Best Practices for Securing Crypto Assets


May 26, 2026


Effective crypto asset management is now a critical priority. As adoption grows, so too does the scale and sophistication of threats that individuals and organizations now face. Digital asset security requires a layered approach, including cold storage, robust key protection, regular security testing and proactive regulatory compliance. This article examines the most prevalent threats to digital assets, outlines practical measures to mitigate risk and explores the evolution of global regulation.


Crypto Asset Management: Common Threats 

The convergence of adoption, risk and regulation is reshaping expectations around cryptocurrency. Security is no longer a purely technical concern; it’s now a governance issue requiring demonstrable controls, accountability and resilience. Organizations that fail to adapt to these rising standards risk regulatory exposure and increased vulnerability to attack. As highlighted in the Kroll 2025 Cyber Threat Landscape Report: Cybercrime in the Crypto Era, the Kroll Cyber Threat Intelligence team observed that nearly $1.93 billion was stolen in crypto-related crimes in the first half of 2025 alone. 

While the risks associated with cryptocurrency continue to increase, many of the more common forms of attack have been in use for years. Some of the most widespread threats to crypto include:

  • Ransomware Attacks

    Bad actors use ransomware to lock down devices and encrypt files containing sensitive data, such as crypto wallets and private keys, with ransoms demanded in cryptocurrency.
  • Phishing and Social Engineering

    Threat actors also turn to tested social engineering techniques to coerce individuals to share their private keys or other sensitive information. Common tactics include use of scareware, which employs fake alerts to prompt action; baiting attacks, in which victims are enticed to download malicious files; and pretexting, the impersonation of trusted individuals.
  • Address Poisoning

    This type of scam features tailored on-chain infrastructure used to steal crypto. The threat actor analyzes an individual’s crypto buying and selling habits to identify frequently used addresses and then generates new addresses to create one as similar as possible to the one the victim most frequently uses. The perpetrator then sends a minor transaction from the fake address to “poison” the victim’s address book, in the hope that the victim will accidentally send funds to the fake address in the future.
  • Decentralized Finance (DeFi) Protocol-related Risks

    Several risks are associated with DeFi protocols, the smart contracts and software code on a blockchain that ensure lending, borrowing and trading can be executed without intermediaries. Threat actors have been seen to exploit vulnerabilities in crypto infrastructure, smart contracting and cross-chain bridges.

Crypto Asset Management Best Practices
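The address poisoning scheme described above works because wallet interfaces usually show only the first and last few characters of an address, so a lookalike that matches at both ends passes a visual check. A straightforward defensive control is a pre-send check that compares every destination against a verified address book and against recent inbound history. The following is an added example, not code from Kroll or from any wallet product; the addresses, the inbound transfers and the dust threshold are constructed for illustration, and the Ethereum-style hex address format is an assumption.

```python
"""Pre-send destination check against address-poisoning (added, constructed example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class InboundTx:
    """One inbound transfer as it appears in the wallet's transaction history."""
    sender: str
    amount_wei: int


# Hypothetical address book whose entries were verified out-of-band (for example,
# confirmed with the counterparty by phone). Addresses are constructed, not real.
VERIFIED_BOOK: Dict[str, str] = {
    "exchange hot wallet": "0xab12cd34000000000000000000000000abcdef56",
    "payroll provider": "0x1111111122222222333333334444444455555555",
}

# Constructed history: a poisoner has sent a tiny transfer from an address that
# shares the visible head ("0xab12") and tail ("ef56") of the exchange wallet.
LOOKALIKE = "0xab12cd34ffffffffffffffffffffffffabcdef56"
UNRELATED = "0x9999999999999999999999999999999999999999"
INBOUND: List[InboundTx] = [
    InboundTx(sender=LOOKALIKE, amount_wei=1),  # dust transfer from the lookalike
    InboundTx(sender=VERIFIED_BOOK["payroll provider"], amount_wei=2 * 10**18),
]
DUST_THRESHOLD_WEI = 10**13  # 0.00001 ETH; an assumed policy value, not a standard


def is_lookalike(candidate: str, trusted: str, prefix: int = 4, suffix: int = 4) -> bool:
    """True when candidate shares trusted's visible head and tail but differs elsewhere.

    Comparison is case-insensitive so a mixed-case checksum spelling of the same
    account is not mistaken for a different address.
    """
    c, t = candidate.lower(), trusted.lower()
    if c == t or len(c) != len(t):
        return False
    return c[: 2 + prefix] == t[: 2 + prefix] and c[-suffix:] == t[-suffix:]


def check_destination(
    dest: str,
    book: Dict[str, str],
    inbound: List[InboundTx],
    dust_threshold_wei: int,
) -> List[Tuple[str, str]]:
    """Return (code, detail) findings for a proposed destination; empty means approved.

    Codes: LOOKALIKE   - near-match of a verified entry, the poisoning pattern
           DUST_SENDER - destination only known from dust-sized inbound transfers
           UNVERIFIED  - not in the verified book and not otherwise suspicious
    """
    dest_l = dest.lower()
    if dest_l in {a.lower() for a in book.values()}:
        return []  # exact match with a verified entry

    findings: List[Tuple[str, str]] = []
    for label, addr in book.items():
        if is_lookalike(dest, addr):
            findings.append(("LOOKALIKE", f"differs from verified '{label}' only in the middle"))

    dust = [tx for tx in inbound if tx.sender.lower() == dest_l and tx.amount_wei <= dust_threshold_wei]
    if dust:
        findings.append(("DUST_SENDER", f"known only from {len(dust)} dust-sized inbound transfer(s)"))

    if not findings:
        findings.append(("UNVERIFIED", "not in the verified address book"))
    return findings


if __name__ == "__main__":
    for name, dest in (("verified", VERIFIED_BOOK["exchange hot wallet"]),
                       ("lookalike", LOOKALIKE), ("unrelated", UNRELATED)):
        result = check_destination(dest, VERIFIED_BOOK, INBOUND, DUST_THRESHOLD_WEI)
        print(name, "->", "approved" if not result else result)
```

In practice the check would gate the signing step: an empty result releases the transaction, a LOOKALIKE or DUST_SENDER finding blocks it pending a second approver, and an UNVERIFIED finding requires the address to be confirmed with the counterparty and added to the book before sending. The same pattern extends to other chains by adjusting the address length and the visible prefix and suffix widths to what the wallet actually displays.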

Crypto Asset Management Regulations

A key element of crypto security is to ensure your organization keeps pace with evolving asset management regulations, establishing risk and compliance frameworks and preparing for compliance with incoming digital asset regulations. Companies using and working in crypto globally must stay abreast of individual country regulations to ensure that they are not in violation of global financial system regulations or other countries’ policies.


Crypto Asset Management in the U.S.: Continued Uncertainty

The regulation of crypto assets in the U.S. has been a topic of regular debate over the past year. In March 2026, the U.S. Securities and Exchange Commission and the Commodity Futures Trading Commission issued a landmark joint interpretive crypto asset framework which seeks to clarify how federal securities laws apply to certain crypto assets and transactions.

This guidance, however, has been met with skepticism by much of the crypto legal and compliance community, given the framework’s limited timescale and nonbinding nature, ongoing uncertainty about ecosystem promises and lack of detail regarding secondary transactions. At state level, some regulation is already addressing these gaps, not just in interpretive token taxonomy but in comprehensive compliance and security requirements. For example, California’s new Digital Financial Assets Law (DFAL) and New York’s BitLicense framework require applicants to demonstrate mature cybersecurity and operational risk controls as a condition of licensing.


Crypto Asset Management in the EU: A Harmonized Framework

In the EU, crypto assets, crypto asset issuers and crypto asset service providers are covered under the Regulation on Markets in Crypto Assets (MiCA). This regulation covers crypto assets such as asset-referenced tokens, electronic money tokens and utility tokens, and applies to companies issuing and trading crypto assets. MiCA contains requirements regarding authorization, supervision of transactions, disclosure and transparency.

In addition to MiCA, relevant organizations and individuals should be aware of the EU’s Digital Operational Resilience Act (DORA), which applies to many types of financial entities, including crypto asset service providers and issuers of crypto assets. Under DORA, relevant organizations in the EU must carry out threat-led penetration tests (TLPTs) on a regular basis.

This testing involves an intelligence-led approach to classic red team testing and targets an organization’s most critical business systems. TLPTs must be performed at least every three years if an organization is deemed in scope by the supervising authorities. TLPTs for DORA should be executed in accordance with the pre-existing Threat Intelligence-Based Ethical Red-Teaming (TIBER)-EU framework, while additional considerations are now formalized by DORA, such as mandatory purple teaming exercises.

Cryptocurrency regulation continues to change quickly. For example, as of April 2026, the European Central Bank is supporting proposals to grant the European Securities and Markets Authority oversight of major cross-border financial firms, including large crypto asset service providers. Several EU states have resisted the plan.


Crypto Asset Management in the UK: Formal Regulations in Development

The UK is introducing a comprehensive, bespoke regulatory framework for crypto assets, bringing them formally within financial services regulation for the first time. Historically, crypto assets sat outside the UK regulatory perimeter because they were not classified as “specified investments” under the Financial Services and Markets Act (FSMA), and legislators were wary of legitimizing highly speculative products. Instead, oversight was limited largely to anti–money laundering (AML) registration and controls over financial promotions. 

As crypto assets grew in scale, HM Treasury concluded that a fuller regime was needed. Influenced by developments in the U.S. and EU, the UK is trying to strike a balance across consumer protection, market integrity and innovation and is guided by the principle of “same risk, same regulatory outcome”.

The new regime is implemented through secondary legislation—the Financial Services and Markets Act 2000 (Cryptoassets) Regulations 2026—allowing flexibility as markets evolve. The legislation creates nine new regulated activities that apply to “qualifying cryptoassets,” rather than treating crypto assets as traditional investments. Firms involved in these activities will require Financial Conduct Authority authorization, including existing AML-registered crypto firms, authorized financial institutions offering crypto services and overseas firms dealing with UK consumers. The legislation is effective from October 25, 2027, from which date all firms falling within the scope of the regime will need to be authorized.


Crypto Asset Management in APAC: Significant Regulatory Momentum

In the Asia Pacific region, several jurisdictions are in the process of passing or enhancing cybersecurity and operational risk obligations akin to MiCA and DORA. 

The Securities and Futures Commission of Hong Kong released guidelines for licensed virtual asset trading platforms (VATPs) operating within its jurisdiction. The guidelines include information on inspections and cyber-hardening requirements.

Australia’s Corporations Amendment (Digital Assets Framework) Act 2026 will require crypto firms to hold an Australian Financial Services License (AFSL). Such firms will be subject to general AFSL risk management obligations, with crypto-specific technical and operational security standards coming soon.

Regulators in Japan and Singapore have announced that plans are in place to materially strengthen the cybersecurity and operational resilience of virtual-asset service providers, with requirements for baseline security controls and self-assessments in the works.


Cross-Jurisdictional Standards

Some prominent security standards span multiple jurisdictions and act as a badge of honor for crypto firms seeking to demonstrate their security maturity.

One such example is the System and Organization Controls 2 (SOC 2) framework. The SOC framework was initially developed in the U.S. as a data security auditing framework for technology companies: SOC 1 covers internal controls relating to financial reporting, while SOC 2 focuses on IT and security controls. The SOC framework is growing in use globally, particularly in Europe and India. SOC 2 is now increasingly recognized by crypto businesses as providing additional compliance assurance, procured through annual attestation by independent auditors.

Similarly, International Organization for Standardization (ISO) 27001, originally developed in the UK, now stands as a leading international security standard. ISO 27001 outlines requirements for building and developing an information security management system. It is a methodical approach to identifying, managing and mitigating security risks. The standard has found a natural fit in the blockchain ecosystem, with crypto firms across the globe increasingly expected to be certified to demonstrate their commitment to security best practices.


Kroll Client Story: Driving Security Transformation for a Leading Crypto Bank

A leading European crypto bank had recently completed a major migration of core systems to the cloud and wanted to gain a deep, end-to-end understanding of its security posture in the new environment. The organization’s leadership recognized that the shift introduced new risks around access control, key management and the resilience of their cloud-based security architecture. The bank recognized that the level of risk affecting its industry and the complexity of its operations meant it would require ongoing expert support with assessments and improvements.
A collaborative purple teaming engagement by Kroll’s Offensive Security team matured into a sophisticated adversary simulation program—including two social engineering exercises at the bank’s head office—and culminated in the bank’s first red team assessment. By elevating the crypto bank’s security posture on all fronts, this strategic partnership significantly advanced its resilience to potential attacks.



The Future Outlook on Crypto Asset Management

Crypto asset management continues to be a hot topic. As digital assets become more embedded within financial systems, organizations must ensure that they are prepared to defend against varied threats and to adopt a more coordinated approach to regulatory compliance. 

Looking ahead, crypto asset security will increasingly resemble traditional financial risk management, with a greater emphasis on governance, auditability and continuous testing. Organizations that treat crypto as a peripheral or experimental capability are likely to put data at risk and fall short of regulatory expectations. 

To remain secure and resilient, organizations should prioritize:

  • Institutional-grade key management and custody design, including clear governance and segregation of duties
  • Continuous security testing, such as adversary simulation and threat-led exercises, rather than periodic assessments
  • Proactive regulatory readiness across multiple jurisdictions
  • Ongoing monitoring of counterparties and transaction risk
  • Access to specialist expertise to address evolving technical and regulatory challenges

Safeguard Your Crypto Assets with Kroll

Kroll is the leading global provider of crypto compliance, risk and investigative services, including digital asset review, blockchain forensics, asset recovery and crypto cybersecurity services. Since the introduction of the first virtual asset in 2009, we have worked alongside crypto companies, investors and law enforcement to help navigate their most critical challenges. 

Our team includes crypto practitioners, open-source specialist investigators, computer forensic experts, regulatory and compliance specialists, forensic accountants and former prosecutors. As proud members of CryptoUK, the UK’s leading industry body for digital assets, we are helping to define proportionate regulation and raise standards to continue to protect consumers while advancing innovation.

We are experts in enabling organizations to navigate the evolving regulatory landscape of crypto. We’ve helped countless clients, including crypto exchanges with a combined market capitalization of over $53 billion, overcome regulatory challenges, conduct multijurisdictional investigations, navigate complex restructurings and improve cyber resilience.
