Why this argument starts here
People ask why we’re building biometric step-up verification for crypto instead of banking, healthcare, or enterprise SaaS. The honest answer is not that crypto is the biggest market or the easiest sell. The answer is that crypto is the only financial system where a single unauthorized transaction is permanent, irreversible, and unrecoverable. That one property changes every calculation about where verification needs to happen and how strong it needs to be.
This week delivered three case studies that make the argument better than we ever could.
A bank can claw back a wire. A credit-card processor can reverse a charge. A crypto withdrawal is signed, broadcast, and final. There is no “verify twice” because there is no “second time” — the second time, the funds are already gone.
Case 1: Your coworker is a North Korean operative
On April 9, ZachXBT published data exfiltrated from an internal North Korean payment server. The dataset — 390 accounts, complete chat logs, and crypto transaction records — revealed an operation generating approximately $1 million per month. The mechanics are startlingly simple:
// DPRK IT worker infiltration — operational pattern
// (reconstructed from ZachXBT disclosure + Chainalysis data)
//
// PHASE 1: Identity fabrication
// - Real stolen identity (often from LinkedIn data breach)
// - AI-generated headshot (passes automated screening)
// - Fabricated resume with verifiable-looking references
// - VPN endpoint in target country for IP geolocation
// - VOIP number with local area code
//
// PHASE 2: Hiring pipeline
// - Apply to crypto companies (exchanges, custodians, web3)
// - Pass automated resume screening
// - Pass video interview (coached, scripted, sometimes
// using real-time face swap to match stolen identity)
// - Pass background check (the stolen identity is clean)
// - Get hired. Receive employee credentials.
//
// PHASE 3: Access escalation
// - First 2-4 weeks: normal work, build trust
// - Weeks 4-8: request access to internal systems
// - Gradually map wallet infrastructure, signing flows,
// and security controls
//
// PHASE 4: Exfiltration
// - Move funds using legitimate employee access
// - OR: install backdoor for external team to exploit later
// - OR: exfiltrate signing keys for future use
//
// The identity check that could have caught this:
// Every high-risk action requires biometric verification
// against the enrolled face. The operative's real face
// doesn't match the stolen identity they enrolled with.
// Session 1: enrollment (fake face from video interview).
// Session 47: withdrawal attempt → biometric fires →
// the face doesn't match because they've been using
// a different laptop, different lighting, different angle,
// and the deepfake consistency degrades over time.
//
// Or simpler: the operative tries to move funds at 3AM
// Pyongyang time. The biometric fires. Nobody's at the
// laptop. Transaction blocked.The Chainalysis 2025 year-end report confirmed this pattern at scale: North Korean hackers stole $2.02 billion in cryptocurrency in 2025 — a 51% year-over-year increase — and IT worker infiltration was a principal attack vector. DPRK-attributed attacks accounted for 76% of all service compromises that year. The cumulative total through 2025: $3.4B.
- $3.4B — Total crypto stolen by North Korea, cumulative through 2025.
- 76% — Of all service compromises in 2025 attributed to DPRK.
- $1M/mo — Revenue from the IT worker operation ZachXBT exposed.
- 390 — Fake accounts in the exfiltrated DPRK payment server.
The standard defense is better hiring practices. More thorough background checks. Reference verification. Multi-round interviews. These are all reasonable measures. They are also all identity checks that happen once, at the point of hiring, and are never repeated.
That’s the same architectural flaw as onboarding KYC. Verify the person at the door. Never re-verify them at the vault. A North Korean operative who passes the hiring pipeline — or who subverts it with a combination of stolen identity data and real-time deepfake technology — has unrestricted access to internal systems from that point forward. Their fabricated identity was checked once. Their real identity is checked never.
Case 2: The attackers who don’t stop
On April 9, Bybit disclosed that the same group responsible for their $1.4 billion hack in February 2026 — the largest cryptocurrency theft ever recorded — attempted a second attack. The technique was different this time: the attackers tried to hide failed transfers inside successful ones to trick Bybit’s deposit reconciliation system. It’s a technique from the Mt. Gox era, updated for modern exchange architecture. Bybit’s risk control team caught it.
But zoom out. Consider what this tells you about the threat model:
// The Bybit attack timeline — what persistence looks like
// when your adversary is a nation-state
//
// February 2026:
// Attack vector: Supply chain compromise of Safe Wallet
// signing UI — signers saw one transaction, signed another.
// Result: $1.4 billion stolen in minutes.
// Laundered through: Tornado Cash, THORChain, cross-chain
// bridges, mixing services. Funds dispersed across hundreds
// of wallets within hours.
// Recovery: effectively zero.
// Attribution: DPRK (Lazarus Group), confirmed by multiple
// blockchain intelligence firms.
//
// April 2026 (7 weeks later):
// Attack vector: Deposit system manipulation — hiding failed
// transfers inside successful batches to create accounting
// discrepancies.
// Result: caught by risk control. No funds lost.
// What it proves: the attackers are not deterred by
// attribution, law enforcement attention, or the fact
// that blockchain analysts are tracking their wallets.
// They came back. Same target. Different technique.
//
// Why this matters architecturally:
// Perimeter defenses (firewalls, WAFs, network segmentation)
// need to be breached ONCE. The attacker only needs to
// succeed once to move funds. And they will keep trying
// indefinitely because the expected value is positive:
// $1.4B stolen vs. ~$0 in consequences for a state actor.
//
// The only control that matches this persistence:
// one that fires EVERY TIME a high-risk action executes.
// Not once at the perimeter. Every time at the vault.In traditional banking, a second attempt would face institutional shock absorbers. Banks can reverse wires. They have correspondent banking relationships for cross-border fund recovery. They carry insurance. They operate under a regulatory framework where law enforcement can compel asset returns through the judicial system. The February theft would have been partially recoverable.
In crypto, the $1.4 billion is gone. It was bridged across chains, swapped through decentralized exchanges, and dispersed through mixing services within hours. Blockchain analysts tracked it meticulously. Law enforcement documented every wallet hop. None of the money came back. And the attackers — operating from Pyongyang with the resources of a nuclear-armed government — took the proceeds, funded weapons programs, and came back to try again seven weeks later.
You cannot deter an adversary that faces no consequences. You can only stop them at the point of action, every time, with a control they cannot bypass remotely. That’s a biometric check.
Case 3: The SDK that watches everything
On April 10, Microsoft disclosed a vulnerability in the EngageLab SDK — a push notification library embedded in popular Android applications, including crypto wallets. The security flaw exposed millions of devices. Microsoft reported it a year ago. The delayed disclosure timeline means millions of Android crypto wallets were running vulnerable code during a period of record theft.
This is the attack surface most security models ignore. Exchanges build server-side protections: rate limiting, withdrawal delays, allowlisted addresses, anomaly detection. Wallet providers build client-side protections: biometric unlock, PIN codes, seed phrase encryption. But a compromised SDK sits between both — inside the application, below the UI, above the operating system. It can intercept, modify, or redirect transactions before the user or the server ever knows.
// How a compromised SDK intercepts a transaction
//
// Normal flow:
// User taps "Send 1 ETH to 0xABC..."
// → App constructs transaction: {to: 0xABC, value: 1 ETH}
// → User confirms on screen
// → App sends to wallet for signing
// → Signed tx broadcast to network
//
// Compromised SDK flow:
// User taps "Send 1 ETH to 0xABC..."
// → App constructs transaction: {to: 0xABC, value: 1 ETH}
// → SDK intercepts before display
// → SDK modifies: {to: 0xATTACKER, value: ALL_ETH}
// → But SDK shows user the ORIGINAL transaction on screen
// → User sees "Send 1 ETH to 0xABC..." and confirms
// → Modified tx sent to wallet for signing
// → User's entire balance sent to attacker
//
// The user did everything right. They checked the address.
// They confirmed the amount. They approved the transaction.
// The SDK changed it after confirmation, before signing.
//
// What stops this:
// A server-side biometric verification that receives the
// transaction parameters DIRECTLY — not through the SDK.
// The verification API hashes the actual transaction:
// action_hash = sha256(to: 0xABC, value: 1 ETH)
// The signed JWT contains that hash.
// If the SDK modified the tx, the hash won't match
// what the user verified. The server rejects it.
//
// The biometric check creates an authorization artifact
// that exists OUTSIDE the compromised device stack.The defense against a compromised device is the same defense against a compromised credential and a compromised insider: verify the human through a channel the compromised component cannot intercept, and bind that verification to the specific transaction parameters the human approved. A biometric JWT created server-side — capturing the face through the device camera (which the SDK cannot fake without injection attack detection catching it), transmitting it over an encrypted channel, and returning a signed token bound to the transaction hash — creates an authorization artifact that exists independently of everything the SDK touches.
Why not banks first?
Banks have fraud departments with hundreds of employees. They have Regulation E protections that shift liability from consumer to institution. They have FDIC insurance up to $250,000 per depositor. They have correspondent banking networks for cross-border fund recovery. They have the ability to reverse transactions for up to 60 days. They have decades of case law establishing recourse mechanisms. And they have the Federal Reserve’s payment system as a backstop.
Banks need better verification too. But when a bank fails to prevent fraud, there are institutional shock absorbers at every level. The customer’s loss is capped. The bank’s loss is insured. The regulatory response is structured. The legal framework enables recovery.
When a crypto exchange fails to prevent fraud, there is nothing. The user’s funds are on a blockchain address controlled by an attacker in Pyongyang. No insurance. No reversal. No correspondent bank to call. No regulator that can compel the attacker to return the funds. The only moment that mattered was the 400 milliseconds before the transaction confirmed. Everything after that is a forensic exercise in documenting how much was lost.
// The asymmetry that makes crypto different:
//
// Bank wire fraud:
// Detection window: up to 60 days (Reg E)
// Recovery mechanism: SWIFT recall, correspondent freeze
// Insurance: FDIC up to $250K, E&O beyond
// Liability: shifts to institution (Reg E)
// Law enforcement: subpoena power over receiving bank
// Typical recovery: 40-60% of funds
//
// Crypto theft:
// Detection window: seconds to minutes (mempool → confirm)
// Recovery mechanism: none (blockchain is immutable)
// Insurance: none (most exchanges uninsured)
// Liability: user bears full loss
// Law enforcement: no jurisdiction over mixer/DEX
// Typical recovery: <5% of funds (Chainalysis estimate)
//
// Same attack (compromised credentials).
// Same unauthorized transfer.
// Radically different outcomes.
//
// When recovery is impossible, prevention is everything.
// And prevention means verification at the moment of action.Three vectors, one gap
This week’s three events are different attacks by different actors using different techniques against different targets. But they all exploit the same structural absence:
An insider whose real face doesn’t match their fabricated enrollment gets caught the first time a biometric check fires on a sensitive operation. A returning attacker who compromises a signing interface gets stopped when the signer’s biometric doesn’t match the tampered transaction hash. A compromised SDK that modifies transactions gets detected when the server-side verification hash doesn’t match what the device submitted.
Three entry points. Three sophistication levels. Three threat actors — a state operative, a returning APT, and a supply chain vulnerability. All three break against the same defense: a physical human verification at the moment of action, bound to the specific transaction being authorized, through a channel the attacker doesn’t control.
81 days
MiCA’s CASP authorization deadline is July 1, 2026. Every crypto-asset service provider operating in the European Union must demonstrate operational security standards comparable to traditional financial institutions — or cease operations. Over 40 licenses have been issued. The transitional period is closing. The stragglers are running out of road.
MiCA’s requirements are not abstract. Transaction records must be retained for 5 years and must be sufficient for supervisory authorities to reconstruct events. The Travel Rule requires originator and beneficiary data exchange for every transfer. Governance standards demand fit-and-proper management with demonstrable security expertise and adequate internal controls.
The exchanges that will thrive under MiCA — and under the inevitable U.S. equivalent — are the ones building bank-grade security infrastructure now, before the deadline, before the next $1.4 billion headline, before the examiner arrives and asks for proof that a human authorized the transfer that drained the hot wallet.
This is why we built Lorica
Not because crypto is the easiest market. Because it’s the market where the cost of a missed verification is highest and most permanent. Where the adversaries are nation-states with $3.4B in cumulative theft and zero deterrence. Where the transactions are irreversible, the detection window is seconds, and the recovery rate approaches zero.
One API call. One signed JWT. One biometric verification at the moment that matters. Crypto exchanges are our first target market because they’re the ones who need it most, need it now, and can’t afford to learn this lesson the way Bybit learned it — at $1.4 billion a lesson.
Full documentation: loricaapi.com/docs | Live demo: loricaapi.com/demo