The Growing Threat of Digital Asset Hacks and the Importance of Strong Operational Resilience

18 March 2025

Taken from the published LinkedIn pulse article.

Opaqueness and a lack of transparency around internal governance and IT controls have been key features of many service providers in the digital asset industry over the years, as the volume of hacks and scams across the industry makes plain. For years, many market participants have tolerated this, continuing to use these services and accepting the risks for the potential high rewards. Some of these issues stem from founders' backgrounds: their focus and experience have been on perfecting technology and functionality, without always giving controls and governance the same emphasis they receive in traditional finance.

A lack of strong compliance and clear regulation has allowed less accountability than the high standards of traditional markets demand. Together with regulatory concerns, this has been a reason for major institutions to steer clear of many of these firms, and it may remain so for some time to come.

The digital asset industry has grown significantly in recent years, but with this expansion has come a series of high-profile cyberattacks. Digital asset service providers have been targeted in hacks, some resulting in billions of dollars in stolen assets. These breaches not only erode trust in the digital asset space but also highlight the urgent need for stronger security controls and more robust operational resilience.

In 2022, approximately $3.8bn was stolen in cryptocurrency hacks, marking a significant increase from previous years. In 2024, losses from such hacks surged by 21% compared to 2023, totalling $2.2bn across 303 incidents. In 2025, the trend has continued, with significant losses reported, including an approximate $1.46bn theft from the Bybit exchange in February. This incident alone has contributed to a substantial increase in losses compared to 2024.

Even the world’s largest exchanges are not immune. In October 2022, Binance suffered a $570 million attack when hackers exploited a flaw in its cross-chain bridge (a system used to transfer assets between blockchains). The attackers created fake withdrawal proofs to siphon funds (mainly Binance’s own BNB token) from the bridge. In response, Binance temporarily halted its blockchain network to freeze assets and was able to limit the damage. In this case, the exchange later covered all user losses from its own reserves. While Binance’s swift response protected customers, the incident highlighted how attack vectors can emerge within complex systems (such as cross-chain tools) and the importance of having contingency funds and strong incident response plans to shield users.

Understanding the Risks

The blockchain industry presents unique security challenges compared to traditional finance. Unlike centralised banking systems, digital asset transactions are irreversible, making stolen funds difficult to recover. Additionally, digital assets operate in a decentralised environment, meaning there are often few regulatory safety nets or certain types of insurance to compensate for losses. As attacks become more sophisticated, firms must proactively assess and mitigate the risks malicious actors pose. 

When breaches occur, the repercussions extend beyond financial loss. The reputational damage to exchanges and institutions can lead to regulatory scrutiny and, in severe cases, business collapse. As the industry matures, organisations must adopt a proactive security approach to mitigate the following risks:

·       Private Key Theft – If private keys are compromised, attackers gain full access to funds. 

·       Smart Contract Vulnerabilities – Poorly audited code can be exploited, leading to losses. 

·       Insider Threats – Internal security lapses or malicious employees can facilitate attacks. 

·       Phishing & Social Engineering – Attackers trick users into revealing sensitive credentials. 

·       Third-Party Risks – Weak security in service providers can expose entire ecosystems. 


Governance as a Key Defence against Digital Asset Hacks

“Good governance means the Board of Directors and C-suite are asking tough questions about operational governance and security preparedness and insisting on ongoing oversight. For example, leadership should regularly review factors such as what safeguards are in place to prevent hacks. Are thorough policies and procedures up to date and in place? What ISO certifications do they have? Are there independent audits of security and IT controls? By creating a culture of accountability, where security and operational governance aren’t left solely to the IT department, companies can prevent weaknesses before attackers exploit them.”

- Pete Osborne, Appold

One lesson from recent hacks is that poor internal governance can be a root cause of security failures. The DMM Bitcoin case is a prime example: the exchange reportedly concentrated critical duties (operations and security) in one group with full access to customer assets. This violated a basic principle of internal control—the segregation of duties—and therefore created a single point of failure.

High-level corporate governance and rigorous internal controls have emerged as some of the most effective shields against digital asset hacks. While technical defences (such as encryption and firewalls) are vital, many breaches succeed because of human error (including coding errors), process gaps or insider manipulation – all areas that stronger governance can address. Governance in this context means the leadership, policies and oversight structures that ensure an exchange is managed prudently and securely.

More broadly, executive and board-level involvement in security is crucial. Exchanges and custodians where top leadership treats security as a core business risk tend to implement stronger controls. In fact, experts advise that directors and officers of digital-asset-related firms should actively participate in risk management discussions.

Strong governance also entails transparent communication and compliance. Regulators worldwide are increasingly scrutinising digital asset platforms, especially after major incidents. These platforms must be prepared to demonstrate how they protect user funds and meet relevant security standards. This means having documented policies, audit trails and, possibly, certifications to prove the platform’s security maturity. In jurisdictions like Japan, authorities have shown they will step in (with business improvement orders or even licence suspensions) if an exchange’s governance is found lacking post-hack. On the positive side, exchanges that invest in governance and compliance – for example by appointing a Chief Information Security Officer (CISO), forming risk committees and adhering to international security frameworks – not only reduce the likelihood of hacks but also reassure customers and regulators that their money is in responsible hands. In short, the industry needs to adhere to institutional standards if it wants to grow beyond its current capacity, and those that do should have a much stronger growth trajectory in the future.

There are two key areas of initial focus. These are:

1. Strengthening Resilience Measures

Operational resilience is the ability of an organisation to maintain core business functions in the face of disruptions, including cyberattacks. A well-structured resilience strategy enables firms to minimise downtime, protect customer assets and comply with regulatory requirements. Without proper resilience measures, firms face significant financial and reputational consequences when cyber incidents occur.

Some examples of effective resilience measures include:

·       Regular Security Audits – Conducting periodic penetration testing and smart contract audits. 

·       Robust Custody Solutions – Implementing multi-signature wallets and cold storage for secure asset management. 

·       Incident Response Planning – Preparing teams for rapid action in the event of a breach. 

·       Continuous Monitoring – Utilising real-time blockchain analytics to detect suspicious transactions. 

·       Staff Training & Awareness – Educating employees to recognise and prevent phishing attacks. 
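The custody and monitoring measures above, and the segregation-of-duties lesson drawn from the DMM Bitcoin case earlier in the article, can be made concrete as policy checks on a withdrawal request. The following is an added example written for this page; it is not Appold's code and not a description of any exchange's actual controls. Every name, role, threshold, address and sample withdrawal in it is constructed for illustration: the hot-wallet limit, the required roles ("operations" and "security"), the one-hour velocity window and the allowlist are hypothetical policy values.

```python
"""Added example (not from the Appold article): a minimal custody-control model.

Two resilience measures are modelled here:
  * multi-party withdrawal approval with segregation of duties, so that no
    single team can move customer funds alone (the single-point-of-failure
    pattern the article describes in the DMM Bitcoin case);
  * a small monitoring rule set that raises alerts on suspicious withdrawals.
All names, thresholds and sample data below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Approval:
    approver: str   # identity of the person approving
    role: str       # constructed role names: "operations", "security", ...


@dataclass
class Withdrawal:
    tx_id: str
    requester: str
    amount: float   # a real system would use Decimal; float keeps the example short
    destination: str
    requested_at: datetime
    approvals: list = field(default_factory=list)


# Hypothetical policy values (assumptions, not taken from the article).
REQUIRED_APPROVALS = 2                        # distinct approvers, excluding the requester
REQUIRED_ROLES = {"operations", "security"}   # at least one approver from each role
HOT_WALLET_SINGLE_LIMIT = 50.0                # anything larger must come from cold storage
VELOCITY_WINDOW = timedelta(hours=1)
VELOCITY_LIMIT = 120.0                        # total hot-wallet outflow allowed per window
ALLOWLIST = {"addr-customer-001", "addr-customer-002"}  # constructed destination addresses


def authorise(w: Withdrawal) -> tuple[bool, list[str]]:
    """Apply the approval policy; return (authorised, list of failed rules)."""
    reasons = []
    approvers = {a.approver for a in w.approvals}
    if w.requester in approvers:
        reasons.append("requester cannot approve own withdrawal")
    # Self-approval never counts towards the quorum.
    valid = approvers - {w.requester}
    if len(valid) < REQUIRED_APPROVALS:
        reasons.append(f"need {REQUIRED_APPROVALS} distinct approvers, got {len(valid)}")
    # Segregation of duties: both roles must be represented, so one team alone
    # cannot release funds even if it has enough people.
    roles = {a.role for a in w.approvals if a.approver != w.requester}
    missing = REQUIRED_ROLES - roles
    if missing:
        reasons.append("missing approval from role(s): " + ", ".join(sorted(missing)))
    if w.amount > HOT_WALLET_SINGLE_LIMIT:
        reasons.append("amount exceeds hot-wallet limit; route via cold storage")
    return (not reasons, reasons)


def monitor(history: list[Withdrawal], w: Withdrawal) -> list[str]:
    """Return monitoring alerts for w, given earlier withdrawals in `history`."""
    alerts = []
    if w.destination not in ALLOWLIST:
        alerts.append("destination not on allowlist")
    window_start = w.requested_at - VELOCITY_WINDOW
    recent = sum(h.amount for h in history
                 if window_start <= h.requested_at <= w.requested_at)
    if recent + w.amount > VELOCITY_LIMIT:
        alerts.append(f"velocity limit exceeded: {recent + w.amount:.1f} in window")
    return alerts


if __name__ == "__main__":
    t0 = datetime(2025, 3, 1, 12, 0)  # constructed timestamp
    # One team approving alone is rejected even though two people signed.
    same_team = Withdrawal("tx-2", "alice", 10.0, "addr-customer-001", t0,
                           [Approval("bob", "operations"), Approval("dave", "operations")])
    print(authorise(same_team))
    # A withdrawal to an unknown address that also breaches the hourly limit.
    history = [Withdrawal("h-1", "alice", 60.0, "addr-customer-001", t0 - timedelta(minutes=30))]
    print(monitor(history, Withdrawal("tx-4", "alice", 70.0, "addr-unknown-999", t0)))
```

The two functions are deliberately separate: `authorise` is the control that blocks a transfer, while `monitor` only produces alerts for review, which is the distinction between a preventive control and the continuous-monitoring measure in the list above.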


2. Implementing IT Security Processes

Strong IT controls are essential for securing digital asset operations, as many security breaches stem from inadequate system protections, poor access management and untested infrastructure. Establishing a structured IT governance model helps prevent unauthorised access and protect critical assets. Companies operating in the digital asset space must adopt security best practices, such as access controls and data protection, to ensure long-term sustainability and regulatory compliance.

Key security processes include:

·       Access Control & Authentication – Using multi-factor authentication (MFA) and role-based access controls. 

·       Network Security – Ensuring firewalls, intrusion detection systems (IDS), and regular updates are in place. 

·       Data Encryption – Encrypting sensitive data both in transit and at rest. 

·       Resilience Testing – Simulating cyberattack scenarios to evaluate security measures. 

·       Regulatory Compliance – Adhering to standards such as ISO 27001 and SOC 2 for information security. 

Digital assets and blockchain technology promise a more open and innovative financial system, but that promise can only be realised if participants feel their assets are safe. Strengthening corporate governance – from the boardroom down to everyday procedures – is key to bridging the trust gap created by high-profile hacks. Exchanges that implement stringent security standards, maintain user transparency, and plan for the worst-case scenarios are far better positioned to reduce the likelihood of breaches or respond effectively. In the long run, embracing these governance and control measures is not just about avoiding losses – it is about ensuring the sustainability and credibility of the digital asset ecosystem itself. By learning from past hacks and rigorously applying best practices, the industry can make digital asset trading and investing considerably safer for everyone involved.


How Appold Supports Digital Asset Security

At Appold, we continually assist firms in navigating the challenges of digital asset security through regulatory compliance and operational resilience. Our extensive experience as Auditors' Experts, assessing systems, internal controls and digital asset governance frameworks, has given us firsthand insight into the governance and control pitfalls firms are likely to face, and allows us to provide tailored solutions: fortifying security frameworks, implementing IT governance controls and developing effective risk management strategies. Observing these issues and challenges firsthand in our work enables us to help clients stay ahead of emerging threats while maintaining operational stability.

Some of our expertise includes:

·       Security & Risk Assessments – Identifying vulnerabilities and strengthening defences. 

·       Regulatory Compliance Support – Ensuring adherence to evolving global security regulations. 

·       Blockchain Audit Expertise – Providing independent oversight and verification for IT controls. 

·       Incident Response & Recovery Planning – Helping firms build robust breach mitigation strategies. 

·       Institutional-Grade Best Practices – Implementing security frameworks aligned with financial institutions.

As digital asset adoption grows, ensuring strong security measures will be critical to the industry's credibility. Firms that prioritise operational resilience and IT security will be best positioned to protect assets, maintain regulatory compliance and build institutional trust. This in turn should enhance and grow their businesses over the long term.

Reach out to us for further discussion.

www.appold.com

For further information, please contact:

info@appold.com
