Table of Contents
- Key Takeaways
- 1 Overview: Security Is Layered, and the Weakest Layer Sets the Ceiling
- 1.1 Four Security Layers
- 1.2 Cryptographic Layer: Key Generation, Storage, and Signing
- 1.3 Operational Layer: Controlling Access Paths to Keys
- 1.4 Verification Layer: Checking What Is Being Signed
- 1.5 Response Layer: Containing Damage After an Incident
- 2. Global Trends: Players Setting the Standard, Layer by Layer
- 2.1 Layer-by-Layer Assessment of Major Players
- 2.2 The U.S. Custody Security Regulatory Framework
- 3 Korea's Security Framework: How Should Korean Players Respond?
- 3.1 Korea's Security Framework
- 3.2 The Current Status of Digital Asset Basic Act Legislation
- 3.3 Decision-Making Considerations for Korean Companies
Key Takeaways
- Institutional digital asset security is not determined by a single technology, but by the weakest layer across cryptographic security, operational controls, transaction verification, and incident response.
- Recent hacks such as GDAC, Ozys, and Bybit show that attackers often bypass core cryptographic protections and exploit weaker layers such as endpoint security, access control, signing interfaces, and response procedures.
- MPC, HSM, and TEE each address the cryptographic layer differently, but none of them are sufficient without strong operational controls, independent transaction verification, and fast incident response.
- Global custody leaders such as Fireblocks, Anchorage Digital, and Fordefi are setting institutional standards by combining cryptographic key management, regulatory licenses, policy engines, transaction simulation, audits, and insurance coverage.
- In Korea, ISMS certification and the 80% cold wallet rule are necessary but insufficient; local players need to proactively adopt SOC 2 audits, independent policy engines, transaction simulation, on-chain monitoring, and predefined asset-freezing protocols.

This article is adapted from "Korean Blockchain Guidebook for Institutions 2026," jointly published by Four Pillars and Pantera Capital. The full report covers 14 more themes for companies and institutional investors.
1 Overview: Security Is Layered, and the Weakest Layer Sets the Ceiling
1.1 Four Security Layers
Any discussion of opportunities in blockchain-based institutional finance has to begin with a prior question: is the security infrastructure supporting the custody and transfer of digital assets actually sound? The evidence suggests it often is not. That foundation has collapsed repeatedly, and the shape of the attacks keeps changing.
According to Chainalysis, roughly $2.2 billion in cryptocurrency was stolen through hacks in 2024, with private key compromises accounting for 43.8% of total losses. Yet when we look back at the largest incidents affecting centralized exchanges (CEXs) and custody providers, including the $1.5 billion Bybit hack, the attackers rarely broke the cryptographic key protection itself. Instead, they exploited the layers around the keys: access controls, endpoint security, signing verification interfaces, and incident response systems.

Institutional-grade security is not a single technology choice but the design of a multi-layered defense. That system has four broad layers:
- Cryptographic layer: the technologies that protect key generation, storage, and signing.
- Operational layer: the systems that govern who, and what, can reach those keys.
- Verification layer: the mechanisms that confirm a signature matches the signer's intent.
- Response layer: the playbooks that contain damage once an incident occurs.
No matter how sophisticated a signing protocol is, it offers little protection if the employee running it has a compromised workstation. No matter how robust cold wallets and multisig setups are, they become useless the moment signers can no longer verify what they are signing. The weakest layer sets the ceiling for the entire system.
For companies preparing to operate in the Korean market, domestic incidents are as instructive as global ones. The three cases that follow illustrate, in turn, what failure in the operational, verification, and response layers actually looks like in practice.

- GDAC (April 2023): GDAC, a Korean cryptocurrency exchange, lost roughly KRW 18 billion in cryptocurrency from its hot wallet, which amounted to 23% of its total custodied assets. According to an analysis by the security firm Theori, the attacker did not steal individual wallet private keys. The attacker penetrated the exchange's internal API infrastructure and manipulated the deposit and withdrawal system. Just as serious as the technical vector was a failure in asset allocation policy. [Even though the Financial Intelligence Unit (FIU) had demanded an increase in cold wallet allocation one month before the hack, GDAC's hot wallet ratio still exceeded 86%](https://www.boannews.com/media/view.asp?idx=117274), and the exchange's entire bitcoin holding sat in the hot wallet. The response layer was equally weak: disclosure came 36 hours after the hack, narrowing the window to trace and freeze the stolen funds. Although GDAC was the first cryptocurrency exchange in Korea to obtain ISMS certification for its custody operations, it went bankrupt after the hack. It stands as a case of compounded failure across the operational and response layers.
- Ozys (January 2024): Approximately KRW 109 billion in cryptocurrency was stolen from Orbit Bridge, a cross-chain platform. Court filings show that an unidentified attacker hijacked an employee's remote access account, distributed malware to other employees' workstations, infiltrated the server, and generated fraudulent transactions. Remote access account hijacking has been a recurring attack vector in the crypto industry ever since remote work became widespread during the pandemic. However sophisticated key management technologies such as MPC or HSM may be, they offer little protection once an employee's access environment is compromised. That is precisely why endpoint security, multi-factor authentication (MFA) on remote access accounts, and anomalous access detection matter as much as cryptographic key protection itself. The Ozys incident is a textbook case of operational layer failure, and specifically of endpoint security failure.
- Bybit (February 2025): The largest hack in cryptocurrency history, in which 401,347 ETH was stolen. Bybit's multisig worked exactly as designed, and the cold wallet keys were never exposed. Investigators concluded that the Lazarus Group had used social engineering to compromise a Safe{Wallet} developer's device and then tampered with the front end. The signers' UI displayed what looked like a legitimate transaction, but the underlying signing data had been swapped for a malicious payload. Ledger hardware wallets could not decode the complex transaction and displayed only the hash value (blind signing), and three signers approved it without being able to verify what they were signing. Had an independent simulation layer existed to check the actual effect of the transaction before signing, the anomaly could have been detected even with the front end compromised. This was a failure of the verification layer, and it represented an attack paradigm that cold wallets and multisig alone could not defend against.
The scale and context of each incident differ, but the patterns converge in three ways. First, no incident involved a direct breach of cryptographic key protection. Attackers always found the weakest layer. Second, post-incident recovery is extremely difficult. GDAC went bankrupt, Ozys's Orbit Chain was delisted, and Bybit had to sit through more than 30 external audits and rebuild its infrastructure from scratch. Third, no layer compensates for failure in another. Institutional-grade security has to be built as a multi-layered defense from the start.
1.2 Cryptographic Layer: Key Generation, Storage, and Signing
The core challenge of this layer is simple to state: keep the private key from ever being exposed outside a protected boundary, and ideally from ever existing in complete form at a single location, while still producing valid signatures whenever they are needed.
- MPC (Multi-Party Computation): a cryptographic technique that splits a private key into multiple independent shares held by different parties, who jointly produce a valid signature without any party revealing its share and without the key ever being assembled. Major protocols include GG-18/GG-20, Lindell17, and Fireblocks' MPC-CMP. MPC is not tied to any specific chain, which is an advantage for multi-chain operations, and the signing structure is not exposed onchain because the output is an ordinary single signature. Shares can also be periodically refreshed, which helps with insider threat mitigation and key management during employee turnover. The BitForge vulnerabilities disclosed by Fireblocks in 2023 affected more than 15 wallet providers, including Coinbase WaaS, and served as a reminder that implementation accuracy matters as much as the protocol's proven security.
- HSM (Hardware Security Module): dedicated hardware in which keys never leave the hardware boundary. HSMs have been validated in banking and payment systems over decades. Support for a new signature algorithm requires recertification, which makes multi-chain adaptation slow, and the device itself becomes a single point of failure. That said, HSMs remain the most direct path in environments that require regulatory certification, such as CBDC infrastructure and government-related custody. For cryptocurrency services, a hybrid model that stores each MPC share inside an HSM is generally considered the practical approach.
- TEE (Trusted Execution Environment): a hardware security technology that creates an isolated execution environment inside the processor. TEEs are structurally exposed to side-channel attacks; exploiting them generally requires code execution on the same host or physical access, so tenant isolation and prompt firmware and microcode patching are part of any TEE deployment. TEE is used as a complement rather than a standalone layer, particularly alongside MPC and HSM architectures for server-side share processing and policy engine isolation. AWS Nitro Enclaves, a cloud-based TEE, has become a practical option for cloud custody thanks to its relatively small attack surface.
1.3 Operational Layer: Controlling Access Paths to Keys
1.3.1 Access Control: Least Privilege and Zero Trust
Institutional-grade access control starts with the principle of least privilege. Every employee, system, and API gets only the minimum access rights required for its role, and those rights are reviewed on a regular schedule.
Zero Trust Architecture takes this one step further. Rather than extending trust simply because a request originates inside the network, Zero Trust requires authentication, authorization, and encryption for every access request. Role-based access control (RBAC) should be layered on top so that access scope tracks each employee's role. Traders, security operators, and signing approvers should not hold the same level of system access, and any system involved in the key signing process should be physically and logically separated from the general operating environment.
1.3.2 Endpoint Security and Remote Access
The direct cause of the Ozys incident, a hijacked remote access account, has been a recurring attack vector in the crypto industry ever since remote work became widespread during the pandemic. Defense here rests on three pillars:
- Mandatory MFA: MFA should apply at every authentication point, including remote access, VPN, internal management systems, and cloud consoles. Accounts that reach into key management systems in particular require phishing-resistant MFA built on hardware security keys (FIDO2/WebAuthn). SMS and email OTPs remain vulnerable to SIM swapping, mailbox takeover, and real-time phishing relays, which is exactly what the origin binding in FIDO2 defeats.
- EDR (Endpoint Detection and Response) deployment: EDR detects malware on employee devices, monitors abnormal behavior in real time, and automates containment when a breach is identified.
- Device authentication and compliance verification: only company-managed devices should be able to reach internal systems, and each device's OS patch status and security software installation should be verified at the moment of connection.
1.3.3 Insider Threat Management
Insider threat management covers the immediate revocation of all access rights on departure, periodic review of permissions (at least quarterly), audit logging of every access to the key management system, and automated detection of anomalous access patterns.
The connection to MPC-based key management is worth highlighting. MPC's key refresh capability lets an organization invalidate a departing employee's share and generate new shares in its place. This stands in contrast to multisig, where changing a signer requires an onchain transaction, and it represents a practical advantage of MPC at the operational layer.
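The share arithmetic behind the two MPC properties described above (no single location ever holds the whole key, and shares can be refreshed to cut off a departing holder) can be shown with a plain Shamir sharing over the secp256k1 scalar field. The Python below is an added illustration, not code from any of the protocols or vendors named in this section: it deals a key into 2-of-3 shares, refreshes them, and shows that an old share no longer combines with the refreshed set. Production threshold-signing protocols never reconstruct the key the way `reconstruct()` does here; that function exists only so the reader can check the properties. The function names, the dealer-based refresh, and the sample values are assumptions.

```python
"""Threshold key shares with proactive refresh (added illustration).

Constructed example of the share arithmetic behind MPC key management. Real
threshold-signing protocols (GG18/GG20, Lindell17, MPC-CMP) never reconstruct
the key; reconstruct() is here only to verify the properties.
"""
import secrets

# Group order of secp256k1; ECDSA private keys are scalars mod this prime.
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def _eval_poly(coeffs, x):
    """Evaluate a polynomial with coefficients [a0, a1, ...] at x, mod Q."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc


def deal_shares(secret, n, t):
    """Split `secret` into n shares of which any t reconstruct it.

    Returns {party_index: share}. Indices start at 1 because the secret is
    the polynomial's value at x = 0.
    """
    if not 1 <= t <= n:
        raise ValueError("need 1 <= t <= n")
    coeffs = [secret % Q] + [secrets.randbelow(Q) for _ in range(t - 1)]
    return {i: _eval_poly(coeffs, i) for i in range(1, n + 1)}


def reconstruct(shares):
    """Lagrange interpolation at x = 0 over a dict of {index: share}."""
    xs = list(shares)
    total = 0
    for i in xs:
        num, den = 1, 1
        for j in xs:
            if i != j:
                num = (num * (-j)) % Q
                den = (den * (i - j)) % Q
        total = (total + shares[i] * num * pow(den, -1, Q)) % Q
    return total


def refresh_shares(shares, t):
    """Proactive refresh: add a fresh sharing of zero to every share.

    The key is unchanged, but every old share is now incompatible with the
    new set, so a departing employee's copy is worthless. In a real protocol
    each party deals its own zero-sharing and they are summed; a single
    dealer is a simplification for this example.
    """
    zero_shares = deal_shares(0, len(shares), t)
    return {i: (s + zero_shares[i]) % Q for i, s in shares.items()}


def demo():
    """2-of-3 sharing, then a refresh; returns True if both properties hold."""
    key = secrets.randbelow(Q)
    old = deal_shares(key, n=3, t=2)
    assert reconstruct({1: old[1], 3: old[3]}) == key
    new = refresh_shares(old, t=2)
    same_key = reconstruct({1: new[1], 2: new[2]}) == key
    # A stale share held by someone who has left does not combine with the
    # refreshed shares of the remaining parties.
    stale_mix_fails = reconstruct({1: old[1], 2: new[2]}) != key
    return same_key and stale_mix_fails
```

Compare this with multisig, where the signer set is encoded onchain: removing a signer there costs a transaction and a visible change to the wallet, whereas the refresh above leaves the public key, and therefore every deposit address, untouched.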
1.4 Verification Layer: Checking What Is Being Signed
If the operational layer controls the paths that reach keys, the verification layer controls what happens at the moment the key actually signs. The Bybit case showed that a single missing verification layer is enough to let an attack succeed, even when the cryptographic and operational layers are both functioning. The security measures available at this layer include:
- Transaction simulation: a capability that simulates the actual effect of a transaction before signing and shows the signer the direction of asset movement, the amounts involved, and any smart contract state changes. The critical design property is independence. If the simulation runs through the same path as the front end, a compromised front end can manipulate simulation results as well. The simulation therefore has to execute in an environment separate from the signing infrastructure.
- Human-readable signing verification: converting transaction contents into a format a human can actually read and displaying them on the signing device. This addresses the problem exposed in the Bybit incident, where Ledger displayed only a hash value and left signers unable to judge whether the transaction was legitimate. Ledger has accelerated this initiative since the incident.
- Policy engine: a system that automatically checks whether a transaction satisfies predefined rules such as amount limits, whitelists, and time-of-day restrictions, blocking non-compliant transactions or escalating them for additional approval. The core design principle is independent enforcement. Fireblocks runs its policy engine inside a hardware-isolated environment (TEE), which allows the policy engine to block policy-violating transactions even if the signing infrastructure has been compromised.
- Independent verification channel: confirming a signing request through a channel entirely separate from the signing infrastructure. In the Bybit incident, all signers used the same UI, so when that UI was tampered with, every signer was deceived at once. Verification through separate devices, networks, and software is essential for large-scale transactions.
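Putting the verification-layer controls above into a single check, here is an added example (not Fireblocks', Safe's or any other vendor's code) of a policy engine that decodes the raw signing payload itself rather than trusting the front end's summary, and then applies whitelist, amount, time-of-day and operation rules. The request fields mirror the to/value/data/operation a Safe-style multisig signs; the `ui_summary` field, the policy values, the approval window and every address are constructed. These are the same checks Section 3.3.3 recommends Korean firms adopt.

```python
"""Pre-signing policy engine that decodes the payload independently of the UI.

Added example; not Fireblocks', Safe's or any other vendor's code. The
request fields mirror the to / value / data / operation a Safe-style multisig
signs; `ui_summary` (what the front end displayed), the policy values and
every address are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

CALL, DELEGATECALL = 0, 1
ERC20_TRANSFER = "a9059cbb"  # keccak256("transfer(address,uint256)")[:4]

POLICY = {
    "whitelist": {"0x1111111111111111111111111111111111111111",   # warm wallet (constructed)
                  "0x2222222222222222222222222222222222222222"},  # exchange deposit (constructed)
    "escalate_above_wei": 100 * 10**18,  # above this a second approver is required
    "approval_hours_utc": range(9, 18),  # signing window
    "allow_delegatecall": False,
}


@dataclass
class SigningRequest:
    to: str            # account or contract the wallet will call
    value: int         # native value in wei
    data: str          # hex calldata; "" for a plain value transfer
    operation: int     # CALL or DELEGATECALL
    ui_summary: dict   # what the signer was shown: {"recipient", "amount_wei"}


def decode_intent(req):
    """Derive recipient and amount from the raw bytes, never from the UI."""
    data = req.data.lower()
    data = data[2:] if data.startswith("0x") else data
    if data == "":
        return {"kind": "native", "recipient": req.to.lower(), "amount_wei": req.value}
    if data.startswith(ERC20_TRANSFER) and len(data) == 8 + 64 + 64:
        # ABI layout: 4-byte selector, 32-byte left-padded address, 32-byte uint256
        return {"kind": "erc20", "token": req.to.lower(),
                "recipient": "0x" + data[32:72], "amount_wei": int(data[72:], 16)}
    return {"kind": "unknown_call", "recipient": req.to.lower(),
            "amount_wei": req.value, "selector": data[:8]}


def evaluate(req, now, policy=POLICY):
    """Return (decision, reasons); decision is approve, escalate or block."""
    intent = decode_intent(req)
    reasons, decision = [], "approve"

    def block(reason):
        nonlocal decision
        reasons.append(reason)
        decision = "block"

    if req.operation == DELEGATECALL and not policy["allow_delegatecall"]:
        block("DELEGATECALL lets the target rewrite the wallet's own storage")
    if intent["kind"] == "unknown_call":
        block(f"unrecognised function selector 0x{intent['selector']}")
    if intent["recipient"] not in {a.lower() for a in policy["whitelist"]}:
        block(f"destination {intent['recipient']} is not whitelisted")
    # The front end is untrusted input: compare what was shown to the bytes.
    shown = req.ui_summary
    if (shown.get("recipient", "").lower() != intent["recipient"]
            or shown.get("amount_wei") != intent["amount_wei"]):
        block("front-end summary does not match the decoded payload")

    if decision != "block":  # only escalate what is otherwise permitted
        if now.hour not in policy["approval_hours_utc"]:
            reasons.append("outside the approval window")
            decision = "escalate"
        if intent["amount_wei"] > policy["escalate_above_wei"]:
            reasons.append("amount above the single-approver limit")
            decision = "escalate"
    return decision, reasons


WARM = "0x1111111111111111111111111111111111111111"


def demo():
    """Constructed requests: an honest transfer, a large one, and a UI swap."""
    now = datetime(2025, 2, 21, 14, 0, tzinfo=timezone.utc)
    honest = SigningRequest(WARM, 10 * 10**18, "", CALL,
                            {"recipient": WARM, "amount_wei": 10 * 10**18})
    large = SigningRequest(WARM, 500 * 10**18, "", CALL,
                           {"recipient": WARM, "amount_wei": 500 * 10**18})
    # Swapped payload: the signer is shown the honest transfer, but the bytes
    # are a DELEGATECALL to a non-whitelisted contract whose calldata merely
    # looks like an ERC-20 transfer (constructed addresses).
    swapped = SigningRequest("0x" + "ab" * 20, 0,
                             "0x" + ERC20_TRANSFER + "00" * 12 + "cc" * 20 + "00" * 32,
                             DELEGATECALL, {"recipient": WARM, "amount_wei": 10 * 10**18})
    return evaluate(honest, now), evaluate(large, now), evaluate(swapped, now)
```

The engine has to run on a host and code path the front end cannot reach, otherwise the same compromise that swaps the payload can also swap the summary it is compared against. Note that the mismatch rule fires regardless of whether the signer's hardware wallet can render the transaction, which is the gap blind signing left open in the Bybit case.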
1.5 Response Layer: Containing Damage After an Incident
The working assumption of security is that perfect defense does not exist and that attacker capability keeps evolving. The response layer is the system that contains damage when a breach occurs and preserves the chance of recovering assets. The measures available at this layer include:
- Real-time monitoring and anomaly detection: monitoring for cryptocurrency services must span both onchain and offchain activity. Onchain monitoring analyzes blockchain transactions in real time to detect abnormal patterns. Chainalysis, TRM Labs, and others provide this service to institutional clients, with typical detection targets including abnormally large withdrawals, transfers to previously unapproved addresses, fund movements to cryptocurrency mixers, and interactions with sanctioned addresses. Offchain monitoring brings together server logs, access records, and API call patterns to surface early signs of compromise.
- Incident response protocol: effective incident response depends on predefined protocols and on execution speed. Global institutional-grade custody providers establish service-level agreements covering the full sequence from detection and internal escalation to asset freezes, law enforcement notification, and stakeholder disclosure, and they rehearse these protocols through regular simulation exercises.
- Asset freezing and tracking: because of how blockchains work, recovering stolen assets is structurally harder than in traditional finance, though not impossible. Stablecoin issuers' freeze functions can block the path that converts stolen assets into stablecoins, and cooperative frameworks between exchanges can delay the cash-out process. Time is the decisive variable, and the speed of the response layer directly shapes the likelihood of recovery.
- Insurance coverage: the final line of defense in the response layer is insurance. This is one of the most important factors institutional clients weigh when selecting a custody provider, but its actual structure and limitations are often poorly understood. Digital asset custody insurance is supplied through the traditional insurance market centered on Lloyd's of London, as well as through crypto-specialized insurers such as Evertas, Coincover, and Relm.
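Offchain monitoring of the kind described above comes down to correlating access records with API activity. The Python below is an added illustration, not any vendor's detection logic, that runs four rules over constructed JSON log lines: a remote-access login from a country outside the user's baseline, a login from a device not in the managed inventory, withdrawal API calls made in a session whose login was already flagged, and a burst of withdrawal calls from one user within five minutes. Together they model the sequence seen in the Ozys case, a hijacked remote-access account followed by fraudulent transactions. The log schema, baselines, thresholds and accounts are all assumptions.

```python
"""Offchain correlation of remote-access logins and withdrawal API calls.

Added example with a constructed log schema (one JSON object per line) and
constructed baselines; not any vendor's detection logic.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed inventories: company-managed devices, and the countries each
# user has logged in from over a baseline period (assumed maintained elsewhere).
MANAGED_DEVICES = {"WS-001", "WS-002"}
GEO_BASELINE = {"alice": {"KR"}, "bob": {"KR"}}
BURST_COUNT, BURST_WINDOW = 3, timedelta(minutes=5)


def parse_event(line):
    """Parse one JSON log line and convert its timestamp to a datetime."""
    event = json.loads(line)
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def correlate(lines):
    """Run the rules over log lines in time order and return alerts."""
    alerts = []
    suspicious_sessions = set()              # sessions whose login was flagged
    recent_withdrawals = defaultdict(deque)  # user -> withdrawal timestamps in window
    for ev in sorted(map(parse_event, lines), key=lambda e: e["ts"]):
        if ev["source"] == "vpn":
            rules = []
            if ev["country"] not in GEO_BASELINE.get(ev["user"], set()):
                rules.append("new_geo_login")
            if ev["device_id"] not in MANAGED_DEVICES:
                rules.append("unmanaged_device")
            if rules:
                suspicious_sessions.add(ev["session"])
                alerts.append({"severity": "medium", "user": ev["user"],
                               "session": ev["session"], "rules": rules, "ts": ev["ts"]})
        elif ev["source"] == "withdraw_api":
            rules = []
            if ev["session"] in suspicious_sessions:
                rules.append("withdrawal_after_suspicious_login")
            window = recent_withdrawals[ev["user"]]
            window.append(ev["ts"])
            while ev["ts"] - window[0] > BURST_WINDOW:  # drop calls older than the window
                window.popleft()
            if len(window) >= BURST_COUNT:
                rules.append("withdrawal_burst")
            if rules:
                alerts.append({"severity": "high", "user": ev["user"],
                               "session": ev["session"], "rules": rules, "ts": ev["ts"]})
    return alerts


# Constructed sample: alice behaves normally; bob's account logs in from an
# unknown country on an unmanaged laptop and then fires off four withdrawals.
SAMPLE_LOGS = [
    '{"source":"vpn","ts":"2026-01-10T09:00:00","user":"alice","session":"s-a1","country":"KR","device_id":"WS-001"}',
    '{"source":"withdraw_api","ts":"2026-01-10T09:05:00","user":"alice","session":"s-a1","amount_krw":50000000}',
    '{"source":"vpn","ts":"2026-01-10T02:10:00","user":"bob","session":"s-b9","country":"ZZ","device_id":"LAPTOP-7F"}',
    '{"source":"withdraw_api","ts":"2026-01-10T02:12:00","user":"bob","session":"s-b9","amount_krw":900000000}',
    '{"source":"withdraw_api","ts":"2026-01-10T02:13:00","user":"bob","session":"s-b9","amount_krw":900000000}',
    '{"source":"withdraw_api","ts":"2026-01-10T02:14:00","user":"bob","session":"s-b9","amount_krw":900000000}',
]


def demo():
    """Run the correlation over the constructed sample and return the alerts."""
    return correlate(SAMPLE_LOGS)
```

In the sample, the first alert fires at the login itself, two minutes before any funds move; the point of joining the two log sources is that the withdrawal calls inherit the suspicion of the session that issued them rather than being judged one by one.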
2. Global Trends: Players Setting the Standard, Layer by Layer
The four layers described above are no longer theoretical. They are already being implemented in the global institutional custody market. This section reviews how major players are building each layer and how the U.S. regulatory framework enforces those layers from the outside.
2.1 Layer-by-Layer Assessment of Major Players

2.1.1 Fireblocks: Leading the Cryptographic and Verification Layers
Fireblocks currently holds the most dominant position in the institutional digital asset infrastructure market. Robinhood, Revolut, BNY Mellon, BNP Paribas, Galaxy, Bakkt, and FalconX all run on Fireblocks.
Fireblocks is strongest at the cryptographic and verification layers. At the cryptographic layer, the company has developed and implemented its proprietary MPC-CMP protocol and publishes MPC-related research through an in-house research team. In 2025, it also led an industry joint letter to NIST calling for MPC standardization, alongside Fidelity, Anchorage, and Kraken.
At the verification layer, Fireblocks runs a configurable policy rules engine inside a hardware-isolated environment, which allows policy-violating transactions to be blocked even if the signing infrastructure is compromised. At the operational layer, Fireblocks received a Trust Company Charter from the New York Department of Financial Services (NYDFS) in 2024, which secured qualified custodian status. That status places the company under ongoing NYDFS supervision and functions as an external regulatory enforcement mechanism for operational security.
2.1.2 Anchorage Digital: The Highest Regulatory Standard at the Operational Layer
Anchorage Digital obtained a federal bank charter from the U.S. Office of the Comptroller of the Currency (OCC) in 2021. It is the first federally chartered cryptocurrency bank in U.S. history.
Anchorage's clearest differentiator lies at the operational layer. A federal bank charter places the firm under the same regulatory framework as other U.S. national banks. That framework includes ongoing OCC supervision, completed SOC 1 and SOC 2 Type II audits, and independent third-party verification of security, confidentiality, and availability. It represents the highest level of external enforcement applied to the operational layer anywhere in the industry.
At the verification layer, Anchorage operates a behavioral analysis-based authentication system that pairs automated anomaly detection with human oversight for every transaction approval. At the response layer, it is worth noting that Anchorage serves as the custodian for all digital assets seized or forfeited in criminal cases under its contract with the U.S. Department of Justice (DOJ).
2.1.3 Fordefi: DeFi-Specialized at the Verification Layer
Since its founding in 2021, Fordefi has grown into a DeFi-specialized institutional MPC wallet platform with around 300 institutional clients. In November 2025, Paxos acquired the company for more than $100 million.
Fordefi's standout strength is the verification layer, and specifically verification inside DeFi environments. Its pre-execution transaction simulation feature independently verifies the real effects of a transaction before signing, and combined with direct dApp connectivity through a browser extension, it defends against malicious transaction signing attacks that typically arise in DeFi.
At the cryptographic layer, Fordefi pairs server share isolation built on AWS Nitro Enclaves with user share protection that leverages mobile device hardware enclaves.
Fordefi's technology is now being integrated with Paxos' regulatory infrastructure, which includes the NYDFS charter and SOC 2 certification among others. The Paxos acquisition of Fordefi suggests that custody and wallet infrastructure are converging with stablecoin issuance, asset tokenization, and payment systems, and that layer-by-layer security capabilities are becoming a core competitive asset in the process.
2.2 The U.S. Custody Security Regulatory Framework
In the United States, the regulatory framework for institutional-grade digital asset security is shaped by multiple agencies in a multi-tiered manner, with each regulator enforcing a different security layer.
- SEC (Securities and Exchange Commission): operates a custody rule that requires registered investment advisors (RIAs) to hold client assets with qualified custodians. In September 2025, the SEC issued a no-action letter confirming that state trust companies can serve as qualified custodians for digital assets, which opened a clear regulatory pathway for state charter-based custodians such as Fireblocks Trust.
- OCC (Office of the Comptroller of the Currency): supervises digital asset custody services at the federal level. An institution holding an OCC charter automatically meets the SEC's qualified custodian criteria.
- NYDFS (New York Department of Financial Services): regulates digital asset businesses in New York State through the BitLicense and the Trust Company Charter.
- GENIUS Act: a federal law that requires stablecoin issuers to maintain 1:1 reserves, hold assets with qualified custodians, and operate AML programs. Detailed implementing regulations are scheduled for finalization by July 2026. This law is expected to further specify requirements at the response layer (safety of reserve custody) and at the operational layer (AML programs).
The core function of this regulatory framework is to set minimum standards across the security layers through external enforcement, rather than relying on voluntary security investment by individual firms. The SEC's qualified custodian requirements enforce the operational layer. SOC 2 Type II audits enforce the operational and response layers. NIST's MPC standardization work enforces or standardizes the cryptographic layer.
Summed up, the U.S. institutional-grade security standard looks like this: MPC-based key management (cryptographic layer), plus SOC 2 Type II audits (operational layer), plus policy engines and transaction verification (verification layer), plus insurance coverage and an incident response system (response layer), plus a federal or state-level regulatory license.
3 Korea's Security Framework: How Should Korean Players Respond?
3.1 Korea's Security Framework
3.1.1 ISMS Certification System

The security requirements a virtual asset service provider (VASP) must meet to operate in Korea are structured quite differently from those in the United States.
To register as a VASP in Korea, a firm must obtain the Information Security Management System (ISMS) certification operated by KISA (Korea Internet and Security Agency). ISMS effectively functions as a prerequisite for market entry, and certification requires demonstrated compliance with 101 control items across three domains: 16 items for management system establishment and operation, 64 items for protection measure requirements, and 21 items for personal information processing stage requirements.
Mapped against the security layer framework, ISMS certification looks like this:
- Partial coverage of the operational layer: ISMS protection measure requirements touch on some elements of the operational layer. However, these items were designed for general-purpose IT systems and do not explicitly address blockchain-specific access control requirements such as access to key management systems or signing processes.
- Partial coverage of the response layer: ISMS includes items on breach incident management. These items focus on general IT incident response and do not cover blockchain-specific response requirements such as onchain monitoring, asset freeze protocols, and coordination with stablecoin issuers.
- Insufficient coverage of the cryptographic layer: the focus is on traditional IT encryption practices such as communication encryption, data-at-rest encryption, and cryptographic key management. There are no specific requirements for digital asset-specific key management technologies such as MPC or HSM. ISMS certification therefore leaves companies flexibility in technology selection, but it also means that the actual level of key management can vary widely even among certified firms.
- Insufficient coverage of the verification layer: verification mechanisms specific to the digital asset signing process, including transaction simulation, human-readable signing verification, and policy engines, fall outside the scope of ISMS.
3.1.2 Cold Wallet Storage Mandate
Under the Virtual Asset User Protection Act, which took effect in July 2024, exchanges must hold at least 80% of customer assets in cold wallets. This rule is meaningful in that it enforces asset allocation policy, and it reflects a direct lesson from the GDAC incident. The current enforcement decree sets the ratio on a total asset basis, however, which leaves the storage method for any individual digital asset to each exchange's discretion.
The 80% cold wallet rule sits at the intersection of the cryptographic and operational layers. On its own, though, it does not meet the requirements of the verification or response layers, and the signing process from cold wallets can still function as an attack vector.
3.1.3 Supervision by the FIU and Financial Authorities
The Financial Intelligence Unit (FIU) continuously inspects VASPs' KYC, suspicious transaction reporting (STR), and currency transaction reporting (CTR) systems, and exchanges report their wallet status to financial authorities on a quarterly basis. This arrangement enforces certain elements of the response layer.
3.2 The Current Status of Digital Asset Basic Act Legislation
The Digital Asset Basic Act is currently experiencing significant legislative delays. As of April 2026, the bill has been removed from the agenda of the National Policy Committee's legislation review subcommittee.
Two legislative questions deserve particular attention from a security infrastructure perspective.
The first is the proposed introduction of an exchange licensing system and the separation of trading from custody. If that separation takes effect, a separate set of security standards will be required for independent custody.
The second is the structure for Korean won stablecoin issuance. The current baseline compromise under discussion is a consortium model in which banks hold at least 50% plus one share, which would make the custody security requirements for stablecoin reserves a live design question.
The current draft of the Digital Asset Basic Act remains contested. Industry and regulators disagree on restrictions on majority shareholder stakes in exchanges and on the Financial Supervisory Service's demand for bank-level inspection and sanctioning authority. Legal experts expect passage sometime in 2026, but they caution that substantive discussion may not resume until after the June local elections.
3.3 Decision-Making Considerations for Korean Companies
As the analysis above makes clear, Korea's current security framework covers only parts of the operational and response layers. Meeting ISMS and the 80% cold wallet rule is a prerequisite for market entry, but it is not enough to reach global institutional-grade standards on its own. Closing that gap requires layer-by-layer decisions.
3.3.1 Cryptographic Layer
Building an MPC protocol in-house is not recommended. Talent capable of cryptographic auditing and side-channel defense is scarce globally, and the pipeline into Korean industry is narrower still. A more practical path is to integrate a globally audited solution such as Fireblocks or Fordefi and adapt it to Korean regulatory requirements.
The risks that come with solution dependency must be managed in parallel.
First, single-vendor dependency creates structural exposure to that vendor's outages, policy shifts, or price increases. Using different vendors for hot and cold wallets is an effective multi-vendor strategy for eliminating single points of failure.
Second, if some MPC shares are held in overseas cloud environments, the potential conflict with the Personal Information Protection Act and with future data localization requirements under the Digital Asset Basic Act should be reviewed in advance by legal counsel.
Third, the safety of a vendor's protocol and the accuracy of its implementation are separate matters. Implementation accuracy has to be verified independently, and the frequency and standards for those security audits should be defined ahead of time.
3.3.2 Operational Layer
Korean regulations do not yet require SOC 2 Type II audits, but the audit is expected to become a de facto requirement for attracting global institutional clients and for preparing for the post-Digital Asset Basic Act environment. SOC 2 Type II requires at least six months of internal control preparation before the audit itself, which argues for starting early.
Many ISMS and SOC 2 control items overlap, so designing an integrated audit strategy that handles both through a single internal control system is cost-effective.
In parallel, firms should establish blockchain-specific access controls that ISMS does not cover, and a phased adoption is realistic.
Hardware-based MFA (FIDO2/WebAuthn) for signing approvers is a measure that can be implemented immediately at minimal cost. From there, firms should move to physical and logical separation between key management systems and the general operating environment, restriction of internal system access to company-managed devices, and a device compliance verification process.
3.3.3 Verification Layer
Because the verification layer is absent from Korea's current framework, adopting it in itself can serve as a differentiator. Three priorities stand out:
- Policy engine: performs automated verification against amount limits, whitelists, and time-of-day restrictions. It must run in an environment independent of the signing infrastructure.
- Transaction simulation: provides independent verification of real effects before signing. Firms can either build this capability in-house or integrate a global solution. If the simulation runs through the same path as the signing infrastructure, a compromised front end can manipulate simulation results as well, so an independent execution environment is a precondition.
- Independent verification channel: for large-scale transactions, confirmation must take place on separate devices and networks, apart from the signing infrastructure. This can be implemented immediately through operational process alone, with no additional technology investment required.
3.3.4 Response Layer
The time elapsed between a hack and the response is decisive for asset recovery. Adoption of onchain monitoring services (Chainalysis, TRM Labs, and others), documentation of incident response protocols with biannual simulation exercises, and pre-established hotlines with stablecoin issuers and major exchanges are all necessary.
Hotlines for asset freeze coordination with stablecoin issuers such as Tether and Circle, and with major exchanges, must be established before an incident occurs. The legal documents and procedures required for a freeze request should be prepared in advance. Time is the decisive variable, and the speed of the response layer directly determines the likelihood of asset recovery.
Insurance coverage is not a legal obligation, but it is a de facto requirement for attracting institutional clients. Global insurers' underwriting criteria for Korean VASPs have yet to be firmly established, so the process should start early. Engaging insurers proactively to understand underwriting terms and premium levels, and then presenting SOC 2 audit results and verification layer implementation track records as supporting evidence during underwriting review, would be a strategically sound approach.
The author of this report may have personal holdings or financial interests in assets or tokens discussed herein. However, the author affirms that no transactions have been conducted using material non-public information obtained in the course of research or drafting. This report is intended solely for general information purposes and does not constitute legal, business, investment, or tax advice. It should not be used as a basis for making any investment decisions or as guidance for accounting, legal, or tax matters. Any references to specific assets or securities are made for informational purposes only and should not be construed as an offer, solicitation, or recommendation to invest. The opinions expressed herein are those of the author and may not reflect the views of any affiliated institutions, organizations, or individuals. The opinions and analyses expressed herein are subject to change without prior notice. In addition, beyond the individual disclosures included in each report, Four Pillars may hold existing or prospective investments in some of the assets or protocols discussed herein. Furthermore, FP Validated, a division of Four Pillars, may already be operating as a node in certain networks or protocols discussed herein or may do so in the future. Please see the links in the footer for FP Validated's participating network disclosures and for broader disclosure details.


