Read the translated Japanese version of this blog here.

At BitGo, security is at the core of everything we do. With a long-standing track record as a secure custodian, we have never lost customer funds in that configuration. As the digital asset ecosystem evolves, so do the threats we face. Attackers continue to develop more sophisticated tactics, and it is our responsibility—as well as that of the broader industry—to stay ahead of these threats.

Evolving Threats in Digital Assets

Recently, we have observed a rise in targeted attacks across the digital assets space. Notable incidents have highlighted a common attack vector: an adversary triggering unwanted transaction requests that pass security checks. The FBI has publicly addressed these types of threats, reinforcing the need for ongoing vigilance.

BitGo actively monitors changes in attack tactics. Through rigorous internal reviews, we have confirmed that our security architecture does not allow for similar attack vectors. However, we don’t rely solely on our own expertise. We maintain strong working relationships with law enforcement and operate a public bug bounty program, encouraging security researchers to identify and report vulnerabilities. In response to emerging threats, we have further enhanced our portal security, minimizing even theoretical risks, including those posed by malicious insiders.

Independent Security Testing and Validation

Beyond internal security measures, we continuously engage external experts to validate our practices. Alongside routine penetration testing, we have contracted a third-party security firm to conduct an independent evaluation of our transaction signing process. Their findings have been reassuring—no major vulnerabilities of concern were discovered.

In addition, we conduct regular, fully independent red team tests. Last year, we went a step further: an external red team was provided with a laptop and given highly privileged administrator access to our environment, including GitHub. During their initial reconnaissance, our monitoring systems detected and blocked their activities. Despite continued attempts over several months, their ultimate attack on our production environment was detected within minutes and thwarted. This demonstrates the strength of our security posture—protecting against even highly credentialed insiders.

A Multi-Layered Approach to Security

At BitGo, security is not just about technology—it’s about culture. We implement a multi-layered defense strategy to mitigate risks at every level:

  • Security Awareness & Training: Employees receive monthly phishing tests, and any failures are followed up on. This ensures ongoing vigilance against social engineering attacks.

  • Endpoint & Network Security: We enforce strict device restrictions, employ anti-malware solutions, and prevent the use of browser-stored passwords. Session hijacking attempts face additional barriers through our mandatory hardware-based 2FA.

  • Continuous Monitoring: Every aspect of our environment, from SaaS usage to endpoint DNS traffic, is actively monitored. Unusual activity is promptly investigated.

  • Access Controls: We enforce least-privilege access, continuously adjust permissions, and require BitGo-issued devices for all internal system interactions.

  • Physical Security: Employees must work from the office for identity verification, further reducing risks related to remote compromises.

These measures align with industry best practices, including the MITRE ATT&CK framework, regulatory guidelines, and leading security standards. By continuously refining our security posture, we ensure that our defenses remain robust against an ever-changing threat landscape.

Our Ongoing Commitment

BitGo has built a reputation for safeguarding customer assets, and we remain unwavering in our commitment to security. We achieve this through a combination of in-house expertise, external validation, and a proactive approach to emerging threats. Security is a shared responsibility, and by working together, we can continue to provide the highest level of protection for our customers.

We will remain vigilant, adaptive, and transparent in our security practices—because protecting digital assets is not just our business, it’s our mission.

The digital asset infrastructure company.

The latest

All News arrowRight icon

About BitGo

BitGo is the digital asset infrastructure company, delivering custody, wallets, staking, trading, financing, and settlement services from regulated cold storage. Since our founding in 2013, we have been focused on accelerating the transition of the financial system to a digital asset economy. With a global presence and multiple regulated entities, BitGo serves thousands of institutions, including many of the industry's top brands, exchanges, and platforms, and millions of retail investors worldwide. For more information, visit www.bitgo.com.

©2026 BitGo, Inc. (collectively with its parent, affiliates, and subsidiaries, “BitGo”). All rights reserved. BitGo Bank & Trust, National Association (“BitGo Bank & Trust”) is a national trust bank chartered and regulated by the Office of the Comptroller of the Currency (OCC). BitGo Bank & Trust is a wholly-owned subsidiary of BitGo Holdings, Inc., a Delaware corporation headquartered in Sioux Falls, South Dakota. Other BitGo entities include BitGo, Inc. and BitGo Prime LLC, each of which is a separately operated affiliate of BitGo Bank & Trust. BitGo does not offer legal, tax, accounting, or investment advisory services. The information contained herein is for informational and marketing purposes only and should not be construed as legal, tax, or investment advice. Digital assets are subject to a high degree of risk, including the possible loss of the entire principal amount invested. Past performance and illustrative examples do not guarantee future results. BitGo Holdings, Inc., BitGo Bank & Trust, BitGo, Inc. and BitGo Prime LLC are not registered broker-dealers and are not members of the Securities Investor Protection Corporation (“SIPC”) or the Financial Industry Regulatory Authority (“FINRA”). Digital assets held in custody are not guaranteed by BitGo and are not subject to the insurance protections of the Federal Deposit Insurance Corporation (“FDIC”) or SIPC. This communication contains forward-looking statements. Forward-looking statements include all statements that are not historical facts. These statements may include words such as “aim,” “anticipate,” “assume,” “believe,” “contemplate,” “continue,” “could,” “estimate,” “expect,” “forecast,” “foreseeable,” “guidance,” “intend,” “likely,” “may,” “objectives,” “outlook,” “plan,” “potentially,” “predict,” “project,” “seek,” “should,” “target,” “will,” “would,” or variations of these terms and similar expressions. Such forward-looking statements are subject to various risks and uncertainties. Accordingly, there are or will be important factors that could cause actual outcomes or results to differ materially from those indicated in these statements. These factors include but are not limited to those described under “Risk Factors” in BitGo Holdings, Inc.’s registration statement on Form S-1, as amended, relating to the initial public offering. These factors should not be construed as exhaustive and should be read in conjunction with the other cautionary statements that are included in the registration statement. Although BitGo believes that the expectations reflected in its forward-looking statements are reasonable, it cannot guarantee future results. BitGo undertakes no obligation to publicly update or review any forward-looking statement, whether as a result of new information, future developments or otherwise, except as required by law.