How 76.5% Of Fraudulent Crypto Transactions Are Carried Out By KYC-Verified Accounts

By Alex Zeltcer, Co-Founder & CEO of nSure.ai

Anti-money laundering (AML) measures, such as Know Your Customer (KYC), that crypto operators are also required to follow have been a boon for fraudsters who know where the loopholes are in this legislation. The fact is, however, that over 75% of all fraudulent activity comes from KYC-verified accounts. That statistic should serve as a clear warning to any organization still relying on it as the sole way to verify transactions.

Three decades ago, in the early 90s, organized criminal organizations, drug cartels, and various illegal actors needed ways to enter their illegally-obtained cash into federal fiat-currency financial systems legally. The simplest way was to open various accounts under multiple names and have one designated operator orchestrate the full operation. To make this significantly more difficult, the US government introduced Know Your Customer (KYC) regulations– a failsafe to ensure that the person a banker was speaking with was who they claimed to be. In practice, new banking customers had to present various documents, set forth by their local regulatory body, to open an account in their own name. In addition, it made it difficult for fraudsters using forged documentation to go from bank to bank physically. 

Then, in parallel to the growth of the dark web, came digital banking—this new way to transfer funds allowed black markets to operate freely and anonymously around the globe.

KYC manipulation flourishes underground

Cryptocurrency organizations, including their marketplaces and trading platforms, are designated as Money Service Businesses (MSB) by the US government. FinCEN defines MSBs as any person in a list of money services, including “currency dealer or exchanger,” with an activity threshold of greater than $1,000 per person per day. KYC, along with Customer Due Diligence (CDD), help MSBs prevent financial crimes.

Despite the safeguards, identity verification does not work as well in the digital era.  Manipulation of it takes place primarily in two ways:

1. Through fraudsters scouting for targets in small networks of users in the dark web who are seeking “quick cash” and 

2. Through the purchase of an actual KYC-verified account list on the dark web, that likely also includes individuals unaware that their account (perhaps through social engineering) has been hijacked.

Potentially, any account, once it earns KYC verification, can easily sell the account credentials to buyers around the world. Based on various factors, one of these accounts can be worth between $50 to $150. 

The fraudster then leverages the legitimacy of the KYC verification to make another transaction. With each transaction, it achieves more legitimacy, and of course, more profit for the fraudster until the fraud is discovered and shut down. For the account holder who was manipulated and was unaware of the takeover, there is a surprising discovery of credit card charges which, of course, will be disputed and charged back. Similarly, the “crypto mules'' will pretend they were unaware of a takeover and do the same. In either scenario, the result is the issuing FIAT bank will withdraw the funds from the merchant, who in this case is the cryptocurrency exchange, and will pay back the account holders (i.e., both the legitimate and illegitimate ones). Below are some examples of how these accounts get solicited on the dark web.

How KYC-verified accounts create fraud

In a globally connected world, where decentralized tokens allow for rapid international financial transactions, criminals and fraudsters have recognized ample opportunity to sell illegal goods to a global audience. 

These fraudsters play off two key factors:

1. The ease of opening accounts and wallets online, instead of physically traveling to bank branches, makes this illegal act scaleable.

2. Not only do they never need to meet a banking representative face to face, but they also don’t need to be in the same country. It is cost-effective, and they can spoof an IP address as an alibi. If they are ever questioned, they can say it wasn’t them, and their information was stolen. While their account may be automatically closed, their name remains clean.

Harsh realities

76.5% of payment fraud in crypto is carried out by KYC-verified accounts. 

This harsh reality requires these cryptocurrency marketplaces not only to regulate transactions and ensure their platform operates appropriately for users and regulators, but also forces them to become risk analysts. Without being able to fully trust any account, friction is added to all users, potentially pushing account holders to another crypto platform, should they be forced to jump through too many hurdles. This is very costly to any business. Our own data shows a 25% abandon rate when there is friction from KYC requirements. A more formal study of 1,000 consumers, identifies a risk to as many as 96% of customers when friction or bad service is at play. 

Ultimately, KYC is a regulation, so financial institutions need to comply– but that doesn’t mean it’s sufficient protection. As noted earlier, KYC should never be the sole measure of defense against fraud. 

This double blow of losing tokens to fraudsters and losing customers due to friction is forcing crypto organizations to bear the brunt of a deeply unbalanced ecosystem through lost sales and painful credit card chargebacks. 

The FTX fallout has subjected the crypto industry to significant trust challenges. As fraudsters continue to exploit the nature of their digital advantages, the protections from them cause friction while the crimes by them inflict loss. How can they fight back to ensure the much-needed trust from customers they desperately seek?

Recovering Customer Trust

The trust cryptocurrency organizations put in KYC-verified accounts can quickly backfire if they don't have other security solutions surrounding them. Whenever a business is declining, for example, 20% of its total traffic because of fraud concerns, it's a red flag that revenue will be lost. Unless the right mechanisms are in place to quickly call out what is actual fraud in that group, they'll miss out on optimizing for the actual fraud -- which is likely only 2% (not 20%) of that traffic.

No business, much less one that is in a challenging industry with a large spotlight on trust, wants to get hit with high chargeback costs or worse, shut out of 18% of revenue. The good news is that, whether KYC-verified or not, digital AI-powered behavioral analytics not only prevents fraud but also ensures results that deliver incremental revenue to the business. Recent leaps in machine learning technology allow organizations of all sizes to access AI-driven systems that identify scalable fraud in real-time and make it very difficult for fraudsters to return. By creating a space that is unwelcome for fraudsters and one that confidently approves real customers, companies can not only avoid chargebacks but also boost approval rates to as high as 95%. More customers mean more revenue, and less fraud means more trust.