Deepfake fraud is usually discussed like a consumer-awareness problem. Do not trust the video call. Verify the voice. Beware urgent transfers.
Abu Dhabi’s financial regulator is framing it more usefully: synthetic voice and video are virtual-asset cyber risks.
That matters because crypto firms do not only lose money through smart-contract bugs or exchange hacks. They also lose money when humans approve the wrong movement, trust the wrong identity, or treat a convincing impersonation as an instruction from a client, executive, vendor or regulator. In virtual assets, the social-engineering layer and settlement layer sit dangerously close together.
On April 30, ADGM’s Financial Services Regulatory Authority issued a cyber-threat notice for Virtual Asset Service Providers. The notice lists AI-generated voice or video impersonation as a threat, warning that attackers may use synthetic audio or video to impersonate executives, clients or regulators and trick staff into authorising transfers, disclosing sensitive information or bypassing normal controls. The same notice tells firms to use proactive, risk-based measures to strengthen cyber resilience and to report material IT or cyber incidents to FSRA within 24 hours of discovery.
This is the right regulatory move. Deepfakes are not a content problem when they can trigger asset movement. They are control-plane risk.
The Attack Is Not The Video
Synthetic media gets attention because it looks uncanny. That is not where the control failure sits.
The control failure sits in the process that accepts the synthetic signal as authority. A fake voice note approving a withdrawal, a video call that appears to include a senior executive, a spoofed regulator requesting information, a cloned client asking for wallet changes: none of those attacks need to fool everyone. They need to fool the one workflow that moves funds, updates permissions or exposes sensitive data.
VASP operations make that sharper.
Virtual-asset businesses sit on fast-moving balances, irreversible settlement paths, privileged wallet operations, custody controls, client onboarding and market-sensitive information. If an attacker can impersonate authority inside that environment, the loss may not wait for a bank recall window. The boring internal control either catches the fraud before movement or becomes a footnote in an incident report.
FSRA’s notice implicitly understands that. It does not stop at “be aware of deepfakes.” It ties impersonation to staff training, transaction verification, access controls, transaction monitoring and incident-response readiness. That is the useful part. Detection tools can help. They are not enough. The control has to assume that some synthetic media will look and sound convincing.
The operational question is not “can we spot every fake?” It is “can a fake alone authorize anything important?”
Cyber Resilience, Not PR Cleanup
ADGM has already been moving cyber risk into regulated-firm governance.
In July 2025, FSRA announced cyber risk management amendments requiring firms to integrate cyber risk into existing risk frameworks, with compliance required from January 31, 2026. The regulator described the move as part of operational resilience and cybersecurity, not a standalone technology hygiene exercise.
That context matters. The April VASP notice is not a random warning about scams. It lands inside a broader framework where firms have to show that cyber risk is governed, assessed, tested and reported.
FSRA’s IT risk-management page also says Authorised Persons must immediately notify the regulator of incidents impacting operations, and no later than 24 hours after becoming aware of information reasonably suggesting that a material cyber incident has occurred. The page lists cyber-attacks and operational disruption examples, and points firms to initial and progressive reporting templates for incident submission.
That turns synthetic-media fraud into more than reputational embarrassment. If a deepfake-led event causes material operational impact, unauthorized access, data exposure or asset movement, the firm may have a reporting clock.
This is where many AI-fraud discussions are too soft. They focus on whether employees can recognize fakes. Regulators care about whether governance survives fakes.
The Controls Are Old, The Signal Is New
The strongest controls against synthetic-media fraud are not exotic.
Use callback verification on known numbers. Require dual approval for sensitive transfers and wallet changes. Separate voice/video confirmation from transaction authority. Limit privileged access. Monitor unusual transaction patterns. Reconcile client instructions against authenticated channels. Train staff on regulator and executive impersonation. Preserve logs. Test the incident plan.
None of that requires pretending deepfake detection is solved.
That is the point. The most dangerous response to synthetic media is to build a binary “real or fake” gate and assume it will work. Attackers do not need perfect media if they also have urgency, context, scraped personal details and a plausible workflow. A mediocre synthetic voice can work if the process is weak.
For VASPs, the better posture is layered friction around high-impact actions. A cloned executive should not be able to create a new withdrawal path. A fake client video should not update wallet instructions without out-of-band verification. A spoofed regulator should not extract sensitive information without escalation. A synthetic message should be treated as an input, not authority.
This is unglamorous. So are most good controls.
The Crypto-Specific Problem
Crypto firms have an extra challenge: users expect speed.
The industry sells instant movement, 24/7 markets and reduced friction. That promise collides with fraud controls. Add too much verification and customers complain. Add too little and the firm becomes an impersonation machine with a token interface.
This is why the FSRA framing is useful. It moves the question from “how do we warn users?” to “how do VASPs design operations where synthetic identity cannot override risk controls?”
That includes client-facing controls, but also internal ones. Treasury operations, custody approvals, support-ticket escalation, VIP-client servicing, incident communications and regulator interactions all become likely targets. Attackers will not politely stay in the consumer help desk.
The notice also pushes firms to think about third parties. VASPs rely on cloud providers, custody technology, analytics vendors, KYC providers and communication systems. If a synthetic-media attack compromises a vendor interaction or operational handoff, the firm still owns the resilience problem. Outsourcing rarely impresses regulators as a plot twist.
The Implication
Deepfakes are becoming part of financial cyber supervision because they attack authority.
That is a better frame than the usual panic over fake videos. In virtual assets, the relevant unit is not the media file. It is the control path the media tries to influence.
ADGM’s FSRA is effectively telling VASPs to treat synthetic voice and video as an operational risk that belongs in cyber resilience, transaction governance and incident reporting. That is where it belongs. Scam awareness posters will not protect custody operations.
For crypto firms, the rule is simple: if a voice or video can move money, change access, expose client data or bypass escalation, it is not a communication channel. It is a control weakness.
The fakes will get better. The controls have to stop needing them to be bad.
Discussion
Sign in to join the discussion.
No comments yet. Be the first to share your thoughts.