Web3 Brand Protection: safeguarding institutional identity in the on-chain era
Web3 Brand Protection guards institutional identity on-chain. Impersonator domains (ENS, Unstoppable) can pose as your brand and collect funds from customers, invisible to legacy controls. Continuous monitoring detects and neutralizes these threats, MiCAR and DORA aligned.

During a recent demo run on a leading Italian bank, the Crypfy system detected 144 suspicious results targeting the institution’s brand. Five of these were high-risk domains configured as active impersonators, ready to receive funds from the bank’s customers. The bank was unaware of them.
This is not an isolated case. It is the norm in Web3.
The risk you do not see
In the traditional world, a fraudulent domain is a serious but manageable problem: it is a site that imitates yours, deceives your customers and must be taken down. A real risk, but one with well-established response tools.
In Web3 the problem changes nature entirely.
A name such as yourbank.eth is not simply a website, it is an on-chain financial identity. It can be configured to receive funds directly, effectively becoming an alternative “IBAN”. Anyone can register it. Anyone can use it to collect crypto assets from your customers, who believe they are interacting with you.
Criminals know this. They register variants of your brand and build phishing campaigns that start on Telegram or social media and end with an on-chain transfer to a fraudulent wallet. The damage is real, immediate and, without the right tools, completely invisible to traditional control systems.
The European regulatory framework has already taken account of this reality. MiCAR (Regulation (EU) 2023/1114) imposes on CASPs strict requirements on governance, operational risk management and protection of clients’ interests (Articles 66 and 68 MiCAR), which include managing the reputational and fraud risks linked to the unlawful use of the brand on-chain. DORA (Regulation (EU) 2022/2554) requires financial entities, including banks and CASPs, to put in place a framework for managing ICT risk (Article 6) and to continuously identify the cyber threats and vulnerabilities relevant to their functions (Article 8(2)), a category that fully includes phishing and digital impersonation campaigns. These are fully effective obligations, subject to active supervision by the competent authorities.
How Web3 Brand Protection works
Crypfy’s Web3 Brand Protection module continuously monitors, around the clock, everything that revolves around your brand in Web3, and beyond.
It detects threats before they become damage. The system automatically identifies ENS and Unstoppable Domains similar to your brand: variants with spelling errors (typosquatting), visually similar characters (homograph attack), clone names (cybersquatting). For each suspicious domain it calculates a similarity score and links it to the associated on-chain wallets, reconstructing the full profile of the threat.
It monitors in real time. New registrations, anomalous transfers, suspicious renewals: every event is intercepted and automatically classified by criticality level. Alerts arrive with complete metadata (UTC timestamp, ENS address, linked wallet, risk level), structured to ensure the documentary traceability required by the ICT incident management process under Article 17 DORA.
It does not stop at monitoring: it acts. This is the substantial difference compared with any other tool on the market. When a threat is identified, Crypfy steps in:
- Takedown of Web2 phishing sites through specialised partners
- Anonymous negotiation to recover .eth domains that have been unlawfully occupied, without exposing the institution’s identity
- Structured reporting of digital assets linked to fraud to exchanges and competent authorities, in support of freezing procedures before the legally competent venues
The Crypfy team manages the entire operational process, in full respect of the oversight and accountability role that remains with the client institution.
What you get
Adopting Web3 Brand Protection means having three concrete things in hand.
Full visibility into on-chain brand risk. For the first time you know how many active threats weigh on your brand in the Web3 layer, in real time, with wallet detail and on-chain behaviour. A level of visibility that legacy systems cannot provide and that the European regulatory framework now assumes as a minimum standard of control.
Active operational protection. Threats are not just monitored: they are neutralised. Sites removed, domains recovered, assets reported. A complete cycle of prevention, intervention and remediation managed entirely by Crypfy.
Structured documentation for compliance and regulators. Every alert and every intervention generates a complete audit trail with date, type of threat, measures taken and outcome. The periodic reports are structured to meet the traceability and retention requirements set out by DORA and the documentary needs of the national supervisory authorities, Banca d’Italia and CONSOB (the Bank of Italy and CONSOB, the Italian securities markets authority), within the competences allocated by D.Lgs. 129/2024 (Italian Legislative Decree 129/2024) on the supervision of CASPs. When the on-chain analysis matches Indicators 26 and 27 of the Provvedimento UIF of 12 May 2023 (Italian FIU Provision of 12 May 2023) (crypto-asset activity inconsistent with the customer’s profile, and activity towards addresses linked to high-risk contexts), the technical evidence is ready for a suspicious transaction report. On the on-chain side, this scheme mirrors the same control logic already outlined by Comunicazione UIF of 5 February 2010 on computer fraud (Italian FIU Communication of 5 February 2010), still in force as a reference scheme.
Three service levels
The service is available in three configurations, calibrated to the institution’s needs:
Basic → Monitoring. Continuous 24/7 surveillance with automatic alerts on new threats to the brand.
Pro → Monitoring + Analysis. Adds in-depth analysis of wallet clusters, of the relationships between suspicious domains and on-chain behaviour. A key tool for internal investigation teams.
Enterprise → Monitoring + Analysis + Acquisition. Includes the recovery and preventive custody of strategic Web3 domains, with multi-signature wallets. The most complete protection, from detection to remediation.
For those who want to start with an immediate snapshot of their exposure, a one-off Scanning Assessment is also available: a complete analysis of the active threats against the brand, with an executive report and an action plan, with no recurring commitment.
Why Crypfy
The large international players in the sector were built for forensics and for law enforcement. They work well once the fraud has already occurred, in hindsight. They were not designed for the day-to-day operational flows of a bank or a regulated European institution.
Crypfy was created for this specific context. It is the only managed service that simultaneously covers the Web2 layer and the Web3 layer, designed from the outset for the MiCAR and DORA framework and for European technological sovereignty requirements. It runs on European cloud infrastructure, requires no in-house Web3 expertise, and produces output that speaks the language of Compliance, Risk and Legal, not that of blockchain developers.
A platform built for those who must answer to the regulator, not just for those who study the blockchain.