How Crypto On-Ramps Work: The Custody Architecture Behind the 'Buy Crypto' Button
Author: Thi Nguyen, Founder

A technical deep dive into how on-ramps like MoonPay, Ramp, and Transak actually work - and why custody architecture decides who wins the on-ramp race.
TL;DR - A crypto on-ramp is a five-layer system that converts fiat (cards, bank transfers) into crypto delivered to a user's wallet. The layers are: fiat rails, FX & hedging, custody, liquidity routing, and on-chain delivery. Custody is the operational nexus - 80% of the operational risk lives there. Building it in-house takes 18-24 months and $5-10M; modern fintechs increasingly buy MPC-based custody infrastructure (SaaS or self-hosted) and own only the orchestration layer on top.
Table of contents
- What is a crypto on-ramp?
- The on-ramp gold rush in numbers
- What happens when a user clicks "Buy Crypto"
- Why custody is the silent failure mode
- How MPC custody automates payouts
- Build vs buy: the real economics
- What to look for in custody infrastructure
- SaaS vs self-hosted custody
- Frequently asked questions
What is a crypto on-ramp?
A crypto on-ramp is the infrastructure that lets a user convert traditional money (fiat - euros, dollars, naira, real, rupees) into cryptocurrency delivered to a wallet. From the user's perspective: tap "Buy Crypto," pay with a card or bank transfer, receive BTC / ETH / USDC in seconds. From the operator's perspective: a five-layer system spanning fiat payment rails, FX hedging, custody, liquidity routing, and on-chain delivery - all reconciling in real time.
The opposite is a crypto off-ramp (crypto → fiat). Most modern providers (MoonPay, Ramp, Transak, Bridge) offer both, plus increasingly stablecoin-specific flows for B2B payments and remittances.
The on-ramp gold rush in numbers
Stablecoins settled $33 trillion on-chain in 2025 - a 72% year-over-year jump, per Bloomberg using Artemis Analytics data. Even after stripping out bot activity and trading, the adjusted "real payment" volume reached ~$28 trillion, more than Visa's $16.7T full-year payments network. USDC alone accounted for $18.3T; USDT $13.3T. Q4 2025 set a single-quarter record at $11 trillion.
The companies sitting on top of this volume are no longer crypto experiments - they're payment infrastructure:
- MoonPay processed $8B+ across 30M users in 180 countries (Q1 2025 volume up 123% YoY)
- Stripe paid $1.1B for Bridge in October 2024 to own this layer of the stack
- Transak became MetaMask's exclusive stablecoin on-ramp partner in September 2025, exposing 100M+ users to one-tap stablecoin purchases
- 30% of Americans now own crypto - roughly 70.4M people, up from 27% in 2024 (Security.org)
- Stablecoin velocity has doubled since early 2024 (2.6x → 6x), meaning supply is being used for actual transactions, not just held (a16z)
- Active stablecoin wallets grew 53% in 2025 to surpass 30M
The GENIUS Act, signed in summer 2025, solidified the federal regulatory framework for payment stablecoins in the US. MiCA is live in the EU. Singapore, Hong Kong, the UAE, and Brazil all formalized stablecoin payment rules within the same window. The infrastructure is built. The regulation exists. The only question now is which on-ramps capture the volume.
Then in February 2025, Bybit lost $1.5 billion in a single transaction - the largest cryptocurrency theft on record. Centralized custody platforms accounted for 88% of all crypto losses in Q1 2025, according to Chainalysis. North Korean hackers stole $2.02B across the year - 76% of every service-side compromise. Total funds stolen from crypto services hit $3.4B in 2025.
The on-ramp gold rush is real. So is the custody graveyard underneath it. And almost every founder building in this space underestimates how much of the second determines whether they survive the first.
**Building an on-ramp?** Talk to Fystack - we ship MPC custody and treasury orchestration infrastructure for fintechs that need to ship safely at scale.
What happens when a user clicks "Buy Crypto"
Most product teams approach the on-ramp the way a user experiences it: tap a button, see a loading spinner, get crypto in your wallet, done. The reality is a five-layer orchestration problem running in real time, with custody at the operational center of every transaction.
The 5 layers of a crypto on-ramp:
1. Fiat rails - card networks, bank transfers, regional instant rails (SEPA, ACH, PIX, UPI)
2. FX & hedging - currency conversion + exposure management
3. Custody - inventory wallets + policy engine + signing infrastructure
4. Liquidity routing - smart order routing across CEXs and OTC desks
5. On-chain delivery - gas, KYT, confirmations, re-org handling
When a user buys €500 of BTC with a card, here's what actually happens:

Layer 1: Fiat rails
The card payment runs through 3DS authentication. Liability shifts from your platform to the issuing bank. You absorb the 2-3% interchange and the conversion drop from 3DS friction. If the user picked SEPA Instant instead, you'd settle in 10 seconds. PIX in Brazil, UPI in India, FPS in Hong Kong - every region has its own rail. Each rail is its own integration with its own KYB requirements, fraud rules, and chargeback exposure.
The fee gap is brutal: cards cost 3-4%, bank transfers cost 0.5-1.5%. That spread is essentially chargeback insurance - because crypto transactions are irreversible, but card payments aren't. If a user files a chargeback six months later, the on-ramp eats both the fiat AND the already-delivered crypto.
Layer 2: FX & hedging
EUR is locked at $1.0822 in a 30-second window. You convert to USD, then to USDC or USDT for routing. You're sitting on FX exposure across your daily flow that has to be hedged - overnight if you're conservative, 30 days forward if you're optimizing for cost. Every basis point of slippage is your margin.
Layer 3: Custody
The hot wallet releases 0.0091 BTC to the user's destination address in under three seconds. A policy engine has just auto-approved the transfer based on per-transaction caps, velocity limits, whitelist matches, and source authentication. Behind that engine, an MPC threshold signature scheme co-signs from three distributed nodes - no single key exists, no single point of compromise.

Layer 4: Liquidity routing
Asynchronously, your treasury system batches this transaction with ~2,000 others into a $1.08M aggregate buy. A smart order router splits the order across venues - typically Binance, Kraken, and Cumberland OTC - with TWAP execution to minimize slippage on orders above $100K. Counterparty risk is monitored live.
Layer 5: On-chain delivery
Gas is pre-funded by you. The destination address gets KYT-screened (Chainalysis or TRM). Confirmation triggers fiat capture or refund. Re-org and stuck-tx handling happens automatically.

Two to three days later, the card settles to your bank. In the meantime, your money funded the user's BTC. At even modest scale - 50,000 transactions a day, $25M in daily flow - you have $2-5 million of working capital trapped in settlement gaps every single day.
This is the operational reality of running an on-ramp. Custody isn't just one of five components - it's the only one where every other layer's decisions land.
Why custody is the silent failure mode of every on-ramp
The Chainalysis 2026 Crypto Crime Report makes the threat picture clear: centralized services are getting hit harder than ever, despite their institutional resources and professional security teams.
The top three crypto hacks of 2025 alone drove 69% of all service-side losses. Bybit's $1.5B loss came from a sophisticated attack on its signing infrastructure - not a smart contract bug, not a phishing scam. The attackers compromised the custody layer, and once they did, no amount of cold-wallet protocol could save them.
Crucially, 84% of all illicit crypto in 2025 rode stablecoins - meaning the same rails your on-ramp depends on for routing are the rails attackers use to extract value. Your custody policy engine isn't an optional safeguard; it's the firewall between your treasury and the next nine-figure headline.
There are four ways an on-ramp dies, and three of them are custody problems:

| Failure mode | What it looks like | Custody-related? |
|---|---|---|
| Capital float compromise | Hot wallet drained in one shot | Yes |
| Reconciliation breaks | Ledgers don't match across banks/venues/chains | Yes |
| Policy engine misconfiguration | Withdrawals freeze OR attackers walk out the door | Yes |
| FX & slippage drift | Margin leaks 0.4-1% per trade across thousands of executions | No (treasury problem) |
Capital float compromise - Per-transaction caps don't save you because the attacker isn't acting like a user. They're moving the entire pool. Without sophisticated policy and shard-distributed signing, your $5M operating wallet is one credential leak away from zero.
Reconciliation breaks - Four banking partners, six liquidity venues, N blockchains, and millions of transactions per day. When the ledgers don't match - even by a few dollars - you have stuck funds, double-spent inventory, and a regulator asking why your reserves don't reconcile.
Policy engine misconfiguration - One bad rule and either withdrawals freeze (customers churn) or attackers walk out the door. Building a policy engine that handles the matrix of asset / chain / amount / source / destination / velocity correctly is genuinely hard engineering - and there's no margin for error.
FX and slippage drift - Conversion rates between platforms vary from 60% to 85%+, and single-provider strategies can lose up to 50% of potential transactions. Even 0.4-1% per-trade drift compounds into hundreds of basis points off your margin.
The companies that have survived in this space - Coinbase, Kraken, the major institutional players - didn't survive because they were faster to market. They survived because they invested years and tens of millions of dollars into custody infrastructure that most consumer-facing teams cannot afford to replicate.
How MPC custody automates payouts at scale
There's a common misconception that MPC custody = slow custody. The reasoning: if multiple parties need to sign every transaction, doesn't that block automation?
The reality is the opposite. In production MPC custody, the parties are machines, not humans. Three signing services in three different cloud regions co-sign transactions in under 500ms - fully automated, fully distributed, no single point of compromise.
What gates speed isn't the cryptographic primitive. It's the policy engine sitting on top of it.
Here's how a real auto-signed payout flow works:

Humans only touch the exceptions:
- Transfers above the per-transaction cap
- New whitelist destinations
- Reserve-tier access (refilling the operating wallet)
- Anomalies flagged by the velocity engine
For a retail on-ramp processing tens of thousands of transactions per day, this means 99%+ of payouts are auto-approved in under a second. The remaining 1% gets routed to ops review. Speed and safety are no longer a tradeoff - they're configurable parameters of the same engine.
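The policy gate described above, as an added example (not Fystack's code or API): it rejects unauthenticated or disallowed requests, sends the four listed exceptions to ops review, and auto-signs everything else. The class names, limits, source identity and addresses are assumptions made up for illustration; the burst helper shows why an aggregate velocity limit is needed on top of the per-transaction cap.

```python
from collections import deque
from dataclasses import dataclass, field
from decimal import Decimal
from enum import Enum

class Decision(Enum):
    AUTO_SIGN = "auto_sign"    # handed to the MPC signers, no human involved
    OPS_REVIEW = "ops_review"  # held for a human approver
    REJECT = "reject"          # never signed

@dataclass(frozen=True)
class Payout:
    ts: int                     # unix seconds
    source: str                 # authenticated identity of the requesting service
    asset: str
    chain: str
    dest: str
    amount_usd: Decimal
    reserve_tier: bool = False  # True when the request touches the reserve wallet

@dataclass
class PolicyEngine:
    per_tx_cap_usd: Decimal
    window_s: int               # length of the rolling velocity window
    window_cap_usd: Decimal     # max auto-signed outflow inside one window
    trusted_sources: frozenset
    allowed_pairs: frozenset    # permitted (asset, chain) combinations
    whitelist: frozenset        # destinations already approved
    _recent: deque = field(default_factory=deque)  # (ts, amount) auto-signed

    def evaluate(self, p: Payout):
        # Hard failures first: these are never signed.
        if p.source not in self.trusted_sources:
            return Decision.REJECT, "source not authenticated"
        if (p.asset, p.chain) not in self.allowed_pairs or p.amount_usd <= 0:
            return Decision.REJECT, "asset/chain or amount not permitted"
        # The exceptions the article routes to humans.
        if p.reserve_tier:
            return Decision.OPS_REVIEW, "reserve-tier access"
        if p.dest not in self.whitelist:
            return Decision.OPS_REVIEW, "new destination"
        if p.amount_usd > self.per_tx_cap_usd:
            return Decision.OPS_REVIEW, "above per-transaction cap"
        # Velocity: aggregate auto-signed outflow in the rolling window.
        while self._recent and self._recent[0][0] <= p.ts - self.window_s:
            self._recent.popleft()
        outflow = sum((amt for _, amt in self._recent), Decimal(0))
        if outflow + p.amount_usd > self.window_cap_usd:
            return Decision.OPS_REVIEW, "velocity limit exceeded"
        self._recent.append((p.ts, p.amount_usd))
        return Decision.AUTO_SIGN, "within policy"

def demo_engine():
    # Constructed limits and identities, for illustration only.
    return PolicyEngine(Decimal("10000"), 60, Decimal("50000"),
                        frozenset({"checkout-api"}),
                        frozenset({("BTC", "bitcoin"), ("USDC", "ethereum")}),
                        frozenset({"addr-known-1"}))

def burst_decisions(n=8, amount="9900"):
    """n payouts one second apart, each just under the per-transaction cap."""
    eng = demo_engine()
    return [eng.evaluate(Payout(1000 + i, "checkout-api", "USDC", "ethereum",
                                "addr-known-1", Decimal(amount)))[0]
            for i in range(n)]
```

With these constructed limits, the first five payouts of the burst are auto-signed and the rest are held for review, even though every one of them passes the per-transaction cap.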
**Want to see this in production?** Book a 30-minute architecture walkthrough - we'll show you how Fystack's policy engine + MPC TSS handles real on-ramp flows at scale.
Build vs buy: the real economics of crypto on-ramp custody
If you're a CTO at a fintech weighing whether to build custody in-house or buy from a custody infrastructure provider, the math is brutal:

| Factor | Build it yourself | Buy from a provider |
|---|---|---|
| Time to production | 18-24 months | 2-6 weeks |
| Engineering team | 10+ specialists | 2-3 integrators |
| Upfront cost | $5-10M | Usage-based |
| Compliance certifications | Build from scratch | Inherited |
| Liability for breaches | Yours | Shared (per SLA) |
| HSM procurement & key ceremonies | Yours | Provider handles |
| Ongoing security audits | Yours | Provider handles |
| Focus | Cryptography | Your moat (rails, FX, fraud, UX) |
For any on-ramp doing less than $500M/month in volume, the build path doesn't make economic sense. Even at higher volumes, the leading players increasingly outsource the cryptographic primitives and own only the orchestration layer on top.
Custody is a buy decision, not a build decision. The moat is in rails, FX, fraud detection, and orchestration - not cryptography.
What to look for in modern custody infrastructure
If you're evaluating custody providers, here's the floor - anything less and you're inheriting risk you can't see:
MPC threshold signatures (TSS), not single keys
The cryptographic primitive matters. Single-key wallets - even hardware-backed ones - are a single point of compromise. The Bybit-class attack vector becomes structurally impossible when no single party ever holds the full key.
HSM-protected key shards
The MPC nodes themselves should run inside trusted execution environments or HSMs. Shards encrypted at rest are not enough - they need to be unextractable in use.
Programmable policy engine
This is where automation lives. Per-transaction caps, velocity limits, asset/chain whitelists, source authentication, time-of-day rules. The policy engine is what lets you auto-sign 99% of payouts in under a second while requiring human approval for the 1% of exceptions.
Treasury orchestration, not just custody
Inventory replenishment from venues, settlement reconciliation across banks/exchanges/chains, automated rebalancing - these are the operational glue that turns custody from a vault into an inventory engine. Fireblocks describes the same pattern in its institutional treasury reports.
Self-hosted deployment as an option
This is the part most providers don't offer, and the part that increasingly matters as the regulatory landscape shifts.
SaaS vs self-hosted custody: which makes sense for your stack
The regulatory environment around crypto custody is hardening. MiCA in the EU is live. The GENIUS Act formalized US federal stablecoin oversight in summer 2025. Singapore, the UAE, Hong Kong - every major jurisdiction is implementing some flavor of "you must control your own custody stack or use a regulated provider."
For a growing class of on-ramp builders - especially banks, regulated brokerages, sovereign wealth funds, and enterprises - pure SaaS custody is no longer an option:
| Need | SaaS custody | Self-hosted custody |
|---|---|---|
| Speed to market | Yes (weeks) | No (slower setup) |
| Operational sovereignty | No (provider-controlled) | Yes (your infrastructure) |
| Regulatory inspection | Limited | Yes (full topology access) |
| Data residency | Limited (provider's regions) | Yes (any jurisdiction) |
| Vendor independence | No (critical dependency) | Yes (replaceable) |
| Compliance for banks / regulated entities | Limited (often insufficient) | Yes (required) |
This is where Fystack is positioned. We ship the same MPC + HSM + policy engine + treasury orchestration stack as the leading custody providers, but you can run it as SaaS for speed-to-market, or self-hosted for sovereignty. Same APIs, same security posture, same operational guarantees - your choice on where it runs.
For an on-ramp, brokerage, or payment processor making the buy-vs-build decision today, this is the third option that wasn't on the table five years ago. You don't have to build it yourself, and you don't have to depend on someone else's cloud.
The window is closing
The on-ramp market is consolidating fast. Stablecoin volumes are projected to exceed $50 trillion in 2026, and Chainalysis estimates they could hit $1.5 quadrillion by 2035. The companies that win the next 24 months will be the ones that ship safely while their competitors are still debugging their custody stack.
Stripe knew this when they paid $1.1B for Bridge. Visa, Mastercard, and PayPal all knew it when they launched stablecoin rails in late 2024. The next wave of fintechs and neobanks adding crypto rails will know it too - about six months after they wished they had.
If you're building an on-ramp, custody isn't your moat. Rails, FX, fraud detection, and customer experience are your moat. Custody is the table-stakes infrastructure that lets you focus on the moat without becoming the next nine-figure headline.
**Talk to Fystack** - whether you need SaaS to ship in weeks or self-hosted for sovereignty, we'll show you exactly what's behind the "Buy Crypto" button, and how to ship it without the 18-month build path. → Book an architecture review
Frequently asked questions
What is a crypto on-ramp?
A crypto on-ramp is the infrastructure that converts traditional fiat money (USD, EUR, etc.) into cryptocurrency delivered to a user's wallet. It typically combines fiat payment rails (cards, bank transfers, instant rails like SEPA or PIX), FX conversion, custody, liquidity sourcing from exchanges, and on-chain settlement. Examples include MoonPay, Ramp, Transak, and Bridge.
What's the difference between an on-ramp and an off-ramp?
An on-ramp converts fiat → crypto (you give USD, you receive BTC). An off-ramp converts crypto → fiat (you give USDC, you receive a bank transfer). Most modern providers offer both, plus stablecoin-to-stablecoin conversions and B2B payment flows.
How does a crypto on-ramp make money?
Three main revenue sources: (1) transaction fees of 0.5-3% per trade, with cards costing more than bank transfers due to chargeback exposure, (2) FX spread on currency conversion, typically 0.5-1%, and (3) interest on the working capital float held during settlement gaps (cards take 2-3 days to settle while crypto goes out instantly).
Is MoonPay a custody provider?
MoonPay is an on-ramp provider, not a standalone custody provider. They handle fiat-to-crypto conversion and delivery, but their custody infrastructure is operated internally to support their on-ramp business. Custody-as-infrastructure is offered separately by providers like Fystack, Fireblocks, BitGo, Anchorage, and Copper.
What is MPC custody?
MPC (Multi-Party Computation) custody uses threshold signature schemes to split signing authority across multiple distributed nodes. No single party ever holds the complete private key - transactions are signed only when a quorum of nodes (e.g., 2 of 3) cooperate. This eliminates the single-point-of-compromise vulnerability of traditional single-key or hardware wallet setups, and it can be fully automated when paired with a policy engine.
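The 2-of-3 quorum described above, as an added example that goes beyond the page: a toy threshold Schnorr signature in which each node contributes a partial signature from its own share and the full key is never reassembled. This is not any vendor's protocol; the scheme choice (Schnorr), the tiny group parameters, the trusted-dealer key setup and all function names are assumptions chosen to keep the sketch short.

```python
import hashlib
import secrets

# Toy Schnorr group (constructed, far too small for real use):
# P = 2Q + 1 with P and Q prime; G generates the subgroup of order Q.
P, Q, G = 2039, 1019, 4

def split(secret, coeff):
    """2-of-3 Shamir shares: points 1..3 on f(x) = secret + coeff*x mod Q."""
    return {i: (secret + coeff * i) % Q for i in (1, 2, 3)}

def dealer_keygen():
    """Trusted-dealer setup (assumption; production systems run a
    distributed key generation so the key never exists in one place)."""
    x = secrets.randbelow(Q - 1) + 1
    return pow(G, x, P), split(x, secrets.randbelow(Q))

def lagrange_at_zero(i, quorum):
    """Weight that turns node i's share into its part of f(0)."""
    num = den = 1
    for j in quorum:
        if j != i:
            num = num * -j % Q
            den = den * (i - j) % Q
    return num * pow(den, -1, Q) % Q

def challenge(R, Y, msg):
    digest = hashlib.sha256(f"{R}|{Y}|".encode() + msg).digest()
    return 1 + int.from_bytes(digest, "big") % (Q - 1)   # always in [1, Q-1]

def threshold_sign(node_shares, msg, Y):
    """Each node in `node_shares` uses only its own share and nonce."""
    quorum = tuple(node_shares)
    nonces = {i: secrets.randbelow(Q - 1) + 1 for i in quorum}
    R = 1
    for i in quorum:                       # round 1: nodes publish G^k_i
        R = R * pow(G, nonces[i], P) % P
    c = challenge(R, Y, msg)
    partials = [                           # round 2: partial signatures
        (nonces[i] + c * lagrange_at_zero(i, quorum) * node_shares[i]) % Q
        for i in quorum
    ]
    return R, sum(partials) % Q            # combiner only adds; x is never rebuilt

def verify(Y, msg, R, s):
    return pow(G, s, P) == R * pow(Y, challenge(R, Y, msg), P) % P

if __name__ == "__main__":
    Y, shares = dealer_keygen()
    msg = b"payout 0.0091 BTC"             # constructed message
    R, s = threshold_sign({1: shares[1], 3: shares[3]}, msg, Y)
    print("2-of-3 quorum verifies:", verify(Y, msg, R, s))
    R, s = threshold_sign({2: shares[2]}, msg, Y)
    print("single node verifies:", verify(Y, msg, R, s))
```

Production threshold schemes add nonce commitments and distributed key generation, both omitted here.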
How much does it cost to build a crypto on-ramp?
Building a production-grade crypto on-ramp from scratch costs $5-10M in fully-loaded engineering, plus 18-24 months of build time, plus a team of 10+ specialists. The custody layer alone consumes the majority of that effort. Most modern fintechs outsource custody to infrastructure providers (Fystack, Fireblocks, BitGo) and focus their engineering on the rails, FX, fraud detection, and UX where they actually differentiate.
What's the best crypto custody for fintech and on-ramp services?
The right custody provider depends on your scale, regulatory requirements, and deployment preferences. The floor for any modern setup is: MPC threshold signatures (not single-key), HSM-protected shards, a programmable policy engine, and treasury orchestration capabilities. If you have data residency or regulatory inspection requirements, look for providers like Fystack that offer self-hosted deployment in addition to SaaS.
How do crypto on-ramps handle chargebacks?
Crypto on-ramps handle chargebacks through a combination of: (1) using 3DS authentication on cards to shift fraud liability to the issuing bank, (2) charging higher fees on reversible payment methods (cards = 3-4%, bank transfers = 0.5-1.5%) as chargeback insurance, (3) implementing strict KYC and fraud detection to reduce chargeback exposure, and (4) maintaining capital reserves to absorb losses from successful chargebacks where the crypto has already been delivered.
Sources & further reading
Stablecoin volume & adoption:
- Bloomberg: Stablecoin Transactions Rose to Record $33 Trillion in 2025
- Artemis: Stablecoin Payments From The Ground Up 2025 (PDF)
- a16z: 9 charts on what stablecoins are becoming
- a16z: 6 trends for 2026 - Stablecoins, payments, and real-world assets
- a16z: State of Crypto 2025 - The year crypto went mainstream

Custody & security:
- Chainalysis: 2025 Crypto Theft Reaches $3.4 Billion
- Chainalysis: 2026 Crypto Crime Report
- Fireblocks: Treasury Optimization for Cross-Border Stablecoin Payments

On-ramp infrastructure:
- a16z: What Stripe's Acquisition of Bridge Means for Fintech and Stablecoins
- Lisk: On and Off Ramps - The Infrastructure Everyone Underestimates
- Sam Boboev: BVNK vs. Bridge vs. Zero Hash - Stablecoin Payment Infrastructure Deep Dive
- Onramper: Mistakes wallets make when designing their on-ramp flows

Consumer & market data:
- Security.org: 2026 Cryptocurrency Adoption and Sentiment Report
- CoinLaw: MoonPay Statistics 2026

