The uncomfortable truth in crypto security is that the single largest loss vector isn’t attackers outside the building. It’s the people inside it. If you run a token-issuing company with more than twenty staff, you have an insider-threat programme whether you know it or not.
The three patterns
- Information leak – an employee copies customer lists, trade flows, or wallet topology to a personal drive before departure.
- Direct action – an employee (or a bribed employee) facilitates a physical intrusion, hands over access credentials, or steers an audit.
- Coerced employee – an employee is threatened from outside and complies with the external actor.
Practical mitigations
- Two-person control on all material wallet access – not just multi-sig keys but physical access to cold-storage vaults.
- Background checks that actually check. In the UAE this means verifying through the partner network, not relying on self-attested history.
- Termination protocols that happen before the announcement, not after.
- A whistleblower channel that’s actually anonymous and actually monitored.
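The first mitigation, two-person control on material wallet access, is only as good as the rule engine that enforces it. Below is an added illustration, not code from the original post or from any particular custody product, of the checks such an engine needs: approvers must come from an authorised set, the requester can never approve their own request, the same person cannot count twice, and approvals expire so a stale approval cannot be combined with a fresh one later. The approver names, the vault identifier and the fifteen-minute window are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed policy value for the example: an approval is only
# usable for this long, so two approvals must be close together.
APPROVAL_WINDOW = timedelta(minutes=15)


@dataclass
class AccessRequest:
    """One request to open a material wallet resource (e.g. a cold-storage vault)."""
    request_id: str
    requester: str
    resource: str
    created_at: datetime
    approvals: dict = field(default_factory=dict)  # approver -> approval time


class TwoPersonControl:
    """Enforces M-of-N approval (default 2) by distinct, authorised, non-requesting approvers."""

    def __init__(self, approvers, required=2):
        self.approvers = set(approvers)   # people allowed to approve at all
        self.required = required          # how many distinct approvals are needed
        self.requests = {}
        self.audit_log = []               # every decision, granted or refused, is recorded

    def _log(self, when, event, request_id, actor, detail=""):
        self.audit_log.append((when, event, request_id, actor, detail))

    def request_access(self, request_id, requester, resource, now):
        req = AccessRequest(request_id, requester, resource, now)
        self.requests[request_id] = req
        self._log(now, "REQUEST", request_id, requester, resource)
        return req

    def approve(self, request_id, approver, now):
        """Record an approval; returns True only if it counts towards the quorum."""
        req = self.requests[request_id]
        if approver not in self.approvers:
            self._log(now, "REFUSED", request_id, approver, "not an authorised approver")
            return False
        if approver == req.requester:
            self._log(now, "REFUSED", request_id, approver, "self-approval")
            return False
        if approver in req.approvals:
            self._log(now, "REFUSED", request_id, approver, "duplicate approval")
            return False
        if now - req.created_at > APPROVAL_WINDOW:
            self._log(now, "REFUSED", request_id, approver, "request expired")
            return False
        req.approvals[approver] = now
        self._log(now, "APPROVED", request_id, approver)
        return True

    def is_granted(self, request_id, now):
        """Access is granted only while enough distinct approvals are still within the window."""
        req = self.requests[request_id]
        live = [a for a, t in req.approvals.items() if now - t <= APPROVAL_WINDOW]
        return len(live) >= self.required


def demo():
    # Constructed walk-through: alice requests vault access, bob and carol approve.
    ctl = TwoPersonControl(["alice", "bob", "carol"])
    t0 = datetime(2025, 1, 1, 9, 0)
    ctl.request_access("r1", "alice", "cold-vault-1", t0)
    ctl.approve("r1", "alice", t0)                         # refused: self-approval
    ctl.approve("r1", "bob", t0 + timedelta(minutes=1))    # first valid approval
    ctl.approve("r1", "bob", t0 + timedelta(minutes=2))    # refused: same person twice
    ctl.approve("r1", "carol", t0 + timedelta(minutes=3))  # second valid approval
    return ctl.is_granted("r1", t0 + timedelta(minutes=4))


if __name__ == "__main__":
    print("granted:", demo())
    # → granted: True
```

The audit log is deliberately written on refusals as well as approvals: a pattern of self-approval attempts or of the same person trying to approve twice is itself an insider-threat signal worth routing to whoever monitors the whistleblower channel and access reviews.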
The family angle
Several 2025 insider incidents involved the family members of employees being approached externally. Any serious programme includes a family briefing for senior engineers and finance staff: what to do if approached, who to tell, and the promise that reporting will never be held against them.
Insider-threat programmes are uncomfortable to design and more uncomfortable to operate. That’s exactly why external advisors tend to run them better than internal teams.
