Most crypto security conversations centre on smart contract audits, key management architecture, and network-level controls. These matter. But the largest individual loss events on record were not caused by a broken cryptographic primitive or an unpatched node. They were caused by people: employees deceived into installing malware, contractors with fabricated identities inserted into engineering teams, and former staff whose residual system knowledge was weaponised months after their departure.
Personnel security is the discipline that addresses this category of risk. It covers the full lifecycle of a person's relationship with your organisation: how you verify them before they join, what controls you apply the moment they are onboarded, how you detect behavioural indicators of insider threat during their tenure, and how completely you eliminate their access and residual risk when they leave. For Web3 firms managing treasury assets, signing keys, or smart contract deployment authority, personnel security is not an HR formality. It is a core risk control.
This guide sets out a practical framework for crypto employee security vetting and insider threat prevention, drawing on confirmed breach cases and the specific threat model that distinguishes crypto and Web3 firms from conventional financial institutions.
The Insider Threat Landscape in Web3 (2026)
The term "insider threat" encompasses a wider range of actors than most security teams plan for. The most commonly discussed variant is the malicious employee: a current staff member who abuses legitimate access for financial gain, ideology, or coercion. Less discussed, but operationally critical, are the infiltrator (an adversary who obtains employment specifically to gain access), the negligent insider (a staff member whose poor security practices create exploitable vulnerabilities), and the former employee whose residual access or knowledge is exploited after departure.
Each of these types has materialised in the Web3 sector with documented, significant losses. The Coinbase data breach disclosed in May 2025 was carried out by contractors with legitimate authorised access who were bribed by external threat actors to exfiltrate customer data. The access was not technically anomalous; it was the abuse of normal, permitted activity. North Korean state-sponsored operatives have systematically obtained employment at blockchain firms using fabricated identities, then used that access to deploy malicious code or steal credentials. And the $625 million Ronin Network breach began with the compromise of a former Sky Mavis employee, demonstrating that the insider threat does not terminate with a resignation letter.
The financial stakes specific to crypto make this threat category more acute than in conventional enterprise environments. A payroll administrator at a traditional bank cannot unilaterally move $100 million. A single compromised signer on a multi-sig wallet, or a developer with deployment authority over a live smart contract, can. The asymmetry between the value at risk and the number of people required to move it is unlike almost any other industry. Personnel security controls must reflect that asymmetry.
State-sponsored threats add a further dimension. North Korea's Lazarus Group and affiliated units have been confirmed by the US, Japan, and South Korea as having stolen over $659 million in cryptocurrency during 2024 alone, with insider infiltration via fake IT workers identified as an active, ongoing campaign. This is not a theoretical risk. It is an operational one that requires a specific response, covered in detail later in this article.
Pre-Employment Vetting for Crypto Roles: What to Check
Standard commercial background checks are not sufficient for crypto roles with access to keys, treasury, or smart contract deployment. A check that verifies a name against a criminal record database confirms only that the name provided is clean. It does not verify that the name is real, that the employment history is accurate, or that the individual is who they claim to be. For Web3 firms, the verification process needs to be layered and role-proportionate.
Identity Verification
Every candidate should provide government-issued photographic identification, verified against their physical or video-verified appearance using a liveness detection process. Document verification tools that authenticate the characteristics of passports, driving licences, and national identity cards against known-good specimens are the minimum standard. For remote hires, a synchronous video verification session with a named interviewer and documented chain of custody is required. Anonymous or pseudonymous hiring is incompatible with personnel security for any role involving privileged access.
Employment History Verification
Candidates should provide a full employment history with dates, role titles, and direct manager contact details. Every listed role should be verified by contacting the employer directly, not through contact details provided by the candidate. Verbal reference checks with named former managers, not just HR departments, provide qualitatively richer information about conduct, access levels, and departure circumstances. Gaps in employment history require explanation and, where possible, corroborating documentation.
Criminal Record and Financial Integrity Checks
Criminal record checks must cover all jurisdictions in which the candidate has resided, not just their current country. For roles with access to treasury or financial systems, a financial integrity check, including credit history review, is appropriate. Financial stress is one of the most reliably documented precursors to insider threat activity. A candidate carrying significant undisclosed debt and placed in a role with unilateral authority over a crypto treasury presents a concentration of risk that a standard criminal record check will not surface.
Global Sanctions and PEP Screening
All candidates should be screened against international sanctions lists, including OFAC, HM Treasury's consolidated list, and the EU consolidated list, as well as politically exposed persons databases. This is particularly relevant for firms with international hiring pipelines and for contractor roles filled through remote freelance platforms.
Proportionality by Role
Not every role requires the same depth of vetting. A useful framework is to classify roles by the potential impact of a compromise. Tier 1 roles (signing key access, treasury authority, smart contract deployment, or privileged infrastructure access) warrant the most intensive vetting. Tier 2 roles (access to internal systems but not directly to keys or funds) warrant standard enhanced vetting. Tier 3 roles (no privileged access) warrant baseline screening. The vetting standard applied to each tier should be documented and consistently enforced, including for contractors, freelancers, and third-party developers with production access.
Crypto-Specific Background Checks: On-Chain History and Identity Verification
Conventional vetting methodologies were not designed with the crypto threat model in mind. Crypto-specific background checks add a layer of due diligence that is unique to the sector and that no general-purpose screening firm will apply unless specifically instructed.
On-Chain Wallet History Review
For any candidate applying for a role with treasury, DeFi, or blockchain development responsibilities, ask them to disclose wallet addresses associated with their professional and personal on-chain activity. Review these addresses for associations with sanctioned entities, mixer usage, involvement in known exploit or rug pull transactions, or patterns consistent with front-running or market manipulation. On-chain history is immutable and publicly auditable: it provides a form of verifiable professional track record that no CV can match. A developer who has interacted with known exploit contracts, or whose wallets received funds routed through Tornado Cash post-OFAC sanctions, has a pattern of on-chain behaviour that warrants serious scrutiny.
This check has a secondary benefit: it begins to establish a baseline of the candidate's known wallets, which can then be monitored continuously post-hire for anomalous activity.
GitHub and Code Repository Review
For developer roles, a thorough review of publicly available code contributions provides insight into capability, coding patterns, and professional history. It can also surface indicators of fabricated identity: North Korean IT workers operating under false identities have been identified in part through inconsistencies between claimed experience and the actual sophistication and age of their public code repositories. A GitHub profile created three months before an application but purporting to represent five years of experience is a material red flag.
Open-Source Intelligence and Social Media Review
A structured open-source intelligence review covers publicly available social media, professional profiles, published writing, forum posts, and community presence. The goal is to corroborate the narrative the candidate has presented: do their publicly available statements and affiliations match the identity and history they have provided? Inconsistencies, sudden account creation dates, or an absence of any verifiable public presence prior to a recent period should be treated as verification failures requiring further investigation.
Identity Consistency Across Platforms
One of the most effective fraud indicators is inconsistency across platforms: a LinkedIn profile, GitHub account, and personal website that do not share consistent biographical detail, that reference different educational institutions for the same period, or that show different physical appearance across video interactions. Structured cross-platform identity corroboration is not standard practice in most HR processes, but for crypto roles it is a material control against infiltration.
Onboarding Access Controls: Least Privilege from Day One
Vetting determines whether a person should be trusted with access. Onboarding controls determine precisely what access they receive, and on what terms. The principle of least privilege is well-understood in theory but poorly implemented in practice at many Web3 firms, particularly those that have grown rapidly and informally.
Effective identity and access management requires that every new hire receives only the permissions required to perform their defined role, granted through a formal access provisioning process with documented approval. No access should be inherited from a previous team member's profile, shared via generic credentials, or granted informally through a Slack message asking someone to add them to a system.
Access Provisioning Checklist
At the point of onboarding, the following should be formally provisioned and documented: single sign-on account creation with multi-factor authentication enrolled before first use; role-based access permissions within internal systems tied to the employee's specific function; hardware security key issuance for any privileged access; and explicit exclusion from any signing authority, key custody, or smart contract deployment access until a defined probationary period has elapsed and a formal access review has taken place.
The probationary period for privileged access deserves emphasis. A new hire should not have unilateral authority over treasury assets or deployment pipelines during an initial period. This is not a reflection of mistrust; it is a structural control that limits the damage a compromised or malicious new hire can cause during the window when monitoring baselines are still being established.
Privileged Access Controls
For roles that ultimately do require privileged access, a dedicated privileged access management framework should govern how that access is granted, used, and audited. Privileged sessions should be logged, time-limited, and require explicit authorisation. No individual should have standing privileged access to production systems: all privileged operations should require a just-in-time access request and dual authorisation where the potential impact is material.
Multi-sig wallet arrangements should be structured so that no single new hire, regardless of seniority, holds a quorum. New signers should be added only after a defined tenure and only through a formal governance process that includes a quorum of existing signers.
Security Briefing and Acceptable Use Policy
Every new hire should complete a structured security induction before accessing any systems. This covers: the firm's acceptable use policy, device security requirements, phishing and social engineering awareness specific to the crypto threat model, reporting obligations for suspected security incidents, and the firm's key handling and custody procedures. Completion should be signed off and retained. A security awareness programme that is integrated into onboarding rather than treated as an annual checkbox exercise produces materially different outcomes.
Ongoing Monitoring: Detecting Insider Threat Indicators
Personnel security does not end at the point of hire. The threat model evolves: a hire who passed vetting may become a risk over time due to financial distress, ideological radicalisation, external coercion, or a change in loyalty. An infiltrator who passed fabricated identity checks may reveal themselves through behavioural anomalies once inside the organisation. Ongoing monitoring is the mechanism for detecting both.
Technical Indicators
Technical monitoring focuses on system and access logs. Indicators worth tracking include: access to systems outside normal working hours or from unusual geographic locations; bulk downloads of code repositories, customer data, or documentation; access to systems beyond the employee's defined role scope; repeated failed access attempts to restricted areas; unusual wallet transaction activity for employees with on-chain visibility into treasury operations; and attempts to disable or circumvent logging and monitoring tools.
These indicators should generate automated alerts reviewed by a security function, not simply logged and forgotten. The value of technical monitoring is in the response, not the collection. Many firms that suffer insider incidents have logs that would have surfaced the threat weeks earlier had anyone been reviewing them.
Behavioural Indicators
Behavioural monitoring is more sensitive but no less important. Indicators that warrant a discreet security review include: sudden and unexplained changes in financial lifestyle; expressed dissatisfaction or grievance following a disciplinary action, redundancy announcement, or compensation dispute; unusual interest in systems or data outside the employee's normal remit; unexplained contacts with competitors or external parties about internal systems; and deteriorating performance paired with significant personal stress indicators.
None of these indicators is individually determinative. They are inputs to a risk assessment process, not grounds for immediate action. The appropriate response to a pattern of indicators is a discreet review, potentially including a welfare conversation, access audit, and escalation to HR and legal counsel depending on findings.
Continuous Re-Vetting
For Tier 1 roles, annual re-vetting is appropriate. This includes a refresh of sanctions screening, a review of on-chain activity associated with disclosed wallets, and a structured line-manager assessment of any behavioural changes. In jurisdictions where permitted, periodic financial integrity checks for employees with treasury authority provide an additional control against the financial stress precursor to insider activity.
Pairing technical and behavioural monitoring with a confidential reporting mechanism, through which colleagues can raise concerns without fear of reprisal, adds a human intelligence layer that automated systems cannot replicate. A colleague who notices that a team member is behaving unusually and has a clear, trusted channel through which to raise that concern is a highly effective early-warning system.
The broader framework for this is a structured security awareness training culture where staff understand that reporting anomalous behaviour is expected and valued, not disloyal.
Offboarding Procedures: Eliminating Residual Access Risk
Offboarding is the most consistently underperformed element of personnel security in the Web3 sector. Firms that have invested in rigorous pre-employment vetting frequently apply almost no systematic control to the departure process, leaving residual access, shared credentials, and institutional knowledge as unmanaged risks.
The Axie Infinity Ronin breach is the defining case study. The compromised individual was no longer employed by Sky Mavis at the time of the attack. The Lazarus Group had made contact months before the breach, obtained information and credential access through a social engineering operation targeting the former employee, and used that residual access to compromise the bridge. The formal employment relationship had ended. The security exposure had not.
"The attacker managed to leverage that access to penetrate Sky Mavis IT infrastructure and gain access to the validator nodes. This employee no longer works at Sky Mavis." The Ronin Network post-mortem confirmed that Lazarus Group compromised a former employee through a fraudulent job offer on LinkedIn, using that residual foothold to execute the largest single crypto theft on record at the time. Insider threats do not end when an employee's contract does.
A comprehensive employee offboarding security process addresses both technical access revocation and the residual risk of knowledge and relationship that persists after departure.
Technical Access Revocation Checklist
On the day of departure, the following must be completed before the individual leaves the building or the working session ends (for remote employees):
- Disable all SSO and directory accounts immediately
- Revoke all API keys, access tokens, and application-specific credentials
- Remove hardware security key registrations from all systems
- Remove the individual from all multi-sig wallet quorums and rotate thresholds if required
- Rotate any shared secrets, passwords, or seed phrase backups the employee had access to
- Revoke VPN certificates and remote access credentials
- Disable cloud infrastructure access (AWS, GCP, Azure roles and policies)
- Remove from all internal communication platforms (Slack, Discord, Telegram)
- Retrieve all company-issued hardware and verify device wipe
- Revoke signing authority and notify any external counterparties of the change
Each step should be documented with a timestamp and the name of the person who completed it. The offboarding checklist should be stored in a system that does not require the departing employee's account to access.
Knowledge Risk Mitigation
Technical access revocation addresses known credentials. It does not address what the individual knows: the architecture of internal systems, the location of backup seed phrases, the identity of key personnel, the security weaknesses they observed during their tenure, or the relationships they formed with counterparties who still trust them. Knowledge risk is managed through a combination of controls: post-departure non-disclosure obligations with clear remedies, key rotation that invalidates the operational value of knowledge about previous credentials, and architecture reviews that identify and remediate any single points of failure that the departing employee was aware of.
For very senior departures or roles with exceptional access, a structured security debrief with legal counsel present is appropriate. This documents what systems and credentials the individual accessed, confirms their obligations under their confidentiality agreement, and creates a formal record of the departure terms.
Post-Departure Monitoring
Following a departure, particularly for involuntary terminations or departures involving disputes, a period of enhanced monitoring of the systems and assets the individual previously accessed is appropriate. This is not permanent surveillance; it is a time-limited heightened alert state during the period when residual access attempts, credential reuse, or social engineering of remaining staff is most likely.
The North Korean IT Worker Threat: Operational Response
The systematic deployment of North Korean operatives as fake remote IT workers represents one of the most specific and well-documented state-sponsored threats to the Web3 sector. In January 2025, the United States, Japan, and South Korea issued a joint advisory confirming that North Korean IT workers had been actively infiltrating blockchain and cryptocurrency firms, with attributed losses exceeding $659 million in 2024 alone. The FBI has issued wanted notices and a $5 million reward for information related to identified operatives.
The operational model is consistent across reported cases. Operatives construct detailed false identities: fabricated names, stolen or synthetic identity documents, convincing GitHub contribution histories, and professional LinkedIn profiles that appear to represent years of legitimate software development experience. They apply for remote developer, security researcher, or IT contractor roles, often through intermediary recruitment platforms that do not conduct robust identity verification. Once hired, they use their access to exfiltrate code, steal credentials, insert malicious logic into production repositories, or gather intelligence for subsequent targeted attacks against the firm.
In more aggressive variants, confirmed from 2024 onwards, operatives who are identified or at risk of discovery have threatened to release stolen proprietary code, leak sensitive employee data, or publish internal vulnerability information unless paid to remain silent. The insider access converts directly into an extortion capability.
Detection Indicators
The following indicators, individually or in combination, should trigger a thorough identity verification review of any candidate or contractor:
- Reluctance or refusal to participate in a synchronous video call with camera enabled
- Request to use third-party devices or virtual machines not under the firm's control
- GitHub or portfolio account created recently relative to claimed years of experience
- Inconsistencies between the timezone of claimed location and actual working hours observed post-hire
- Multiple applications from different apparent identities sharing email infrastructure, IP ranges, or coding style
- Resistance to using firm-issued devices or firm-managed developer environments
- Requests to redirect payment to third-party accounts or cryptocurrency addresses rather than a personal bank account
- Identity documents from jurisdictions with known high rates of document fraud combined with an inability to answer basic cultural or geographic questions about that location
Structural Mitigations
The most effective structural mitigations against this threat are:
Firm-issued and managed devices only. All contractors and employees with production access must work on devices provisioned and managed by the firm, with endpoint detection and response tooling active. This removes the attacker's ability to operate from a malware-pre-loaded personal environment and provides visibility into activity on the device.
Synchronous identity verification with a dedicated security interviewer. Identity verification must include a live video session conducted by a person with specific responsibility for verifying that the face presented matches the identity documents submitted and that the individual can answer biographical questions consistent with their claimed identity.
No unilateral production access for remote contractors without a probationary review. Remote contractors should operate in sandboxed or reviewed environments during an initial period, with code review gates before any contribution reaches production. This limits the damage a successfully infiltrated contractor can cause before detection.
Payment to verified bank accounts in the name of the individual. Requiring payment to a personal bank account in the name of the verified individual, rather than a cryptocurrency wallet or third-party account, forces the operative to either expose their financial identity or decline the engagement.
Cross-checking against threat intelligence feeds. Specialist threat intelligence services maintain indicators of compromise associated with the North Korean IT worker campaign, including known email address patterns, IP ranges associated with proxy infrastructure, and wallet address clusters linked to known operatives. Subscribing to and acting on this intelligence is a direct control.
What to Do If You Suspect an Infiltrator
Do not immediately confront or dismiss the individual. Premature confrontation allows the operative to destroy evidence, exfiltrate remaining data, or activate dormant malicious code. Instead: preserve all access logs and communications, engage a specialist incident response firm with North Korea threat expertise, revoke access through a plausible cover reason if time-critical, and notify relevant law enforcement. In the United Kingdom, this is the National Crime Agency and the National Cyber Security Centre. In the United States, this is the FBI and CISA.
Frequently Asked Questions
What background checks should a crypto firm run before hiring?
At minimum: verified identity check against government-issued documents, employment history verification with direct manager references, global sanctions and PEP screening, criminal record check across all jurisdictions of residence, and an on-chain wallet history review. For roles touching keys or treasury, add a financial integrity check and a dedicated social media open-source intelligence review.
How do North Korean IT workers infiltrate crypto firms?
North Korean operatives use fabricated identities backed by convincing GitHub profiles, forged credentials, and stolen or borrowed personal documentation. They apply as remote freelancers or contractors, often through intermediary recruitment platforms. Once hired, they exfiltrate code, private keys, and credentials, or insert malicious logic into production systems. A joint US-Japan-South Korea advisory confirmed in January 2025 that this tactic has been used across dozens of blockchain firms, with attributed losses exceeding $659 million in 2024 alone.
What is the minimum vetting standard for a crypto developer role?
Identity verification with liveness detection, employment history confirmation with verbal references, global sanctions screening, criminal record check, and an on-chain history review of any wallet addresses the candidate discloses. For privileged roles with access to signing keys or smart contract deployment, a full counter-intelligence-style background review is appropriate, including open-source intelligence and cross-platform identity corroboration.
How should a crypto firm handle access revocation when an employee leaves?
Immediately on departure: disable all SSO accounts, revoke API keys, remove hardware wallet authorisations, rotate any shared credentials or mnemonics the departing employee had access to, and remove them from multi-sig quorums. Conduct an exit interview covering what systems and credentials they accessed. Follow a documented offboarding checklist and retain an audit log. The Axie Infinity Ronin breach demonstrated that residual knowledge of system architecture is itself a risk, even after formal access has been removed.
What ongoing monitoring is appropriate for crypto employees post-hire?
Log all privileged access events and review anomalies weekly. Monitor for unexpected large wallet transactions by employees in financial roles. Conduct annual re-vetting for staff in sensitive roles. Use behavioural analytics to flag unusual access patterns, bulk data downloads, or after-hours activity. Pair technical monitoring with a confidential reporting line so colleagues can raise concerns about behavioural changes that may indicate coercion or financial distress.