What Banks Get Wrong About Identity: Threat Models Wallet Providers Must Avoid
Translate PYMNTS/Trulioo findings into custody threat models and concrete mitigations for wallet providers. Continuous identity and device attestation are critical.
Hook: Why your identity stack may be the weakest link in custody
Banks say their identity defenses are strong — but industry research from PYMNTS and Trulioo in January 2026 shows firms routinely overestimate how well they stop bots, agents, and synthetic accounts. If banks get this wrong at scale, crypto custodians and wallet providers should assume attackers already have a playbook to exploit similar gaps. For technology teams building custody systems, the result is clear: identity assumptions are a material risk to asset safety, compliance, and user trust.
Executive summary — the bottom line for custodians and wallet teams
Key takeaways pulled from PYMNTS/Trulioo and translated for custody operators:
- Identity defenses are single-point failures: Overreliance on KYC/IDV checks at onboarding fails against bot and agent networks.
- Bots and human-agent hybrids are the new normal: Automated account creation, coordinated mule networks, and synthetic identity attacks bypass “good enough” KYC flows.
- Continuous identity and device assurance is required: One-time KYC or device checks are insufficient for custody; continuous, layered controls are essential.
- Actionable change is possible: Implement risk engines, device attestation, MPC/HSM custody, and robust logging to close the gaps banks miss.
Why the PYMNTS/Trulioo findings matter to crypto custody in 2026
In 2026 the attack surface is broader and tools are cheaper. Since late 2024 and through 2025, adversaries adopted LLM-powered automation and commodity human-in-the-loop marketplaces to create convincing synthetic identities and defeat liveness checks. PYMNTS/Trulioo quantify the financial scale for banks — roughly a $34B annual overestimation in identity effectiveness — but the structural lessons are what matter for custodians:
- Identity systems are probabilistic, not binary. Mistaking a high pass rate for low risk increases exposure.
- Attackers target the weakest link: onboarding, API rate limits, device attestation, and customer support flows.
- Compliance controls (KYC) must be calibrated to custody-specific risks (high-value, irreversible transfers, cross-chain activity).
Concrete threat models custodians must add to their threat registry
Below are threat models distilled from the PYMNTS/Trulioo research and focused on custody risks. Treat each as actionable: assign ownership, detection metrics, and incident playbooks.
1. Automated account creation and sybil farming (Bots)
Adversary capability: large-scale headless browser farms and LLM-driven agents create accounts, pass low-bar IDV, and collude to game token distribution or marketplaces.
Impact: asset dilution, credential stuffing, KYC failure cascades, supply-chain attacks on airdrops and whitelist mechanisms.
2. Human-agent assisted synthetic identity attacks
Adversary capability: mix of fake documents generated by deepfakes, synthetic PII stitched from breached data, and task-rented humans to pass liveness checks.
Impact: unauthorized wallet control, regulatory AML red flags missed, and creation of mule chains to launder assets.
3. Device attestation evasion and session hijack
Adversary capability: device farm spoofing, compromised devices, stolen session tokens, or altered user agents to pretend to be a legitimate device.
Impact: remote signing of transactions, seed export requests, and bypassed multi-factor flows if device-bound context is not enforced.
4. Customer support and social engineering abuse
Adversary capability: use of voice deepfakes, social engineering, and support-channel automation to reset access or request key recovery operations.
Impact: direct fund theft or privileged operation misuse through support escalations.
5. API abuse, credential stuffing, and third-party integration compromise
Adversary capability: stolen API keys, compromised dApp integrations, or abused OAuth flows used to invoke custody-sensitive operations.
Impact: wormable compromise across integrated services, mass-transaction signing, and cross-chain loss propagation.
Mitigations: layered controls custodians must implement now
Banks over-rely on identity gates; custodians must build a layered, continuous defense tailored to custody's higher risk profile. Below are prioritized mitigations with technical specifics for engineering teams.
1. Adaptive IDV and KYC with real-time risk scoring
- Move from a pass/fail KYC model to an adaptive flow: escalate checks based on risk signals rather than a one-time verdict.
- Integrate signals: device attestation, geolocation consistency, behavioral biometrics, velocity, and relationship graphs.
- Implement a risk engine that outputs continuous risk scores (0–1000). Use threshold policies to gate sensitive operations like high-value withdrawals or cross-chain transfers.
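As an added example (written for this article, not code from the PYMNTS/Trulioo research or any vendor SDK), here is a minimal continuous risk engine that fuses the signals listed above into a 0–1000 score and maps it to an enforcement decision per operation. It also has the shape of the risk-based challenge API described under Developer guidance below (allow, require WebAuthn, escalate to KYC). The signal names, weights, operation types and threshold bands are assumptions chosen for the demo.

```python
# Added example: a minimal continuous risk engine of the kind this section
# describes. Illustrative code written for this article, not the
# PYMNTS/Trulioo research's or any vendor's SDK; signal names, weights,
# operation types and thresholds are assumptions chosen for the demo.
from dataclasses import dataclass


@dataclass
class Signals:
    attested: bool                # device passed platform/hardware attestation
    geo_consistent: bool          # current geolocation agrees with recent history
    velocity_per_hour: int        # sensitive actions by this account in the last hour
    behavior_score: float         # 0.0 (bot-like) .. 1.0 (human-like) from behavioral biometrics
    linked_flagged_accounts: int  # relationship-graph edges to accounts already flagged


# Maximum risk points each signal can contribute; the weights sum to 1000.
WEIGHTS = {"attested": 300, "geo": 150, "velocity": 200, "behavior": 200, "graph": 150}

# Per-operation score bands (score < bound => that decision). Anything above the
# last band is denied and routed to human review. Irreversible, high-value
# operations get tighter bands than low-value ones.
POLICY = {
    "low_value_transfer":    {"allow": 400, "require_webauthn": 700, "escalate_to_kyc": 900},
    "high_value_withdrawal": {"allow": 150, "require_webauthn": 400, "escalate_to_kyc": 700},
    "cross_chain_transfer":  {"allow": 100, "require_webauthn": 350, "escalate_to_kyc": 650},
}


def risk_score(s: Signals) -> int:
    """Fuse the signals into a 0-1000 score (higher = riskier)."""
    score = 0 if s.attested else WEIGHTS["attested"]
    score += 0 if s.geo_consistent else WEIGHTS["geo"]
    # Velocity saturates at 10 actions/hour; integer arithmetic avoids float drift.
    score += WEIGHTS["velocity"] * min(s.velocity_per_hour, 10) // 10
    behavior = max(0.0, min(1.0, s.behavior_score))
    score += int(WEIGHTS["behavior"] * (1.0 - behavior))
    # Graph linkage saturates at 3 flagged neighbours.
    score += WEIGHTS["graph"] * min(s.linked_flagged_accounts, 3) // 3
    return max(0, min(1000, score))


def decide(operation: str, s: Signals) -> tuple[str, int]:
    """Map the live score to an enforcement decision for one operation.

    Call this at every sensitive step, not only at onboarding: the same account
    can be 'allow' for a small transfer and 'escalate_to_kyc' for a withdrawal a
    minute later once its device or graph signals change.
    """
    score = risk_score(s)
    bands = POLICY[operation]
    for decision in ("allow", "require_webauthn", "escalate_to_kyc"):
        if score < bands[decision]:
            return decision, score
    return "deny_and_review", score


if __name__ == "__main__":
    clean = Signals(True, True, 1, 0.95, 0)
    farm = Signals(False, False, 10, 0.25, 1)
    for op in POLICY:
        print(op, decide(op, clean), decide(op, farm))
```

The point of the per-operation bands is that the same score means different things for different actions: an unattested but otherwise clean session (score 300 under these weights) is still allowed a low-value transfer but must complete WebAuthn before a high-value withdrawal.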
2. Upgrade device and key attestation
- Enforce WebAuthn / FIDO2 for account access and sensitive confirmations. Require platform or roaming authenticators tied to key material.
- Use mobile platform attestation (Android Play Integrity, which replaced SafetyNet, and Apple DeviceCheck) plus cryptographic attestation for hardware-backed keys.
- Bind session tokens to attested device contexts and refresh on suspicious changes (IP jumps, user agent drift).
3. Harden custody with MPC, HSMs, and threshold signing
- Prefer multi-party computation (MPC) or threshold signatures rather than single-device seed exports. They remove the single point of failure that a KYC bypass would otherwise exploit.
- Use cloud HSMs or dedicated enclave services (AWS Nitro Enclaves, Google Confidential VMs) for signing critical operations and key material custody.
- Design recovery workflows that require multi-channel, multi-party attestation (e.g., device + operator + regulatory proof) to reduce social engineering risk.
4. Continuous behavioral and transaction monitoring
- Monitor for anomalous transaction patterns: unusual gas fees, rapid cross-chain swaps, or sudden change in counterparty addresses.
- Ingest on-chain signals: address reputation, clustering analytics, and known-mixers lists (updated continuously).
- Automate interim controls: time-locks, spend caps, and challenge-responses when suspicious activity is detected.
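The following is an added example, written for this article rather than taken from the page or any monitoring product, of rule-based continuous monitoring over a constructed batch of custody transaction events. It emits the interim controls this section names (challenge, spend-cap hold, time-lock, freeze) for the patterns listed above: a large payment to a new counterparty, rapid cross-chain hopping, a known-mixer destination, and a gas-price spike relative to the account's own history. The addresses, thresholds and the mixer list are constructed placeholders; a real deployment would pull address reputation and mixer lists from a continuously updated feed.

```python
# Added example: rule-based continuous monitoring over a constructed batch of
# custody transaction events, emitting the interim controls this section names
# (challenge, spend cap, time-lock, freeze). Illustrative code written for this
# article, not the page's own tooling; addresses, thresholds and the mixer list
# are constructed placeholders.
from collections import defaultdict, deque
from statistics import median

KNOWN_MIXERS = {"0xMIXER_PLACEHOLDER"}   # constructed placeholder entry
DAILY_SPEND_CAP = 25_000                 # value units an account may move per day without a hold
NEW_COUNTERPARTY_STEP_UP = 5_000         # first payment to a new address above this triggers a challenge
CROSS_CHAIN_WINDOW = 600                 # seconds
CROSS_CHAIN_MAX = 3                      # bridge hops allowed inside the window
GAS_MULTIPLE = 5.0                       # gas price > 5x the account's median so far is anomalous

# Constructed events: (timestamp, account, to_address, amount, chain_from, chain_to, gas_price)
EVENTS = [
    (1000, "acct-1", "0xAAA", 2_000, "eth", "eth", 30),
    (1200, "acct-1", "0xAAA", 1_500, "eth", "eth", 32),
    (1300, "acct-1", "0xBBB", 30_000, "eth", "eth", 31),  # new counterparty and over the cap
    (1400, "acct-2", "0xCCC", 100, "eth", "arb", 30),
    (1450, "acct-2", "0xDDD", 100, "arb", "op", 30),
    (1500, "acct-2", "0xEEE", 100, "op", "base", 30),
    (1550, "acct-2", "0xFFF", 100, "base", "eth", 30),   # fourth bridge hop in 150 s
    (1600, "acct-3", "0xMIXER_PLACEHOLDER", 500, "eth", "eth", 30),
    (1700, "acct-1", "0xAAA", 100, "eth", "eth", 400),   # gas price spike
]


def evaluate(events):
    """Return one sorted list of interim controls per event (empty list = allow)."""
    seen = defaultdict(set)        # account -> counterparties already paid
    spent = defaultdict(int)       # account -> value executed so far today
    hops = defaultdict(deque)      # account -> timestamps of recent cross-chain hops
    gas_hist = defaultdict(list)   # account -> gas prices of executed transactions
    decisions = []
    for ts, acct, to, amount, chain_from, chain_to, gas in events:
        actions = set()
        if to in KNOWN_MIXERS:
            actions.add("freeze")
        if to not in seen[acct] and amount > NEW_COUNTERPARTY_STEP_UP:
            actions.add("challenge")            # step-up auth for a new, large payee
        if spent[acct] + amount > DAILY_SPEND_CAP:
            actions.add("spend_cap_hold")
        if chain_from != chain_to:
            window = hops[acct]
            window.append(ts)
            while window and ts - window[0] > CROSS_CHAIN_WINDOW:
                window.popleft()
            if len(window) > CROSS_CHAIN_MAX:
                actions.add("time_lock")        # rapid chain-hopping: delay and review
        if gas_hist[acct] and gas > GAS_MULTIPLE * median(gas_hist[acct]):
            actions.add("challenge")            # fee anomaly relative to the account's own history
        if not actions:                         # only executed transactions count toward caps and history
            seen[acct].add(to)
            spent[acct] += amount
            gas_hist[acct].append(gas)
        decisions.append(sorted(actions))
    return decisions


if __name__ == "__main__":
    for event, controls in zip(EVENTS, evaluate(EVENTS)):
        print(event[0], event[1], controls or ["allow"])
```

Held transactions deliberately do not update the spend or gas history, so an attacker cannot "train" the baseline with transactions that were never executed; the per-account median keeps the gas rule relative to each account's own behaviour rather than a global constant.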
5. Strengthen anti-bot and anti-agent systems
- Deploy bot-detection that includes ML models trained on device telemetry, timing patterns, and challenge success rates — not just CAPTCHAs.
- Block or flag headless browsers and automated flows at the API gateway. Use progressive challenges and friction for high-risk flows.
- Implement fraud telemetry sharing with exchanges and marketplaces to identify cross-platform bot networks.
6. Secure support channels and recovery paths
- Require cryptographic proof of control before performing custodial operations via support. Replace knowledge-based steps with device-based or verifiable credentials.
- Use multi-factor verification across out-of-band channels and log all escalation actions for audit and dispute resolution.
- Maintain a human review queue for high-value recovery requests and apply strict SLA-backed decision gates.
Detection & response playbook — implementable steps
- Define assets and attack surfaces: keys, signers, API keys, support tooling, and auth sessions.
- Map adversary profiles: automated bot farms, human-agent mule groups, supply-chain attackers.
- Instrument telemetry: collect device attestation results, WebAuthn assertions, session IPs, gas patterns, and on-chain address clusters.
- Create playbooks: automated containment (freeze), manual investigation checklist, and escalation matrix to legal/compliance.
- Run purple-team exercises simulating the top three threat models every quarter and tune thresholds based on false-positive/negative analysis.
Developer guidance: building identity-resilient flows
Practical engineering patterns teams can implement in 30–90 days.
- Implement short-lived, device-bound access tokens with attestation claims included in the token payload. Reject tokens when attestation refresh fails.
- Use a risk-based challenge API: submit device+behavior telemetry, receive an enforcement decision (allow, require WebAuthn, escalate to KYC).
- Provide a non-destructive transaction staging mechanism: transactions over a threshold are staged, signed, and held for a defined cooldown pending additional attestation.
- Design SDKs for dApps to forward risk signals and preserve attestation claims — stop treating custody as a black box.
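As an added example covering the first and third patterns above (short-lived device-bound tokens with attestation claims, and non-destructive transaction staging with a cooldown), here is illustrative code written for this article; it is not the page's or any wallet provider's SDK. The token format (HMAC-sealed JSON claims), the assumed attestation verdict shape, the TTL, threshold and cooldown constants, and the demo key are all assumptions; in production the key would live in a KMS/HSM and the verdict would come from the platform attestation service.

```python
# Added example: short-lived, device-bound access tokens that carry the hash
# of the latest attestation verdict, plus a staging queue that holds
# over-threshold transactions for a cooldown and releases them only against a
# fresh attestation from the same device. Illustrative code written for this
# article (not the page's or any provider's SDK); the token format, verdict
# fields, constants and demo key are assumptions.
import base64
import hashlib
import hmac
import json

SERVER_KEY = b"constructed-demo-key"  # assumption: a KMS/HSM-held secret (or an asymmetric signing key) in production
TOKEN_TTL = 300                        # seconds; tokens are short-lived by design
STAGING_THRESHOLD = 10_000             # value above which a transaction is staged rather than signed at once
COOLDOWN = 3_600                       # seconds a staged transaction waits before it can be released


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def attestation_digest(verdict: dict) -> str:
    """Hash of the stable fields of an attestation verdict (assumed shape:
    {"device_id": ..., "integrity_ok": bool, "boot_state": ...}); a verdict
    that changes on refresh therefore changes the digest."""
    return hashlib.sha256(json.dumps(verdict, sort_keys=True).encode()).hexdigest()


def issue_token(user: str, device_id: str, verdict: dict, now: float) -> str:
    claims = {"sub": user, "dev": device_id, "att": attestation_digest(verdict),
              "iat": now, "exp": now + TOKEN_TTL}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token: str, device_id: str, current_verdict, now: float):
    """Return (ok, reason). Rejects expired tokens, tokens presented from another
    device, and tokens whose attestation claim no longer matches the latest
    refresh (or whose refresh failed outright)."""
    parts = token.split(".")
    if len(parts) != 2:
        return False, "malformed"
    body, sig = parts
    expected = _b64(hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return False, "bad_signature"
    claims = json.loads(_unb64(body))
    if now >= claims["exp"]:
        return False, "expired"
    if claims["dev"] != device_id:
        return False, "device_mismatch"
    if not current_verdict or not current_verdict.get("integrity_ok"):
        return False, "attestation_refresh_failed"
    if attestation_digest(current_verdict) != claims["att"]:
        return False, "attestation_changed"
    return True, "ok"


class StagingQueue:
    """Non-destructive staging: large transactions are held, not dropped, and
    need a second attested confirmation from the same device after the cooldown."""

    def __init__(self):
        self.staged = {}

    def submit(self, tx_id, amount, token, device_id, verdict, now):
        ok, reason = verify_token(token, device_id, verdict, now)
        if not ok:
            return "rejected:" + reason
        if amount <= STAGING_THRESHOLD:
            return "signed"
        self.staged[tx_id] = {"amount": amount, "dev": device_id, "release_at": now + COOLDOWN}
        return "staged"

    def release(self, tx_id, device_id, verdict, now):
        tx = self.staged.get(tx_id)
        if tx is None:
            return "unknown"
        if now < tx["release_at"]:
            return "cooldown"
        if device_id != tx["dev"] or not verdict.get("integrity_ok"):
            return "held_for_review"   # device or attestation changed: a human looks before any key is used
        del self.staged[tx_id]
        return "signed"
```

The verification order matters: signature first (so nothing in an unauthenticated body is trusted), then expiry, then device binding, then the live attestation. A staged transaction that comes back from a different device, or with a failed refresh, is parked for review rather than silently dropped, which is what "non-destructive" means here.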
Operational controls and compliance (standards & auditing)
Regulators and auditors now expect continuous control evidence. In 2026, that means immutable logs, verifiable attestation records, and demonstrable risk-driven policies.
- Keep WORM logs of KYC decisions, attestation records, signed transactions, and human review notes.
- Adopt verifiable credentials and DIDs for presenting custody-related attestations in audit scenarios.
- Align policies to NIST identity guidance and to the latest FATF/VASP recommendations (watch for regional updates in late 2025 / early 2026 that expand identity expectations for VASPs).
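The following is an added example (illustrative code written for this article, not the page's own tooling) of the tamper-evident record-keeping the first bullet above asks for: an append-only, hash-chained log of KYC decisions, attestation records, signed-transaction references and reviewer notes, where every entry seals its predecessor's hash so that edits or removals in the middle of the history are detectable. The seal key is a constructed placeholder assumed to live in a KMS/HSM, and the log is assumed to be written to object-locked (WORM) storage with its head hash anchored externally on a schedule.

```python
# Added example: an append-only, hash-chained audit log for KYC decisions,
# attestation records, signed-transaction references and reviewer notes.
# Illustrative code written for this article, not the page's own tooling; the
# seal key is a constructed placeholder (KMS/HSM-held in production) and the
# sample records are constructed.
import hashlib
import hmac
import json

SEAL_KEY = b"constructed-demo-seal-key"   # assumption: per-environment secret held in a KMS/HSM
GENESIS = "0" * 64


def _canonical(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class AuditLog:
    def __init__(self):
        self.entries = []

    def append(self, kind: str, payload: dict) -> str:
        """Seal a new record over (seq, kind, payload, previous hash) and return its hash."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "kind": kind, "payload": payload, "prev": prev}
        sealed = hmac.new(SEAL_KEY, _canonical(body), hashlib.sha256).hexdigest()
        self.entries.append({**body, "hash": sealed})
        return sealed

    def head(self) -> str:
        """Current chain head; anchor this externally (publish/sign it) on a schedule."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self):
        """Return (True, count) if every entry chains to its predecessor and
        carries a valid seal, else (False, index_of_first_bad_entry)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: e[k] for k in ("seq", "kind", "payload", "prev")}
            expected = hmac.new(SEAL_KEY, _canonical(body), hashlib.sha256).hexdigest()
            if e["seq"] != i or e["prev"] != prev or not hmac.compare_digest(e["hash"], expected):
                return False, i
            prev = e["hash"]
        return True, len(self.entries)


def build_demo_log() -> AuditLog:
    """Constructed sample records of the four kinds the text names."""
    log = AuditLog()
    log.append("kyc_decision", {"user": "u-123", "verdict": "pass", "risk": 120})
    log.append("attestation", {"device": "dev-A", "integrity_ok": True})
    log.append("signed_tx", {"tx_id": "tx-42", "amount": 50_000, "signer": "mpc-cluster-1"})
    log.append("review_note", {"tx_id": "tx-42", "reviewer": "ops-7", "note": "approved after callback"})
    return log


if __name__ == "__main__":
    log = build_demo_log()
    print("head:", log.head(), "verify:", log.verify())
```

A chain like this proves integrity of everything up to the head, but not that the head itself is the latest: truncating the tail leaves a valid shorter chain. That is why the head hash has to be anchored outside the log (signed, published, or written to a separately controlled store) and why the underlying storage should be object-locked rather than relying on the chain alone.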
Real-world examples (short case scenarios)
Case 1 — Airdrop sybil attack prevented
Problem: A marketplace suffered a token drain from automated account farms claiming airdrops.
Mitigation: Implemented device attestation gating, adaptive KYC for higher-value claims, and a reputation blacklist shared across partners. Within two weeks, sybil claims dropped 87% and manual review resources were reallocated.
Case 2 — Synthetic identity steals private keys via support channel
Problem: A wallet provider allowed recovery through SMS + email verification. Deepfake audio and fresh synthetic IDs led to successful social-engineering takeovers.
Mitigation: Replaced knowledge-based verification (KBV) and SMS codes with WebAuthn plus verifiable credential checks. Support escalations now require multi-party approval and a signed attestation from the device. No successful takeovers in the next 12 months.
Advanced strategies and future predictions for 2026+
Expect the adversary-defender arms race to continue. Key predictions you should plan for:
- Agent networks will go multi-modal: voice deepfakes + LLM chat + browser automation will form persistent, believable personas. Defenders must fuse multi-channel telemetry.
- Verifiable credentials will become table stakes: DIDs and W3C VCs will be required for robust proofs of identity and consent across custody flows.
- Regulatory convergence on continuous identity: expect FATF-style updates and regional rules that require continuous monitoring for high-value custodians.
- Zero-trust for identity: identity and device claims will be continuously validated using cryptographic proofs rather than static IDs.
Checklist: What to prioritize this quarter
- Deploy device attestation and enforce WebAuthn for all critical actions.
- Build a risk engine that ties KYC, device, and transaction signals into live policies.
- Migrate sensitive signing to MPC/HSM-backed flows and eliminate seed export options.
- Harden support workflows; remove knowledge-based recovery paths and require multi-party verification.
- Run quarterly adversary simulations focusing on bot/agent and synthetic identity scenarios.
"Good enough verification is not good enough where keys are irreversible and value is immediate." — Operational takeaway from PYMNTS/Trulioo for custody teams in 2026
Actionable next steps for engineering and risk teams
Start with a 30-day sprint: instrument attestation telemetry, deploy short-lived device-bound tokens, and set conservative thresholds for staged withdrawals. In 90 days, integrate an adaptive IDV provider, implement preliminary MPC signing, and run targeted purple-team tests simulating advanced agent attacks.
Closing: why identity is the new perimeter for custodians
PYMNTS and Trulioo exposed a systemic overconfidence in identity defenses across finance. For crypto custodians and wallet providers, that overconfidence translates directly to risk: irreversible asset loss, regulatory exposure, and brand damage. The solution is not a single vendor or a bigger CAPTCHA — it's a layered, continuously validated identity architecture that combines cryptographic attestation, adaptive IDV, hardened signing, and operational rigor.
Call to action
If you manage custody, start your threat-modeling sprint this week. Download our practical threat-model checklist and implementation playbooks or contact our security team to run a purple-team simulation tailored to your product. Don't wait for a breach to learn how banks got it wrong — fix identity before attackers exploit it.
Contributor
Senior editor and content strategist. Writing about technology, design, and the future of digital media. Follow along for deep dives into the industry's moving parts.