Bank boards in 2026 are understandably preoccupied with the regulatory hurdles of stablecoin integration and AI-driven compliance, but as the GENIUS Act gains a foothold in the US, a quieter and more efficient revolution is occurring in the shadow economy. It’s time we stop looking at cryptocurrency theft as a series of discrete hacks and start recognizing it for what it really has become: a scalable model that mirrors the software-as-a-service platforms we use to run our banks. Unless defense architectures adapt to combat this “Shopify theft,” traditional surveillance friction will continue to trump criminal enterprises’ seamless user experience.
The emergence of Drainer-as-a-Service (DaaS) represents the industrialization of cybercrime. I have seen firsthand the evolution of value exchange. Modern threat actors are no longer just lone hackers. They are now platform owners, and their unit economics are becoming increasingly sophisticated. Just as Shopify democratized e-commerce by providing turnkey payment gateways and analytics capabilities to legitimate entrepreneurs, DaaS providers now supply affiliates with sophisticated wallet-draining scripts in exchange for a share of the stolen assets. These platforms provide high-performance, low-friction tools that can be deployed to thousands of unique domains in minutes. This is more than just a security breach. It is a business-model disruption that allows low-skilled attackers to carry out high-value heists with the same efficiency that modern fintechs use to launch new wallet features.
Traditional banking compliance is currently ill-equipped to handle this level of speed and scale. Having provided products under different regulations in the US, Canada, Brazil, and the EU, I have a deep respect for how regulations differ across jurisdictions. But while these regulatory frameworks move at a human pace, DaaS platforms operate in real time. By the time a suspicious wallet address is flagged and blacklisted, the DaaS franchisee has already moved assets through a decentralized mixer and spun up 10 new domains.
To combat this, the banking industry must move beyond reactive compliance and aim for architectural resilience. Rather than relying solely on static blacklists, fraud detection should be treated as a versioned and observable service within the architecture, leveraging machine learning to detect behavioral patterns such as specific device fingerprints or anomalous payment profile reuse.
Banks also need to implement technology patterns that protect consumers at the protocol level. For example, a “circuit breaker” pattern should be used to prevent cascading problems across all critical flows in the payments ecosystem. A similar philosophy should be applied to wallet interactions. If a transaction signature deviates from a user’s typical behavior, the system should trigger an architectural circuit breaker that suspends the transaction before the funds leave the institution’s control, similar to how rent payment anomalies are monitored.
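The behavioral circuit breaker described above, as an added example that is not from the original article. The class name, the threshold, and the two signals used (destination novelty and amount deviation from the customer's median) are assumptions, and the sample transfers are constructed.

```python
from dataclasses import dataclass, field
from statistics import median

@dataclass
class WalletBreaker:
    """Per-customer breaker for outbound transfers (hypothetical design)."""
    max_dev: float = 6.0   # assumed threshold: MADs away from the median amount
    amounts: list = field(default_factory=list)    # settled transfer amounts
    known: set = field(default_factory=set)        # destinations seen before
    held: list = field(default_factory=list)       # transfers awaiting review
    tripped: bool = False                          # True = outbound flow suspended

    def learn(self, amount, dest):
        """Add a settled transfer to the customer's baseline."""
        self.amounts.append(amount)
        self.known.add(dest)

    def deviates(self, amount, dest):
        """True for a new destination whose amount is far outside the usual range."""
        if dest in self.known or not self.amounts:
            return dest not in self.known   # no baseline yet: hold unknown destinations
        med = median(self.amounts)
        mad = median(abs(a - med) for a in self.amounts) or 1.0
        return abs(amount - med) / mad > self.max_dev

    def submit(self, amount, dest):
        """Decide before funds leave custody: 'RELEASED' or 'HELD'."""
        if self.tripped or self.deviates(amount, dest):
            self.tripped = True                 # suspend this and all later transfers
            self.held.append((amount, dest))
            return "HELD"
        self.learn(amount, dest)
        return "RELEASED"

    def review(self, approve):
        """A review decision closes the breaker; approved transfers join the baseline."""
        released = self.held if approve else []
        for amount, dest in released:
            self.learn(amount, dest)
        self.held, self.tripped = [], False
        return released

def demo():
    """Constructed history for one customer, then a sweep to an unseen address."""
    b = WalletBreaker()
    for amt, dest in [(40, "a"), (55, "b"), (60, "a"), (45, "a"), (50, "b"), (52, "a")]:
        b.learn(amt, dest)
    return [b.submit(48, "a"), b.submit(4800, "new-addr"),
            b.submit(50, "a"), b.review(False), b.submit(50, "a")]
```

Once tripped, the breaker holds even routine transfers until a review closes it, which is what keeps a single anomalous signature from being followed by further withdrawals.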
As we plan new rails such as stablecoin payment projects, we cannot ignore the huge risks of DaaS. The goal is to improve the economics of payments and shift costs, but doing so without a robust defense platform is a recipe for disaster. We need to co-create product roadmaps with risk and compliance teams and ensure that engineering is a co-owner of the results.
Competition is no longer between banks. It’s between the platforms. DaaS operators have built large, real-time organizations that work closely with their own versions of product and risk management. To survive this change, we must stop treating security as a checkbox and start treating it as a core architectural competency. We need to build high-performing, resilient systems that scale beyond the industrialization of theft. Only by adopting an ownership mindset and applying first-principles thinking to infrastructure can we secure the future of the global payments value chain.
