Why security has become a practical question rather than a topic for debate
A few years ago, cryptocurrency in the corporate world looked like an experiment for a handful of technology companies. By 2026 the picture has changed. Businesses pay overseas contractors in crypto, hold part of their reserves in stablecoins, pay salaries to distributed teams, and accept client payments in digital assets. Along with the convenience came a flip side: every such operation creates points where a company can lose money or run into questions from a regulator.
The scale of the threat is clear from the 2025 results. According to Chainalysis, more than $3.4 billion was stolen from the crypto industry over the year[1]. A large share came from a single episode: the February breach of the Bybit exchange, with losses of around $1.5 billion, became the largest theft in the history of cryptocurrency. Attacks are becoming less frequent but larger, and the gap between the biggest hack and the median incident crossed the thousandfold mark for the first time. North Korean groups remain the main source of the threat, accounting for at least $2.02 billion over the year.
A map of risks: what actually threatens a company
When an executive hears the phrase "crypto risks," they usually picture a hack and the theft of funds from a wallet. The real picture is broader, and it helps to break the threats into three groups.
The first group brings together technical and operational risks. These include theft of private keys, errors in wallet setup, phishing of employees, and substitution of the recipient's address. They sit closest to classic information security but have one specific feature: a blockchain transaction is irreversible, and an erroneous or fraudulent transfer cannot be recalled.
The second group covers compliance and regulatory risks. A company may receive funds from a counterparty whose wallet is linked, through a chain of transfers, to a sanctioned address or an illegal source. It may fail to meet the requirements for transmitting data about the sender and the recipient. It may run into a bank that freezes an incoming crypto-related payment until the origin of the money is clarified. These risks do not lead to instant theft, but they can paralyze settlements and result in fines.
The third group includes financial and counterparty risks. Exchange-rate volatility, the choice of an unreliable trading platform, a counterparty that failed to meet its obligations. Here losses arise not from a hacker but from a poor management decision.
A telling example dates to the turn of 2025 and 2026, when the number of "address poisoning" attacks rose sharply. The Blockaid service recorded a jump in such transactions from 628,000 in November 2025 to 3.4 million in January 2026, more than a fivefold increase. The scheme is simple and dangerous precisely for businesses. An attacker generates an address that looks visually similar to the address of the company's real counterparty and sends a small transaction to its wallet. An accountant or finance specialist who is used to copying details from the transaction history then selects the fake address for the next payment and sends the money to the fraudster. There is no technical hack here at all; habit and inattention did the work.
The technical aspect: where assets are stored and who has access to them
The foundation of corporate security in crypto is the management of private keys. Whoever controls the key controls the funds, so the question of storage should be settled before any meaningful sums appear on the company's balance sheet.
The main division runs between hot and cold wallets. Hot wallets are connected to the internet and are needed for day-to-day operations; payments and settlements pass through them. Cold wallets keep reserves offline and are used rarely. A sensible practice is to keep only a working minimum in hot wallets and move the bulk of assets into cold storage. Then even a successful attack on an operational wallet will not lead to the loss of the company's entire capital.
The next layer of protection is the technology for signing transactions. Two approaches compete here:
- Multi-signature requires several independent keys to confirm a transfer, for example on a "three of five" model, where at least three of the five holders must sign. The approach is transparent and well suited to management control, since every signature is visible.
- The second approach is called multi-party computation (MPC). With it, the full private key never exists in one piece at any moment; it is split into encrypted shares distributed across different devices and nodes.
By 2026 the combination of these methods has become the standard in practice among institutional players: MPC provides the operational speed of daily transfers, while multi-signature handles transparent control over large decisions.
For a company that does not want to build the infrastructure itself, it makes sense to evaluate a custody provider by formal criteria. SOC 2 Type II and ISO 27001 certifications stopped being an advantage by 2026 and turned into a minimum requirement for any serious player. It also helps to understand how roles are separated within the system: when one employee initiates a transaction and another confirms it with a hardware or biometric key, the likelihood of both external fraud and internal abuse drops noticeably. Regular renewal of the key shares deserves separate attention, as it lets you strengthen protection without changing the wallet address.
The human factor: the most vulnerable point in the system
Defensive technology improves faster than people's habits. According to AMLBot, which studied more than 2,500 real investigations, around 65% of incidents in 2025 were driven by social engineering rather than technical vulnerabilities[2]. In most cases the attackers did not break the code; they deceived a specific person. Phishing accounted for 18% of all incidents and became the second most common type of attack after investment schemes.
For a business this means that investment in defense is pointless if an employee is ready to transfer funds at a convincing request in a fake email, or to confirm a transaction after a conversation with someone posing as a partner or a service representative. That is why procedures and staff training stand on the same level as technology.
A few measures give the greatest effect at minimal cost. Address whitelists limit the range of recipients a company can send funds to at all, and any new destination goes through separate approval. Limits on the size of a single operation and on daily turnover prevent large sums from being moved in one go. A ban on copying the recipient's address from the transaction history directly closes the address-poisoning threat described above: details are checked against the original source rather than taken from the feed of past transfers. Finally, the separation of powers prevents a single person from making a large payment alone, which reduces the risk of both error and collusion.
Compliance and the legal side: risks that are not visible right away
This group of threats is insidious because it surfaces with a delay. A company may operate calmly for months and then face a blocked payment or a request from its bank, because one of its counterparties turned out to be linked to a problematic source of funds.
The key practice here is to check the counterparty and the address before carrying out a transaction, not afterward. Every external address a company sends funds to or receives them from should be checked against sanctions lists and databases of addresses linked to illegal activity. The difficulty is that a direct match is often absent. A wallet passes the check without flags, but analysis of the chain reveals that several steps back it received funds from a sanctioned address. Such connections through intermediaries are visible only when the transfer history is analyzed, and that is exactly what superficial checks miss.
Regulatory pressure adds to this. The rule on transmitting data about the sender and the recipient (the FATF Travel Rule) requires virtual asset service providers to accompany transfers with information about the parties to the deal. In the European Union there is no threshold at all for transactions between licensed platforms; data is required for any transfer. The transitional period of the MiCA regulation, which brought order to the EU crypto market, ended on July 1, 2026 with no extensions: from that date, any company serving EU clients without a CASP authorization is in breach of Regulation (EU) 2023/1114. Few firms made the deadline. Of the more than 1,200 platforms previously registered under national regimes, only around 210 obtained full MiCA authorization, roughly one in six. For a business that runs cross-border settlements, this means the pool of counterparties with clean legal standing has narrowed noticeably, and the choice of platform now directly affects the legal cleanliness of operations.
A management fork appears here. Building the entire compliance function inside the company is expensive and requires separate expertise. The alternative is to shift part of the load onto the infrastructure of a partner that already operates within the legal framework and takes on the checks, the documentation, and the interaction with banks.
Choosing an operations partner as part of the security system
When a company carries out large crypto operations, much is decided not so much by the wallet technology as by whom the exchange and the deposit and withdrawal of funds go through. A licensed virtual asset service provider (VASP) closes several of the risks described above at once, because it operates within a regulated framework and provides documentary support for deals. GeCrypto is one such company: a VASP licensed by the National Bank of Georgia, and its experience working with businesses is worth looking at through three typical scenarios.
The first scenario concerns settlements with overseas contractors in the EU and the US. A classic bank transfer via SWIFT takes two or three days, and up to a week on some corridors, while the total cost of a cross-border payment, including the exchange-rate spread, intermediary-bank fees, and compliance overhead, usually runs from 3% to 7% of the amount. A settlement through crypto infrastructure goes through in minutes and costs a fraction of a percent. Beyond the savings and the speed, the company spares itself the headache of intermediary banks, which tend to hold up payments for additional checks. It is no coincidence that the volume of B2B payments in stablecoins grew several times over within a year.
The second scenario involves depositing and withdrawing large sums to a bank account. A business that has received client payment in cryptocurrency for services rendered sooner or later faces the task of bringing those funds into a bank. This is where the value of a license shows. When money arrives in a bank account from a licensed VASP, the compliance teams of Georgian banks usually have no questions even about transfers of around a million dollars, because the source is transparent and comes with a full set of documents on the deal. The reverse scenario also works, when a company needs a large sum in cryptocurrency in exchange for a payment from its bank account. In both cases, the documentary traceability of the operation reduces the risk of a freeze or of claims.
The third scenario covers paying employees in cryptocurrency. For distributed teams whose specialists are located outside Georgian jurisdiction, crypto often turns out to be the fastest and most predictable way to pay. Arranged through a licensed partner, such a payment keeps things transparent for accounting and does not turn into a source of regulatory questions.
In all three cases the logic is the same. A well-chosen operations partner becomes the same kind of element in the security system as a multi-signature wallet or an address-checking procedure. It removes part of the financial, compliance, and counterparty risks that the company would otherwise have to cover on its own.
A checklist: how to build a risk-minimization system
Below is a short list of steps that is convenient to use as a reference point when setting up corporate work with cryptocurrency.
- Split storage into hot and cold, keeping only a working minimum in operational wallets.
- Implement multi-signature or MPC to confirm transactions, and separate the roles of initiator and approver.
- When choosing a custody provider, check for SOC 2 Type II and ISO 27001 certifications.
- Set up address whitelists, limits on operations, and a ban on copying details from the transfer history.
- Train employees regularly to recognize phishing and social engineering, since people remain the main target.
- Check counterparties and addresses against sanctions databases before a transaction, not after it.
- Account for Travel Rule requirements and the end of the MiCA transitional period when working with European partners.
- Route large deposit, withdrawal, and cross-border settlement operations through a licensed VASP to obtain documentary support and reduce the load on your own compliance.
Systematic work on these points does not make the risks zero, but it moves them out of the category of chance events the company cannot influence and into the category of manageable parameters. That is the main goal of corporate security when working with digital assets.
[1] Chainalysis. 2026 Crypto Crime Report.
[2] AMLBot. Crypto Crime Report 2025.
