Authored by Marc Nasr Corporate Finance & Strategy Officer
Part 1: The Investor Actor Classification
Cryptocurrency theft exceeded $3.4 billion in 2025 (1), with state-sponsored actors increasingly deploying AI-enabled social engineering to impersonate venture capital firms. North Korean groups alone accounted for at least $2.02 billion of that total – a 51% year-on-year increase achieved through fewer, higher-impact operations.
This article presents the Polity Web3 Investor Actor Classification – an ISO-aligned framework that enables founding teams to systematically assess counterparty risk along two independent dimensions – identity assurance and behavioural intent – and concludes with a four-step Founder Due Diligence Protocol.
Subsequent instalments examine the threat landscape with evidence from recent campaigns (Part 2) and set out operational controls for treasury, identity, and incident response (Part 3).
The framework represents the first structured counterparty risk model for decentralised capital markets – a governance primitive that any Web3 protocol can adopt.
For a founder, receiving a message from a Tier-1 firm like a16z crypto, Paradigm, or Dragonfly feels like the ultimate validation. For a cybercriminal, that aspiration is the perfect hook.
The key insight is not simply that these threats exist – it is that the traditional signals of investor legitimacy are no longer reliable.
The counterfeit VC is no longer a clumsy phisher with a misspelt email; today’s attackers deploy AI-generated deepfakes, fully functioning corporate façades, and “ClickFix” malware capable of draining a treasury in minutes.
A governance framework for evaluating counterparties is now as essential as a cap table – and security posture itself has become a signal of investment readiness.
The pressure to secure funding – especially during competitive cycles – forces founders to move quickly. Scammers exploit this urgency by impersonating well-known VC firms to gain access to internal data, treasury wallets, or personal devices.
The Chainalysis 2026 Crypto Crime Report (2) estimates that impersonation-related fraud grew approximately fourteen-fold year-on-year in 2025, with AI-enabled scams proving 4.5 times more profitable than traditional methods.
The cost extends well beyond the financial. The FBI’s 2024 Internet Crime Report (3) recorded $16.6 billion in total cyber-fraud losses, with cryptocurrency among the most frequently reported transaction types and social engineering as the dominant attack vector.
When a project’s treasury is drained or its code repository compromised, the trust painstakingly built with the community evaporates overnight.
In Web3, where self-sovereignty over assets and data is a core value, a security failure is frequently viewed as a failure of leadership.
This is why today’s top-tier investors perform rigorous security due diligence on founders before writing a cheque. If your internal operational security is weak, you are not merely a target – you are a liability to their entire portfolio.
The first step towards defending against these threats is a systematic method for evaluating the investors themselves.
To help founders navigate counterparty risk systematically, Polity has developed the Web3 Investor Actor Classification. This framework allows teams to categorise potential partners along two independent axes – identity assurance and behavioural intent – and assign appropriate risk mitigation controls.
Identity assurance is a property of the observer’s verification process (verified, unverified, or fabricated), whereas behavioural intent is an inferred property of the actor (constructive, opportunistic, or malicious).
This distinction matters: a fully verified counterparty may still harbour malicious intent, and an unverified actor may prove entirely constructive once identity checks are complete. Three supporting indicators – time horizon, transparency, and compliance maturity – inform the behavioural-intent assessment and are reflected in the observable-indicator profiles for each actor class.
Because actors may transition between intent categories over time, classifications are treated as dynamic and subject to periodic re-evaluation (see Escalation Protocol below).
The following matrix maps investor risk across two dimensions. Behavioural intent ranges from constructive to malicious; identity assurance ranges from fully verified to fabricated. Two principles govern the matrix.
First, reduced identity assurance escalates the risk classification: an opportunistic actor who is verified warrants A-2 treatment, whereas the same behavioural profile from an unverified actor warrants A-3 (Extractive/Activist Investor).
The logic is that unverified identity compounds the underlying risk, because extractive behaviour is harder to constrain when the counterparty cannot be held accountable.
Second, a fabricated identity is inherently adversarial; constructive or merely opportunistic intent is incompatible with identity fabrication, so those cells are empty by design.
Each class corresponds to a distinct risk profile with specific observable indicators and recommended controls.
Any counterparty assessed at A-3 or above triggers a formal review. An A-3 classification requires Risk Officer sign-off before the engagement proceeds. An A-4 or A-5 classification triggers escalation to the Risk Committee, and an A-5 requires immediate exclusion and a formal incident record.
Approval authority cascades in order of seniority: Risk Committee (highest), then Risk Officer, then Treasury Officer; each level may approve within its delegated threshold, escalating upward where authority is exceeded.
Every classification must be reviewed at least every six months or upon any of the following re-evaluation triggers: (i) a material change in ownership or LP structure; (ii) a governance proposal inconsistent with stated intent; (iii) a missed compliance disclosure; (iv) an unsolicited request for privileged data or system access; (v) a shift in investment horizon (e.g., early liquidity demands); or (vi) an adverse finding from on-chain forensics or external intelligence.
Reclassification is bidirectional: a counterparty that demonstrates sustained constructive behaviour, completes outstanding verification, or resolves prior compliance gaps may be reclassified downward (e.g., A-3 to A-2, or A-2 to A-1), provided the reclassification is documented and approved at the appropriate authority level.
All classification decisions, trigger events, and reclassification rationale must be documented in an Investor Classification Record (ICR), creating a full audit trail of how each counterparty’s risk profile has evolved over time.
To ensure that classification decisions are operationally visible across the organisation, teams should also record the assigned actor class in internal systems such as CRM platforms, deal pipelines, and investor databases. Tagging counterparties with their current classification at the point of entry ensures that every team member engaging with a given counterparty has immediate access to the latest risk assessment, reducing the likelihood of inconsistent treatment or inadvertent exposure.
The flowchart below summarises the escalation path for organisations of all sizes, including smaller or flatter teams where formal committee structures may not yet be in place.
Figure 1: Escalation Protocol – Decision Flowchart. Smaller organisations without a formal Compliance Committee should assign the equivalent authority to the most senior governance role available.
The classification is aligned with international standards for risk management, organisational governance, compliance, anti-bribery, and information security (ISO 31000, 37000, 37001, 37301, and 27001 respectively). A detailed mapping of each actor class to specific standard clauses is available in the Appendix.
Before sharing sensitive data or joining a call, run the following pre-engagement verification protocol. These steps apply regardless of the contact channel – email, LinkedIn, Telegram, Discord, or X – and founders should be especially cautious with messaging platforms where account compromise and impersonation are common.
The output of each step feeds directly into the Identity Assurance axis of the Risk Matrix above. Behavioural Intent – the second axis – is assessed through ongoing observation: post-verification conduct, governance participation patterns, and alignment between stated objectives and actual behaviour inform the intent classification over time.
Once all four steps are complete, the team has sufficient information to assign an initial actor class and apply the corresponding controls, subject to re-evaluation per the Escalation Protocol.
Step 1 – DNS and Registry Verification. Copy the email domain and run a WHOIS lookup using a reputable service such as ICANN Lookup (lookup.icann.org) or DomainTools.
If the domain was registered within the last twelve months, treat it as a strong indicator of fraud; domains less than six months old should be treated with particular suspicion. A hidden or privacy-shielded WHOIS record on a domain claiming to represent an established fund is itself a red flag.
Cross-check the registrant details against the firm’s publicly listed corporate information. If the initial contact arrived via a messaging platform (Telegram, Discord, X) without an associated corporate email, request one; refusal to provide a verifiable corporate domain, or use of a generic email provider for fund communications, warrants elevated scrutiny.
Step 2 – Back-Channel Verification. Independently locate the person on the firm’s official website. Reach out via their published email or contact another partner directly.
If the firm has no record of the conversation, the counterparty’s identity is fabricated: classify as A-5 Fraudulent Impersonator, disengage immediately, and document the interaction.
If the person exists but was not the one who initiated contact, treat the approach as a compromised-account scenario, escalate to A-4, and alert the real firm that their executive’s identity may have been compromised – in both cases, document every detail of the interaction for the ICR.
Step 3 – Portfolio Cross-Reference. Request a reference introduction to one of the VC’s existing portfolio founders.
A legitimate investor will facilitate this readily; a scammer will cite confidentiality restrictions to avoid independent verification. Crucially, verify the portfolio company independently – contact them through their own public channels, not solely via the introduction the counterparty provides.
Step 4 – Institutional Verification. For larger rounds, confirm the fund’s LP registry filings, regulatory registrations, fund administrator identity, and capital-call history. These checks are standard in institutional finance and any legitimate counterparty will expect them.
Next week: Part 2 maps the current threat landscape – the anatomy of modern VC impersonation campaigns, the social-engineering tactics that sustain them, and a detailed case study of the UNC1069 intrusion.
About Polity
The Web3 Investor Actor Classification presented in this series is the first of several governance primitives being developed as part of the Polity governance model. Polity builds infrastructure for regulated digital finance. Its governance frameworks are designed to bridge decentralised systems and institutional-grade compliance requirements, with a focus on GDPR, eIDAS 2.0, DORA, and MiCA alignment across European and international markets.
Disclaimer: This article is published for informational and educational purposes only. It does not constitute investment advice, legal advice, or an endorsement of any product, service, or security practice. Polity does not provide investment advice, custody services, or regulated crypto-asset activities. Readers should conduct their own due diligence and consult qualified professionals before making any decisions based on the content of this publication. All third-party sources are cited for reference; their inclusion does not imply endorsement by or affiliation with Polity.
(1) Chainalysis (2025). ‘2025 Crypto Theft Reaches $3.4 Billion.’ 2026 Crypto Crime Report Preview. Available at: https://www.chainalysis.com/blog/crypto-hacking-stolen-funds-2026/ (Accessed: 9 March 2026).
(2) Chainalysis (2026). ‘2026 Crypto Crime Report: Scams.’ Chainalysis Blog. Available at: https://www.chainalysis.com/blog/crypto-scams-2026/ (Accessed: 9 March 2026).
(3) Federal Bureau of Investigation (2025). 2024 Internet Crime Report. Internet Crime Complaint Center (IC3). Available at: https://www.ic3.gov/AnnualReport/Reports/2024_IC3Report.pdf (Accessed: 9 March 2026).
The table below maps each actor class to specific ISO standard clauses referenced in the Polity Web3 Investor Actor Classification. All classes are subject to periodic re-evaluation and bidirectional reclassification per the Escalation Protocol.