*The cases discussed in this article are real events. Some details have been kept confidential based on feedback from those involved. The opinions in this text are based on public information and industry experience, for reference only.*

A few days ago, a shocking incident occurred in a Web3 team:

A core member, who had worked alongside the founder for two years and understood coding, stole over 1 million in cryptocurrency assets. This member was initially brought into the Web3 industry by the founder and was taught the ropes from scratch. Later, because he was familiar with the technical details and system structure, he was granted certain permissions. Ultimately, by copying the privately backed-up mnemonic phrase, he quickly completed the transfer and fled; he is said to have been close to the border, preparing to leave the country.

This is not the first such incident, but this time it brings not only a reminder about 'risk control' but also a profound sense of helplessness and alertness about human nature:

I thought I could defend against hackers, but in the end, I still fell victim to human nature.

Internal fraud: a severely underestimated 'high-frequency risk'

As a Web3 lawyer, I have seen in this case a long-neglected yet highly destructive hidden danger in the industry:

Internal personnel fraud.

This term may not be frequently mentioned in the Web3 entrepreneurial context, but in traditional enterprises, it is a high-frequency issue that is extremely difficult to discover and prevent. It is hard to catch signs beforehand, and it is often difficult to gather enough evidence for law enforcement to take action.

When the assets involved are on-chain, the problem is even more severe:

Cryptocurrency assets cannot be frozen or recovered like traditional assets; once transferred, the difficulty of tracing and recovering increases exponentially.

The 'Trust Paradox' of Web3 Entrepreneurs

Traditional enterprises rely on systems, processes, and authorizations, while Web3 emphasizes trust, collaboration, and rapid iteration.

Yet it is precisely this culture that sows hidden dangers for many Web3 teams from the outset:

  • The technical system was built by core members themselves;

  • Wallet permissions, trading scripts, and asset transfer paths are all controlled by a very small number of people;

  • Teams are often 'small and refined', with one person holding multiple roles and concentrated permissions;

  • Lack of a basic compliance framework and risk control system.

This led to a highly risky scenario:

A team member may simultaneously have the permissions to write strategies, execute trades, and even directly operate wallets.

Such a structure essentially hands the 'self-destruct button' to human nature.

Even if it is 'someone you have known for many years and personally brought into the team', you cannot rule out the possibility of wavering in the face of conflicts of interest.

Especially in the current unstable economic environment, with increasing external pressures, you never know if a person is under urgent family or personal crises.

'He has good skills and is not a bad person.'

A statement the founder whose assets were stolen made after the incident left a deep impression on me:

'I never thought it would be him. He was someone I brought into this industry myself; I've known him for two years. We've worked on projects together for more than a year, seeing each other daily, and we've never had a disagreement. He's not a greedy person.'

This statement is too real and too dangerous.

'People who seem unlikely to do such things' are not the same as people who will not act once they reach the tipping point.

Human nature is not linear. Money, anxiety, fear, family pressure, sudden impulses... any of these variables can become the straw that breaks the camel's back.

Later, the team found that this individual had a long-term poor personal credit history and multiple overdue records. It is said that he stole this sum of money to make up for previous losses in the contract account. What is more alarming is that the actual theft occurred before he lost money.

This also indicates that sometimes the factors leading to wrongdoing are not just greed or impulse, but a person reaching a 'critical point' under accumulated pressure, debt, fear, and lack of transparency—only you don’t know when they will cross that line.

When your system does not have any 'human firewall' set up, you are not managing risk; you are gambling on luck.

Internal fraud is not an 'individual case issue', but a 'system issue'.

Many teams, after experiencing internal theft, first react by blaming the other party for being 'too bad', but what should really be questioned is:

  • Why was he able to do that?

  • Why is there no early warning mechanism?

  • Why was no one able to detect the anomalies throughout the process?

This is not a moral flaw of a certain person, but a systemic error that assumes 'everyone is trustworthy.'

Especially in the crypto industry, the consequences of single-point permissions are extremely severe:

  • Once on-chain assets are transferred out, they are almost impossible to recover;

  • Mnemonic phrases = ownership; whoever holds them is the owner of the asset;

  • Some malicious operations can be completed in minutes, even executed fully automatically through scripts.

If a single person in your system can bypass all mechanisms to complete a transfer, then the system is always on the brink of explosion.

Four practical suggestions for Web3 teams

Based on various past cases I have encountered, along with the experience we've accumulated in team compliance reviews, the following suggestions are made. I hope every team can seriously consider and implement them as soon as possible:

1. Wallet permissions must be multi-signature and decentralized; private keys should never be singular.

  • Use mature multi-signature wallet custody solutions like Gnosis Safe / Fireblocks;

  • At least a 3/5 multi-signature structure, with signers including founders, risk control, finance, and other roles;

  • Strictly prohibit any individual from holding complete mnemonic phrases or privately exporting and backing up keys locally.

2. The strategy and execution systems must have permission isolation.

  • Strategy personnel should not directly operate real trading systems;

  • All strategies must be audited, backtested, and reviewed by a third party before being launched;

  • All trading activities must have complete logs to ensure traceability and retrievability.

3. Asset transfers must have processes, approvals, and documentation.

  • Establish a basic approval system (even if it's Notion + Excel + WeChat approval process);

  • Set approval levels based on amounts; large transfers require dual signatures and record purposes;

  • Regularly reconcile funds; even if it is manual checking, it should be consistently enforced.

4. Establishing a system is not to prevent 'bad people', but to minimize mistakes made by 'good people'.

  • It is too late to establish systems after something goes wrong;

  • Permission boundaries are not constraints but protections;

  • 'Preventing bad people' also means 'preventing good people from making mistakes out of impulse.'
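Suggestions 1 to 3 above can be expressed as one policy check: a transfer is executed only if enough distinct, known signers approve it, large amounts additionally need the founder, risk-control and finance roles plus a recorded purpose, every verdict is logged, and the books are periodically reconciled against the chain. The following is an added example, not code from the article or from any product it names; the signer roster, the 3-of-5 threshold, the tier boundary and the roles required for large transfers are constructed assumptions.

```python
from dataclasses import dataclass, field
from decimal import Decimal

# Constructed sample roster and policy values (assumptions, not taken from the article).
SIGNERS = {"alice": "founder", "bob": "risk_control", "carol": "finance",
           "dave": "engineering", "erin": "legal"}
THRESHOLD = 3                                          # 3-of-5, as suggestion 1 recommends
LARGE_LIMIT = Decimal("50000")                         # assumed boundary of the "large" tier
LARGE_ROLES = {"founder", "risk_control", "finance"}   # assumed roles required at that tier

@dataclass
class Transfer:
    request_id: str
    amount: Decimal
    destination: str
    purpose: str = ""
    approvals: set = field(default_factory=set)

    def __post_init__(self):
        self.amount = Decimal(self.amount)  # accept int/str amounts, compare exactly

AUDIT_LOG: list = []   # every decision is recorded, approved or rejected (suggestions 2 and 3)

def evaluate(t: Transfer) -> tuple:
    """Decide whether a transfer may be executed and append the verdict to the audit log."""
    valid = {s for s in t.approvals if s in SIGNERS}   # unknown signers never count
    roles = {SIGNERS[s] for s in valid}
    if len(valid) < THRESHOLD:                          # no single person can move funds
        verdict = (False, f"only {len(valid)} of {THRESHOLD} required signers")
    elif t.amount >= LARGE_LIMIT and not t.purpose.strip():
        verdict = (False, "large transfer without a recorded purpose")
    elif t.amount >= LARGE_LIMIT and not LARGE_ROLES <= roles:
        verdict = (False, f"large transfer missing roles {sorted(LARGE_ROLES - roles)}")
    else:
        verdict = (True, "approved")
    AUDIT_LOG.append({"id": t.request_id, "amount": str(t.amount), "to": t.destination,
                      "signers": sorted(valid), "allowed": verdict[0], "reason": verdict[1]})
    return verdict

def reconcile(ledger: dict, chain: dict) -> dict:
    """Periodic reconciliation (suggestion 3): addresses whose on-chain balance
    differs from the internal books, mapped to the discrepancy (chain minus ledger)."""
    diffs = {}
    for addr, booked in ledger.items():
        delta = Decimal(chain.get(addr, 0)) - Decimal(booked)
        if delta != 0:
            diffs[addr] = delta
    return diffs
```

The same structure applies whether the signers are humans in a Notion/Excel approval flow or keys in a Gnosis Safe policy; the point is that no request passes on one person's say-so and every attempt leaves a record.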

'Human nature should not be tested.'

Someone said: 'A person's character can be judged by how they act when they have money and freedom.'

But I agree more with:

Human nature should not be tested; the system is the best firewall.

Not everyone will betray you, but you cannot gamble the security of the entire system on one person's conscience.

Genuinely mature management is not about delegating power out of trust, but about understanding and respecting human nature, leaving no one the opportunity to act.

Summary by Lawyer Mankiw

Web3 is a fast-paced, high-volatility industry. We discuss market opportunities, narratives, and monitor market fluctuations, but in reality, what often pushes many teams to collapse is not the market itself, but the collapse of internal trust.

You can lose to the market, but do not lose to your own system first.

It is recommended to self-check these three things:

1. Is there any member who can 'single-handedly control' the funds?

2. Is there trading logic decided by one person alone, possibly without leaving any trace?

3. Are private keys and mnemonic phrases stored in an insecure manner in a physical environment?

If you need, we can assist you:

  • Create a 'Web3 Internal Asset Risk Control Self-Check List';

  • Draft operational documents such as a 'Cryptocurrency Asset Operation Management System' and 'Permission Control Rules';

  • Or simply accompany you in identifying where the 'biggest single-point risks' in your current system are.

Human nature should not be tested; the system is the best firewall.

Steady progress leads to lasting success.


Authors of this article: Niu Xiaojing, Liu Honglin