Digital Asset Custodians in Securing Crypto

 

Photo: Author's own, at the Buddhist temple in Genting Highlands, Malaysia, 2018


As a longtime crypto (and crypto security) enthusiast, I was really interested when I came across news that Indian crypto exchange WazirX has now partnered with BitGo Trust, a regulated digital asset custodian. This partnership aims to improve the security of funds on WazirX's platform and rebuild user trust.

Here is some background: in July 2024, WazirX, one of India's largest crypto exchanges, suffered a major cyberattack that led to nearly $235 million in digital assets being stolen (Explained: The WazirX Hack). This breach occurred despite WazirX implementing advanced safeguards (multi-signature wallets, address allowlisting, and hardware key storage), which highlights how even pretty cautious and secure exchanges remain vulnerable.

The incident was a wake-up call across the industry, highlighting that traditional exchange security alone is not enough. Crypto platforms and users face unique risks that demand stronger solutions. This is where digital asset custodians come in: think of these as specialised entities whose core mission is to securely hold and manage crypto assets on behalf of users or exchanges. By entrusting assets to a qualified custodian, exchanges and investors can address critical security vulnerabilities and avoid becoming the next WazirX-style headline.

The Challenge: Why is Custodianship Needed?

Cryptocurrency users and exchanges face threat vectors that go beyond typical IT security concerns. Traditional cybersecurity tools are important, but they are often insufficient for protecting on-chain assets.

Unlike in traditional finance – where a fraudulent bank transfer can be reversed – blockchain transactions are irreversible, and stolen crypto is nearly impossible to recover. Below are key security challenges and why digital asset custodians are needed:

  • Private Key Loss or Damage: Crypto ownership is controlled by private keys; if a user loses their key (or seed phrase), the funds are permanently inaccessible. Self-custody brings “significant risks, such as losing private keys and passwords,” with no “forgot my password” recourse (How to Choose a Qualified Crypto Custodian). A custodian mitigates this by providing backup key management and recovery procedures so that a single mishap doesn’t mean permanent losses.

  • Theft and Hacks: Hackers target exchanges and individual wallets to steal keys or exploit software. Phishing, malware, and smart contract exploits have led to billions in crypto theft. In fact, $3.8 billion worth of cryptocurrency was stolen in 2022 across exchanges – an increase from the prior year (8 Crypto Exchange Hacks to Know About). Once thieves obtain private keys or transfer funds illicitly, victims have little recourse.
  • Exchange Hack: Crypto exchanges are juicy targets; breaches of “hot” wallets (online wallets for daily operations) can drain a platform’s reserves in minutes. The WazirX attack is one example, and numerous other exchange hacks have shaken user confidence. These incidents show that even strong network security can be bypassed if wallet management is flawed. Without an independent custodian, exchanges must hold keys internally, creating a large attack surface.
  • Insider Fraud or Mismanagement: In the absence of proper custody controls, an insider with sufficient access (a rogue employee) could illegally transfer or misuse funds. Traditional IT security might catch unauthorised server access, but would not stop a trusted insider with keys from moving crypto. This insider threat is very real, so companies must strictly limit who can access and move funds. Custodians enforce separation of duties and multi-approval processes that make it far harder for any one insider to steal assets.
  • Regulatory Non-Compliance: Holding digital assets also introduces regulatory responsibilities. Exchanges managing customer funds in-house must implement robust Anti-Money Laundering and KYC controls, reporting, and auditing. Failure to do so can result in fines or shutdowns. Global standards like the FATF Travel Rule require virtual asset service providers to collect and share customer information for large transfers – a complex task to implement. As governments impose stricter rules on crypto, firms must ensure compliance with KYC/AML controls to prevent legal issues and fines. Many smaller exchanges lack the infrastructure or licenses to meet these custodial regulations on their own.

Getting into the Weeds - Tech Deep Dive

Digital asset custodians address the above challenges through a multi-layered security architecture and specialized operational controls. Some of the key technologies and practices custodians use include:

Multi-Signature Wallets & MPC: Custodians typically require multiple private keys to authorise any movement of funds, rather than a single key. A multi-signature (“multisig”) wallet might be configured as M-of-N (e.g. 3 of 5 keys needed to sign), so that no single compromise is fatal. This provides “greater security, loss prevention, and oversight” by design (How to Choose a Qualified Crypto Custodian). An advanced variant is Multi-Party Computation (MPC), which splits the cryptographic key into shards held by different parties/devices. MPC can eliminate a single point of failure, reducing theft risk by ensuring an attacker cannot assemble a full key from any one breach. In practice, these approaches mean that even if one key is stolen or one system is breached, the assets remain safe.


Cold Storage vs. Hot Wallets: Digital custodians minimise exposure by keeping the vast majority of client assets in cold storage, meaning completely offline wallets or devices not connected to any network. Cold wallets (often stored in bank vaults or secure data centers) are essentially immune to online hacking attempts. A smaller portion of funds may be held in hot wallets for liquidity.

Hardware Security Modules (HSMs) and Physical Security: Custodians guard private keys using dedicated Hardware Security Modules

Policy-Based Risk Controls: Beyond pure technology, custodians layer on smart policies to catch or prevent unauthorized activity. For example, many custodial platforms allow withdrawal address whitelisting – funds can only be sent to pre-approved addresses – to block an attacker who somehow initiates a transfer to an unrecognized address. They also set rate limits and withdrawal limits (e.g. no more than X BTC per day) to contain losses if an account is compromised. Other controls can include time-delayed withdrawals, multi-person approval for large transfers, and restricted access windows (e.g. only during certain hours). Meanwhile, real-time transaction monitoring and anomaly detection are in place to spot unusual patterns (like a sudden large withdrawal or a series of failed login attempts), with security teams ready to intervene. These risk controls dramatically “limit the amount of damage a bad actor – whether internal or external – could do” (Wallet and Custody Guide | The Leader in Digital Asset Custody, Wallets & Financial Services).
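How these controls combine into a single release decision can be sketched as a small policy check. This is an added example, not any custodian's implementation: the class name, field names, thresholds and the `release`/`hold`/`reject` outcomes are all assumptions made for illustration, and addresses are constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class WithdrawalPolicy:
    """Hypothetical policy: allowlist, rolling daily limit, approvals, time delay."""
    allowlist: set            # pre-approved destination addresses
    daily_limit: float        # maximum total released per rolling 24 hours
    large_threshold: float    # at or above this amount, extra controls apply
    approvals_required: int   # distinct approvers needed for large transfers
    delay: timedelta          # hold period for large transfers
    history: list = field(default_factory=list)  # (time, amount) of released withdrawals

    def evaluate(self, dest, amount, approvers, requested_at, now):
        """Return (decision, reason); decision is 'release', 'hold' or 'reject'."""
        # 1. Address allowlisting: unknown destinations are refused outright.
        if dest not in self.allowlist:
            return "reject", "destination not on allowlist"
        # 2. Withdrawal limit: cap the total released in the last 24 hours.
        window_start = now - timedelta(hours=24)
        spent = sum(a for t, a in self.history if t > window_start)
        if spent + amount > self.daily_limit:
            return "reject", "daily limit exceeded"
        # 3. Large transfers need distinct approvers and a cooling-off period.
        if amount >= self.large_threshold:
            if len(set(approvers)) < self.approvals_required:
                return "hold", "awaiting approvals"
            if now - requested_at < self.delay:
                return "hold", "time delay not elapsed"
        self.history.append((now, amount))
        return "release", "ok"
```

Only released withdrawals count toward the daily limit, and approvers are de-duplicated so one person approving twice does not satisfy a two-person rule.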

Insurance Protection: Even with top-notch security, reputable custodians add an extra safety net through insurance. They obtain insurance policies to cover losses in case of extreme events like hacks or employee theft. For instance, BitGo carries a $250 million insurance policy to protect digital assets under its custody (Digital Asset Insurance Policies | The Leader in Digital Asset Custody, Wallets & Financial Services). This insurance, backed by a syndicate of insurers (including Lloyd’s of London)

By combining these technologies and controls, digital asset custodians create a defense-in-depth approach specifically tailored to crypto’s needs. In essence, they bridge the gap between the traditional security world and the crypto world – bringing cutting-edge protections to digital assets that were previously secured only by end-users or start-up exchanges. Custodians not only drastically reduce the likelihood of breaches, but also limit the fallout should one occur (through measures like insurance and distributed keys).


Disclaimer: The views and opinions expressed in this article are solely those of the author and do not necessarily reflect the official policy or position of my employer.

