We set up a 2-of-3 Multisig wallet for our web3 startup. My co-founder, our lead dev, and I held the keys. I thought we were safe. Then the lead dev convinced my co-founder to sign a “contract upgrade.” They colluded, executed the transaction, and drained the treasury to a mixer. I called our commercial crime insurer. They pointed to the “Theft by Insured” exclusion.
Key Takeaways
- Theft by Insured/Partner: Standard theft coverage is written for strangers. If a business partner or employee who already holds authorized access takes the funds, a standard crime policy usually denies the claim. Insider theft needs “Employee Dishonesty” or “Fidelity” coverage.
- Authorized Access: The two signers held valid keys and met the 2-of-3 threshold, so the chain sees a cryptographically valid, fully authorized transaction. Nothing on-chain distinguishes a legitimate spend from a key holder abusing that authority, and the insurer reads it the same way: “authorized” movement of funds, not theft.
- Fidelity Bonds: This is the specific product for insider theft. Obtaining one for a crypto startup is difficult and requires strict background checks on every signer.
- Collusion Risks: A k-of-n multisig defends against compromise or loss of fewer than k keys; it offers no defense once k key holders agree to act together. Insurance underwriters know this and often exclude “collusion by partners” specifically.
The “Why” (The Trap)
The trap is “Partner Liability.”
In a partnership or LLC, acts by one partner are often legally binding on the entity. If a partner drains the account, it is often treated as a civil dispute between owners rather than a crime, at least initially. Insurance covers crimes, not civil disputes between owners, and the “Insured vs. Insured” exclusion bars the company from claiming a loss caused by one of its own directors or owners.
The Investigation (I Quoted Commercial Crime)
I looked for policies that cover “Insider Jobs.”
Evertas (Crypto Specialist)
- Analysis: They can write policies covering “Employee Theft,” but they demand rigorous key management protocols. If the keys were on hot wallets, they may deny the claim.
- Requirement: They often require an independent third-party signer (such as a professional custodian) in the quorum, rather than three internal founders, so that no spend can complete with insider signatures alone.
Travelers (Standard Business Crime)
- Analysis: Covers employee theft of money, but “Virtual Currency” is often excluded or sub-limited (commonly around $10,000) unless you add a specific rider.
- Exclusion: Almost always excludes theft by a Partner or Owner (typically anyone holding more than 10% equity).
Comparison Table
| Perpetrator | Standard Crime Policy | Fidelity Bond | Cyber Policy |
|---|---|---|---|
| External Hacker | Covered | N/A | Covered |
| Employee (Dev) | Denied (Usually) | Covered | Denied |
| Partner (Co-Founder) | Denied (Owner Exclusion) | Denied (Owner Exclusion) | Denied |
Step-by-Step Action Plan
- File a Lawsuit & Injunction: You need to have the event legally classified as theft/embezzlement immediately to have any chance with insurance. Get a temporary restraining order (TRO) against the rogue partner.
- Trace the Funds: Engage a forensic firm (Chainalysis/TRM Labs) to track the funds. If they land at an exchange that performs KYC and is subject to the court's jurisdiction, the TRO can compel a freeze of that account; funds that stay in self-custodied wallets or on mixers cannot be frozen.
- [IMAGE: Diagram showing a 2-of-3 multisig setup and the flow of unauthorized funds]
- Review the Operating Agreement: Does your company agreement define which transactions are authorized and who may approve them? If not, the partner can argue they were “investing” the funds, not stealing them.
- Future Proofing: Use a 3-of-5 setup with at least one key held by a legal firm or institutional custodian (such as Anchorage) that only signs upon board resolution. The threshold alone is not enough: if four of the five keys are internal, three insiders can still meet 3-of-5 without the custodian, so the signing policy must require the external key in every quorum.
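To make the quorum rule concrete, here is an added model (not code from the article or from any custodian) of how a treasury signing policy evaluates a set of signatures. It contrasts the bare 2-of-3 from the story, a 3-of-5 that merely adds a custodian key, and a 3-of-5 that additionally requires the custodian's role in every quorum. Signer names, roles, the transaction fields and the board-resolution check are constructed for the example.

```python
"""Multisig spending-policy model: why a bare k-of-n threshold does not stop
insider collusion, and how a required independent co-signer does.
Added illustration; all signers, transactions and policies are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Roles whose key holders work inside the company (assumption for this model).
INTERNAL_ROLES = frozenset({"founder", "employee"})


@dataclass(frozen=True)
class Signer:
    name: str
    role: str  # "founder", "employee" or an external role such as "custodian"


@dataclass(frozen=True)
class Transaction:
    to: str
    value_eth: float
    board_resolution: Optional[str] = None  # reference the external signer insists on


@dataclass(frozen=True)
class Policy:
    threshold: int
    signers: FrozenSet[Signer]
    required_roles: FrozenSet[str] = frozenset()  # roles that must appear in every quorum

    def evaluate(self, tx: Transaction, signatures: FrozenSet[Signer]) -> Tuple[bool, List[str]]:
        """Return (approved, reasons). Signatures from keys outside the policy never count."""
        reasons: List[str] = []
        effective = set()
        for s in signatures & self.signers:
            # Model of the custodian's own signing policy: an external key is only
            # produced when a board resolution is attached to the request.
            if s.role not in INTERNAL_ROLES and tx.board_resolution is None:
                reasons.append(f"{s.name} ({s.role}) refuses to sign: no board resolution attached")
                continue
            effective.add(s)
        if len(effective) < self.threshold:
            reasons.append(f"only {len(effective)} of {self.threshold} required signatures")
        missing = self.required_roles - {s.role for s in effective}
        for role in sorted(missing):
            reasons.append(f"quorum lacks a signer with role '{role}'")
        approved = len(effective) >= self.threshold and not missing
        return approved, reasons


# Constructed key holders mirroring the story: two founders, a lead dev, a second
# employee, and one hypothetical institutional custodian key.
ALICE = Signer("alice", "founder")
BOB = Signer("bob", "founder")
CAROL = Signer("carol", "employee")   # lead dev
DAVE = Signer("dave", "employee")
CUSTODIAN = Signer("custodian", "custodian")

PLAIN_2_OF_3 = Policy(2, frozenset({ALICE, BOB, CAROL}))
# Adding a custodian key without binding it to the quorum changes nothing.
NAIVE_3_OF_5 = Policy(3, frozenset({ALICE, BOB, CAROL, DAVE, CUSTODIAN}))
# The hardened variant: threshold plus a role that must be present.
HARDENED_3_OF_5 = Policy(3, frozenset({ALICE, BOB, CAROL, DAVE, CUSTODIAN}), frozenset({"custodian"}))


def run_scenarios() -> Dict[str, bool]:
    """Evaluate the collusion scenarios from the article against each policy."""
    drain = Transaction(to="mixer-deposit-address (constructed)", value_eth=1200.0)
    payout = Transaction(to="vendor-address (constructed)", value_eth=50.0, board_resolution="BR-2024-07")
    return {
        "plain 2-of-3: co-founder + lead dev collude": PLAIN_2_OF_3.evaluate(drain, frozenset({BOB, CAROL}))[0],
        "naive 3-of-5: three insiders collude": NAIVE_3_OF_5.evaluate(drain, frozenset({BOB, CAROL, DAVE}))[0],
        "hardened 3-of-5: three insiders collude": HARDENED_3_OF_5.evaluate(drain, frozenset({BOB, CAROL, DAVE}))[0],
        "hardened 3-of-5: insiders + custodian, no resolution": HARDENED_3_OF_5.evaluate(drain, frozenset({BOB, CAROL, CUSTODIAN}))[0],
        "hardened 3-of-5: insiders + custodian, with resolution": HARDENED_3_OF_5.evaluate(payout, frozenset({BOB, CAROL, CUSTODIAN}))[0],
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{'APPROVED' if ok else 'REJECTED':8} {name}")
```

The first two scenarios approve the drain: the 2-of-3 from the story, and a 3-of-5 that has a custodian key but does not require it. Only the policy that names the custodian's role as mandatory, combined with the custodian's own rule of signing solely against a board resolution, rejects the collusion while still letting a properly resolved payout through.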
FAQ
Can the DAO vote to freeze their funds?
Only if the funds sit in a token contract that has a blacklist function (such as USDC or USDT), and even then the freeze is executed by the token issuer (Circle or Tether), typically on a court order or law-enforcement request, not by a DAO vote. If the thief swapped into native ETH, there is no contract-level freeze and no one can stop the funds from moving.
Is the co-founder liable?
Yes, personally. But if he has fled to a country without an extradition treaty, collecting on a judgment is unlikely.