Crypto Firms Grapple With Bank-Like Risks, Without the Regulation

DATE POSTED: May 19, 2025

Crypto exchanges are rapidly evolving into digital-age banks, amassing vast troves of customer data and assets — but without the regulatory muscle or hardened security infrastructure of traditional finance.

A recent breach at Coinbase, exposing sensitive user information through a social engineering attack, underscores the growing risk posed by centralized crypto platforms as they scale into mainstream financial powerhouses.

Like banks in the 20th century, crypto firms are beginning to sit at the intersection of money, identity and financial services.

This brings with it a heightened degree of risk, and a growing need for guardrails. Many of the largest crypto firms in the world are exchanges that centralize massive troves of data and assets, inadvertently making them single points of failure if credentials get compromised.

And with the crypto sector discovering that Coinbase, the largest U.S. exchange, was recently hacked via employees who were allegedly offered cash in exchange for access to sensitive customer data, the implications of such a centralized store of correlated user information are top of mind for the rest of the financial ecosystem, particularly as crypto moves more mainstream.

“In the last two days alone, we’ve been approached by dozens of Coinbase customers who were likely on that list and have since been targeted by attackers impersonating Coinbase Support. They used fear tactics — ‘Your account has been breached’ — along with instructions to ‘safeguard’ their assets by transferring them directly to the attackers’ wallets,” Bezalel Eithan Raviv, CEO of Lionsgate Network, told PYMNTS in an interview.

In a Securities and Exchange Commission (SEC) filing Friday, Coinbase projected the incident could cost it up to $400 million, and the company has said it will reimburse customers who were tricked into sending funds to criminals.

Rival exchanges Binance and Kraken were reportedly targeted in a fashion similar to Coinbase, via the social manipulation of human employees and customer support staff, although their respective in-house policies and technologies, such as a policy of least privilege (PoLP), prevented them from falling victim to the attacks.

Breaches in financial services are regrettably nothing new, and neither is the attack on the human element by bad actors. But traditional financial institutions have spent decades developing layered defenses around both funds and data, and have cybersecurity and governance ingrained in their policies and processes, in many cases thanks to regulation. Fast-growing FinTechs and crypto firms may be more challenged when scaling their security programs, particularly those operating in regulatory gray zones.


Crypto’s New Identity Problem

The episode underscores a deeper issue. Even when crypto assets themselves are secured, the surrounding data that orbits them, such as user identities, metadata and system-level documents, has value that is often underestimated, particularly once it is pieced together.

“In this case, the breach was the result of a social engineering attack. There are standard approaches to addressing such threats, including least privilege access, separation of duties, and monitoring and alerting on suspicious activities. Behavioral monitoring is another key area, and we will likely hear more about its role in future security solutions and controls,” Randolph Barr, CISO of Cequence Security, told PYMNTS.

As crypto matures, it resembles the traditional financial system in ways that extend beyond just payments or investment. Exchanges now provide onboarding, identity verification, customer service and support. In effect, they are becoming banks — but without the same regulatory muscle memory or legacy security protocols.

The Coinbase breach handed attackers a rare advantage: access to comprehensive, correlated customer data in a single strike. Unlike typical hacks that require stitching together stolen information from multiple sources, this breach yielded a fuller record of customer data than attackers can typically obtain in one incident.

“Even masked bank data is valuable when aggregated. Attackers use it for targeted phishing, social engineering and identity chaining,” Mazyar Torkpour, CEO at Paymento, told PYMNTS.

“The real lesson is architectural: custody concentrates risk. Traditional financial institutions partnering with crypto firms need to evaluate how data is managed at the core, not just whether a company is licensed or regulated.”


Risk Can Be Architectural

The concept of concentration of risk is the idea that the more centralized a critical function becomes, the greater the fallout if that function is compromised.

As exchanges and custodians scale, they hold not just billions in digital assets, but the metadata around those assets. This includes customer profiles, linked bank accounts, compliance records, and internal communications, all of which can be weaponized in a breach. Earlier this year, the Bybit exchange suffered a historic $1.5 billion cyberattack.

“Until we address these critical issues in the crypto market, unfortunately, we’ll continue to see more severe attacks from black hat hackers that could potentially shake the market and undermine the incredible growth potential that this emerging asset class holds for all of us,” Lionsgate Network’s Raviv explained.

According to the PYMNTS Intelligence report, “The State of Fraud and Financial Crime in the U.S. 2024: What FIs Need to Know,” social engineering fraud has jumped by 56% in the past year.

The post Crypto Firms Grapple With Bank-Like Risks, Without the Regulation appeared first on PYMNTS.com.