Beyond Private Keys: The Rising Threat of Client Data Compromises in Digital Assets
4 June 2026
Taken from the published LinkedIn Pulse article.
When thinking about security in the blockchain industry, emphasis is generally placed on the security infrastructure and controls surrounding digital assets themselves; cryptographic safeguards and private key storage solutions tend to dominate marketing narratives and commercial perceptions of what security means.
Notwithstanding the undeniable criticality of these principles, digital asset firms are facing increasingly frequent client data compromises due to third-party vendor breaches and insider threats. Recent major incidents reveal that while user funds and private keys are often protected, personally identifiable information (PII), such as names, contact details, and addresses, is regularly exposed. These incidents are often treated separately from discussions of platform security, allowing firms to maintain that core systems remain uncompromised and client funds remain safe.
But as retail digital asset ownership increasingly becomes an integral part of the global financial landscape with an estimated 560 million people now owning cryptocurrencies, the data privacy of these individuals, the controls in place to protect them, and firms' responsibility to ensure client data is not compromised are of ever-increasing significance.
The current understanding of ‘hacking’ or a security breach in the digital assets space is unfortunately reductive, only taking into account the loss of assets or funds to malicious actors. This has allowed companies to claim they have never been hacked or faced serious security breaches, when in reality this is questionable. Any compromise of a company system, whether leading to the loss of assets or client data, should be categorised as a critical breach, and the integrity of the firm’s infrastructure and controls should be scrutinised accordingly.
A clear symptom of this imbalance in priorities is the narrow scope of security and compliance SOC2 reports prevalent in the digital assets industry. Many platforms achieve SOC2 compliance only for the ‘Security’ Trust Services Criteria (TSC), which evaluate a firm’s governance, risk management, and operational controls. Far fewer firms are evaluated against the ‘Privacy’ TSC, which tests an organisation’s controls over the collection, use, retention, disclosure, and disposal of personal information. Without the Privacy criteria, SOC2 auditors do not thoroughly examine data-handling practices, support team access controls, third-party data flows, or retention policies.
Arguably, the illicit exposure of personal data – a name, address, asset holdings, and transaction history – creates a distinct risk category that current asset-centric security frameworks inadequately capture, as it directly enables targeted phishing scams, extortion, and, in more dramatic cases, physical kidnapping.
Unfortunately, the dangers of weak client data controls are evident in a surge of attacks on and kidnappings of digital asset owners. Physical coercion incidents targeting digital asset holders rose by 75% globally in 2025 compared to the previous year, and over 40 digital asset-motivated kidnappings were reported in France between January and April 2026 alone.
The increased risks to individuals, and the loss of user security and trust that follow compromised client data, are significant. With recent data breaches impacting some of the largest firms in the industry, including Coinbase, Kraken, Ledger, and Waltio, it is impossible for companies to proceed without revising their data protection controls. Digital asset companies must apply the same institutional-grade rigour to client data that they already apply to the technical infrastructure protecting funds.
Clearly, the nature and severity of threats in the digital asset industry are shifting. While previous attacks were primarily focused on exploiting on-chain vulnerabilities, attack vectors have now shifted to exploiting off-chain client data, often through insider recruitment and bribery, especially of outsourced overseas support staff. The rise of social engineering powered by leaked personal data raises the question: Will companies change their operations to protect client data?
Evidently, the crypto industry is changing, and standards that once may have been disregarded as pedantic are now imperative. A lacklustre approach to data controls carries significant reputational and financial risks. As institutions increasingly take an interest in digital assets and blockchain integrations, the need for more stringent protections is clearly signalled by highly publicised data breaches, which are increasingly noticed by VCs and regulators. As digital asset firms mature, privacy governance is becoming a component of operational resilience rather than a standalone compliance exercise. The question is no longer solely whether client assets are secure, but also whether organisations can demonstrate institutionally robust controls over the information that makes the owners of those assets identifiable.
Appold is an award-winning independent blockchain advisory firm with in-depth expertise in data governance, control environments, and operational standards required for institutional adoption. Through customised strategies to address identified gaps and implement best practices, Appold can help you meet the stringent risk, governance and procedural requirements necessary to move forward safely in the ever-changing technical, risk, and regulatory landscapes of the digital assets ecosystem.
Reach out to us for further discussion.
For further information, please contact:
info@appold.com