In the world of digital assets, attackers need to succeed only once.
When a malicious transaction reaches finality on the blockchain, there is rarely a way to recover funds. This reality makes the domain fundamentally different from traditional cybersecurity. In a standard IT environment, a breach might mean system downtime or leaked data. These are serious events but are often recoverable.
With digital assets, the risk is direct and irreversible loss of funds. For the growing number of businesses managing these assets for their own operations or on behalf of customers, this is an existential threat.
The threat landscape is relentless. Our recent intelligence regarding campaigns like Shai-Hulud 2.0, the Kiln incident, and the North Korean “Contagious Interview” social engineering efforts confirms that these threats are real, ongoing, and highly sophisticated.
That’s why we are releasing Securing Digital Assets in an Evolving Threat Landscape, a white paper built from our experience securing over $10 trillion in digital asset transfers and protecting more than 550 million wallets globally.
The Adversary: Professionalized and Persistent
We are no longer defending only against isolated hackers. We are defending against sophisticated, well-resourced business operations that treat digital asset theft as a primary revenue stream.
In 2025 alone, hackers stole over $3.4 billion in cryptocurrency, bringing the total stolen since 2020 to over $17 billion. This is driven by three major categories of threat actors:
- State-Sponsored Operations: The Democratic People’s Republic of Korea (DPRK) remains the most significant nation-state threat. The Lazarus Group accounts for three-quarters of all attacks on crypto platforms, with their operations averaging nearly five times the size of other threat actors. In 2025, DPRK-linked hackers were responsible for over $2 billion of the total stolen value.
- The Commoditization of Crime: The rise of Drainer-as-a-Service (DaaS) has lowered the technical barrier to entry. Developers create turnkey wallet-draining kits and license them to non-technical affiliates on a revenue-share basis. These groups operate like legitimate SaaS businesses competing for market share.
- Opportunistic Crime and Insiders: Beyond organized external threats, loosely coordinated groups and opportunistic criminals continue to exploit vulnerabilities across a range of vectors. Additionally, malicious insiders including employees and contractors can exploit legitimate access to steal keys or manipulate signing processes.
Building for Resilience: Why Architecture is the Primary Defense
In an environment where adversaries are well-resourced and increasingly professionalized, a defense-in-depth approach to digital asset security is a business imperative. Point solutions are insufficient against persistent threat actors who operate across a range of attack vectors.
Effective security is not about being “unhackable.” It is about resilience. Fireblocks architects for the “Assume Breach” reality. Our goal is to build an environment that protects against unauthorized fund movement even if a component, machine, or individual is compromised. This requires moving beyond perimeter security toward an architecture where multiple independent layers provide overlapping controls to protect against losses.
Practical Defense: Mapping Controls to the Institutional Threat Model
Our new white paper provides a comprehensive framework for applying this “Assume Breach” mindset to your operations. It serves as a practical reference point to help organizations evaluate their own security posture.
Foundational Controls
The core of the framework is the Defense-in-Depth Stack. This layered architecture covers everything from hardware-isolated zero-trust foundations to distributed wallet infrastructure.
- The Policy Engine: Our research indicates that nearly all digital asset theft incidents stem from actions that were “technically authorized” by weak policies. A cryptographically enforced, stringently applied governance engine is the most critical layer for preventing unauthorized transfers, ensuring that even if a credential is stolen, the system blocks the movement of funds.
- Transaction Clarity: To eliminate “blind signing,” the framework emphasizes decoding complex smart contract interactions into human-readable actions. This ensures that approvers see the true intent of a transaction, identifying malicious unlimited approvals or hidden transfers before they ever sign.
Assessing Your Security Readiness
To demonstrate these layers in action, the paper includes a Threat-to-Defense Mapping Matrix, showing how the Fireblocks approach to security avoids single points of failure across some of the most concerning threat vectors. Every identified threat vector faces at least three independent layers of protection, and many face four or more. We further illustrate how these defense layers work in practice with Attack Scenario Walkthroughs for nation-state attacks, DeFi wallet drainers, and malicious insiders.
To help you apply these defense-in-depth security principles to your digital asset operations, we have included a Security Readiness Checklist. This assessment allows security leaders to audit their posture across the digital asset transaction lifecycle and identify gaps before they are exploited.
Staying Ahead of Evolving Threats
Threats do not stay static. Neither can the architecture protecting digital assets. Fireblocks has secured more than $10 trillion in digital assets and protects over 550 million wallets globally, continuously evolving our approach as both our clients’ operations and our adversaries grow more sophisticated.
We constantly monitor the threat landscape to help businesses understand and adapt to emerging risks, providing a solution that stays ahead through robust, overlapping controls. From day one, we have been dedicated to building the infrastructure that gives institutions the confidence to operate in digital assets and protects the future of finance.
Read the full white paper here and talk to an expert to assess your organization’s defense-in-depth readiness.
