Hello Fraud Fighters!
This week, the crypto ATM industry got a reality check it's been avoiding for years, and the largest operator in North America didn't survive it. Visa dropped its semi-annual threats report and confirmed what every fraud team already suspects: scams have lapped card fraud as the number-one consumer threat. The Verizon DBIR landed too, with a landmark finding that should rattle every CISO. And in the UK, TSB reported Q1 courier fraud losses that have already eclipsed the entirety of 2025.
Let's get into it.
Big Story: Bitcoin Depot collapses — and takes the crypto ATM model with it
Bitcoin Depot was, until Monday, the largest Bitcoin ATM operator in North America. On May 18, it filed for Chapter 11 bankruptcy in the Southern District of Texas and immediately pulled its entire network of more than 9,000 kiosks offline. The company is winding down and selling assets.
The proximate causes are regulatory. Indiana banned Bitcoin ATM kiosks in March 2026. Tennessee and Minnesota followed, and Connecticut suspended Bitcoin Depot's operating license the same month. CEO Alex Holmes, brought in just two months earlier to navigate the crisis, cited "increasingly stringent compliance obligations, including new transaction limits, and in some jurisdictions, outright bans on BTM operations." By April, the company was warning investors that 2026 revenue would fall 30–40% versus prior years, purely due to fraud mitigation and compliance costs. A month before the filing, hackers breached Bitcoin Depot's IT systems and stole $3.7 million from its crypto wallets. For good measure, the attorneys general of Massachusetts and Iowa had also sued the company over alleged facilitation of crypto scams. Q1 revenue was down 49.2% year over year. The stock went from $1.29 at the start of the year to pennies.
The underlying driver — the one that made regulators act — is fraud. The FBI logged 13,460 crypto-kiosk fraud complaints in 2025, with reported losses of $389 million; a 58% jump from the prior year, and it's the number that finally exhausted political patience. The playbook is well-worn: a scammer calls a victim, impersonates the IRS, their bank, or law enforcement, tells them their account is compromised, and instructs them to deposit cash at a nearby Bitcoin ATM and send the funds to a "safe wallet." The ATMs are irreversible, largely anonymous at lower thresholds, and conveniently located in gas stations and convenience stores where victims in a panic won't attract attention.
Bitcoin Depot had actually invested in compliance (enhanced identity verification, customer fraud warnings, lower transaction limits, per-transaction ID collection), but it wasn't enough, not because the measures were wrong, but because the economics of the model don't survive proper fraud remediation costs once states start assigning liability. Restructuring advisor Roshan Dharia of Echo Base stated that the traditional crypto ATM model historically depended on high transaction spreads and limited regulatory scrutiny to offset compliance, logistics, fraud remediation, and retail revenue-sharing costs. That model is now pushing up daisies.
So what for operators: Bitcoin Depot's collapse is a cautionary tale for any fintech channel that serves as a reliable off-ramp for social engineering scams — whether crypto ATMs, P2P payment rails, or wire transfer products. You will eventually face the same regulatory reckoning once loss data accumulates loudly enough. The question isn't whether your channel has fraud. It's whether your fraud remediation economics are viable when regulators start assigning the bill.
Get ahead of next-gen financial fraud
Generative AI is helping fraud evolve faster than traditional defenses can handle. But these same tools can be put to good use. Read MIT Technology Review’s latest report to see how to fight back.
You’ll discover:
● AI-powered fraud tactics targeting your customers
● Why layering AI into your defense is key
● How industry collaboration is reshaping fraud prevention
Learn more about the latest fraud tactics, AI-enabled defenses, and how data sharing and policy alignment are helping the industry stay one step ahead.
Quick Hit #1: Visa confirms scams have lapped card fraud
Visa's Spring 2026 Biannual Threats Report landed this week with a finding that should end any lingering debate about where consumer payment fraud has moved: from July to December 2025, Visa identified nearly $1 billion in scam-related activity, making scams the single largest category of consumer payment fraud on its network.
These attacks don't require breaching technology. Scammers impersonate trusted brands, manufacture urgency, and trick victims into authorizing the transaction themselves. Meanwhile, device token fraud actually declined 9.6% over the same period, confirming that network-level card security is working — which is precisely why criminals have moved up the stack to target humans instead. Ransomware activity rose 26%, but only 23% of victims paid ransoms, the lowest rate on record. The key quote from Visa SVP Michael Jabbara: "What once required deep technical skill can now be executed with a prompt."
Quick Hit #2: Verizon DBIR — vulnerabilities dethrone passwords as top breach vector
For 18 consecutive years, stolen credentials topped Verizon's annual Data Breach Investigations Report as the leading way attackers get in. That streak ended this week. The 2026 DBIR, covering 22,000 confirmed breaches across more than 145 countries (the largest dataset in the report's history) finds that vulnerability exploitation now accounts for 31% of initial access, surpassing credential theft for the first time. AI has compressed the time between public vulnerability disclosure and active exploitation from months to hours. Third-party supply chain breaches jumped 60% and now represent 48% of all breaches. Shadow AI is a growing internal risk — employee use of unapproved AI tools tripled to 45%, creating data leakage exposure that most security programs aren't yet measuring. Mobile social engineering success is up 40%. The practical read for fraud and security teams: if you're still treating patch management as a quarterly compliance exercise rather than a continuous operational discipline, the attackers have already moved on.
Quick Hit #3: TSB — Q1 courier fraud already worse than all of 2025
TSB this week published data on higher-value courier fraud that should alarm any UK fraud team: cases in Q1 2026 have already surpassed the total recorded for the entire year of 2025, with the value of losses 116% higher. Almost 9 in 10 victims — 89% — are aged 70 or above. Courier fraud is operationally crude but devastatingly effective: criminals impersonate banks or police, convince victims their accounts have been compromised, and either persuade them to post their cards and PINs or send a "courier" (in some cases, a fake police officer) to collect cash and cards in person. Fraudsters then use the cards on spending sprees at high-end retailers and supermarkets, relying on chip-and-PIN to authorise payments. The City of London Police has described it as one of the most harmful and serious fraud types currently operating in the UK.
Quick Hit #4: The Massachusetts bank fraud ring that bought off the people checking IDs
A federal guilty plea filed in Boston on May 2 pulls back the curtain on a scheme that should make any fraud team uncomfortable; Victor Kolawole and Keith Wainaina pleaded guilty to bank fraud, conspiracy to commit bank fraud, and conspiracy to commit money laundering, two of six defendants in a ring that operated across Massachusetts, Connecticut, and Rhode Island for more than two years.
The mechanics: a ringleader obtained customer PII without authorization and used it to produce fake ID documents carrying victims' details but imposters' photos. Those imposters were driven to bank branches and walked up to teller windows to withdraw funds as cashier's checks. Wainaina deposited or attempted to deposit more than $762,000; Kolawole approximately $373,000. The detail that makes this more than a routine fraud case: bank insiders were paid to facilitate the scheme, deliberately skipping customer verification protocols and disabling account notifications that would have alerted victims. The fraud beat two layers of defense — identity documents and the humans reviewing them — because one of those layers was on the payroll.
This Week in Fraud is a publication for fintech operators, fraud teams, and risk professionals. Have a tip or story? Drop Nick Holland a note at [email protected]
