Decrypted | Insights from Virtru to Unlock New Ideas

Sent Doesn't Mean Gone: Why 'Revoke Access' Is a Finance Game-Changer

Written by Editorial Team | Apr 28, 2026 2:36:01 PM

In February 2025, Bybit — one of the world's largest cryptocurrency exchanges — lost $1.5 billion in Ethereum in a single attack. But the Lazarus Group didn't crack the blockchain: Instead, they exploited the people and workflows surrounding it using social engineering, compromised internal communications, and a manipulated interface that made a malicious transaction look routine.

It was the largest crypto heist in recorded history, and it wasn't even the most instructive breach of the year.

That distinction belongs to an incident that didn't involve a single line of blockchain code. Overseas support agents at a major U.S. crypto exchange were bribed to access customer service tools and exfiltrate names, home addresses, masked Social Security numbers, government-issued IDs, and account balances for tens of thousands of customers. Attackers used that data to impersonate the exchange and social-engineer victims out of their remaining holdings. The estimated financial exposure was up to $400 million.

You might expect such an attack to be caused by a smart contract or a cracked wallet, but this wasn't the case. The breach traveled through the operational layer: email threads, support tools like Zendesk, and Know Your Customer (KYC) documents that financial services organizations handle every single day.

By the end of the first half of 2025, nearly $1.93 billion had been stolen in crypto-related crimes — more than all of 2024. Phishing attacks targeting crypto users were up 40% year over year. Email compromise remained the number-one initial access method across the industry.

The threat is not where most security teams are looking.

The Off-Chain Blind Spot

The Federal Reserve has identified five distinct risk areas posed by crypto assets:

  • Technology and operations risks

  • AML/CFT (anti-money laundering/countering the financing of terrorism) risks

  • Consumer protection risks

  • Legal compliance risks

  • Financial stability risks

What's striking is how many of them live entirely off-chain. Technology and operations risk: cybersecurity vulnerabilities in employee workflows. Consumer protection risk: unauthorized access to customer PII. Legal compliance risk: the inability to demonstrate data governance to regulators. These are entirely disconnected from the blockchain itself.

Yet crypto firms continue to invest disproportionately in on-chain security like multi-signature wallets, hardware security modules, and smart contract audits. These investments are necessary — Bybit proves that. But they don't protect the KYC documents emailed to compliance teams. They don't secure the customer service thread containing a wallet address and transaction history. They don't cover the internal AML investigation file shared across four reviewers.

The operational layer — email, file sharing, employee communications — is where sensitive financial data lives much of the time. It's also where security investment remains thinnest.

Why Encrypting at Delivery Isn't Enough

The instinctive response to this gap is encryption. Encryption matters. But standard email encryption or TLS-in-transit protection answers only one question: was this data protected when it was sent?

It doesn't answer the questions that follow.

  • What happens when a file is forwarded to someone who shouldn't have it?

  • What happens when an employee is terminated — or worse, bribed?

  • What if a laptop is stolen six months after a sensitive file was downloaded to it?

  • What if a deal collapses and the counterparty still has access to your client's financial projections?

Encryption without revocation is a lock you can never change after the key is handed out. In financial services, GLBA, the FTC Safeguards Rule, FINRA requirements, and emerging crypto-specific mandates require demonstrated, active control over full data lifecycles, not just the lifecycle of data until it leaves your organization. Full-lifecycle data audit is what regulators are increasingly asking organizations to document.

What "Revoke" Actually Means

Revoke is not a permission setting on a shared drive, or simply encrypting an outbound email. Data-centric revocation means protection is bound to the file itself. The file carries its own access policy wherever it goes — across email, cloud storage, a hard drive, a forwarded attachment chain.

When you can truly revoke access, you are disabling the decryption key at the source. The file becomes unreadable instantly, regardless of where it lives or how many copies exist. Protection travels with the data — from the first mile to the last mile.

The scenarios where this matters aren't hypothetical:

  • A wealth manager sends a confidential portfolio analysis to the wrong client contact. Access revoked before it's opened.
  • An investment banker shares a deal package with a prospective buyer. The deal falls through. Access revoked.
  • A compliance officer shares an AML case file for peer review. The reviewer leaves the firm. Access terminated on offboarding.
  • A support agent's device is flagged as compromised. Every encrypted file they ever accessed is locked down immediately — without touching a single downstream server.

The common thread here is that security does not end with delivery. It persists across the data's full lifecycle. 

Here's what Virtru's revoke function looks like in practice — easy for users and admins alike to take back an email sent in error. 

Why Cryptocurrency Companies Need Recall

For digital asset firms, the attack surface for operational data is unusually broad — and the consequences of exposure are unusually severe.

Unlike a fraudulent credit card transaction, a crypto transfer cannot be reversed. Once funds move, they move permanently. That irreversibility makes the data layer — the information that enables social engineering and account takeover — more valuable to attackers, and more dangerous in the wrong hands.

Consider what a typical day of operational data looks like at a crypto exchange:

  • KYC onboarding: Customers submit passports, utility bills, tax forms, and proof of address. These documents travel via email and file-sharing workflows before they're ingested into compliance systems.
  • Customer support: Agents discuss balances, transaction histories, and wallet addresses in email and support platforms.
  • AML investigations: Compliance teams share case files on suspicious activity across internal reviewers and sometimes external counsel.
  • Institutional sales and counterparty communications: Business development teams share sensitive term sheets, client lists, and account structures with partners and prospects.

Every one of these workflows generates files and emails that — once sent — can be forwarded, downloaded, and stored beyond the sender's control, unless protection travels with them. Also consider the likelihood that one of these external parties gets their email compromised. Whether it's this year or years down the road, if sensitive information remains stored in their inbox, it's 

The Bybit breach began with social engineering of internal staff. The unnamed exchange breach that cost up to $400 million began with bribed agents accessing operational tooling. In both cases, the exploitation pathway ran directly through the communications layer. The data didn't need to be stolen from a blockchain. It was sitting in email, waiting.

A practical evolution underway in 2025–2026 is the normalization of wallet-risk scoring and counterparty analytics as standard AML controls. These are, of course, important to ensure the protection of digital assets. But even the most sophisticated on-chain monitoring does nothing to protect the case file emailed to outside counsel, or the customer identity document a compromised employee forwards to an attacker.

Compliance as a Forcing Function

Regulators are paying attention. The Federal Reserve's risk framework explicitly flags technology and operations risk and consumer protection risk as areas of distinct exposure for crypto firms. Emerging crypto-specific mandates are moving in the same direction as GLBA and the FTC Safeguards Rule: toward requirements for demonstrated, active data governance, beyond just encryption at rest.

Audit trails make a difference. If a regulator asks whether customer PII was protected during an infrastructure incident, "we used TLS" is not a satisfying answer. A documented audit trail, showing every access event, every forwarding action, and the precise timestamp when access was revoked, is a different conversation entirely.

With Virtru, that audit trail is generated automatically. It documents who accessed what, when, and from where, as well as when access was terminated. For a compliance team managing AML obligations, consumer protection requirements, and the reputational weight of a breach, that log is a differentiator and a genuine life-saver.
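A minimal model of the two ideas described above, revocation by disabling the key at the source and an audit trail of every access, added here as an illustration; it is not Virtru's code or API. `KeyService`, `protect`, `open_file`, `demo` and the e-mail addresses are hypothetical, and the SHA-256 keystream is a stand-in for a real AEAD cipher.

```python
import hashlib, os, time

def _xor_stream(key, nonce, data):
    # Stand-in (SHA-256 counter mode) to stay stdlib-only; real systems use an AEAD.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

class KeyService:
    """Hypothetical key service: holds data keys, enforces policy, logs events."""
    def __init__(self):
        self.keys, self.policy, self.audit = {}, {}, []

    def register(self, allowed):
        obj_id, key = os.urandom(8).hex(), os.urandom(32)
        self.keys[obj_id] = key
        self.policy[obj_id] = {"allowed": set(allowed), "revoked": False}
        return obj_id, key

    def request_key(self, obj_id, user):
        p = self.policy[obj_id]
        ok = user in p["allowed"] and not p["revoked"]
        self.audit.append((time.time(), user, obj_id, "granted" if ok else "denied"))
        return self.keys[obj_id] if ok else None

    def revoke(self, obj_id, by):
        self.policy[obj_id]["revoked"] = True
        self.audit.append((time.time(), by, obj_id, "revoked"))

def protect(svc, plaintext, allowed):
    obj_id, key = svc.register(allowed)
    nonce = os.urandom(16)
    # The protected file carries its id and ciphertext, never the key.
    return {"id": obj_id, "nonce": nonce, "body": _xor_stream(key, nonce, plaintext)}

def open_file(svc, f, user):
    key = svc.request_key(f["id"], user)  # every open is a logged key request
    return None if key is None else _xor_stream(key, f["nonce"], f["body"])

def demo():  # constructed sample: one forwarded copy, before and after revoke
    svc = KeyService()
    f = protect(svc, b"constructed KYC sample", {"reviewer@example.com"})
    forwarded = dict(f)  # a copy sitting outside the sender's control
    before = open_file(svc, forwarded, "reviewer@example.com")
    svc.revoke(f["id"], "sender@example.com")
    after = open_file(svc, forwarded, "reviewer@example.com")
    return before, after, [event[3] for event in svc.audit]
```

In this model, revocation blocks every later key request, so every ciphertext copy stays unreadable wherever it is stored; plaintext that a recipient decrypted and saved before the revoke is outside what the key service controls.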

Virtru: Security That Works Inside Your Existing FinTech Stack, for Data Shared Outside the Enterprise

One persistent objection to data-centric security is friction: if protecting files requires a new platform, a new workflow, or staff retraining, adoption collapses. Security that slows operations doesn't get used. Security that doesn't get used doesn't protect anything.

Virtru is built for integration, not replacement. It works natively inside Google Workspace and Microsoft 365 — the environments your teams already use. Encrypting a KYC document, setting an expiration on a sensitive email, or revoking access to a file shared last quarter doesn't require a new system. It requires a single click inside the tools your compliance and support teams open every morning.

Security should empower teams, not stifle productivity. For financial services organizations operating in a threat environment where nearly $2 billion was stolen in the span of six months, the urgency of secure collaboration couldn't be higher. 

The Question Your Security Stack Should Be Able to Answer

The question for financial services security leaders isn't whether operational data needs protection. The breaches have answered that. The question is whether your current stack gives you a kill switch — the ability to revoke access to any file or email you've ever sent, instantly, from anywhere, regardless of where it now lives.

If the answer is no, request a demo to see how Virtru closes that gap for crypto exchanges, fintechs, and financial services organizations operating at the intersection of high-value data and irreversible consequences.