Illicit Threats in Crypto Asset Staking: Choosing an Institutional Provider to Mitigate the Risks

October 25, 2023
Sign up for our newsletter:
Oops! Something went wrong while submitting the form.

Disclaimer: Twinstake does not provide staking services to retail customers. This briefing note is not intended as a promotion, offer, invitation or solicitation for the purchase or sale of any investment, nor is it intended to give rise to any other legal relations whatsoever and must not be relied upon for the purposes of any investment decision.  If you do not have the relevant professional experience in matters relating to crypto asset investments, you should not consider this briefing note to be directed at you.

This briefing note and the information in it is not directed at, or intended to be made available to, retail customers.  It is directed only at persons who are professional investors (for the purposes of the Alternative Investment Fund Managers Directive (2011/61/EU) (known as ‘AIFMD’); professional clients or eligible counterparties for the purposes of the Markets in Financial Instruments Directive (Directive 2004/39/EC) (known as ‘MiFID’); if you are in the UK, to “Investment Professionals” or “High Net Worth Companies” as defined in s.19 and s.49 respectively of the Financial Promotions Order, or as otherwise defined under applicable local regulations and at whom this briefing note and the information in it may lawfully be directed in any relevant jurisdiction. 


With over $100billion worth of assets staked across various protocols, and rewards anywhere from 2-20%, some institutions are using staking as a low-risk method of generating returns via a long strategy on their crypto assets.

However, staking is not without risks, for example: 

  • slashing or penalties from an architecture misstep; 
  • smart contract risk from decentralised staking options;
  • regulatory risk from commingled funds with stakers who have not undergone robust Know Your Customer (KYC) processes;
  • security concerns from liquid staking token design; and 
  • underlying market risks from the fluctuating value of assets held natively. 

These staking risks are well known and staking-as-a-service firms have a suite of solutions they can deploy to help mitigate against them. Insurance and multi-region design can cover slashing risk; audits and traditional security certifications showcase best practice; and, segregated provisioning with strong compliance checks to mitigate regulatory risks. 

The above risks can affect a legitimate and well intentioned staking provider and its staker client base. However, there are also risks from nefarious actors who may seek to stake illicit assets or leverage staking activities. 

This briefing note will explore some of the lesser discussed risks of how illicit actors could seek to use staking providers to launder their funds, steal crypto assets or taint legitimate staked funds. 

Staking pool use by illicit actors 

When exploring the ether (ETH) deposited into the ETH2.0 deposit contract `0x00000000219ab540356cbb839cbe05303d7705fa` - the method by which entities stake on Ethereum - it is clear that the majority of funds come from identifiable sources such as liquid staking providers, exchanges, and staking-as-a-service providers. 

Generally, to mitigate the risk of illicit actors using their service, a crypto company will require the user to provide KYC information/documentation and they will complete a range of Anti-Money Laundering (AML), Counter Terrorist Financing (CTF) and other on and off-chain risk analysis. 

However there are a number of staking providers on the market who offer permissionless staking services where any individual or entity is able to stake funds without providing KYC documentation, and without a mandatory minimum stake of 32ETH. This allows for friction-free staking and opens up participation to entities who may not have the minimum amount to be staked. Also, these providers  usually offer “liquid staking” where the user is given an equal amount of a liquid staking token (LST) to represent their staked amount. The LST can be used with DeFi services and exchanges on the open crypto markets to allow the ability to ‘use’ funds which are currently being staked to potentially generate additional yield. However, the permissionless nature of these pooled services and the ability for their LSTs to be traded in the open market means illicit actors are using them.

Exploring a case study; the diagram below illustrates that a permissionless staking provider has directly received funds from North Korea’s hacking group The Lazarus Group, and also funds from a number of scams, hacks and exploits.

This means that institutions who delegate or stake assets through permissionless staking providers, or who interact with liquid staking tokens, risk their funds being commingled with illicit actors - including sanctioned entities. Therefore, for institutions with zero risk tolerance to interactions with sanctioned actors, using these permissionless services could pose a real risk of sanctions breaches and taint both the institution’s and any of their customer’s funds with sanctions exposure. 

Institutions that want to be compliant with international financial sanctions and that are looking to mitigate the risk of commingling funds with illicit actors should instead use permissioned staking services. These services require users to go through robust KYC processes and funds are staked to a distinct validator and delegated to separate and identifiable staking accounts. This validator should exclusively accept delegations from parties that have undergone compliance checks and should not provide staking services to permissionless staking providers who may be exposed to this illicit risk. These compliance checks must focus on both the on-chain and off-chain activities of the entity, to create multiple lines of defence from bad actors and involve periodic rescreening based on the risk level of the customer and business. 

This is why Twinstake uses TRM Labs, a blockchain intelligence company, with  crypto compliance solutions to monitor, detect and investigate crypto fraud and financial crime. Twinstake screens all delegator addresses through the TRM software to ensure there are no on-chain red flags for illicit activity. This process is complemented by a robust off-chain due-diligence onboarding process for all institutions that Twinstake provides non-custodial staking services to. 

Rug pulls lists 262 staking providers across a broad range of countries, supported assets, custodial approaches and staked value. The vast majority of these providers are seeking to open up access to staking and provide a high quality service for the institutions or retail customers they seek to serve. However, as we have seen in other areas of the crypto industry, where there are significant funds to be made or crypto assets to be accessed, bad actors do emerge. 

There is a risk that illicit actors will create staking-as-a-service or pooled staking businesses which purport to be legitimate, but which have backdoors built into their smart contracts to syphon off funds or which result in creators draining funds from centralised custody. This is referred to as a rug pull.

In October 2020, Lyfcoin offered retail customers the opportunity to receive a 100% return if they ‘staked’ their assets with them for a five month lock-up period. This staking-as-a-service company claimed to have state of the art staking technology, transparent reporting and secure wallets. However, when the lock-up period came to an end, the company announced that an extension of 12-18 months was being put in place. Investors never got their funds back and it’s estimated citizens in the UK lost ~$2.5m from the staking scam. 

The risk of fraudulent staking-as-a-service providers underlines the need for both retail and institutional stakers to ensure sufficient due diligence of their chosen staking provider and to opt for those with a strong reputation and verifiable legitimacy. Selecting a provider who is non-custodial further mitigates this risk since the ownership of the assets remains with the user rather than being transferred to the staking provider. This further removes the risk of your staking provider being targeted as a honeypot due to notable funds. 

The need for a highly credible and institutionally trusted staking-as-a-service provider was why WebN, an incubation hub for fintech and Web3 innovators, and Nethermind, a renowned Ethereum execution client, came together to create Twinstake. Twinstake operates as a non-custodial staking provider to ensure funds can remain with a preferred custodian - mitigating transfer risk and moving away from alternative models where the principal is held by the staking provider. The Twinstake product was designed hand-in-hand with leading institutions to embed institutional requirements around security, compliance, operations and technology from the outset.

 Illicit actors using permissionless DPoS validators

In many protocols, such as Solana, Near, and Polkadot the validator account information is visible to all. This means that prospective delegators can review on-chain information such as total delegated, commission rate and participation information before deciding who to delegate their funds to. 

However, a bad actor could use this information to delegate their illicitly derived funds to a reputable validator with the aim of generating a return, attempting to taint the validator’s delegated funds or legitimising the source of their funds by comingling the illicit funds with a pool of legitimate funds. The latter would be similar to the concept of ‘dusting’. Dusting is when small amounts of a crypto asset are sent to an account to follow the flow of these funds onwards and with the aim of de-anonymising the user, or when a small amount of illicit linked crypto is sent to taint the entity’s account. The latter was the case when the Office of Foreign Assets Control (OFAC) sanctioned the cryptocurrency mixer Tornado Cash in August 2022 and in response, to this a user sent small amounts of ETH from Tornado Cash to identified crypto accounts such as Jimmy Fallon, Shaquille O'Neil, Logan Paul and Randi Zuckerberg with the aim of tainting them by association to a sanctioned crypto entity. 

To mitigate this risk, Twinstake uses segregated staked accounts per institution, by book or as specified by the institution's segmentation. In addition, we are developing industry-leading, innovative, permissioned delegation solutions across a number of chains. Please reach out to us to learn more about this work. To complement this, we undertake periodic rescreening of all delegated funds and have monitoring in place to detect all new delegations. 

Validator and withdrawal key compromise 

Another potential criminal typology which could impact institutions who are staking their assets is the risk of illicit actors obtaining the validator or withdrawal keys.

With the validator key there are a number of possible attacks an illicit actor could undertake. 

Firstly, they could cause a forced exit. This would be an attack which does not steal assets, but rather causes a nuisance to the institutions since the assets would need to be restaked after waiting for the required withdrawal and activation periods. This would therefore be akin to denial of service (DoS) style attack, which causes a disruption and potentially indirect monetary losses for a company.

With the validator key, the bad actor would also be able to purposefully cause the slashing of the validator, by signing blocks against the protocol rules. As above, this would not result in them gaining access to the funds, but would  mean the principal returned to the institution significantly decreased.

Finally, the bad actor could hold the validator keys to ransom against the staking provider. This could result in inactivity penalties during this period and damage the on-chain reputation of the staking provider, as well as the risk for the principal being slashed with any purposeful nefarious behaviour by the ransomer. 

If the bad actor were to also obtain the private key associated with the withdrawal credentials, then they may exit the validator in order to gain control over the principal.

Bad actors may use phishing, social engineering or other business compromise attacks to gain access to validator keys or withdrawal private key. These could result in the total loss of the principal, or days/weeks worth of missed rewards and transaction fees. This could be a substantial amount for institutional volumes of staked assets. 

This is why security and key management are of primary importance when considering the possible risks associated with staking and potential illicit activities. At Twinstake, we have implemented, and continuously review, our wallet, key security and credential management using a combination of tools and methodologies. These include “ice-cold” physical storage, the use of hardware security modules and secure offline “cold” hardware devices. We model internal and external threats to this bespoke confidential computing infrastructure and look to minimise the potential impacts of any possible breach. 

In summary, whilst there are clear financial benefits for institutions to enter the staking space there are also legitimate risks from illicit actors who are looking to profit from staking their crypto assets or disrupt institutionally focused staking activity. Therefore, for institutions looking to maximise their staking potential but mitigate the risks of staking provider rug pulls, sanctions risk from permissionless staking providers, validator and withdrawal key compromise and bad actors utilising Delegated Proof of Stake (DPoS) permissionless staking, it is imperative that you stake with a reputable and secure staking provider such as Twinstake. 

If you’re an institution and you would like to learn more about how you can avoid these risks by staking your assets in a secure, non-custodial, and regulatory compliant way then contact us at [email protected] or visit 

Keep reading