I remember sitting in a Sydney co-working space in 2017, reading the Ethereum whitepaper for the fourth time. I was 20, convinced that trustless systems would render intermediaries obsolete. Six years later, a group of scammers in London built a fake police website, pretended to be officers, and convinced victims to hand over £4.2 million in crypto. The cops arrested them. The victims? They didn’t lose money to a smart contract bug. They lost it because they trusted authority.
This isn’t just a crime story. It’s a mirror held up to our industry’s deepest contradiction: we preach code is law, but we still upgrade contracts via multi-sig. We say “don’t trust, verify,” but when someone in a uniform calls, most of us comply.
Context: The Case That Won’t Change the Market But Should Change the Conversation
In March 2025, three men were sentenced in London for running a “police fraud” operation. They built a website mimicking the Metropolitan Police, contacted crypto holders, and demanded funds under the guise of “investigating suspicious activity.” Total haul: £4.2 million (about $5.3 million). They bought Rolexes, luxury holidays, and were eventually caught because the Met’s cyber unit traced the money on-chain.
The market yawned. $5.3 million is a rounding error in a bull run where daily volumes are in the billions. But the case matters for a different reason. It exposes the soft underbelly of our entire decentralized project: the human tendency to trust a badge over a blockchain.
The Met used blockchain analytics to track the funds. Good for them. But the fact that the victims never questioned the call — that they handed over private keys to someone impersonating a cop — tells me something about the limits of our technology.
Core: The Three Layers of Trust We Pretend Don’t Exist
I’ve spent years arguing that DAO governance is a farce because multi-sig holders have upgrade keys. I’ve written about how Layer2 sequencers are centralized nodes with a fancy name. But this case reveals a deeper issue: trust isn’t just a protocol problem. It’s a human cognitive problem.
Let me break it down into three layers I’ve come to recognize in my years of audit deep-dives and community building:
1. Technical Trust (“Code is Law”) This is what we sell. The smart contract will execute as written. No censor, no bailiff. But as I learned in 2020 when my entire savings got drained by an unaudited yield farm, code is only law if you read it. Most people don’t. They trust the project’s website, the team’s Twitter, the shiny UI. The fake police website didn’t have a bug in its Solidity; it had a bug in its aesthetic. It looked official.
2. Institutional Trust (“The Badge”) The victims didn’t use a smart contract to vet the caller. They used a lifetime of conditioning: police are safe, authority is reliable. This is the same trust that makes KYC checks feel legitimate, even when they’re just a database leak waiting to happen. It’s also the same trust that makes people believe a multibillion-dollar centralized exchange won’t rug them — until it does.
3. Social Trust (“My Friend Said…”) Most crypto adoption happens not because someone read the whitepaper, but because a friend showed them an app. Social trust is the most powerful on-ramp, and also the most exploited. The fake police network probably used referrals or targeted known crypto communities.
Now, here’s where it gets uncomfortable. Every blockchain project that claims to be “decentralized” but relies on a foundation, a core team, or a well-known founder is, in part, selling institutional trust. We don’t need to audit the code because Vitalik/Vitalik-forks/CEO said it’s safe. That’s no different from believing a police officer on the phone.
I’ve personally audited five DAOs over the past two years. Not a single one had full on-chain execution of upgrades. Each had a multi-sig with five signers — effectively a boardroom hidden behind a smart contract. The latest? The foundation had the ability to pause any proposal. When I pointed it out in a public call, the lead developer said, “But we’re the good guys.” That sentence is the fake police website all over again.
Contrarian: Maybe We Need Less Tech and More Civic Infrastructure
The typical response to this case is: “We need better education. Don’t trust cold calls.” I agree. But I also wonder if our obsession with replacing all intermediaries is actually counterproductive.
Here’s a thought experiment I wrestled with after reading the sentencing report: What if the victims had called the real police to verify the caller? The real police would have said, “No, that’s a scam.” The fake authority would have been exposed by the real one. That means the system worked — not through a trustless protocol, but through a trusted institution that the victims could cross-reference.
We are so afraid of central points of failure that we forget humans need anchoring points. The internet didn’t kill the post office; it created verified senders. Perhaps the optimal system is not “code only” but “code + accountable institutions.”
The most successful DeFi apps today still have front-end teams, customer support, and explicit terms of service. The most robust stablecoins — yes, even DAI — rely on oracles that are essentially trusted entities. We pretend they’re not, but the reality is that true decentralized trust is a philosophical ideal, not a practical operating system for billion-dollar markets.
And this is where my own idealism took a hit. In 2021, I founded a community for artists learning NFT tech. I thought we could self-organize with moderation DAOs. Instead, I spent weekends deleting spam accounts and banning scammers impersonating me. I became the authority. I was the fake (but legitimate) police for my own project. The need for someone to be “in charge” is not a bug in human nature; it’s a feature.
Takeaway: Don’t Mistake Tools For Wisdom
I’m not saying we should abandon decentralization. I am saying that we need to be honest about the levels of trust we actually rely on. Every time I see a project marketing itself as “trustless,” I now check their GitHub for admin keys. Every time I hear someone say “just read the code,” I remember the fake police website — more polished than any real police portal.
The lesson from the London scam isn’t that crypto is dangerous. It’s that trust is not something you can eliminate; it’s something you have to design for. The solution isn’t to make every interaction cryptographically verified — that’s impossible for humans who don’t read 500-page whitepapers. The solution is to create verifiable anchors: places where people can quickly check if an authority is real.
Imagine a crypto-native identity system where the Met Police could register a DID, and when they call, a pop-up on your hardware wallet confirms their signature. But who controls the DID registry? A DAO? A government? We’re back to the same question.
Truth in blockchain isn’t about killing authority. It’s about making authority accountable. That requires code, but also process. And process requires people who care.
I don’t have a tidy answer. But I know that every time we pretend smart contracts alone can solve for trust, we leave the door open for a fake cop with a landing page. We didn’t need better blockchain tech to prevent this scam. We needed better public infrastructure for verifying police identities. That feels unsexy, but it’s real.
So here’s my forward-looking question: In a bull market where everyone is chasing the next zk-rollup, who is building the simplest, most boring layer: a verified directory of institutions that work across chains?
Because until we solve that, every $5 million scam is just a reminder that the human gap is the only gap that matters.