Authors: Niu Xiaojing, Liu Honglin
*The cases discussed in this article are real events. Some details have been withheld at the request of the parties involved. The views expressed are based on public information and industry experience and are for reference only.
A few days ago, something shocking happened to a Web3 team:
The team's founder had crypto assets worth over 1 million stolen by a core member who had worked with him for two years and knew the codebase. The founder had personally brought this member into the Web3 industry and taught him from scratch. Later, because he was familiar with the technical details and the system architecture, he was granted certain permissions. In the end, he copied a privately kept backup of the mnemonic phrase, completed the transfer quickly, and fled. He is reportedly near the border and preparing to leave the country.
This is not the first incident of its kind, but this one is a reminder not only about "risk control" but also about human nature, and it leaves a deep sense of powerlessness and alarm:
I thought I could defend against hackers, but never expected to be defeated in the end by a human heart.
Insider fraud: a seriously underestimated "high risk"
As a Web3 lawyer, I saw in this case a long-ignored but extremely destructive hidden danger in the industry:
Insider fraud.
This term is rarely mentioned in the context of Web3 startups, but in traditional companies it has long been a frequent problem that is extremely hard to detect and prevent. Clues are hard to find in advance, and it is often difficult to gather enough evidence for law enforcement agencies to open a case.
When the stolen property is an on-chain asset, the problem is even worse:
Unlike bank balances, native on-chain assets cannot be frozen or clawed back by an intermediary (centralized stablecoin issuers and exchanges are the main exceptions, and only once the funds reach them). Once transferred, the difficulty of tracing and recovering them rises sharply with every hop.
The “Trust Paradox” of Web3 Entrepreneurs
Traditional enterprises rely on systems, processes, and authorization, while Web3 emphasizes trust, collaboration, and rapid iteration.
But it is precisely this culture that leads many Web3 teams to plant hidden risks in their early stages:
The technical system was built by the core members themselves;
Wallet permissions, trading scripts and asset-transfer paths are all in the hands of a very small number of people;
Most teams are small and elite, with one person holding several positions and authority concentrated;
There is no basic compliance framework or risk-control system.
The result is an extremely high-risk situation:
A single team member may have the authority to write trading strategies, execute trades, and even operate the wallets directly.
Such a structure hands the "self-destruct button" to human nature.
Even if that person is someone "you have known for years and personally brought into the team", you cannot rule out that he or she will waver when faced with a conflict of interest.
Especially in today's unstable economy, with external pressure mounting, you have no idea whether someone is facing an urgent family or personal crisis.
“He has good skills and is not a bad person”
What the founder said after the theft stayed with me:
"I never thought it was him. I brought him into this industry. We've known each other for two years. We've worked on projects together for more than a year. We've been together day and night, and we've never had a quarrel. He's not a greedy person."
That sentence is too true, and too dangerous.
Just because someone "doesn't look like the type to do such a thing" doesn't mean they won't act when they reach the critical point.
Human nature is not linear. Money, anxiety, fear, family pressure, a sudden impulse... any variable can become the straw that breaks the camel's back.
The team later found out that the perpetrator had a long history of bad personal credit with multiple overdue payments. He reportedly stole the funds to cover losses in his futures (contract) trading account. More alarming still, the theft itself took place before he lost that money.
This shows that what leads to wrongdoing is not always greed or impulse alone; sometimes a person reaches a "critical point" under accumulated pressure, debt, fear and opaque information, and you simply do not know when he will take that step.
When your system has no "firewall against human nature", you are not managing risk, you are gambling on luck.
Insider fraud is not a "case problem" but a "system problem"
When teams suffer internal theft, their first reaction is to blame the other party for being "bad", but the real questions are:
Why can he do it?
Why is there no early warning mechanism?
Why couldn’t anyone notice the unusual changes during the entire process?
This is not one individual's moral failing but a structural error in a system that assumes "everyone is trustworthy."
In the crypto industry especially, the consequences of single-point control are extremely serious:
Once on-chain assets are transferred out, they are almost impossible to recover;
Mnemonic = ownership: whoever holds the seed phrase owns the assets;
Some malicious operations can be completed in minutes, or fully automated with a script.
If anyone in your system can bypass every control and complete a transfer alone, the system is permanently on the verge of exploding.
Four practical suggestions for Web3 teams
Based on cases we have handled and the experience we have accumulated in team compliance work, we offer the following suggestions, which we hope every team will consider seriously and implement as soon as possible:
1. Wallet permissions must be multi-signature and dispersed; no private key is ever held by one person alone
Use a mature multi-signature or MPC custody solution such as Safe (formerly Gnosis Safe) or Fireblocks;
At least a 3-of-5 multi-signature structure, with signers spanning several roles such as founders, risk control and finance; each signer's key must live on its own device (ideally a hardware wallet) held by a different person, otherwise the multisig is a single point of failure in disguise;
No individual may ever hold the complete mnemonic, export a key privately, or keep an unauthorized local backup (exactly the kind of "private backup" that was copied in the case above).
2. Strategy and execution systems must be isolated from each other
Strategy authors must not be able to operate the live trading system directly;
Every strategy must pass audit, backtesting and third-party review before going live;
Every transaction must have a complete, append-only log that the operators themselves cannot edit, so it can be traced and retrieved afterwards.
3. Asset transfers must follow a process, with approval and record-keeping
Establish a basic approval workflow (even Notion + Excel + a WeChat approval flow is better than nothing);
Set approval tiers by amount; large transfers require two approvers and a recorded purpose;
Reconcile funds regularly, even if only by manual check.
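The controls in points 1 to 3 (a role-diverse signing threshold, separation between the person who requests a transfer and the people who approve it, amount-tiered approval with a recorded purpose, and a log the operators cannot quietly rewrite) can be written down as a policy check. The following is an added example written for this edit; it is not code from the article, from Safe or from Fireblocks. The signer set, the roles, the tiers, the amounts and the rule that a requester may not approve their own transfer are assumptions chosen to make the checks concrete. It signs and broadcasts nothing: on-chain, the threshold is enforced by the multisig contract itself, and a check like this belongs in the approval workflow in front of it.

```python
"""Illustrative transfer-approval policy with a hash-chained audit log.

Added example, not the article's or any vendor's code. Signers, roles,
tiers and the self-approval rule below are assumptions for illustration.
"""
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed signer set: each name is one person holding one key on one device.
SIGNERS = {
    "alice": "founder",
    "bob": "founder",
    "carol": "risk",
    "dave": "finance",
    "erin": "finance",
}

# Assumed tiers: (amount ceiling, approvals needed, distinct roles needed, purpose required).
TIERS = [
    (1_000, 1, 1, False),
    (50_000, 2, 2, True),
    (float("inf"), 3, 3, True),
]


@dataclass
class Transfer:
    to: str
    amount: float
    purpose: str
    approvals: list      # names of signers who approved
    requested_by: str    # name of the person who raised the request


class PolicyError(Exception):
    pass


def tier_for(amount):
    for ceiling, approvals, roles, purpose_required in TIERS:
        if amount <= ceiling:
            return approvals, roles, purpose_required
    raise PolicyError("no tier matches amount")


def check_transfer(t: Transfer) -> bool:
    """Raise PolicyError describing the first violated rule; return True if all pass."""
    if t.amount <= 0:
        raise PolicyError("amount must be positive")
    needed, roles_needed, purpose_required = tier_for(t.amount)
    if purpose_required and not t.purpose.strip():
        raise PolicyError("a recorded purpose is required at this tier")
    unknown = [s for s in t.approvals if s not in SIGNERS]
    if unknown:
        raise PolicyError(f"unknown signer(s): {unknown}")
    distinct = set(t.approvals)
    if len(distinct) != len(t.approvals):
        raise PolicyError("duplicate approval from the same signer")
    # Assumed separation-of-duties rule: the requester is never one of the approvers.
    if t.requested_by in distinct:
        raise PolicyError("requester may not approve their own transfer")
    if len(distinct) < needed:
        raise PolicyError(f"need {needed} approvals, have {len(distinct)}")
    roles = {SIGNERS[s] for s in distinct}
    if len(roles) < roles_needed:
        raise PolicyError(f"need {roles_needed} distinct roles, have {sorted(roles)}")
    return True


class AuditLog:
    """Append-only log; each entry commits to the previous entry's hash."""

    def __init__(self):
        self.entries = []

    def append(self, event: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = json.dumps({"prev": prev, **event}, sort_keys=True)
        digest = hashlib.sha256(body.encode()).hexdigest()
        self.entries.append({"hash": digest, "body": body})
        return digest

    def verify(self) -> bool:
        """False if any entry was edited, removed or reordered after the fact."""
        prev = "0" * 64
        for entry in self.entries:
            record = json.loads(entry["body"])
            if record["prev"] != prev:
                return False
            if hashlib.sha256(entry["body"].encode()).hexdigest() != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def execute(t: Transfer, log: AuditLog):
    """Apply the policy and log the outcome either way. Returns (ok, reason)."""
    event = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "to": t.to, "amount": t.amount, "purpose": t.purpose,
        "requested_by": t.requested_by, "approvals": sorted(t.approvals),
    }
    try:
        check_transfer(t)
        log.append({**event, "result": "approved"})
        return True, "approved"
    except PolicyError as err:
        log.append({**event, "result": "rejected", "reason": str(err)})
        return False, str(err)


if __name__ == "__main__":
    log = AuditLog()
    # Three approvals, but only two roles (founder, finance): rejected at the top tier.
    print(execute(Transfer("0xabc", 60_000, "market-maker top-up", ["alice", "bob", "dave"], "erin"), log))
    # Founder + risk + finance: approved.
    print(execute(Transfer("0xabc", 60_000, "market-maker top-up", ["alice", "carol", "dave"], "erin"), log))
    print("log intact:", log.verify())
```

The log is only tamper-evident if its head hash is periodically copied somewhere the operators cannot write to (a second custodian, a notary, or a hash posted on-chain); otherwise whoever controls the file can simply recompute the chain.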
4. The purpose of a system is not to stop "villains" but to help "good people" make fewer mistakes
Fixing the system after something has happened is too late;
Boundaries of authority are not constraints but protection;
"Guarding against bad actors" also means "guarding against good people making a mistake in the heat of the moment."
“Human nature cannot be put to the test”
Someone said: "Whether a person is good or not depends on how he behaves when he has money and freedom."
But I agree more with this:
Human nature cannot be tested; the system is the best firewall.
Not everyone will betray you, but you cannot gamble the safety of the entire system on one person's conscience.
Truly mature management does not delegate power out of trust; it understands and respects human nature and leaves no one the opportunity to act.
Attorney Mankiw's Summary
Web3 is a fast-paced, highly volatile industry. We discuss market opportunities, narrative logic and price swings, but what actually pushes many teams to collapse is often not the market but the collapse of internal trust.
You can lose to the market, but don't lose to your system first.
I suggest you check these three things:
1. Does any single member have "single-point control" of funds?
2. Is any transaction logic decided by one person alone, without even leaving a trace?
3. Are private keys or mnemonics stored insecurely in a physical environment?
If you need it, we can help you:
Draw up a "Web3 Internal Asset Risk Control Self-Inspection Checklist";
Draft practical documents such as a "Crypto Asset Operation Management System" and "Authority Control Rules";
Or simply help you work out where the "biggest single-point risk" in your current system lies.
Human nature cannot be tested; the system is the best firewall.
Only by moving steadily can you go far.