The first half of 2025 saw the continuation of the complex themes that shaped the threat landscape in 2024. Email compromise retained its place as the most prominent threat type, while phishing continued to take the lead in initial access methods. Yet another trend that persisted was that of groups such as Akira, PLAY and LockBit retaining their place as key ransomware players. However, alongside familiar threat types and players, risks associated with cryptocurrency proved to be a notable theme in Q1 2025, likely due to changing regulations and a rise in malware leveraging the blockchain. As a result, this report focuses on key findings and observations around cryptocurrency.

With significant potential rewards, cryptocurrency has become the focus for cyberattackers almost as fast as for investors. This presents some uniquely complex and unprecedented security risks. Political shifts have led to more giant leaps forward into the mainstream—further driving the scope for attacks. The Kroll Cyber Threat Intelligence team observed nearly $1.93 billion was stolen in crypto-related crimes in the first half of 2025 alone, surpassing the total for 2024 and putting 2025 on track to be the worst year for digital asset theft. Additionally, phishing attacks targeting cryptocurrency users increased by 40%, primarily through fake exchange sites. These underscore the growing cybersecurity risks in the crypto space, from direct thefts and hacks to more sophisticated scams and laundering operations.

Continue reading for more insights into the cryptocurrency security risks shaping 2025 and the steps you can take to safeguard your organization.

 

The Changing Crypto Landscape: Political Shifts and Physical Threats

• Crypto Kidnapping Attempts Accelerate
  Crypto exchanges and financial organizations are becoming increasingly lucrative targets—not just for cyber threats but also for physical security threats—as their visibility and value continue to grow. The level of the physical risk now associated with crypto has been highlighted by recent kidnappings and ransom attempts, leading to a rise in investors seeking protection services, including bodyguards. Risks to companies also increase when they are only potentially exposed, as discovered in the May 7, 2025, LockBit breach, where negotiation conversations were leaked along with their Bitcoin wallet addresses.
• Compliance Failures Driving Risk
  Failure to establish compliance protocols for crypto services can expose financial institutions and organizations to serious legal repercussions, including fines, sanctions and reputational damage. In recent years, crypto services have garnered attention and a reputation as hubs for criminal activity, leading to stringent regulatory measures across various jurisdictions.
• Poor Financial Insight as a High Cost
  Financial intelligence failures in the crypto industry can have disastrous real-world consequences. These include the financing of terrorist activities and enabling organized crime groups. Past crypto breaches highlight the concerns of digital assets causing financial turmoil across markets. For example, the Bybit breach coincided with the price of Bitcoin plunging by 20%. 
    

 

Achieving Crypto Compliance: Evolving Regulatory Requirements

• Proving Compliance with Penetration Testing Proving Compliance with Penetration Testing

Penetration testing (pen testing) is a crucial aspect of an organization’s overall cybersecurity and compliance efforts, and it serves dual purposes for crypto exchanges: first, by enhancing overall security posture and helping businesses meet compliance requirements set by various regulatory bodies. Secondly, documented penetration tests provide tangible evidence of an organization’s commitment to security and compliance, which may be required during regulatory audits or assessments. While no single, universal law mandates pen testing, several regulations and frameworks require or strongly encourage it. These include:

• Regulations and Frameworks Requiring Penetration Testing
• Payment Card Industry Data Security Standard (PCI DSS)
• Health Insurance Portability and Accountability Act (HIPAA)
• General Data Protection Regulation (GDPR)
• International Organization for Standardization (ISO) 27001—the international standard which sets guidelines for Information Security Management Systems (ISMS)
• American Institute of CPAs (AICPA) SOC 2 Trust Services Criteria

Penetration testing is also relevant for compliance with other regulations and frameworks, such as those related to critical infrastructure and government systems. Penetration testing regulations for cryptocurrency businesses are primarily focused on ensuring security, complying with regulations and protecting user assets.  

 

Crypto Oversight: Charting the Regulatory Landscape

The U.S. and EU have two separate characteristics in relation to crypto risk; where the U.S. relies on existing securities laws and enforcement actions to address them, the EU framework is intended to provide a well-coordinated regulatory framework for crypto assets for all EU member states.

 

Crypto in the U.S.: Robust Security Testing Required

In the U.S., January 2025 saw President Donald Trump issuing an executive order declaring crypto a national priority and supporting “the responsible growth and use of digital assets, blockchain technology and related technologies across all sectors of the economy.”

A fundamental regulatory point being addressed is whether cryptocurrency should be regulated by the SEC as a security or by the Commodity Futures Trading Commission as a commodity. Several bills are under consideration in Congress, including the Clarity for Payment Stablecoins Act and the Lummis-Gillibrand Payment Stablecoin Act.

The Financial Crimes Enforcement Network (FinCEN) stipulates that exchanges must implement comprehensive security measures that include penetration testing as part of their compliance with the Bank Secrecy Act (BSA). Further, crypto exchanges that process credit card payments must adhere to requirement 11 of Payment Card Industry (PCI) Data Security Standard (DSS) 3.2.1, which specifically mandates regular penetration testing. The SEC treats many cryptocurrencies as securities and is concerned with investor protection. While not explicitly requiring penetration testing, it does require financial institutions to have robust security testing to ensure compliance. The testing could be used to identify potential vulnerabilities that could be exploited by threat actors.

 

Crypto in the UK: Seeking a Balanced Regime

In December 2024, the UK’s Financial Conduct Authority (FCA) published a Discussion Paper (DP) titled DP24/4: Regulating Cryptoassets—Admissions & Disclosures and Market Abuse Regime for Cryptoassets. In keeping with the FCA’s latest five-year strategy, it is keen to introduce a balanced regime which supports growth in the UK. To this end, the focus of DP 24/4 is spot cryptoassets, such as stablecoins, and what the FCA refers to as unbacked cryptoassets (e.g., bitcoin). It does not include those already captured under the existing list of specified investments in Part III of the Financial Services and Markets Act 2000 (Regulated Activities) Order 2001, such as tokenized financial instruments. The FCA published DP23/4 to help develop the UK’s regime for fiat-backed stablecoins. This is part of a series of publications by the FCA designed to facilitate the development of the UK’s cryptoasset regulatory regime.

 

Crypto in the EU: DORA Sets Out Need for Threat-Led Pen Testing

The Digital Operational Resilience Act (DORA) applies to a wide range of financial entities, including crypto-asset service providers and issuers of crypto-assets. DORA requires relevant organizations in the EU to carry out controlled assessments—Threat-Led Penetration Tests (TLPTs)—of their cyber resiliency on a regular basis. This involves an intelligence-led approach to classic red team testing that targets an organization’s most critical business systems.

Articles 25–27 stipulate that TLPTs take place against IT assets:

• Supporting “critical or important functions” of a financial entity (including third-party systems if/as appropriate).
• Using real-world tactics, techniques and procedures (TTPs) obtained via tailored threat intelligence analysis.
• To proactively identify—and allow entities to swiftly mitigate/remediate—any weaknesses, deficiencies or gaps in their implementation of controls and counteractive measures.

TLPTs must be performed at least every three years if an organization is deemed in scope by the supervising authorities. Finally, TLPTs for DORA should be followed in accordance with the preexisting Threat Intelligence-Based Ethical Red-Teaming (TIBER)-EU framework, with some additional considerations and aspects now also formalized and included in DORA, such as now mandatory purple team exercises.

Navigating the Crypto Gold Rush: All That Glitters Is Not Gold

Political and cultural changes mean that the cryptocurrency ecosphere offers a new frontier for investors, businesses and cybercriminals alike. Trends observed by our Cyber Threat Intelligence team in Q1 2025 demonstrate that while the concept of crypto isn’t exactly new, its continued development and move to the mainstream mean that it poses some very new and very real threats to both financial services companies and businesses seeking to evolve the way they transact with customers. From information stealing to malware to social engineering, patterns noted by Kroll in 2025 highlight that all organizations need to stay vigilant about the potential of attacks that focus on obtaining cryptocurrency or leveraging its vulnerabilities.

Kroll’s Cyber Threat Intelligence team recommends the following steps:

• Address the Essentials

Avoid giving attackers an easy way in by ensuring that your core security controls are addressed. This means ensuring all staff use strong passwords (particularly those linked to cryptocurrency wallets) and enforcing the use of multifactor authentication. Alongside this, implement regular security awareness and training.

• Audit, Assess, Review

Security audits provide critical insight into the wider resilience of your organization. Rather than relying on one-off security checks, establish a regular program of audits to identify vulnerabilities and test the limits of your cybersecurity defenses. With physical attacks associated with crypto now ramping up, organizations should review their physical safety measures as soon as possible, both on an organizational and an individual level.

• Keep Private Keys … Private

The security of private cryptocurrency wallet keys is critical. Ensure they are stored and safeguarded using secure methods, such as encryption and hardware wallets.

• Look Out for the Big Phish

With phishing a key weapon for crypto scammers, ensure that employees are vigilant about all types of unsolicited emails, especially those related to cryptocurrency.

• Apply Customer Intelligence

A key defense against crypto-related threats is current and precise insight into the people and companies your organization is seeking to work with. The most effective actionable intelligence for compliance among organizations and institutions is to thoroughly know their customers. This involves implementing robust Know Your Customer procedures to verify the identities of clients, understand their financial activities and assess potential risks. Overall, organizations must take proactive and preventive intelligence actions to avoid damages.

• Act Fast

In the event of an attack, it is critical to take effective action to mitigate and minimize the impact on your assets and reputation. Organizations can ensure this by collaborating with a trusted security partner who has a proven track record for enabling crypto companies, investors and law enforcement to meet their most critical challenges, as well as a focus on investigating and remediating at pace.

• Get Ahead of Regulatory Requirements

Responding to the changing crypto threat also involves the ability to keep pace with changing rules and regulations; developing robust governance; establishing risk and compliance frameworks; implementing effective anti-money laundering, sanctions and market surveillance programs; and preparing for compliance with incoming digital asset regulations.

It is critically important for companies using crypto globally to be aware of individual country regulations so they are not in violation of global financial system regulations or other countries’ integration and regulation policies. Again, expert advice from a trusted partner can ensure that effective arrangements and documentation are in place to meet regulatory expectations and progress at pace through remediation and regulatory scrutiny.