Identity for Crypto & Web3
- KYC and AML at onboarding
- Wallet and key recovery without central custody
- Fraud and sanctions screening
- Bridging on-chain and off-chain identity
The job identity does in crypto and Web3
Crypto sits between two identity worlds. Regulated exchanges and on-ramps must do rigorous KYC and AML like any financial institution, while the on-chain world is pseudonymous and self-custodial by design. The hard problems are verifying real people at onboarding, screening for fraud and sanctions, and handling wallet and key recovery without recreating the custodial single point of failure that crypto exists to avoid.
The regulatory and compliance floor
The FATF Travel Rule requires identifying parties to certain transfers, KYC and AML obligations apply to exchanges and custodians, and the EU's MiCA framework formalizes requirements for crypto-asset service providers. GDPR governs the personal data collected during verification. Compliance pressure has risen sharply as the sector matures.
The threat landscape here
Crypto is uniquely high-stakes: account takeover and session/token theft lead to irreversible theft, SIM-swap attacks target exchange accounts, and phishing and approval-draining scams are constant. Sanctions evasion and synthetic identities at onboarding are major compliance risks.
What good looks like
- Strong KYC and identity verification at onboarding, with sanctions and AML screening.
- Phishing-resistant authentication and passkeys for exchange accounts, never SMS OTP alone.
- Thoughtful wallet and key recovery (social recovery, MPC) that avoids a custodial single point of failure.
- Emerging verifiable credentials and reusable KYC to reduce repeated proofing.
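The recovery bullet above is the one most often gotten wrong, so here is the core primitive behind "social recovery" and most MPC wallet designs: a threshold secret-sharing scheme in which no single guardian (and no single server) holds the key. This is an added illustration written for this page, not code from any vendor or wallet named here; it assumes a 32-byte seed as the secret and a 3-of-5 guardian set, both constructed for the demo, and uses Shamir's scheme over the prime field GF(2^521 - 1) so that any 256-bit secret fits.

```python
import secrets

# Field prime: 2**521 - 1 (a Mersenne prime), comfortably larger than any
# 256-bit wallet seed or private key, so every such secret is a field element.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Evaluate the polynomial with coefficients coeffs[0..k-1] at x (Horner, mod PRIME)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: bytes, threshold: int, guardians: int):
    """Return `guardians` shares (x, y) of `secret`; any `threshold` of them recover it."""
    s = int.from_bytes(secret, "big")
    if not 0 < threshold <= guardians:
        raise ValueError("need 0 < threshold <= guardians")
    if s >= PRIME:
        raise ValueError("secret too large for the field")
    # Constant term is the secret; the other threshold-1 coefficients are random, so
    # any threshold-1 shares are consistent with every possible secret equally.
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, guardians + 1)]


def recover_secret(shares, secret_len: int) -> bytes:
    """Lagrange-interpolate the shares at x = 0.

    With fewer than `threshold` shares the result is a uniformly random wrong value,
    not an error: Shamir sharing leaks no partial information about the secret.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    # A wrong (too-few-shares) reconstruction can be up to 521 bits wide, so size the
    # output to whichever is larger: the expected length or the value's own width.
    width = max(secret_len, (total.bit_length() + 7) // 8)
    return total.to_bytes(width, "big")


# Constructed demo secret: a fixed 32-byte value standing in for a wallet seed.
DEMO_SECRET = bytes(range(32))


def demo():
    """3-of-5 guardians: any three recover the seed, any two do not."""
    shares = split_secret(DEMO_SECRET, threshold=3, guardians=5)
    enough = recover_secret([shares[0], shares[2], shares[4]], 32) == DEMO_SECRET
    too_few = recover_secret(shares[:2], 32) == DEMO_SECRET
    return enough, too_few


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The property to notice is in the last function: two of three required guardians learn nothing, and there is no "recovery server" that can act alone. Production wallets add verifiable shares (so a malicious guardian cannot hand back garbage) and usually run the signing itself as an MPC protocol so the full key is never reassembled in one place, but the custodial-risk argument is the same one shown here.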
Vendors and fit
Sumsub and Persona fit global KYC and AML; Civic fits reusable and on-chain identity; Auth0 and its CIAM peers fit account authentication.
Common pitfalls
- Relying on SMS OTP for exchange accounts, the exact vector SIM-swap attacks defeat.
- Weak onboarding controls that let synthetic identities and sanctioned actors through.
- Recovery designs that quietly reintroduce custodial risk.
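The first pitfall above and the "phishing-resistant authentication" item under What good looks like are two sides of one property: an SMS code is a secret the user can be talked into typing on any site, whereas a passkey assertion is bound by the browser to the origin the user is actually on and by the authenticator to the relying-party ID, and it carries a one-time challenge. The following relying-party check is an added example for this page, not code from Auth0 or any other vendor named here; the relying-party ID `exchange.example`, the origins and the simulated browser/authenticator helpers are all assumed for the demo. It performs the WebAuthn assertion checks that defeat phishing and replay; the final step, verifying the authenticator's signature over authenticatorData || SHA-256(clientDataJSON) with the registered public key, is deliberately left out because the standard library has no asymmetric signature primitive.

```python
import base64
import hashlib
import json
import secrets
import struct

# Assumed relying-party settings for a hypothetical exchange (not from the page).
RP_ID = "exchange.example"
EXPECTED_ORIGIN = "https://exchange.example"

FLAG_USER_PRESENT = 0x01   # authenticatorData flags bit 0 (UP)
FLAG_USER_VERIFIED = 0x04  # authenticatorData flags bit 2 (UV)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def issue_challenge(pending: dict) -> str:
    """Server side: mint a one-time challenge and remember it until it is consumed."""
    challenge = b64url(secrets.token_bytes(32))
    pending[challenge] = True
    return challenge


def build_authenticator_data(rp_id: str, counter: int,
                             flags: int = FLAG_USER_PRESENT | FLAG_USER_VERIFIED) -> bytes:
    """Simulated authenticator: rpIdHash (32) || flags (1) || signature counter (4, big-endian)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", counter)


def build_client_data(challenge: str, origin: str) -> bytes:
    """Simulated browser: the browser, not the user, records the origin the page is served from."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()


def verify_assertion(pending: dict, last_counter: int, client_data_json: bytes,
                     authenticator_data: bytes, expected_origin: str = EXPECTED_ORIGIN,
                     rp_id: str = RP_ID):
    """Return (ok, reason) after the origin, rpId, challenge, presence and counter checks."""
    try:
        client = json.loads(client_data_json)
    except ValueError:
        return False, "malformed clientDataJSON"
    if client.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    challenge = client.get("challenge")
    if challenge not in pending:
        return False, "unknown or already-used challenge (replay)"
    if client.get("origin") != expected_origin:
        return False, "origin mismatch: %r" % client.get("origin")
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    rp_id_hash = authenticator_data[:32]
    flags = authenticator_data[32]
    counter = struct.unpack(">I", authenticator_data[33:37])[0]
    if rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not flags & FLAG_USER_PRESENT:
        return False, "user presence not asserted"
    # A counter that fails to advance (unless both sides are 0) suggests a cloned authenticator.
    if counter <= last_counter and not (counter == 0 and last_counter == 0):
        return False, "signature counter did not increase"
    del pending[challenge]  # consume the challenge so the assertion cannot be replayed
    return True, "bound to origin, relying party and fresh challenge"


def demo():
    """Legitimate login passes; a look-alike phishing origin and a replayed challenge fail."""
    pending, last_counter = {}, 0
    ch = issue_challenge(pending)
    legit = verify_assertion(pending, last_counter,
                             build_client_data(ch, EXPECTED_ORIGIN),
                             build_authenticator_data(RP_ID, 1))
    ch2 = issue_challenge(pending)
    phish = verify_assertion(pending, last_counter,
                             build_client_data(ch2, "https://exchange-example.com"),
                             build_authenticator_data(RP_ID, 2))
    replay = verify_assertion(pending, last_counter,
                              build_client_data(ch, EXPECTED_ORIGIN),
                              build_authenticator_data(RP_ID, 3))
    return legit[0], phish[0], replay[0]


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

Contrast this with an SMS OTP flow, where the server receives only a six-digit string and cannot tell whether it was typed into the real site or relayed through a phishing page, and where the SIM-swap attack removes even the possession factor. The origin and rpIdHash checks are what make the passkey assertion useless to anyone who is not serving the genuine origin.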
Where it is heading
Reusable verifiable credentials promise lower-friction, privacy-preserving KYC across the ecosystem, while regulation under MiCA and the Travel Rule pushes exchanges toward bank-grade identity controls.