A leading cryptocurrency bank needed to assess the strength of its defenses against the growing security threats facing its industry, illustrated by events such as the attack on the Bybit crypto exchange. A collaborative purple teaming engagement by Kroll matured into a sophisticated adversary simulation program, including two social engineering exercises at the bank's head office, and culminated in the bank's first red team assessment. By raising the crypto bank's security posture on all fronts, this strategic partnership significantly advanced its resilience to attack.
Overview
Industry
- Financial Services
- Technology
Challenges
- Industry at high risk of attack
- Complex mix of security risks
- Need for continuously elevated standard for security
Kroll Services
- Red teaming
- Purple teaming
- On-premises social engineering assessment
- Threat intelligence
- Cyber Research and Development
Impact
- Comprehensive multi-year cybersecurity program
- Sophisticated adversary simulation
- Evolved security operations center (SOC) capabilities
- Measurable security advances
The Challenge
A leading European crypto bank had recently completed a major migration of its core systems to the cloud and wanted a deep, end-to-end understanding of its security posture in the new environment. The organization's leadership recognized that the shift introduced new risks around access control, key management and the resilience of its cloud-based security architecture.
The bank also recognized that the level of risk affecting its industry and the complexity of its operations meant it would need ongoing expert support with assessments and improvements. To ensure it was taking the most effective approach, the Chief Information Security Officer (CISO) sought more than a standardized or generic testing engagement from a transactional vendor. Instead, the bank wanted a highly focused, threat-driven exercise that would deliver real defensive improvement, not just a report, and a partner that understood the complexities of implementation and could develop tailored solutions for its specific vulnerabilities.
Given the small size of its internal blue team, the bank specifically wanted a purple team engagement to maximize value. This would let its defenders work side by side with a seasoned offensive security team, gaining practical, real-time insight into how attacks unfolded, where detection and response gaps existed, and which weaknesses in the new cloud environment required the most urgent attention.
Kroll’s Solution
The bank's board and CISO first reached out to Kroll after the company had migrated from one technology stack to another. Its initial goal was adversary emulation, starting with the low-hanging fruit (validating existing controls) and progressing to more advanced tactics, techniques and procedures (TTPs) over the course of the engagement. The bank chose Kroll for the quality of frontline insight provided by Kroll's incident response teams and for access to Kroll's Cyber Threat Intelligence team, which would keep the focus on threat actors targeting the crypto industry and the bank's own technology stack. At every stage, the bank's aim was to detect potential indicators of compromise as early as possible. Later, this evolved into implementing automated responses to slow or isolate an attack. Through this collaborative model, the bank aimed to strengthen its defenses, build internal capability and obtain a clear picture of any security exposures following the cloud migration.
In 2023, the bank opted for a purple team assessment as its first engagement because its teams were relatively small and it wanted to work in collaboration with Kroll to enhance its defenses. Kroll's red team experts conducted a two-phase purple team engagement: the first phase executed low-to-moderate complexity TTPs, and the second simulated stealthy, long-dwell adversaries. The TTP selection was informed by in-depth analysis of known threat actors in the financial sector by Kroll's Cyber Threat Intelligence and Detection Engineering teams. The assessments also included deep telemetry analysis and gap identification across endpoints, network and cloud. The output of this threat-informed exercise was Detection-as-Code (DAC), giving the bank codified, reusable detections, and Response-as-Code (RAC), which delivered orchestrated incident response.
In the same year, an engineer from the Kroll Offensive Security team completed a physical penetration test at the bank's head office, attempting to socially engineer their way into the building, for example by testing door security and access card controls. This assessment provided valuable insight into the bank's vulnerabilities at premises level.
By this stage, Kroll was a trusted partner, and the bank fully recognized that Kroll understood its network and could advance its resilience year on year. As a result, Kroll undertook a second two-phase purple teaming exercise in 2024. This time, the team collaborated with Kroll's Research and Development team to design and execute custom-developed TTPs representing bleeding-edge techniques that had not yet surfaced broadly in the wild. Although fewer TTPs were executed because of their sophistication, this purple team exercise gave the bank greater confidence in its detection logic for identifying stealthy and highly targeted attacks, and it resulted in more mature analytical workflows and incident triage processes. The assessment also produced fewer but more refined DACs and RACs, tuned to subtle behavioral indicators.
To test the progress achieved through the purple teaming exercises, Kroll completed the bank's first red team assessment in 2025. The attack on the Bybit cryptocurrency exchange had highlighted concerns about wallet key management, insider abuse and vulnerabilities in multi-party computation. In response, the bank's CISO wanted a highly targeted, threat-driven test that used the most advanced techniques and technology rather than off-the-shelf red teaming.
The red team assessment involved real-world and on-premises threat simulation and the development of custom TTPs. Taking TTPs executed in the Bybit attack as a starting point, Kroll's Research and Development team developed specific malware for the simulation, for example a custom browser injection tool, published through a legitimate app store, that targeted crypto wallets. The approach was designed to mirror the European Threat Intelligence-Based Ethical Red-Teaming (TIBER-EU) framework, combining threat intelligence, stealth and real-world attacker tools and approaches to fully test the bank's operational resilience.
Following this, Kroll undertook additional detection engineering work to meet the crypto bank's goal of aligning with the Digital Operational Resilience Act (DORA). This involved a "purple replay," a workshop in which Kroll, as the bank's penetration testing and red teaming partner, replayed the TTPs that had been executed against the environment so that the defenders could confirm which ones were detected and close the remaining gaps.
The next phase in the collaboration between Kroll and the crypto bank was a second physical penetration test of the bank's head office in 2025. This began with pattern-of-life analysis to observe employee behavior around the building. Over three days, a Kroll consultant attempted three entry points into the bank through social engineering, posing as a new employee. The consultant gained access to areas restricted to security card holders, including the crypto vault, and deployed a number of dummy devices around the building to simulate an attack.
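The Detection-as-Code and Response-as-Code deliverables described in the 2023 engagement, and the purple replay used to check detection coverage before the DORA alignment work, follow a pattern that is easy to show in code. The following is an added illustration, not Kroll's or the bank's tooling: rules are data plus a predicate, each carries the ATT&CK technique it covers and the response it triggers, and a replay function runs the red team's executed techniques back through the rule set to list the gaps. The rule IDs, hosts, users, command lines and the choice of techniques are all constructed for the example.

```python
# Added example: minimal Detection-as-Code (DaC) / Response-as-Code (RaC)
# harness. Illustrative only; not Kroll's or the bank's code. Rule IDs,
# hostnames, users and command lines below are constructed sample data.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    """One process-creation record from endpoint telemetry (constructed)."""
    host: str
    user: str
    parent: str
    process: str
    cmdline: str


@dataclass(frozen=True)
class Detection:
    """A codified detection: metadata plus a predicate over events."""
    id: str
    technique: str                 # MITRE ATT&CK technique the rule covers
    description: str
    match: Callable[[Event], bool]
    response: str                  # RaC action to trigger on a hit


# Response-as-Code: orchestrated actions keyed by name. These only record
# what would happen; a real implementation would call the EDR/SOAR API.
def isolate_host(e: Event) -> str:
    return f"isolate_host:{e.host}"


def kill_process(e: Event) -> str:
    return f"kill_process:{e.host}:{e.process}"


RESPONSES: Dict[str, Callable[[Event], str]] = {
    "isolate_host": isolate_host,
    "kill_process": kill_process,
}

OFFICE = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
ENCODED_FLAGS = ("-enc", "-encodedcommand", "-e")

# Detection-as-Code: rules are versioned alongside their tests.
RULES: List[Detection] = [
    Detection(
        id="DAC-0001",
        technique="T1204.002",
        description="Office application spawning a command shell",
        match=lambda e: e.parent.lower() in OFFICE and e.process.lower() in SHELLS,
        response="isolate_host",
    ),
    Detection(
        id="DAC-0002",
        technique="T1059.001",
        description="PowerShell launched with an encoded command",
        match=lambda e: e.process.lower() == "powershell.exe"
        and any(tok in ENCODED_FLAGS for tok in e.cmdline.lower().split()),
        response="kill_process",
    ),
]


def run(events: List[Event], rules: List[Detection] = RULES) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Evaluate every rule against every event; return (alerts, response actions)."""
    alerts, actions = [], []
    for e in events:
        for r in rules:
            if r.match(e):
                alerts.append((r.id, e.host))
                actions.append(RESPONSES[r.response](e))
    return alerts, actions


def purple_replay(executed: Dict[str, Event], rules: List[Detection] = RULES) -> Dict[str, bool]:
    """Replay each executed TTP (technique -> representative event) through the
    rule set. Techniques mapped to False are the detection gaps to close next."""
    return {tech: any(r.match(e) for r in rules) for tech, e in executed.items()}


# Constructed sample telemetry (not real data).
SAMPLE = [
    Event("ws-01", "alice", "explorer.exe", "winword.exe", "winword.exe /n invoice.docx"),
    Event("ws-01", "alice", "winword.exe", "cmd.exe", "cmd.exe /c start powershell"),
    Event("ws-02", "bob", "cmd.exe", "powershell.exe", "powershell.exe -nop -w hidden -enc SQBFAFgA"),
    Event("ws-03", "carol", "svchost.exe", "rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),
]

# Techniques the red team reports executing, each with the event it produced.
EXECUTED = {
    "T1204.002": SAMPLE[1],
    "T1059.001": SAMPLE[2],
    "T1218.011": SAMPLE[3],   # rundll32 proxy execution: no rule yet, so a gap
}

if __name__ == "__main__":
    print(run(SAMPLE))
    print(purple_replay(EXECUTED))
```

The point of keeping rules in this shape is that the replay is a unit test: every TTP the red team executed becomes a fixture, and a rule change that stops a fixture from matching fails the build, which is the regression protection the program relied on between assessments.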
Impact
Real-World Security Transformation
By delivering an intentional, iterative security program, Kroll has transformed the bank's security posture from vulnerable to robust. By enabling the bank to adopt a TIBER-like approach and align with DORA's focus on operational resilience, Kroll has ensured the bank is now much better prepared to defend against threats, whether at network or premises level.
Greater Vulnerability Insight
The bank now has a much more comprehensive overview of the potential risks across its systems and physical premises, and greater capacity to defend against them, thanks to an ongoing process of assessment and analysis rather than a series of point-in-time assessments. The program also produced new playbooks and analytics tailored to crypto-specific threats, bridging the gap between traditional financial services risk and the emerging risk profile of decentralized finance.
Iteratively Advanced Threat Detection
Throughout the three-year program, each completed assessment left the bank with progressively more advanced detections, avoiding the common problem of defensive regression between engagements. Rather than relying on off-the-shelf, open source or commercial tooling to replicate the sophisticated attacks affecting the crypto sector, in-depth R&D combined with custom threat insight from the Kroll Cyber Threat Intelligence team produced automations that delivered orchestrated incident response, setting a high standard at the end of each assessment.
A Strategic Security Partner
While the bank's testing goals were initially limited to a purple team assessment, they evolved into a collaborative relationship tailored to its complex security requirements. With Kroll's customized approach spanning tools, techniques, R&D, sector threat analysis and more, this security partnership has led to significant and measurable advances in the bank's resilience to attack.