Four Patterns That Separate Exchanges Re-Architecting Customer Support From Those Closing Public Channels Permanently After the 2025 Cycle

Where customer support is being rebuilt across crypto exchanges, payment processors, iGaming, fintech and DeFi operators in the U.S., UK and EU in response to industrialized impersonation, AI-enabled fraud, and converging regulatory expectations under SEC, NYDFS, DORA, NIS 2, AMLA, UK FCA and German BSI/BaFin frameworks.

Coinbase’s May 15, 2025 SEC 8-K disclosed that overseas third-party customer support contractors had been bribed by attackers to extract personal data on 69,461 customers, with remediation costs estimated between $180 million and $400 million; in December 2025, Brooklyn District Attorney prosecutors indicted 23-year-old Ronald Spektor for defrauding approximately 100 Coinbase users of $16 million by impersonating Coinbase customer service. Chainalysis’s 2026 Crypto Crime Report (published January 13, 2026) found that impersonation scams grew more than 1,400 percent year-over-year in 2025; AI-enabled scams were 4.5 times more profitable than traditional methods, generating $3.2 million per operation versus $719,000. Scam Sniffer reported a 2,000 percent surge in Telegram-based malware scams between November 2024 and January 2025. The FBI’s 2025 IC3 Annual Report (published April 7, 2026) logged 181,565 cryptocurrency-related complaints with losses exceeding $11 billion (a 22 percent year-over-year increase) and 22,364 AI-related complaints with $893 million in losses — the first time AI was tracked as a standalone descriptor. The Verizon 2025 Data Breach Investigations Report documented that third-party involvement in breaches doubled to 30 percent globally. Several major operators have responded by withdrawing customer support from public channels entirely. The exchanges and operators continuing to operate public-facing customer support in 2026 are doing it under structurally different architectures than they had eighteen months ago. Four patterns separate the operators rebuilding from the operators retreating.

The 2025 support-surface inflection

The customer support function in crypto, fintech and iGaming has become the highest-leverage attack surface in the sector. The shift is documented across primary sources and observable in real-time operational decisions across the industry. On May 15, 2025 Coinbase filed a Form 8-K with the U.S. Securities and Exchange Commission disclosing that overseas third-party customer support contractors had been bribed by external actors to extract personal data on 69,461 customers (per Coinbase’s subsequent filing with the Maine Attorney General). Suspicious activity had been first detected by Coinbase in January 2025; the formal extortion email was received on May 11, 2025, demanding a $20 million ransom which Coinbase refused, instead offering a $20 million reward for information leading to the attackers. Coinbase CEO Brian Armstrong publicly stated that the attackers had been offering bribes of approximately $250,000 to support staff in exchange for customer records. Coinbase estimated remediation costs between $180 million and $400 million. In December 2025, a former Coinbase customer service representative was arrested in Hyderabad, India; in the same month, Brooklyn District Attorney prosecutors indicted 23-year-old Ronald Spektor for defrauding approximately 100 Coinbase users of $16 million through impersonation of Coinbase customer service — the downstream effect of the May breach materialized as a wave of customer-targeting fraud.

The threat data context is unambiguous. Chainalysis’s 2026 Crypto Crime Report (published January 13, 2026 at chainalysis.com/blog/crypto-scams-2026/) found that impersonation scams — fraudsters posing as legitimate organizations and authority figures, including customer support agents at major crypto exchanges — grew more than 1,400 percent year-over-year in 2025. The average scam payment grew 253 percent year-over-year from $782 in 2024 to $2,764 in 2025. AI-enabled scams proved 4.5 times more profitable than traditional methods: $3.2 million average per AI-enabled operation versus $719,000 for non-AI; 76 percent of AI-enabled scams fell into the highest-value loss category. Chainalysis identified phishing-as-a-service infrastructure including the E-ZPass campaign attributed to the Chinese-speaking “Darcula” / “Smishing Triad” network, distributing SMS messages impersonating toll collection agencies and similar trusted entities across at least eight U.S. states. The DPRK-linked threat actor universe, accounting for 76 percent of all crypto service compromises in 2025 per Chainalysis, stole $2.02 billion in cryptocurrency in 2025 (a 51 percent increase over 2024) bringing the all-time DPRK total to $6.75 billion.

Other primary research extends the picture. Scam Sniffer reported via its January 16, 2025 X thread that Telegram-based malware scams surged 2,000 percent between November 2024 and January 2025 — attackers shifting from website-based phishing to infiltrating legitimate crypto communities on Telegram with fake verification bots, fake trading groups and fake airdrop groups, distributing malware that captured private keys and seed phrases directly from victim devices. Scam Sniffer reported phishing-only losses of approximately $500 million in 2024. The FBI’s 2025 IC3 Annual Report, published at ic3.gov on April 7, 2026, recorded 1,008,597 total complaints in 2025 with $20.877 billion in total losses (a 26 percent year-over-year increase). Cryptocurrency-specific: 181,565 complaints with more than $11 billion in losses (a 22 percent year-over-year increase). AI-related, tracked as a standalone descriptor for the first time in IC3’s 25-year history: 22,364 complaints and $893 million in losses. Crypto investment scams alone accounted for $7.2 billion in losses (25 percent loss increase, 48 percent complaint volume increase year-over-year). The IC3 Recovery Asset Team froze $679 million across 3,900 incidents in 2025 with a 58 percent success rate on Financial Fraud Kill Chain operations. The Verizon 2025 Data Breach Investigations Report documented that third-party involvement in breaches doubled to 30 percent globally.

Several major operators have responded by exiting customer support as a public-facing function. The Morpho protocol shut down its Discord community after sustained impersonation pressure; co-founder Merlin Egalite publicly framed the decision as a recognition that the cost of operating a public support channel had exceeded the benefit. Other DeFi protocols and several exchanges have followed similar paths — closing X DMs, restricting Discord access to verified users only, withdrawing email-based support, channeling all customer interaction through controlled in-product flows. The operators that continue operating public-facing customer support in 2026 are doing it under structurally different architectures than the 2024 model.

The convergent regulatory framework

The decision to re-architect customer support is not driven solely by the threat data. It is driven by what regulators across U.S., UK and EU jurisdictions are now actively asking, and what their early enforcement signal shows them to be willing to penalize.

In the United States, the SEC’s cybersecurity disclosure rules require public companies to disclose material cybersecurity incidents on Form 8-K within four business days. Coinbase’s May 15, 2025 filing is the operational reference. The New York Department of Financial Services 23 NYCRR Part 500 Second Amendment, finalized November 1, 2023 and fully phased in on November 1, 2025, requires Section 500.11 third-party service provider security policies and procedures, Section 500.17(a) 72-hour notification of cybersecurity incidents (24-hour for ransomware/extortion payments), and Section 500.17(b) annual certification signed jointly by CEO and CISO due April 15 of each year. The first fully phased annual certification, covering calendar year 2025, is due April 15, 2026. NYDFS’s recent enforcement actions — Gemini Trust $37 million in 2024 specifically referencing Section 500.11 third-party failures, Block, Inc. $40 million in 2025 for third-party and business continuity controls — made the standard visible.

In the European Union, the Digital Operational Resilience Act (DORA) became fully applicable on January 17, 2025. Articles 28 through 44 specifically address ICT third-party risk management, including the concept of critical ICT third-party service providers subject to direct supervisory oversight. Article 18 requires major ICT-related incident classification; Article 19 requires major ICT-related incident reporting within timelines specified by ESA technical standards (initial notification within 24 hours, intermediate report within 72 hours, final report within one month). The NIS 2 Directive 2022/2555 entered national transposition with Article 20 holding senior managers personally liable for infringements, Article 21 specifically addressing supply chain security, and Article 23 requiring early warning, intermediate and final incident reports. The General Data Protection Regulation Article 33 has long required personal-data breach notification to the supervisory authority within 72 hours. The new Anti-Money Laundering Authority (AMLA), operational since July 2025, supervises high-risk cross-border financial entities under a single rulebook. The Central Bank of Ireland’s November 2025 fine of €21.5 million against Coinbase Europe — for AML and CFT transaction monitoring breaches spanning 2021 to 2025 — is the EU enforcement signal.

In the United Kingdom, FCA Principle 11 requires firms to deal with the regulator openly and cooperatively. SS2/21 sets operational resilience expectations extending to outsourced services. The FCA Cyber Resilience Questionnaire and SYSC 13 governance requirements apply to authorized firms. The Bank of England, the Prudential Regulation Authority and the NCSC publish parallel guidance for critical sectors. The new UK “failure to prevent fraud” offense expands corporate accountability and is expected to produce its first high-profile prosecutions in 2026.

In Germany, BaFin’s BAIT framework regulates ICT risk management for supervised entities; the BSI (Federal Office for Information Security) operates the IT-Sicherheitsgesetz and KRITIS framework with mandatory incident reporting for critical infrastructure including financial services. The 2024 ISA-BSI German Handbook on Cyber-Risk Oversight extended NACD-ISA principles into the German regulatory framework. The same convergence is under way elsewhere: the ADM in Italy, the AFM and DNB in the Netherlands, the AMF and ACPR in France, the CBI in Ireland, and AMLA across the eurozone are replacing the previous patchwork with aligned expectations.

The pattern across jurisdictions is consistent. Customer support is now treated as part of the operational and ICT third-party risk surface, not a separate operational function. The questions regulators ask after an incident converge: who had access to the relevant data, under what controls, with what documented training, with what monitoring, with what dual-control safeguards on privileged actions, with what audit trail, with what incident-response playbook tested in advance. The operators rebuilding customer support architecture are answering these questions architecturally.

Four patterns that separate operators rebuilding from operators retreating

The four patterns below describe how customer support is being re-architected across operators that continue to maintain public-facing engagement in 2026. Each is testable against an operation this quarter; each maps to documented regulatory expectation in at least one of the SEC, NYDFS Part 500, DORA, NIS 2, AMLA, FCA, BaFin or BSI frameworks; and each has a documented Strengthens vs. Erodes contrast based on the operational signal of the 2025 cycle.

1. Identity verification of the support agent surface itself

Strengthens operation: the customer support workspace itself operates under verified-identity controls. Agent access is gated by hardware-key multi-factor authentication aligned to NYDFS Section 500.12 (effective in its final phase November 1, 2025) and DORA equivalent ICT access requirements. Agent identity is bound to device identity and to session monitoring. Privileged actions — account recovery, KYC document access, transaction reversal, internal communications about specific customer accounts — require dual control with documented approver. Behavioral anomaly detection runs at the workspace layer: agents accessing customer records outside their assigned queue, accessing high-value accounts they have no ticket assignment for, exporting data in volumes inconsistent with their workload — each triggers automated review. The Coinbase May 2025 disclosure described an attack architecture in which $250,000 bribes were the operational primitive; the architectural response is to ensure that a bribed individual agent cannot extract material data without triggering the control surface.

Erodes operation: password-based agent authentication, broad-default access scopes, single-control approval on privileged actions, no behavioral anomaly detection at the workspace layer, audit logs treated as a compliance artifact rather than an active monitoring surface. The operator may have a sound external posture and still be compromised through the support workspace itself. Section 500.11 third-party expectations are not satisfied by contract language; they are satisfied by demonstrable workspace control.
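The workspace-layer anomaly rules named above (out-of-queue access, high-value accounts touched without a ticket assignment, export volume inconsistent with workload) as a small detection pass over constructed agent-access events. This is an added example, not Toeshee’s or any vendor’s code; the event field names, the assignment map and the export baselines are assumptions.

```python
"""Workspace-layer anomaly detection over constructed agent-access events.

Assumed event fields (not from any vendor schema): agent, queue (the agent's
assigned queue), account, account_queue, account_tier ("standard" or
"high_value"), action ("view" or "export"), ticket (ticket id or None).
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    rule: str
    agent: str
    detail: str


def ev(agent, queue, account, account_queue, tier, action, ticket):
    """Build one access event; a helper for the constructed sample below."""
    return {"agent": agent, "queue": queue, "account": account,
            "account_queue": account_queue, "account_tier": tier,
            "action": action, "ticket": ticket}


# Constructed sample: a.lee works normally inside the retail queue;
# b.ortiz shows all three patterns the text calls out.
NORMAL_EVENTS = [
    ev("a.lee", "retail", "ACC-101", "retail", "standard", "view", "T-1"),
    ev("a.lee", "retail", "ACC-102", "retail", "standard", "view", "T-2"),
    ev("a.lee", "retail", "ACC-101", "retail", "standard", "export", "T-1"),
    ev("a.lee", "retail", "ACC-102", "retail", "standard", "export", "T-2"),
]
SUSPECT_EVENTS = [
    ev("b.ortiz", "retail", "ACC-201", "retail", "standard", "view", "T-7"),
    # High-value account in another queue, with no ticket behind the access.
    ev("b.ortiz", "retail", "VIP-9", "vip", "high_value", "view", None),
] + [ev("b.ortiz", "retail", "ACC-201", "retail", "standard", "export", "T-7")
     for _ in range(13)]   # 13 exports in one shift against a baseline of 4
SAMPLE_EVENTS = NORMAL_EVENTS + SUSPECT_EVENTS

# Open ticket assignments: agent -> accounts the agent currently may touch.
SAMPLE_ASSIGNMENTS = {"a.lee": {"ACC-101", "ACC-102"}, "b.ortiz": {"ACC-201"}}
# Typical exports per shift per agent, from historical telemetry (constructed).
SAMPLE_EXPORT_BASELINE = {"a.lee": 4, "b.ortiz": 4}


def detect(events, assignments, export_baseline, export_multiplier=3):
    """Return alerts for the three workspace-layer patterns."""
    alerts = []
    export_counts = defaultdict(int)
    for e in events:
        assigned = assignments.get(e["agent"], set())
        # Rule 1: record belongs to a queue the agent is not assigned to.
        if e["account_queue"] != e["queue"]:
            alerts.append(Alert("out_of_queue", e["agent"],
                                f"{e['account']} is in queue {e['account_queue']}"))
        # Rule 2: high-value account with no ticket assignment for this agent.
        if e["account_tier"] == "high_value" and (
                e["ticket"] is None or e["account"] not in assigned):
            alerts.append(Alert("high_value_no_ticket", e["agent"],
                                f"{e['account']} accessed without assignment"))
        if e["action"] == "export":
            export_counts[e["agent"]] += 1
    # Rule 3: export volume well above the agent's own baseline.
    for agent, n in export_counts.items():
        base = export_baseline.get(agent, 1)
        if n > export_multiplier * base:
            alerts.append(Alert("export_volume", agent,
                                f"{n} exports vs baseline {base}"))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS, SAMPLE_ASSIGNMENTS, SAMPLE_EXPORT_BASELINE):
        print(a)
```

Each alert is a review trigger for the dual-control surface, not an automatic block; the multiplier and baselines are tuning points an operator would set from its own telemetry.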

2. Multichannel availability — verification and dual-control escalate by risk tier

Strengthens operation: customers remain free to initiate from the channel they prefer — chat, email, X, Discord, Telegram or phone — and the operator preserves broad availability for routine interactions (balance inquiries, payment-method updates, fee questions, simple disputes, educational content). Verification and dual-control escalate only when the requested action enters higher-risk territory. Account-recovery actions, large or unusual transactions, KYC re-screening triggers, sanctions or PEP-screening hits, and any action that moves funds or changes credentials are completed inside the in-product authenticated session, not on the public channel where the customer started. Public Discord, X and Telegram remain open for community and education, with explicit user-facing notice that the operator never DMs to ask for credentials, never asks for transfers, never offers compensation through these channels. Email is used only for documented categories with auto-categorization and tamper-evident headers. The operator measures both availability for the customer (channel coverage, response time on routine interactions) and control on the risk-bound actions (verification completion rate, dual-control completion rate, anomaly detection on channel-to-action escalations). This is the Consumer Duty posture the FCA reads positively and the discipline that NYDFS Part 500, DORA and AMLA expect on the actions that carry weight.

Erodes operation: multichannel availability is treated as the entire customer experience, with no calibration of verification intensity to the risk of the requested action. Account credentials changed via X DM without identity re-verification. Large transfers approved over Telegram without dual-control. Sensitive account actions completed in any inbound channel the customer happened to use. The operator absorbs the cost of impersonation losses on its own users while measuring support performance on response-time metrics that ignore the threat surface. Morpho’s Discord closure and the broader pattern of similar decisions through 2025 and 2026 are not failures of community management. They are the operational consequence of operators that did not calibrate control intensity to action risk, faced the resulting fraud losses, and concluded the public channel was unrecoverable. The correction is not to close the channel; the correction is to keep the channel available for what it can safely carry and to route the risk-bound actions to where they belong.

3. Third-party support vendor relationships under documented ICT third-party risk management

Strengthens operation: relationships with outsourced support vendors are managed under documented ICT third-party risk management aligned to NYDFS Section 500.11, DORA Articles 28 through 44, and NIS 2 Article 21. Contractual security requirements are testable and tested. Vendor access to customer data is segmented by need-to-know with workspace controls applied identically to vendor and in-house agents. Vendor staff turnover triggers access revocation in hours, not days. Vendor incident reporting obligations align to the operator’s own SEC, NYDFS, DORA, NIS 2, GDPR and FCA timelines (4 business days material disclosure, 72-hour cybersecurity incident notification, 72-hour personal data breach notification, 24-hour ransomware notification). Vendor performance is monitored with the same security telemetry as in-house operations. The operator can produce, on demand to any regulator, documentation of what the vendor was authorized to do, what they actually did, what alerted, what was investigated, what was concluded.

Erodes operation: outsourced support managed under traditional BPO commercial terms with security as a contractual annex rather than an operational integration. Vendor security reviews conducted at onboarding and renewed annually rather than continuously. Vendor data access broader than ticket-driven need. Vendor incident reporting on vendor’s own clock rather than operator’s regulatory clock. The Coinbase May 2025 disclosure framing — “overseas third-party customer support contractors had been bribed” — is the architectural failure mode regulators are now scrutinizing. The Verizon 2025 DBIR finding that third-party involvement doubled to 30 percent of breaches confirms this is industry-wide.

4. Customer education built into the product flow, not external to it

Strengthens operation: user-facing communications about scam vectors are integrated into the in-product experience at the moment of decision. Withdrawal flow shows explicit warnings calibrated to the current threat landscape. Account-recovery flow uses provable channel verification rather than reliance on user vigilance. Communications from the operator are cryptographically verifiable (signed messages, in-product notification, never email or SMS for sensitive actions). New-user onboarding includes a structured threat-model briefing matched to the current Chainalysis and FBI IC3 categories — specifically including impersonation customer support attempts, recovery scams, AI-enabled romance-to-investment patterns, deepfake-based authority impersonation. The 22,364 AI-related complaints and $893 million in AI losses logged for the first time in the FBI 2025 IC3 report are an explicit and rising surface; the educational response is product-integrated, not blog-post-relegated.

Erodes operation: scam education delivered through help-center articles and corporate blogs the user never reads. Generic warnings about “never share your seed phrase” in environments where the modern attack is not a seed-phrase request but a sophisticated impersonation flow that builds trust over weeks before the request. The 1,400 percent surge in impersonation scams documented in Chainalysis 2026 corresponds to attack patterns specifically designed to defeat the user-education model that operators built in the 2020-2023 era. Operators still relying on that model are absorbing the cost in customer losses, in support ticket volume, in regulator inquiries, and in peer-network reputation.

The four read as a system

The four patterns describe a coordinated re-architecture of customer support as an operational function fully integrated into the operator’s ICT third-party risk surface, the operator’s regulatory disclosure obligations, and the operator’s threat-informed customer protection model. The exchanges and operators that have rebuilt under this discipline through 2025 and 2026 are operating with materially reduced exposure to the surface the 2025 cycle exposed. The operators that have not are either continuing to absorb losses or making the alternative architectural decision — closing public-facing customer support entirely, as Morpho did with its Discord. Both choices are defensible. The middle ground — maintaining the 2024 architecture against the 2026 threat environment — is not.

Closing

The Coinbase third-party breach disclosed in May 2025 was not an isolated incident. It is the operational reference case for an industry pattern — industrialized impersonation, AI-enabled scaling, third-party support vendor compromise, downstream customer-targeting fraud that materializes weeks or months after the original compromise. The Chainalysis 2026 +1,400 percent impersonation YoY, the Scam Sniffer 2,000 percent Telegram malware surge, the FBI IC3 $11 billion crypto losses with $893 million AI-related, and the Verizon 2025 DBIR 30 percent third-party involvement, taken together, describe the operational threat environment any operator with a public-facing customer support function is operating in this quarter. The regulatory expectation across the U.S., UK, EU and German frameworks is converging on the same answer: customer support is part of the ICT third-party risk surface, and it must be architected as such. The four patterns above are where the architecture either holds or fails.

If you are re-architecting customer support against this environment and want to walk through where your operation holds and where it breaks, the Toeshee team is available for a 30-minute conversation. Request: operations@toeshee.io

We power user trust in Web3, one interaction at a time.

Crypto-native. Compliance-built.

ABOUT TOESHEE

Toeshee is the Web3-dedicated division of The Center Source Group, delivering crypto-native customer support infrastructure for exchanges, crypto payment processors, iGaming, fintech and DeFi operators in regulated jurisdictions across the U.S., UK and EU. We work behind the curtain — integrating into client operations under environmental and identity-assurance controls applied to the support workspace itself, executing customer experience, trust-and-safety, technical support, risk-operations and security-compliance functions to the disciplines our clients are themselves accountable for under their applicable supervisory frameworks.

References available on request. This analysis draws on Coinbase’s SEC Form 8-K filing of May 15, 2025; Coinbase’s Maine Attorney General data breach notification disclosing 69,461 affected customers; public statements by Coinbase CEO Brian Armstrong on the $20 million ransom demand and $250,000 bribe offers; Brooklyn District Attorney announcements of the December 2025 indictment of Ronald Spektor for $16 million impersonation fraud; the Chainalysis 2026 Crypto Crime Report published January 13, 2026 (chainalysis.com/blog/crypto-scams-2026/ and chainalysis.com/blog/2026-crypto-crime-report-introduction/); Scam Sniffer’s January 16, 2025 thread on the 2,000% Telegram malware surge; the FBI Internet Crime Complaint Center 2025 Annual Report published April 7, 2026 (ic3.gov); the Verizon 2025 Data Breach Investigations Report; the Morpho Discord closure announcement and public statements by co-founder Merlin Egalite; SEC cybersecurity disclosure rules effective 2023 reporting cycle; 23 NYCRR Part 500 Second Amendment (finalized November 1, 2023; full phase-in November 1, 2025; first fully phased annual certification due April 15, 2026) and NYDFS enforcement actions against Gemini Trust ($37 million, 2024) and Block, Inc. ($40 million, 2025); the EU Digital Operational Resilience Act (DORA, fully applicable January 17, 2025; Articles 18, 19, 28 to 44); NIS 2 Directive 2022/2555 (Articles 20, 21, 23); EU AMLR 2024/1624 and AMLA operationalization July 2025; the Central Bank of Ireland November 2025 €21.5 million enforcement action against Coinbase Europe; GDPR Article 33; UK FCA Principle 11, SS2/21 and SYSC 13; BaFin BAIT and BSI KRITIS / IT-Sicherheitsgesetz frameworks; and the 2024 ISA-BSI German Handbook on Cyber-Risk Oversight. All metrics cited trace to documented primary sources.

Prepared by Patricia Torres Cabarcas  —  Senior Growth & Positioning Consultant
