leadership.
  • Business email compromise (BEC): Fraudulent payment instructions delivered via compromised or spoofed email accounts. In crypto firms, BEC attacks frequently target treasury operations, payroll, and vendor payments.
  • Fake invoice fraud: Fraudulent invoices submitted by external parties, sometimes following reconnaissance of the organisation's vendor relationships and invoice formats.
  • SIM-swapping: Attacks on mobile phone accounts to intercept SMS-based authentication codes, enabling account takeover for individuals who hold significant assets or privileged access.
  • Social engineering of customer support: Manipulation of support teams into resetting account access or bypassing verification procedures.

Internal Fraud

Internal fraud involves employees, contractors, or other insiders who abuse legitimate access for personal gain. The crypto environment presents conditions that make internal fraud particularly attractive and particularly damaging:

  • Asset transfers are irreversible once confirmed on-chain.
  • Many firms operate with minimal financial oversight, particularly in the early stages.
  • Technical complexity creates information asymmetry: non-technical leadership may not understand what access engineers actually have.
  • Token compensation and access to treasury functions often concentrate significant financial power in individual employees.
  • Industry norms around flat hierarchies and autonomy can create cultures where oversight is perceived as distrust rather than good governance.

The line between external and internal fraud is often blurred. Insider-assisted fraud, where an internal actor deliberately or negligently facilitates an external attack, represents a hybrid category that pure technical controls rarely address. Social engineering campaigns specifically target employees to become unwitting or willing participants.

The Fraud Triangle Applied to Crypto Firms

The fraud triangle, first articulated by criminologist Donald Cressey, identifies three conditions that must be present for employee fraud to occur: pressure, opportunity, and rationalisation. Understanding how each condition manifests in crypto organisations is essential to designing effective preventive controls.

Pressure

Pressure refers to the personal motivation that drives an individual toward fraud, typically financial. In Web3 firms, pressure sources are abundant:

  • Token compensation that has declined sharply in value, creating a gap between expected and realised earnings.
  • Exposure to personal crypto investments that have underperformed, creating financial stress.
  • Lifestyle inflation among individuals who joined during bull-market conditions and now face different circumstances.
  • Equity or token disputes: employees who feel they were inadequately compensated relative to the value they created.
  • Terminations and redundancies in a downturn, where employees with retained access have both a motive and a window of opportunity before access is revoked.

Opportunity

Opportunity is the condition that fraud controls directly address. An individual with strong motivation to commit fraud will not do so if the opportunity does not exist, or if the perceived risk of detection is high. Opportunity is created by:

  • Single points of control over transactions, wallets, or signing keys.
  • Absence of independent reconciliation of treasury balances.
  • Poor or non-existent offboarding procedures that leave access in place after an employee departs.
  • Insufficient logging and monitoring of privileged actions.
  • Culture that discourages challenge of senior figures with financial access.

Rationalisation

Rationalisation is the narrative the perpetrator constructs to justify the act. Crypto firms, with their often informal cultures and complex token structures, can inadvertently provide fertile ground: "The firm owes me more tokens than I received." "This is just borrowing until my position recovers." "Everyone here is enriching themselves off this treasury." Organisations that create transparent governance, fair compensation structures, and a culture of accountability reduce the psychological foundations for rationalisation.

"The most effective fraud controls are not surveillance systems. They are organisational structures that reduce opportunity to the point where the vast majority of employees never face a realistic option to commit fraud undetected."

Dual Controls: The Non-Negotiable Foundation

Dual control is the principle that no single individual should be able to both initiate and authorise a transaction. It is the most fundamental fraud-prevention control in any financial operation, and it is systematically absent from a large proportion of crypto firms.

Why Dual Controls Matter in Crypto

In a traditional bank, a payment above a certain threshold requires two members of staff to process. One inputs the transaction; another approves it. The system logs both actions against authenticated identities. Neither can complete the cycle alone.

In a crypto firm without dual controls, a single engineer or finance employee with wallet access can construct and broadcast a transaction without any other person being involved, aware, or able to intervene. The confirmation is irreversible. The asset is gone. Logs may capture the action after the fact, but there is no recovery.

Implementing Dual Controls Operationally

Implementing dual controls in a crypto environment requires both technical and policy components:

Technical implementation: Multi-signature wallet configurations are the primary technical mechanism. A 2-of-3 configuration, for example, requires any two of three designated signatories to authorise a transaction. The wallet will not broadcast without the required threshold of signatures. This is not optional for any treasury or operational wallet holding material value.

Policy implementation: The multi-sig configuration only enforces dual controls if the policy prohibits any individual from holding more than one required key. An organisation where the same person controls two of the three keys in a 2-of-3 configuration has the appearance of dual controls without the substance. The policy must state explicitly: one individual, one key, no exceptions. Key holders must be documented, and the list must be reviewed whenever personnel change.

Workflow implementation: Transaction requests should follow a defined workflow. The requesting party submits the transaction through an approved channel with documented business justification. A separate authorising party reviews the request, verifies the justification, confirms the destination address through an independent source, and only then provides their signature. Verbal confirmation should accompany any unusual or large transaction.

Threshold-based escalation: Different transaction sizes should require different levels of authorisation. A tiered approval structure, for example two signatories for transactions above £10,000 and three for transactions above £100,000, proportions the control burden to the risk level. The lowest tier must still require two signatures on any wallet holding material value; a tier that lets one person sign small payments alone reintroduces the single point of control and invites structuring just below the tier boundary.

Separation of Duties in the Finance and Technical Functions

Dual controls address the authorisation of individual transactions. Separation of duties addresses a broader structural risk: the concentration of the entire financial function in the hands of a single team or individual.

In a traditional financial institution, the following functions are structurally separated: the front office that executes transactions, the back office that settles and records them, risk management that monitors positions, and internal audit that reviews all of the above. Each provides an independent check on the others.

In a small crypto firm, these functions are frequently collapsed into a single person or a tightly connected team. The same engineer who builds the transaction infrastructure also holds the signing keys. The founder who directs treasury strategy also has unilateral access to the treasury wallets. Finance and operations share credentials. These are not hypothetical risks: they are the structural conditions present in the firms where the most significant internal fraud has occurred.

Structuring Separation in a Small Team

Meaningful separation of duties does not require a large headcount. The critical distinctions are:

  • Technical access vs. financial authorisation: The engineering team that maintains wallet infrastructure should not hold signing keys for treasury wallets. Technical access should be scoped to the minimum required to maintain the infrastructure; financial authorisation should reside with a separate function.
  • Transaction initiation vs. transaction approval: The person who requests a payment cannot be the person who approves it. In a very small team, this may require a board member or external advisory role to serve as an independent approver for transactions above a certain threshold.
  • Record-keeping vs. asset custody: The person responsible for maintaining the firm's financial records should not also be the sole custodian of the private keys. Independent reconciliation, comparing on-chain balances to recorded balances, should be performed by someone without the ability to alter either set of records.
  • Payment execution vs. payment authorisation: Where external vendors are paid, the person who adds a vendor to the approved payments list should not be the same person who processes payments to that vendor.

For very early-stage firms where structural separation is genuinely not possible due to team size, compensating controls become critical: comprehensive audit logs, regular board-level review of all transactions, and external audit of treasury balances at least quarterly.
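The dual-control rules from the previous section and the separation-of-duties rules above, reduced to a policy check that a treasury workflow tool could run before anyone signs. This is an added example, not the page's or any vendor's code; the two-tier quorum, the wallet, the vendors and the named staff are constructed assumptions.

```python
"""Dual-control and separation-of-duties policy checks for treasury payments.
Added example: the tier thresholds, wallet, vendors and people below are
constructed sample data, not any real firm's configuration."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed quorum tiers (GBP): transactions of 100,000 or more need three
# distinct signatories; everything else needs two. No tier ever allows one.
TIERS = [(100_000, 3), (0, 2)]


@dataclass
class Wallet:
    name: str
    key_holders: Dict[str, str]   # key id -> person; policy is one key per person


@dataclass
class Vendor:
    name: str
    address: str
    added_by: str                  # who added the payee to the approved list
    verified_by: Optional[str]     # who confirmed the address out of band


@dataclass
class PaymentRequest:
    wallet: Wallet
    initiator: str
    vendor: Vendor
    amount_gbp: int
    signatures: List[str]          # key ids that have signed


def required_signers(amount_gbp: int) -> int:
    for threshold, needed in TIERS:
        if amount_gbp >= threshold:
            return needed
    return TIERS[-1][1]


def duplicate_key_holders(wallet: Wallet) -> Dict[str, List[str]]:
    """People holding more than one key: a 2-of-3 where one person has two keys is really 1-of-1."""
    held: Dict[str, List[str]] = {}
    for key_id, person in wallet.key_holders.items():
        held.setdefault(person, []).append(key_id)
    return {p: keys for p, keys in held.items() if len(keys) > 1}


def evaluate(req: PaymentRequest) -> List[str]:
    """Return policy findings; an empty list means the payment may be signed and broadcast."""
    findings: List[str] = []
    dups = duplicate_key_holders(req.wallet)
    if dups:
        findings.append(f"wallet {req.wallet.name}: one person holds several keys {dups}")
    signers = set()
    for key_id in req.signatures:
        person = req.wallet.key_holders.get(key_id)
        if person is None:
            findings.append(f"signature from unknown key {key_id}")
        else:
            signers.add(person)
    needed = required_signers(req.amount_gbp)
    if len(signers) < needed:
        findings.append(f"quorum: {len(signers)} distinct signer(s), {needed} required for £{req.amount_gbp:,}")
    if req.initiator in signers:
        findings.append(f"dual control: initiator {req.initiator} also signed")
    v = req.vendor
    if v.verified_by is None:
        findings.append(f"vendor {v.name}: address {v.address} not verified through a second channel")
    elif v.verified_by == v.added_by:
        findings.append(f"separation of duties: {v.added_by} both added and verified vendor {v.name}")
    if req.initiator == v.added_by:
        findings.append(f"separation of duties: {req.initiator} added vendor {v.name} and is paying it")
    return findings


def sample_requests() -> Dict[str, PaymentRequest]:
    """Constructed scenarios: one compliant payment and three control failures."""
    treasury = Wallet("treasury-2of3", {"k1": "alice", "k2": "bob", "k3": "carol"})
    collapsed = Wallet("treasury-bad", {"k1": "alice", "k2": "alice", "k3": "carol"})
    acme = Vendor("acme", "0xACME0001", added_by="dave", verified_by="erin")
    unverified = Vendor("newco", "0xNEWC0001", added_by="dave", verified_by=None)
    return {
        "ok": PaymentRequest(treasury, "frank", acme, 50_000, ["k1", "k2"]),
        "under_quorum": PaymentRequest(treasury, "frank", acme, 150_000, ["k1", "k2"]),
        "self_approved": PaymentRequest(treasury, "alice", acme, 50_000, ["k1", "k2"]),
        "collapsed_keys": PaymentRequest(collapsed, "frank", unverified, 50_000, ["k1", "k2"]),
    }


if __name__ == "__main__":
    for name, req in sample_requests().items():
        print(name, evaluate(req) or ["approved"])
```

The check runs before signing, which is the point: a confirmed transfer cannot be recalled, so every finding must block broadcast rather than feed a report. Note that the collapsed-keys scenario fails twice, once on the wallet configuration itself and once because two signatures from the same person count as one; the configuration defect is reported on every request because no later log review repairs it.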

Transaction Monitoring and Anomaly Detection

Transaction monitoring serves two purposes in a fraud-prevention programme: deterrence (employees who know their transactions are monitored are less likely to attempt fraud) and detection (identifying anomalous patterns that warrant investigation).

What to Monitor

Effective transaction monitoring for internal fraud focuses on the following signals:

  • Velocity anomalies: A sudden increase in transaction frequency from a particular wallet or initiated by a particular employee. Normal treasury operations follow predictable rhythms; deviations require explanation.
  • Value anomalies: Transactions that are just below approval thresholds (structuring), or transactions that are significantly larger than historical norms without documented business justification.
  • Destination address anomalies: Transactions to addresses that have not previously received funds from the organisation, or to addresses that do not match the documented payee list. On-chain analytics tools can screen destinations against known fraud, sanctions, and mixer addresses.
  • Time-of-day anomalies: Transactions initiated outside normal working hours, particularly if they occur without the usual workflow documentation.
  • Failed or reversed approvals: Transactions that were initiated but did not receive the required co-signatures can indicate attempts to circumvent controls.
  • Privileged access events: Changes to wallet configurations, addition or removal of signatories, or modification of approval thresholds should generate immediate alerts to senior leadership regardless of who makes the change.

Setting Thresholds

Alert thresholds must be calibrated to the organisation's normal operational patterns. A threshold that fires on every routine vendor payment generates alert fatigue and makes real signals invisible. A threshold set too high may miss the incremental drain that characterises many insider fraud cases. Thresholds should be reviewed quarterly and adjusted to reflect changes in operational scale.

Automated monitoring tools, including on-chain analytics platforms such as Chainalysis or Elliptic for blockchain-layer monitoring, should be complemented by manual review procedures. A member of the finance or compliance function should review all flagged transactions within a defined SLA, document their findings, and escalate to leadership any transaction that cannot be satisfactorily explained by reference to business records.
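The signals in the list above expressed as rule logic run over a transaction log. This is an added example rather than the page's or any monitoring product's code; the thresholds, the known-payee list and the log entries are constructed, and a real deployment would read them from the wallet platform or an on-chain analytics feed rather than from literals.

```python
"""Rule-based monitoring of treasury transactions for insider-fraud signals.
Added example: the thresholds, the payee list and the transaction log are
constructed assumptions, not a real firm's data."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Assumed configuration; the text calls for reviewing these quarterly.
APPROVAL_THRESHOLD = 10_000          # GBP: amounts at or above need extra sign-off
STRUCTURING_BAND = 0.10              # flag amounts within 10% below the threshold
VELOCITY_WINDOW = timedelta(hours=24)
VELOCITY_MAX = 3                     # more than this per initiator per window is anomalous
WORK_HOURS = (8, 19)                 # [start, end) local hour; outside is off-hours
KNOWN_PAYEES = {"0xPAYROLL01", "0xVENDOR01"}

# Constructed log: (timestamp, initiator, destination, amount_gbp, status, kind).
# The last entry is a signer-set change, not a payment.
SAMPLE_LOG = [
    ("2024-03-04T09:15:00", "dave", "0xVENDOR01", 4_200, "confirmed", "payment"),
    ("2024-03-04T10:02:00", "dave", "0xPAYROLL01", 38_000, "confirmed", "payment"),
    ("2024-03-05T22:47:00", "dave", "0xNEW00A1", 9_800, "confirmed", "payment"),
    ("2024-03-05T23:05:00", "dave", "0xNEW00A1", 9_900, "confirmed", "payment"),
    ("2024-03-05T23:31:00", "dave", "0xNEW00A1", 9_750, "confirmed", "payment"),
    ("2024-03-06T00:10:00", "dave", "0xNEW00A1", 9_950, "unsigned", "payment"),
    ("2024-03-06T00:12:00", "alice", "-", 0, "confirmed", "signer_change"),
]


def detect(log) -> List[str]:
    """Run each rule over the log in time order; return alerts tagged by rule name."""
    rows = sorted(log, key=lambda r: r[0])
    alerts: List[str] = []
    seen_payees = set(KNOWN_PAYEES)
    recent: Dict[str, List[datetime]] = defaultdict(list)
    for ts_text, who, dest, amount, status, kind in rows:
        ts = datetime.fromisoformat(ts_text)
        stamp = f"{ts:%Y-%m-%d %H:%M} {who}"
        if kind != "payment":
            # Any change to signers or thresholds escalates regardless of actor.
            alerts.append(f"PRIVILEGED {stamp}: {kind}, escalate to leadership")
            continue
        if APPROVAL_THRESHOLD * (1 - STRUCTURING_BAND) <= amount < APPROVAL_THRESHOLD:
            alerts.append(f"STRUCTURING {stamp}: £{amount:,} sits just below £{APPROVAL_THRESHOLD:,}")
        if dest not in seen_payees:
            alerts.append(f"NEW_DEST {stamp}: first payment to {dest}")
            seen_payees.add(dest)
        if not WORK_HOURS[0] <= ts.hour < WORK_HOURS[1]:
            alerts.append(f"OFF_HOURS {stamp}: initiated outside working hours")
        # Velocity: count this initiator's payments inside the sliding window.
        recent[who] = [t for t in recent[who] if ts - t < VELOCITY_WINDOW]
        recent[who].append(ts)
        if len(recent[who]) > VELOCITY_MAX:
            alerts.append(f"VELOCITY {stamp}: {len(recent[who])} payments within {VELOCITY_WINDOW}")
        if status != "confirmed":
            alerts.append(f"FAILED_APPROVAL {stamp}: status {status}, co-signature not obtained")
    return alerts


def summarise(alerts: List[str]) -> Dict[str, int]:
    """Count alerts per rule: the view a reviewer triages against the review SLA."""
    return dict(Counter(a.split(" ", 1)[0] for a in alerts))


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    print("\n".join(found))
    print(summarise(found))
```

The sample log is built to show why the per-rule view matters. Four payments each sit just under the £10,000 tier, which is exactly the incremental drain that a threshold set at the tier boundary would never fire on; the same four also trip the off-hours and new-destination rules, and the unsigned fourth attempt trips velocity and failed-approval together. The signer-set change at the end escalates on its own, regardless of who made it.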

Social Engineering as a Fraud Vector

Business email compromise targeting crypto firms has become one of the most productive fraud vectors for criminal groups. The attack is low-cost, scalable, and exploits the fast-moving, high-trust communication culture common in Web3 organisations.

How BEC Attacks Target Crypto Firms

A typical BEC attack targeting a crypto firm follows this pattern: the attacker researches the organisation's structure, identifies individuals in treasury, finance, or operations roles, and obtains the email address of a senior figure (often the CEO or CFO). They then either compromise that email account directly, or register a domain that visually resembles the genuine domain (e.g., replacing an "l" with a "1"). A fraudulent email is sent to a treasury team member, directing an urgent payment to a new wallet address. The urgency, the apparent authority of the sender, and the normalcy of the requested action combine to bypass scepticism.

Variants include fake vendor invoice fraud (instructions to update bank or wallet details for an existing vendor) and CEO fraud (a senior figure requests an urgent transfer to complete a confidential transaction).

Operational Defences Against BEC

Technical controls address the email delivery vector but do not address the human element. Both are required:

Technical controls: A DMARC policy of p=reject on all company domains, backed by correctly aligned SPF and DKIM records, stops exact-domain spoofing at receivers that enforce DMARC. It does nothing against lookalike domains or a genuinely compromised mailbox, so it must be paired with email security platforms that detect display-name and lookalike-domain impersonation. All email accounts, particularly those of individuals with financial authority, must be protected by phishing-resistant multi-factor authentication (hardware security keys or passkeys rather than SMS-based codes).

Operational controls: A written policy stating that no payment instruction received by email alone will be acted upon without out-of-band verification via a pre-registered telephone number. The policy must be absolute and must explicitly cover urgent or confidential requests. A callback procedure must be followed for any change to payment details, regardless of the seniority of the apparent requestor. Security awareness training specific to BEC scenarios, including simulated phishing exercises that test realistic crypto-firm scenarios, must be conducted at least twice per year.

Process controls: Any change to a wallet address or payment destination for an existing vendor requires verification through a second independent channel, documentation in the vendor management system, and approval by a person with no connection to the original change request. New payees should not be added to the approved list and paid in the same workflow step.
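Two of the technical controls above as code: grading a DMARC record for the weaknesses that let exact-domain spoofing through, and spotting lookalike sender domains of the kind described in the attack pattern (the "l" to "1" swap, a homoglyph, a different TLD, or the company name embedded in a longer domain). This is an added example, not the page's or any product's code; the company domain, the records and the sender domains are constructed, and no DNS queries are made (the record text is passed in, as a gateway or check script would already hold it).

```python
"""DMARC policy grading and lookalike-domain detection for BEC screening.
Added example; the company domain, records and sender domains are
constructed, and no DNS lookups are performed."""
import unicodedata
from typing import Dict, List, Optional

COMPANY_DOMAINS = {"example-treasury.com"}   # assumed
# Assumed substitutions seen in lookalike registrations, including the
# "l" -> "1" swap. Both sides are normalised with the same map.
CONFUSABLES = {"rn": "m", "vv": "w", "1": "l", "0": "o", "5": "s", "3": "e"}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; ...' into a tag dictionary."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_findings(domain: str, record: str) -> List[str]:
    """Weaknesses that let exact-domain spoofing through; an empty list is the target state."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return [f"{domain}: record is not a DMARC record"]
    findings: List[str] = []
    policy = tags.get("p", "none")
    if policy != "reject":
        findings.append(f"{domain}: p={policy} lets spoofed mail through (need p=reject)")
    if "sp" in tags and tags["sp"] != "reject":
        findings.append(f"{domain}: subdomain policy sp={tags['sp']} is weaker than reject")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"{domain}: pct={pct} applies the policy to only {pct}% of mail")
    if "rua" not in tags:
        findings.append(f"{domain}: no rua= address, so spoofing attempts are never reported")
    return findings


def normalise(label: str) -> str:
    """Drop non-ASCII (which catches homoglyphs) and undo common confusable substitutions."""
    text = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode().lower()
    for fake, real in CONFUSABLES.items():
        text = text.replace(fake, real)
    return text


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, standard dynamic-programming form."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Everything before the final label. Deliberately naive: no public-suffix list."""
    return domain.rsplit(".", 1)[0]


def lookalike_of(sender_domain: str) -> Optional[str]:
    """Return the company domain a sender domain imitates, or None if genuine or unrelated."""
    sender = sender_domain.lower()
    for company in COMPANY_DOMAINS:
        if sender == company or sender.endswith("." + company):
            return None                      # the real domain or one of its subdomains
    name = normalise(registrable(sender))
    for company in COMPANY_DOMAINS:
        target = normalise(registrable(company))
        # same name under another TLD, the name embedded in a longer domain,
        # or a one- or two-character typo
        if target in name or edit_distance(name, target) <= 2:
            return company
    return None


if __name__ == "__main__":
    weak = "v=DMARC1; p=none; rua=mailto:dmarc@example-treasury.com"
    print(dmarc_findings("example-treasury.com", weak))
    for d in ["examp1e-treasury.com", "exarnple-treasury.com", "example-treasury.org",
              "ex\u0430mple-treasury.com", "mail.example-treasury.com", "unrelated-vendor.com"]:
        print(d, "->", lookalike_of(d))
```

The two checks deliberately cover different failures: a p=reject record is the right target state, but it never fires on "examp1e-treasury.com" because that domain is not spoofed, it is registered. The lookalike check is what catches it, and it catches the Cyrillic "а" variant as well because the non-ASCII character is stripped before comparison, leaving a one-character edit.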

Pre-Employment Screening: The Control Most Often Skipped

In the rush of hiring during bull markets, or under the cultural assumption that "we know who we're hiring through the network", pre-employment screening is frequently treated as an optional formality in Web3 firms. This is a serious oversight. Employees with access to treasury wallets, private keys, or financial systems represent a significant fraud risk surface, and background checks are the baseline control for managing that surface before access is granted.

What Screening Should Cover

For any role with access to wallet infrastructure, signing keys, treasury operations, or financial systems, screening should include:

  • Identity verification: Confirmation that the individual is who they claim to be, using government-issued documentation. This sounds obvious; it is not universally done.
  • Criminal record checks: Specifically covering fraud, theft, financial crime, and dishonesty offences. Where the role involves regulated activity, checks must meet the relevant regulatory standard for that jurisdiction.
  • Financial due diligence: Where legally permissible, adverse credit history and County Court Judgements can indicate financial pressure. Individuals under acute financial stress represent an elevated risk for fraud motivated by personal financial need. This check must comply with applicable data protection and employment law.
  • Previous employment verification: Direct contact with former employers, not limited to dates of employment. Where a candidate has left a previous role "by mutual agreement" or is unable to provide a direct manager reference, that warrants further investigation.
  • Directorship and sanctions screening: Checks against company registers and sanctions lists for any undisclosed affiliations or restricted parties connections.
  • Social media and open-source intelligence: A structured review of public-facing information for indicators of extreme financial pressure, undisclosed affiliations, or stated grievances against current or former employers.

Screening as a Continuous Process

Pre-employment screening provides a point-in-time assessment. The risk profile of an employee with privileged access can change over time. Firms should consider periodic re-screening for roles with ongoing access to high-value systems, and should establish a process for employees to voluntarily disclose material changes to their financial circumstances. This is not an unusual requirement: it is standard practice in regulated financial services roles.

Whistleblower Mechanisms and Anonymous Reporting

The single most effective tool for detecting internal fraud is a functioning whistleblower policy with anonymous reporting channels. Studies of fraud detection across industries consistently show that tip-offs from employees, customers, or vendors account for a higher proportion of fraud discoveries than any single automated control.

This makes intuitive sense: people notice when colleagues are behaving unusually, when explanations do not add up, or when procedures are being bypassed. The barrier is not observation but reporting. Employees will not report unless they believe they can do so safely, that their report will be acted upon, and that they will not face retaliation.

Building an Effective Whistleblower Channel

An effective mechanism requires:

  • Genuine anonymity: An email address managed by HR does not provide anonymity. A third-party managed platform (such as EthicsPoint or a comparable service) that strips metadata and provides a two-way communication channel without revealing identity is the appropriate solution.
  • Visible leadership commitment: The programme must be visibly endorsed by the board and senior leadership, not merely referenced in a policy document. Regular communication about the programme's existence and purpose is necessary.
  • Defined investigation procedure: Every report must be reviewed within a defined timeframe. There must be a designated individual responsible for triaging reports, escalating serious matters, and providing feedback to reporters (anonymously, through the platform) on the status of their report.
  • Non-retaliation enforcement: Retaliation against a whistleblower must be treated as a disciplinary matter of the highest severity. The policy must be clear on this and must be enforced consistently.

Regulatory Dimensions: AML, KYC, and DORA

Fraud prevention is not only a governance obligation; it is increasingly a regulatory one. Crypto firms operating in regulated jurisdictions face specific requirements that make internal fraud controls a compliance matter.

KYC and AML operational controls function as fraud prevention mechanisms as well as regulatory compliance requirements. Transaction monitoring systems designed to detect suspicious activity and the financing of criminal enterprise will also detect unusual internal activity patterns. The controls are complementary, and investment in one serves both purposes.

Under the EU's Markets in Crypto-Assets regulation (MiCA), crypto asset service providers must maintain governance arrangements that include robust internal control mechanisms, sound administrative and accounting procedures, and appropriate risk management. Firms applying for or operating under MiCA authorisation must be able to demonstrate that internal fraud risks are addressed within their governance framework.

DORA compliance requirements for financial entities operating in the EU extend to ICT risk management, which includes risks arising from insider threats and inadequate access controls. The ICT risk management framework required by DORA must address the full range of risks to the integrity of financial operations, of which internal fraud is a component.

For firms operating under the UK's cryptoasset registration regime administered by the Financial Conduct Authority, the FCA's guidance on financial crime controls makes clear that registered cryptoasset businesses are expected to have documented policies covering employee fraud risk, including appropriate segregation of duties and transaction monitoring.

Case Studies in Operational Fraud

Three cases illustrate the breadth and severity of operational fraud in crypto. The losses range from well over a hundred million dollars in the QuadrigaCX and Multichain cases to billions at FTX. Each was primarily an organisational failure, not a technical one.

QuadrigaCX: The Single Point of Control

QuadrigaCX was a Canadian cryptocurrency exchange that collapsed in 2019 following the death of its founder and CEO, Gerald Cotten. Cotten held exclusive control over the cold wallets containing most of the exchange's customer funds. No other individual had access to the keys. Following his death, approximately CAD $190 million in customer funds became inaccessible.

Subsequent investigation by the Ontario Securities Commission found that the situation was more sinister than a simple key management failure: Cotten had been using customer funds to trade on other platforms, had created fictitious accounts to simulate trading volume, and had been operating the exchange as a personal trading vehicle for years. The absence of any dual control or independent oversight of his access to customer funds meant that none of this was detectable until the exchange collapsed.

The control failure was fundamental: a single individual with unilateral, unmonitored access to all customer assets and no independent oversight of any kind. This is not a corner case; it is the default structure of many small crypto firms today.

Multichain 2023: Centralised Key Control and Executive Access

Multichain, a cross-chain bridge protocol, suffered a series of abnormal fund outflows in July 2023, totalling approximately $130 million. The outflows followed the arrest of the protocol's CEO by Chinese authorities, alongside the apparent detention of other team members with access to the protocol's multi-party computation keys.

The incident illustrated that the technical infrastructure of a decentralised protocol can be fatally dependent on centralised human control. The protocol's operational security posture, specifically, the concentration of key management in a small number of individuals who could be simultaneously incapacitated, made the entire protocol vulnerable to exactly the scenario that occurred. Geographic distribution of key holders, succession procedures for key management, and documented operational protocols for key custody are the controls that would have limited the impact.

FTX: Operational Fraud at Scale

The collapse of FTX in November 2022 was the largest operational fraud in the history of the crypto industry. At its core, FTX customer funds were transferred to Alameda Research, a related trading firm, without customer consent and in clear violation of the terms under which those funds were held. No meaningful separation existed between the two entities at the operational level: the same individuals controlled both, the same systems processed both, and the financial reporting for both was fabricated.

The absence of controls was total: no independent custody of customer assets, no separation of duties between the exchange and the affiliated trading firm, no independent board oversight, no external audit of the actual on-chain balances, and no whistleblower mechanism that functioned to surface the practices to anyone with the authority to stop them. FTX's failure is the extreme case, but the individual control failures it exemplifies are present in varying degrees across the industry.

Frequently Asked Questions

What is the most common form of fraud in crypto firms?

Internal fraud and insider-enabled theft account for a disproportionate share of crypto losses compared to purely external attacks. Employees or contractors with privileged access can initiate unauthorised transactions, manipulate records, or collude with external parties. Because a confirmed on-chain transfer cannot be recalled, after-the-fact detection is a poor substitute for prevention: dual controls and separation of duties must stop the transaction before it is broadcast, with transaction monitoring as the second line.

How should dual controls be implemented for crypto transactions?

Dual controls require that the person who initiates a transaction cannot also be the person who approves it. In practice, this means separating the initiation role (typically finance or treasury) from the authorisation role (a senior signatory or a dedicated approvals function). For on-chain transactions, multi-signature wallet configurations enforce this technically, but the organisational policy must define who holds each key and prohibit any individual from holding more than one key in a required quorum.

What should pre-employment screening cover for roles with access to crypto funds?

Pre-employment screening for roles with access to wallets, signing keys, or treasury systems should include: identity verification and right-to-work checks, criminal record checks covering financial crime and fraud, credit history and adverse financial history checks where legally permissible, previous employment verification with specific reference to any departures under investigation, and social media screening for indicators of extreme financial pressure or undisclosed affiliations. For senior roles, enhanced due diligence including directorship history should be standard.

How do crypto firms defend against business email compromise?

Business email compromise defences must combine technical and operational controls. Technically: DMARC (at p=reject), DKIM, and SPF records on all company domains; email filtering with impersonation and lookalike-domain detection; and mandatory phishing-resistant multi-factor authentication on all email accounts. Operationally: a strict policy that payment instructions received by email alone are never acted upon without out-of-band verbal confirmation; callback procedures to pre-registered numbers rather than numbers provided in the email; and mandatory security awareness training covering BEC scenarios specific to crypto firms.

Are there regulatory requirements for internal fraud controls in crypto firms?

Yes. For firms operating under DORA, internal fraud controls are part of the ICT risk management framework and operational resilience requirements. MiCA-regulated entities must maintain robust governance and internal control frameworks as a condition of authorisation. AML and CFT regulations across most jurisdictions require crypto asset service providers to implement controls specifically designed to detect and prevent transactions that may be linked to fraud, including internal procedures and employee due diligence. The FCA's guidance for UK-registered cryptoasset businesses similarly addresses financial crime controls as a core supervisory expectation.
