Social engineering, not smart contract exploits, is now the primary attack vector against crypto firms. Arsen offers a comprehensive solution for crypto companies to mitigate, anticipate and respond to such cases. We’ve built this checklist that gives CISOs, IT leads, and compliance officers at exchanges, custodians, and DeFi protocols a structured, actionable defense plan covering threat management, awareness training, AI & deepfake readiness, technical controls, and MiCA/NYDFS/SEC compliance mapping.
Social engineering scams are by far the number one threat to crypto enthusiasts and crypto holders and investors today.
Jeff Lunglhofer, CISO, Coinbase (Crypto News)
How to Use This Checklist
Each section maps to a control domain. Work through it as a gap analysis: check what you have, flag what's missing, and assign owners. The checklist is designed to be run quarterly: threat actors in this space iterate faster than annual review cycles allow.
Items marked 🟠 are high-severity gaps that should be addressed within 30 days. Items marked 🔵 are significant but can be tracked in a 90-day roadmap.
Cyber Management
Questions to Ask Yourself First
Before running the checklist, pressure-test your current posture with these:
- Are you allocating sufficient budget to continuously train employees and deploy tools specifically capable of spotting AI-assisted fraud, rather than relying on legacy anti-fraud tools?
- Do you rely solely on "click/no click" metrics, or are you measuring behavioral responses in conversation, such as the failure to verify a caller's identity?
- When using AI for simulations, do you have a legal framework to handle Personally Identifiable Information (PII) without exposing sensitive employee data to public LLMs?
Resources and Budget
🟠 Dedicated human-risk budget line exists, separate from technical security spend
🟠 Security awareness tools are capable of simulating AI-generated phishing and vishing, not just legacy template-based campaigns
🔵 Budget review cycle is quarterly, not annual. Threat actor tooling evolves faster than annual planning allows
🔵 Vendor contracts include AI simulation capabilities (multilingual, deepfake voice, persona-based)
Training Program
🟠 Training is continuous, not annual. Minimum monthly touchpoints per employee
🟠 Simulations cover the full attack surface: email phishing, vishing (voice), smishing (SMS), and Discord/Telegram impersonation
🟠 Scenarios are role-specific: treasury ops, support desk, developers, and executives each face different attack patterns
🔵 Training content is updated within 30 days of a major industry incident (e.g., a new nation-state campaign targeting crypto)
🔵 Behavioral outcomes are tracked (did the employee report? did they verify identity?), not just click rates
Compliance and Legal
🟠 PII handling framework exists for simulation data; employee names and emails are never fed raw into public generative AI models
🟠 Placeholder/merge-tag approach used when building AI-generated phishing templates (e.g., {{target.firstName}} populated locally in post-processing)
🔵 Legal has signed off on vishing simulation procedures, including call recording consent where required
🔵 Data residency requirements for simulation platforms are documented and auditable (relevant for MiCA, GDPR, NYDFS)
Threats Management
Hybrid and Cross-Channel Attacks
Scattered Spider specializes in helpdesk abuse, identity compromise, and high-confidence social engineering. Social engineering, SaaS compromise, digital-asset theft, and extortion will no longer appear as isolated incidents, but as coordinated services designed to scale impact.
Jason Lau, CISO, Crypto.com (Linkedin)
🟠 Simulation strategy tests cross-channel attack sequences, not phishing and vishing as isolated, unrelated events
🟠 "Stitched" attack scenarios are in your simulation library: e.g., a fake urgent email followed by a deepfake voicemail pressuring the employee to act
🟠 "Callback phishing" scenarios are tested: fake invoice by email directs victim to call a spoofed support number
🔵 Incident response playbooks cover multi-vector attacks, not just single-channel compromise
Vishing (Voice Phishing)
🟠 Employees are actively trained to identify voice-based threats: IT/helpdesk impersonation, executive impersonation, and vendor fraud
🟠 Vishing simulations are run at least quarterly: AI voice cloning has lowered the barrier to near-zero for attackers
🟠 Verification procedures for password resets, software approvals, and privileged access requests via phone are documented and tested
🔵 Helpdesk staff have a scripted identity-verification protocol that cannot be bypassed under urgency pressure
🔵 Out-of-band callback procedures are in place for any voice-initiated request involving access, transfers, or credentials
AI-Generated and Multilingual Attacks
🟠 Workforce is prepared for multilingual phishing. AI can now produce grammatically perfect lures in any language targeting your global team
🟠 Training explicitly teaches employees to distrust urgency and authority signals (not just "bad grammar") since AI-generated content looks clean
🔵 Simulation library includes multilingual attack scenarios relevant to your office locations (e.g., French, German, Japanese, Korean)
🔵 Detection logic in email/collaboration tools is tuned for semantic impersonation, not just spoofed domains
Deepfakes and AI Voice Cloning
North Korea isn't scanning for vulnerable contracts anymore. They're scanning for vulnerable people… That's not hacking. That's running agents.
Alexander Urbelis, CISO, ENS Labs (CoinDesk, April 2026)
If your network and system architecture does not allow them to do certain things, they will not be able to do it… it doesn't matter that you can detect deepfakes.
Khaja Ahmed, CISO, Gemini (CoinDesk Webinar, December 2024)
🟠 Voice approval workflows for wire transfers, treasury actions, and admin changes have been audited against deepfake risk
🟠 Deepfake voicemail injection scenarios are in your simulation library
🟠 Employees are trained that a convincing voice or video call alone is never sufficient authorization for high-risk actions
🔵 Verification procedures for executive video calls (e.g., board or CFO requests) include a challenge/response step that cannot be replicated from a cloned voice alone
🔵 You have evaluated deepfake detection tooling and understand its current limitations; detection alone is insufficient without structural controls
How to Get Started: Practical Controls
Unify Your Social Engineering Playbook
The human element is the Achilles' heel for many organizations. The answer is a well-fortified security program that protects not just the technology, but the people and the process.
David Schwed, former CISO, Galaxy Digital (CoinDesk, April 2026)
🟠 Stop running phishing and vishing campaigns in silos. Merge them into a single social engineering program with unified reporting
🟠 Reporting mechanisms are consistent: employees use the same channel to flag a suspicious email and a suspicious call
🟠 Metrics are unified: one dashboard covering click rates, report rates, vishing compliance, and behavioral trend lines
Integrate Phishing and Vishing Simulations
🟠 Phishing and vishing are integrated into a single simulation strategy to close siloed training gaps
🟠 Reporting workflow is identical for email and voice suspicious activity. Employees aren't trained differently for each
🔵 Simulations generate cross-channel behavioral data that feeds into risk scoring per employee and per team
🔵 Red-team exercises periodically test full attack chains: email → voice → credential submission → escalation
Design Smart and Scalable AI Simulation Scenarios
🟠 Your simulation platform uses Generative AI to personalize scenarios from unstructured data (LinkedIn profiles, job titles, recent company announcements, industry tools)
🟠 Prompt engineering is used to scale simulations across multiple languages without manually rewriting each scenario
🔵 Simulation scenarios reference real-world crypto attack patterns: fake VC outreach, exchange support impersonation, Discord/Telegram takeover attempts
🔵 Scenario library is refreshed within 30 days of a major crypto social engineering incident
Simulate "Stitched" Hybrid Attacks
🟠 Launch campaigns that chain attack vectors (e.g., an "Urgent: IT Charter Update" email followed by a deepfake vishing call to pressure action)
🟠 Test callback phishing: fake invoice by email directs the target to call a spoofed number and verify payment
🔵 Simulate long-horizon attacks: relationship-building over weeks via fake LinkedIn/Discord personas before a payload is delivered
We need to stop calling these 'hacks' and start calling them what they are: intelligence operations. The people who showed up at conferences, who met contributors in person across multiple countries, who deposited a million dollars of their own money to build credibility: that's tradecraft.
Alexander Urbelis, CISO, ENS Labs (CoinDesk, April 2026)
Technical Controls
Authentication and Access
| Control | Priority | Notes |
|---|---|---|
| Passkeys or hardware security keys (FIDO2/WebAuthn) for all staff | 🟠 High | OTP-based MFA is bypassed by real-time phishing proxies |
| Phishing-resistant MFA enforced for treasury, admin, and DevOps | 🟠 High | Step-up auth for privileged actions |
| Out-of-band verification for any credential reset or access change | 🟠 High | Prevents helpdesk takeover via social engineering |
| Separate approval channels for treasury, vendor, and admin actions | 🟠 High | Dual-control for high-value transactions |
| Privileged access management (PAM) reviewed quarterly | 🔵 Medium | Limit blast radius of a successful social engineering attempt |
Detection and Monitoring
| Control | Priority | Notes |
|---|---|---|
| AI-based email filtering with impersonation detection | 🟠 High | Tuned for semantic impersonation, not just spoofed domains |
| Behavioral monitoring across email, Slack/Teams, and support chat | 🟠 High | Detect account takeover patterns and unusual request chains |
| Support desk monitoring for social engineering signals | 🟠 High | Coinbase's ML-based monitoring of support interactions is a benchmark |
| Login anomaly detection with real-time alerting | 🔵 Medium | Flag unusual login locations or session patterns post-credential submission |
Coinbase uses machine learning to monitor user activity and support chats for scam or takeover patterns.
Jeff Lunglhofer, CISO, Coinbase (Crypto News)
Incident Response
🟠 Incident playbooks exist for rapid account lockout and credential invalidation following a suspected social engineering event
🟠 Callback verification procedures are documented for any employee who suspects a deepfake call or impersonation attempt
🟠 Post-incident debrief process captures social engineering attempts even when no breach occurred; near-misses are training data
🔵 Tabletop exercises covering AI-phishing and deepfake voice fraud are run at least annually with executive participation
Sanitize Your AI Inputs
🟠 Never feed employee PII (names, emails, roles) directly into public generative AI models when building simulation templates
🟠 Use a placeholder/merge-tag approach: {{target.firstName}}, {{target.company}}, populated locally during post-processing
🟠 "Human-in-the-Loop" QA layer implemented: automatically check AI-generated simulation emails for correct malicious link presence and formatting before sending
🔵 If a generated template fails QA, the AI regenerates automatically until it passes; no manual intervention required
🔵 AI simulation generation is logged and auditable for compliance purposes
Quality Assurance and Collaboration
Human-in-the-Loop QA
🟠 AI-generated simulation content is reviewed programmatically (not just manually) before deployment
🟠 QA checks confirm: malicious link is present and properly formatted, sender domain is correctly spoofed per scenario parameters, language and tone match the persona
🟠 Generation loop is automated: failed QA → regenerate → re-check → approve
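The merge-tag and programmatic QA items above (Sanitize Your AI Inputs and Human-in-the-Loop QA), as an added example that is not Arsen's code or from the original page: QA rejects literal email addresses and unknown or missing tags, checks sender domain and language against the scenario, loops on regeneration, and only then fills in real names locally. The scenario, the draft templates, the target values and the `generate` callable standing in for the model call are all constructed.

```python
from __future__ import annotations
import re
from typing import Callable
# Merge tags the model may emit. Real values are substituted locally, never sent to it.
ALLOWED_TAGS = {"target.firstName", "target.company", "target.jobTitle", "tracking.link"}
TAG_RE = re.compile(r"\{\{\s*([A-Za-z0-9_.]+)\s*\}\}")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

def qa_template(template: dict, scenario: dict) -> list[str]:
    """Programmatic QA: return the list of failures (empty means the draft passes)."""
    problems = []
    tags = TAG_RE.findall(template.get("body", ""))
    unknown = sorted(set(tags) - ALLOWED_TAGS)
    if unknown:
        problems.append(f"unknown merge tags: {unknown}")
    if tags.count("tracking.link") != 1:
        problems.append("simulation link tag must appear exactly once")
    # A literal address means the model leaked or invented PII instead of using a tag.
    if EMAIL_RE.search(template.get("body", "")):
        problems.append("literal email address in body")
    if template.get("from_domain") != scenario["spoofed_domain"]:
        problems.append("sender domain does not match scenario")
    if template.get("language") != scenario["language"]:
        problems.append("language does not match persona")
    return problems

def generate_with_qa(generate: Callable[[int], dict], scenario: dict,
                     max_attempts: int = 3) -> tuple[dict | None, int]:
    """Automated loop: generate -> QA -> regenerate until a draft passes or attempts run out."""
    for attempt in range(1, max_attempts + 1):
        draft = generate(attempt)
        if not qa_template(draft, scenario):
            return draft, attempt
    return None, max_attempts

def render(template: dict, target: dict, tracking_link: str) -> str:
    """Post-processing: fill merge tags on the local host, after QA has passed."""
    values = {f"target.{k}": v for k, v in target.items()}
    values["tracking.link"] = tracking_link
    return TAG_RE.sub(lambda m: values.get(m.group(1), m.group(0)), template["body"])

# Constructed scenario and drafts: the first draft fails QA, the second passes.
SCENARIO = {"spoofed_domain": "it-support-example.test", "language": "en"}
DRAFTS = {
    1: {"from_domain": "it-support-example.test", "language": "en",
        "body": "Hi {{target.firstName}}, reply to admin@example.test to confirm."},
    2: {"from_domain": "it-support-example.test", "language": "en",
        "body": "Hi {{target.firstName}}, {{target.company}} IT requires you to "
                "re-confirm your charter at {{tracking.link}} today."},
}

def demo() -> str:  # run the loop on the constructed drafts, then render for one constructed target
    template, _attempts = generate_with_qa(lambda n: DRAFTS[n], SCENARIO)
    return render(template, {"firstName": "Alice", "company": "Acme Exchange"},
                  "https://sim.example.test/c/abc123")
```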
Expand the Defense Perimeter
We need faster signaling on the nature of the attacks as they evolve… we can probably start anticipating the kinds of attacks and start coming up with mitigation strategies. It is something that has to happen across the industry.
Khaja Ahmed, CISO, Gemini (CoinDesk Webinar, December 2024)
🟠 Collaborate with third-party technology providers to establish clear areas of responsibility regarding AI fraud liability
🔵 Participate in crypto industry threat-sharing groups (e.g., FS-ISAC, crypto-specific ISACs) to receive early signals on emerging attack patterns
🔵 Work with peer institutions to share intelligence on GenAI fraud patterns: a social engineering tactic that works against one exchange will be reused across the sector
Compliance Mapping
How Does This Checklist Map to Your Regulatory Obligations?
The adversaries themselves aren't fundamentally different between traditional finance and the crypto industry, but certain of the tactics they employ are distinct and the sophistication of attackers in the crypto space is notably higher.
Norah Beers, CISO, Grayscale (Help Net Security, September 2025)
| Checklist Domain | NYDFS Cybersecurity Rule | SEC Cybersecurity Rules | MiCA (EU) | DORA (EU) |
|---|---|---|---|---|
| Security awareness training program | ✅ Required | ✅ Recommended | ✅ Required | ✅ Required |
| Phishing/vishing simulation | ✅ Required | ✅ Recommended | ✅ Implied | ✅ Explicit (ICT testing) |
| Incident response playbooks | ✅ Required | ✅ Required (disclosure) | ✅ Required | ✅ Explicit |
| Third-party/vendor risk controls | ✅ Required | ✅ Required | ✅ Required | ✅ Explicit (TPPM) |
| PII/data handling in AI tools | ✅ Required | — | ✅ GDPR-linked | ✅ Required |
| MFA / phishing-resistant auth | ✅ Required | ✅ Required | ✅ Required | ✅ Required |
| Privileged access controls | ✅ Required | ✅ Required | ✅ Required | ✅ Required |
Key compliance notes:
- MiCA: Crypto-asset service providers (CASPs) must demonstrate operational resilience including cybersecurity governance. Human-risk controls are part of the expected ICT risk framework.
- DORA: Applies to EU financial entities, including crypto firms under MiCA scope. Mandates advanced ICT testing, including threat-led penetration testing (TLPT), which encompasses social engineering simulation.
- NYDFS Part 500: Applies to any entity with a New York BitLicense or money transmission license. Section 500.14 explicitly requires cybersecurity awareness training; §500.05 requires penetration testing.
- SEC: Requires disclosure of material cybersecurity incidents. Social engineering events that result in unauthorized access or data exposure now carry disclosure obligations.
KPIs to Track
Metrics your board should be able to answer on demand:
| KPI | Target | Measurement Frequency |
|---|---|---|
| Phishing simulation click rate | < 5% | Monthly |
| Phishing simulation report rate | > 70% | Monthly |
| Vishing simulation compliance rate (correct verification) | > 85% | Quarterly |
| Mean time to report a suspicious contact | < 15 minutes | Monthly |
| Training completion rate | > 95% | Monthly |
| High-risk employee retraining rate (post-failure) | 100% within 7 days | Per simulation |
| Incident response drill frequency | ≥ 2 per year | Annually |
| AI simulation scenario refresh cadence | ≤ 30 days post major incident | Per event |
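An added example, not from the original page, of computing the KPIs in the table above from per-employee simulation events on a unified email and voice reporting channel, flagging which targets are missed and who enters the 7-day retraining queue. The event records and names are constructed sample data.

```python
from __future__ import annotations
from dataclasses import dataclass
from statistics import mean

@dataclass
class SimEvent:
    """One employee's outcome in one simulation, email or voice, reported on the same channel."""
    employee: str
    channel: str                        # "email" (phishing) or "voice" (vishing)
    clicked: bool = False               # email only: followed the simulation link
    reported: bool = False              # used the unified reporting channel
    minutes_to_report: float | None = None
    verified: bool | None = None        # voice only: ran the identity-verification script

# Targets from the KPI table; click rate and time to report are "less than", the rest "greater than".
TARGETS = {"click_rate": 0.05, "mean_minutes_to_report": 15.0,
           "report_rate": 0.70, "vishing_compliance": 0.85}
LOWER_IS_BETTER = {"click_rate", "mean_minutes_to_report"}

def kpis(events: list[SimEvent]) -> dict[str, float]:
    """Compute the unified dashboard metrics across both channels."""
    email = [e for e in events if e.channel == "email"]
    voice = [e for e in events if e.channel == "voice"]
    times = [e.minutes_to_report for e in events if e.reported and e.minutes_to_report is not None]
    return {
        "click_rate": sum(e.clicked for e in email) / max(len(email), 1),
        "report_rate": sum(e.reported for e in events) / max(len(events), 1),
        "vishing_compliance": sum(bool(e.verified) for e in voice) / max(len(voice), 1),
        "mean_minutes_to_report": mean(times) if times else float("inf"),
    }

def breaches(values: dict[str, float]) -> list[str]:
    """KPIs that miss their target and should be raised with the board."""
    def missed(k: str, v: float) -> bool:
        return v >= TARGETS[k] if k in LOWER_IS_BETTER else v <= TARGETS[k]
    return sorted(k for k, v in values.items() if missed(k, v))

def retraining_queue(events: list[SimEvent]) -> list[str]:
    """Employees who clicked without reporting, or failed voice verification: retrain within 7 days."""
    return sorted({e.employee for e in events
                   if (e.clicked and not e.reported) or e.verified is False})

# Constructed sample: one phishing round and one vishing round for a small team.
EVENTS = [
    SimEvent("alice", "email", reported=True, minutes_to_report=4.0),
    SimEvent("bob", "email", clicked=True),
    SimEvent("carol", "email", clicked=True, reported=True, minutes_to_report=30.0),
    SimEvent("dave", "email"),
    SimEvent("alice", "voice", verified=True, reported=True, minutes_to_report=2.0),
    SimEvent("bob", "voice", verified=False),
    SimEvent("erin", "voice", verified=True),
]
```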
See How Your Team Holds Up Against Social Engineering
Protect exchanges, DeFi platforms, and blockchain teams from social engineering attacks.
FAQ
What is the single most important technical control against social engineering?
Phishing-resistant MFA (FIDO2/passkeys) combined with mandatory out-of-band verification for any high-value action. No email, call, or chat message should be sufficient on its own to approve a treasury action, credential reset, or privileged access change. Authentication architecture is your last line of defense when training fails.
Is security awareness training enough on its own?
No. Traditional awareness training is necessary but not sufficient. As Gemini's CISO noted, even perfect deepfake detection doesn't protect you if your architecture allows the action to proceed. Training must be paired with procedural controls (dual approval, out-of-band verification) and technical controls (phishing-resistant auth, behavioral monitoring).
How often should we run social engineering simulations?
At minimum: phishing monthly, vishing quarterly, stitched/hybrid scenarios bi-annually. Given the pace of threat actor iteration in crypto (nation-state actors, Scattered Spider, and AI-enabled campaigns), any less frequent cadence leaves detection gaps. Simulation scenarios should be refreshed within 30 days of any major industry incident.
How do we use AI to generate simulations without exposing employee PII?
Use a placeholder/merge-tag architecture. Build templates with tokens like {{target.firstName}} and {{target.jobTitle}}, then populate them locally during post-processing, never passing real names or emails into a public model. Your simulation platform should enforce this by design. If it doesn't, that's a gap.
Which roles in a crypto firm are most at risk?
Support desk staff (helpdesk takeover is a primary Scattered Spider vector), treasury and finance operations (wire fraud, approval manipulation), DevOps and engineers (credential harvesting, supply-chain entry points), and the C-suite (executive impersonation, deepfake CEO fraud). Each profile requires tailored simulation scenarios, not generic phishing templates.
Does this checklist apply to CeFi exchanges or DeFi protocols?
Both, with different emphasis. CeFi exchanges face higher helpdesk and support desk risk. DeFi protocols face long-horizon intelligence operations targeting developers and contributors directly, often through fabricated professional identities built over months. DeFi teams should weight Section 2.4 (deepfakes) and Section 3.4 (stitched attacks) heavily.
How does Arsen help crypto teams?
Arsen's simulation platform is built for technical, high-autonomy teams. Scenarios cover crypto-specific attack vectors: fake VC outreach, exchange credential harvesting, Discord/Telegram impersonation, seed phrase phishing, and AI voice clone vishing. The platform uses AI to personalize scenarios at scale without exposing PII.