Payment systems
Sergey Kuznetsov, 2019-09-13 12:18:52

The logic of replenishment and withdrawal of money, isn't it too confused?

I am creating a gaming service (not an exchange, not selling gold, nothing shady). Because the service is planned to be international and its basis is the ability for players to earn money, the question of carders and other evil spirits, who will get here sooner or later, has arisen sharply.
I came up with an idea of how to complicate their lives when depositing and withdrawing funds from accounts. You can withdraw money only to the same details from which the replenishment was made. If for some reason the user can no longer use the account from which the deposit was made, he can deposit from another one, and in that case he will also be able to withdraw only to it.
What am I missing, or am I perhaps overloading the logic?

5 answer(s)
boss_lexa, 2019-09-13
@boss_lexa

Carders can simply check the data of stolen cards through you for operability, even without displaying anything. You need to fight this with anti-fraud, either the regular one from a payment service provider or third-party services:
https://www.maxmind.com/en/solutions/minfraud-services

Anatoly Oreshkin, 2019-09-13
@toliasik

The most common case is when a hacker changes all wallets to his own in the database and withdraws from all users. After saving key 1, the second saving of key 2 to key 2 is impossible.

xmoonlight, 2019-09-13
@xmoonlight

1. To this:

"You can withdraw money only to the same details from which the replenishment was made."

2. Request TOTP-PIN confirmation when withdrawing funds and when changing the withdrawal account, which must be set (initiated!) during registration.
It is used in Google Authenticator.
3. And control over the client device (the first time he uses it or constantly).
-------------
"If for some reason the user no longer has the opportunity to use his account from which the deposit was made, then he can deposit from another, and in this case he will also be able to withdraw only to him."

The change of withdrawal account MUST be confirmed IMMEDIATELY AFTER replenishment, BUT BEFORE withdrawing, using TOTP (item 2).

Alex-1917, 2019-09-13
@alex-1917

Connect Robokassa and don't fool the boys.

Alexander Kuznetsov, 2019-09-14
@WSGR

What can be used from the obvious:
- prohibition of withdrawal to details other than those from which the input was made
- additional verification (phone number / documents / selfies, etc.)
- prohibition of withdrawal to anonymous details / verification of their belonging to the account owner
- classic anti-fraud when replenishing (starting from matching IP location, blocking proxies and anonymizers, ending with more tricky solutions)
- hold
- rejection of replenishment methods with the ability to cancel payments
- prohibition of withdrawal)
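
The rules discussed in this thread (withdraw only to details that funded the account, TOTP confirmation on withdrawal and on changing the withdrawal account, and a hold after deposit) combined in one sketch. This is an added example, not code from any participant; the `Account` class, the instrument ids and the 72-hour hold are assumptions.

```python
import hashlib, hmac, struct
from dataclasses import dataclass, field

HOLD_SECONDS = 72 * 3600  # assumed value; the thread names a hold but gives no duration

def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, the scheme Google Authenticator uses."""
    mac = hmac.new(secret, struct.pack(">Q", int(at) // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp_ok(secret: bytes, code: str, now: float) -> bool:
    # Accept the current and the previous 30 s step to tolerate clock drift.
    return any(hmac.compare_digest(totp(secret, now - d), code) for d in (0, 30))

@dataclass
class Account:
    totp_secret: bytes                          # enrolled at registration
    funded: dict = field(default_factory=dict)  # instrument id -> time of latest deposit
    payout: str = ""                            # the only instrument withdrawals may go to

    def deposit(self, instrument: str, now: float) -> None:
        self.funded[instrument] = now
        if not self.payout:                     # the first deposit binds the payout instrument
            self.payout = instrument

    def change_payout(self, instrument: str, code: str, now: float) -> str:
        if not totp_ok(self.totp_secret, code, now):
            return "bad_totp"
        if instrument not in self.funded:       # a deposit must have come from it first
            return "instrument_never_funded"
        self.payout = instrument
        return "ok"

    def withdraw(self, instrument: str, code: str, now: float) -> str:
        if not totp_ok(self.totp_secret, code, now):
            return "bad_totp"
        if not self.payout or instrument != self.payout:
            return "not_payout_instrument"
        if now - self.funded[instrument] < HOLD_SECONDS:
            return "on_hold"                    # a fresh deposit restarts the hold
        return "ok"
```

A production check would also reject a TOTP code that has already been accepted once, and would store the payout binding so that a direct database edit is detectable.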
