The Grinex disclosure landed Wednesday morning. By Wednesday afternoon, the same five-step chain that explained Bybit’s $1.5B February loss explained Grinex’s $13M April loss. By Thursday, three other 2025 incidents fit the same template. The pattern isn’t a Grinex problem. It’s a sector problem with a Grinex example.
Here’s the chain, compressed:
- Step 1. A real, KYC-verified user signs into the exchange. The user is who they say they are.
- Step 2. The credentials, session, or device get compromised — phishing, malware, social engineering. The user is no longer who’s at the keyboard.
- Step 3. The attacker initiates a withdrawal. The exchange checks: is the session valid? Yes. Is the API key authorized? Yes. Did the user complete KYC? Yes.
- Step 4. The withdrawal completes. Funds leave the platform.
- Step 5. The post-mortem says the attack was “sophisticated.” What it actually was: a user authentication system asked the wrong question at the wrong time.
The wrong question, at the wrong time.
Every authentication check in steps 3–4 is asking "did this person sign up here?" The session, the API key and the KYC record are all state that was set when the credential was issued, not evidence about who is holding it now. None of them are asking "is this person here, right now, at the keyboard, intending to send $50K?" The first question was answered six months ago. The second question, at the moment money moves, is the one that matters, and almost no exchange asks it.
The withdrawal moment is the most expensive moment in fintech. Every other dollar in the company exists to make that moment safe. Almost no architecture asks anything at that moment.
This is not a wallet-security problem. It’s not a hot/cold storage problem. It’s not a multi-sig problem. Those defenses all matter, and Grinex (per the disclosure) had them. The defenses were not bypassed at the wallet layer. They were never invoked, because at the moment the withdrawal started, the system had no reason to think the user was anyone other than the user.
What re-verification looks like.
Re-verification is the missing layer. At the moment a withdrawal exceeds a threshold (or a wire goes out, or a high-value trade is initiated), the platform stops, opens the camera, asks the user to look at it, runs a face match against the embedding stored at enrollment, runs liveness and anti-spoof scoring, and returns a signed JWT carrying the decision, pass or fail. The whole step adds 292 milliseconds to the median flow. The whole step changes the answer to "is this person here?" from inferred to verified.
```python
# What it looks like in code — drop-in
from lorica import Client  # assumed import path; the page names the SDK class only as Client

client = Client(api_key="lorica-prod-...")
# One call per sensitive action: face match against the enrollment embedding,
# liveness and anti-spoof scoring, and a signed JWT that records the decision.
result = client.verify(user_id, action="withdrawal")
if result.match and result.liveness_score > 0.9:
    proceed_with_withdrawal(result.jwt)  # integrator's own handler; the JWT travels with the withdrawal for audit
else:
    queue_for_review(result.jwt)         # integrator's own handler; a failing JWT is still the record of the attempt
```
The JWT is the auditable artifact. Insurance carriers can verify that the decision was made, what scored what, and when, without ever seeing the user's face: the token carries scores and a signature, not the biometric. Two things follow for the integrator. The service that actually releases funds should verify the token's signature and expiry itself rather than trust an in-memory `result.match`, and the token's claims should bind it to this user, this action and this amount, so that a pass obtained for one withdrawal cannot be presented again for a later one. That auditability is the part that matters to underwriters, who are increasingly the ones writing the check.
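The step-up flow described above and the decision token it returns, as an added example; this is not the vendor's SDK and not any exchange's code. The vendor call is replaced by `simulated_reverify`, which takes constructed face-similarity and liveness scores, and the names `gate_withdrawal`, `verify_decision_jwt`, `audit_claims`, the $10,000 threshold, the 120-second token lifetime and HS256 signing are all assumptions, not details from the page. It goes one step beyond the snippet: the pass token is bound to the user, action, amount and withdrawal id, expires, and is single-use, so a pass for one withdrawal cannot release another.

```python
"""Withdrawal gate with step-up re-verification and a signed decision token.

Added example, not the vendor SDK or any exchange's code. The biometric call is
simulated with constructed scores, and the token is an HS256 JWT (HMAC-SHA256
over base64url(header).base64url(claims)) because the page does not say which
signature algorithm the real service uses."""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
from typing import Optional

REVERIFY_THRESHOLD_USD = 10_000   # assumed design lever; the page gives no number
LIVENESS_MIN = 0.9                # the cutoff used in the page's snippet
TOKEN_TTL_SECONDS = 120           # assumed: a pass decision is only good for this long
_seen_jti: set = set()            # single use: one decision releases one withdrawal


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_decision_jwt(key: bytes, claims: dict) -> str:
    """Sign the decision. Only scores and bindings go in; no image, no embedding."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_decision_jwt(key: bytes, token: str, *, user_id: str, action: str,
                        amount_usd: int, withdrawal_id: str, now: float) -> dict:
    """Return the claims only if the token is authentic, unexpired, unused and bound
    to exactly this user, action, amount and withdrawal id; raise ValueError otherwise."""
    try:
        header, body, sig = token.split(".")
        sig_bytes = _b64url_decode(sig)
    except (ValueError, binascii.Error):
        raise ValueError("malformed token")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig_bytes):      # check the MAC before trusting any claim
        raise ValueError("bad signature")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    claims = json.loads(_b64url_decode(body))
    if claims["exp"] < now:
        raise ValueError("expired")
    if (claims["sub"], claims["act"], claims["amt"], claims["wid"]) != (user_id, action, amount_usd, withdrawal_id):
        raise ValueError("token not bound to this withdrawal")
    if claims["jti"] in _seen_jti:
        raise ValueError("token already used")
    _seen_jti.add(claims["jti"])
    return claims


def simulated_reverify(key: bytes, *, user_id: str, amount_usd: int, withdrawal_id: str,
                       face_similarity: float, liveness_score: float, now: float) -> str:
    """Stand-in for the vendor's verify(user_id, action=...) call. Both scores are
    constructed inputs, not the output of a real face matcher or liveness model."""
    claims = {
        "iss": "reverify-demo", "sub": user_id, "act": "withdrawal",
        "amt": amount_usd, "wid": withdrawal_id,
        "match": face_similarity >= 0.8,                 # assumed match cutoff for the demo
        "similarity": face_similarity, "liveness": liveness_score,
        "iat": int(now), "exp": int(now) + TOKEN_TTL_SECONDS,
        "jti": secrets.token_hex(8),
    }
    return mint_decision_jwt(key, claims)


def gate_withdrawal(key: bytes, *, user_id: str, amount_usd: int, withdrawal_id: str,
                    token: Optional[str], now: float) -> str:
    """The decision at the moment money moves: 'release', 'reverify' (stop, open the
    camera, ask the user to look at it) or 'review' (hold for a human)."""
    if amount_usd < REVERIFY_THRESHOLD_USD:
        return "release"                                 # below the lever: session auth is enough
    if token is None:
        return "reverify"                                # is this person here, right now?
    try:
        claims = verify_decision_jwt(key, token, user_id=user_id, action="withdrawal",
                                     amount_usd=amount_usd, withdrawal_id=withdrawal_id, now=now)
    except ValueError:
        return "review"                                  # an unverifiable pass is not a pass
    if claims["match"] and claims["liveness"] > LIVENESS_MIN:
        return "release"
    return "review"


def audit_claims(token: str) -> dict:
    """What a carrier reads afterwards: who, what, how much, what scored what, when.
    Nothing biometric is in the token, so nothing biometric is disclosed."""
    return json.loads(_b64url_decode(token.split(".")[1]))
```

Call `simulated_reverify(...)` where the real SDK call would go and hand the returned token to `gate_withdrawal` from the service that releases funds, with the same key. HS256 is used here only because the standard library has no asymmetric signer; for the audit use the text describes, an asymmetric signature is the better fit, since an underwriter can then check the token with a public key without holding the secret that minted it.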
$3.4 billion stolen from crypto in 2025 — Chainalysis
Why exchanges aren’t shipping this.
Three reasons, in order of frequency:
1. They think it’s a UX problem. “Users won’t tolerate biometric every withdrawal.” In practice, users tolerate biometric for any flow above a threshold — they tolerate it on Apple Pay, they tolerate it on banking apps, they tolerate it on Cash App. The threshold is the design lever.
2. They think regulators don’t require it. Correct: MiCA recommends, NYDFS recommends, neither requires. The forcing function isn’t regulators — it’s insurance underwriters. Evertas, Marsh, and Lloyd’s syndicates are pricing crypto coverage based on whether re-verification exists. That’s the actual lever.
3. They think building it themselves is straightforward. 16 layers — 9 enforcing checks plus 7 anti-spoof scorers covering PRNU, DCT, temporal coherence, injection detection — is six months of in-house work and an ongoing R&D burden. The math doesn’t work compared to integrating an API in a single sitting.
SOURCES — Chainalysis 2025 Crypto Crime Report (Feb 2026). Grinex public post-mortem (Apr 16, 2026). Bybit incident disclosure (Feb 2025). Coinbase 8-K filing (Jan 2025). Kraken security blog: Mar 31 2026 (social engineering, $18.2M) and Apr 13 2026 (insider extortion, no funds moved) — these are separate events.