Key Takeaways
- By validating every transaction across intent, device, identity, behavior, and policy, BitGo is building a forward-looking security model designed for how modern attacks actually occur.
- BitGo Verify enhancements such as device attestation, biometric authentication, and on-demand Video ID ensure approvals happen on trusted devices and in real time, reducing reliance on vulnerable browser environments.
- With policy recommendations, duplication, and webhook integrations, organizations can scale governance, standardize controls, and enforce how assets move across teams and workflows.
- BitGo flags suspicious destination addresses at the moment of withdrawal, allowing operators to catch and stop copy/paste attacks before funds are sent.
Today's attacks don't just target private keys; they target everything around them. They manipulate what users see, compromise the environments where approvals happen, and exploit gaps between systems. A transaction can be cryptographically valid and still be malicious. This is the fundamental shift in the threat landscape, and it requires a different model for security.
At BitGo, we've rearchitected how transactions are secured, not as a single control point but as a system. BitGo evaluates transactions across five independent layers, and only when all five align does a transaction execute.
Intent: Ensuring the Transaction Matches the User's Intent
Most systems assume that what a user sees is what gets signed, but issues such as API-level tampering can alter transaction details after a user reviews them and before they are executed. The signature may still be valid, but the intent is compromised.
BitGo addresses this with API attestations and intent verification. When a transaction is created, BitGo cryptographically verifies that what is being executed is exactly what was approved. This closes the gap between the application layer and the execution layer.
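The general idea of binding an approval to the exact transaction that was reviewed can be sketched as follows. This is an added example, not BitGo's code or API: the field names, the demo key, and the use of an HMAC as a stand-in for a device-held signing key are all assumptions.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption): stands in for a key held by the approver.
APPROVAL_KEY = b"constructed-demo-key-not-a-real-secret"


def canonical(tx: dict) -> bytes:
    """Serialize deterministically so the same intent always gives the same bytes."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def attest(tx: dict, key: bytes = APPROVAL_KEY) -> str:
    """Approval side: compute a tag over exactly what the user reviewed."""
    return hmac.new(key, canonical(tx), hashlib.sha256).hexdigest()


def verify_before_execute(tx: dict, tag: str, key: bytes = APPROVAL_KEY) -> bool:
    """Execution side: refuse the transaction if any field changed after approval."""
    return hmac.compare_digest(attest(tx, key), tag)


def demo() -> dict:
    # Constructed sample transaction; amounts are strings to avoid float drift.
    approved = {"wallet": "w-1", "to": "addr-A", "amount": "1.5", "coin": "btc"}
    tag = attest(approved)
    tampered = dict(approved, to="addr-B")  # destination swapped after review
    reordered = {"coin": "btc", "amount": "1.5", "to": "addr-A", "wallet": "w-1"}
    return {
        "approved": verify_before_execute(approved, tag),
        "tampered": verify_before_execute(tampered, tag),
        "reordered": verify_before_execute(reordered, tag),
    }


if __name__ == "__main__":
    print(demo())
```

Canonical serialization matters here: without it, a harmless change in field order would fail verification, and the check would be disabled in practice.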
Device: Establishing a Trusted Environment for Critical Actions with BitGo Verify
Browsers are convenient but are also exposed to extensions, malware and session hijacking. They can't guarantee the integrity of what is being displayed or executed. BitGo shifts transaction approvals to a trusted-device model with BitGo Verify.
BitGo Verify, BitGo's approvals-only mobile app released in 2025, is purpose-built for high-risk actions like transaction approvals and identity verification. It acts as a dedicated execution channel for approvals, separate from the environment where transactions are initiated. By decoupling initiation from approval, BitGo reduces the risk that a compromised session, manipulated interface, or malicious workflow or actor can influence both sides of a transaction.
With our latest enhancements, BitGo Verify ensures that approvals are not just tied to a user, but to a specific, trusted device operated in a verified state. These include:
- Device attestation: verifying hardware is pre-registered and trusted to perform certain functions
- App integrity checks: blocking any non-official, tampered versions of the app
- Hardware-bound push tokens: ensuring only registered physical devices can receive and respond to certain critical requests
- Session binding: cryptographically linking web sessions to a verified mobile device to prevent man-in-the-middle attacks
The result is a shift from "trusted sessions" toward trusted devices, where approvals are verifiable and resilient to the types of attacks that increasingly target browser-based workflows.
Identity: Verifying Users in a Deepfake World with BitGo Verify
Deepfakes, injected video feeds, and social engineering attacks are making it harder to distinguish legitimate users from attackers. BitGo approaches identity verification as a dynamic, real-time process that occurs within a trusted environment.
Because approvals and high-risk actions are already isolated within BitGo Verify, identity verification can be performed at the exact moment it matters, at the point of approval, not as a disconnected, one-time step.
With the introduction of on-demand video ID, BitGo leverages verification mechanisms that can be triggered in real time. When required, users complete a live verification flow directly within the BitGo Verify app, ensuring identity checks occur on a trusted device, through a controlled interface, and in direct connection with the action being performed. This process combines multiple validation methods, including biometric authentication to confirm the presence of the authorized user and liveness detection to ensure the user is physically present and responding in real time.
Behavior: Detecting Threats at the Moment They Matter
Some attacks don't rely on compromised credentials or devices. They rely on subtle manipulation of user behavior. A common example is address poisoning, where attackers introduce a lookalike address into a user's transaction history, hoping they will copy and paste the wrong destination. In these scenarios, everything appears normal but the outcome is not. BitGo addresses this with real-time threat detection.
At the moment of withdrawal, the platform evaluates recent transaction activity to identify patterns consistent with manipulation. Suspicious destination addresses are flagged before execution, giving operators the opportunity to review and intervene. These signals are surfaced directly within the approval flow. This capability is further strengthened by AI-driven risk analysis, which evaluates activity across users, wallets, and workflows to detect anomalies that static controls may miss.
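A minimal withdrawal-time check for lookalike destinations, as an added example rather than BitGo's detection logic. The matching rule (same length, same first six and last four characters, different middle), the function names, and the sample addresses are assumptions, and addresses are treated as case-insensitive hex strings.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass
class Finding:
    destination: str
    resembles: str
    seen_in_recent_activity: bool


def is_lookalike(a: str, b: str, head: int = 6, tail: int = 4) -> bool:
    """Same length, same leading and trailing characters, different middle."""
    return (a != b and len(a) == len(b)
            and a[:head] == b[:head] and a[-tail:] == b[-tail:])


def check_destination(dest: str, trusted: Iterable[str],
                      recent_counterparties: Iterable[str]) -> Optional[Finding]:
    """Flag a destination that imitates, but is not, a trusted address.

    trusted: addresses the organization has deliberately used before.
    recent_counterparties: addresses appearing in recent wallet history,
    which is where a poisoning entry would have been planted.
    """
    dest = dest.lower()
    trusted_set = {t.lower() for t in trusted}
    if dest in trusted_set:
        return None  # exact match with a known-good address
    recent = {r.lower() for r in recent_counterparties}
    for known in sorted(trusted_set):
        if is_lookalike(dest, known):
            return Finding(dest, known, dest in recent)
    return None


# Constructed sample values, not real addresses.
TRUSTED = "0xa1b2" + "0" * 32 + "c3d4"
POISON = "0xa1b2" + "f" * 32 + "c3d4"
UNRELATED = "0x" + "9" * 40

if __name__ == "__main__":
    print(check_destination(POISON, [TRUSTED], [POISON]))
    print(check_destination(UNRELATED, [TRUSTED], [POISON]))
```

A finding here is a prompt for operator review, not proof of an attack; a new address that is unrelated to any trusted one passes this check and is left to allowlist policy.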
Policies: Defining and Enforcing How Assets Move
Even when a transaction is valid, initiated by an authorized user, and approved on a trusted device, it may still be undesirable. This is where BitGo's Policy Engine plays a critical role.
Policies allow organizations to define the rules that govern how assets can move. These rules can be tailored to each organization's operational and risk requirements, including:
- Requiring additional approvals for high-value transactions
- Restricting withdrawals to pre-approved (whitelisted) addresses
- Enforcing velocity limits over time
- Separating roles between transaction initiators and approvers
What makes this powerful is that policies are enforced independently of cryptographic signing. A transaction can meet every technical requirement to be signed and still be blocked if it violates policy. This creates a clear separation between authorization and governance.
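The four rule types listed above, evaluated separately from signature validity, can be sketched like this. It is an added example, not the BitGo Policy Engine or its API: the class names, rule names, thresholds, and sample data are all hypothetical.

```python
from dataclasses import dataclass, field


@dataclass
class Policy:
    allowlist: set             # pre-approved destination addresses
    high_value: int            # amounts at or above this need extra approvals
    approvals_high_value: int  # approvals required for high-value transactions
    velocity_limit: int        # maximum total withdrawn per window
    window_s: int              # window length in seconds


@dataclass
class Tx:
    initiator: str
    to: str
    amount: int
    ts: int
    approvers: list = field(default_factory=list)
    signature_valid: bool = True


def evaluate(tx: Tx, policy: Policy, history: list) -> list:
    """Return policy violations; history holds (ts, amount) of past withdrawals."""
    violations = []
    if tx.to not in policy.allowlist:
        violations.append("destination_not_allowlisted")
    approvers = set(tx.approvers)
    if tx.initiator in approvers:
        violations.append("initiator_cannot_approve")
    needed = policy.approvals_high_value if tx.amount >= policy.high_value else 1
    if len(approvers - {tx.initiator}) < needed:
        violations.append("insufficient_approvals")
    spent = sum(a for ts, a in history if tx.ts - policy.window_s < ts <= tx.ts)
    if spent + tx.amount > policy.velocity_limit:
        violations.append("velocity_limit_exceeded")
    return violations


def may_execute(tx: Tx, policy: Policy, history: list) -> bool:
    """A valid signature is necessary but never sufficient."""
    return tx.signature_valid and not evaluate(tx, policy, history)


# Constructed sample policy and history.
POLICY = Policy({"addr-A"}, high_value=1000, approvals_high_value=2,
                velocity_limit=5000, window_s=86400)
HISTORY = [(1000, 1500), (10000, 3000)]  # only the second falls in the window

if __name__ == "__main__":
    tx = Tx("alice", "addr-A", 2500, ts=90000, approvers=["bob"])
    print(evaluate(tx, POLICY, HISTORY), may_execute(tx, POLICY, HISTORY))
```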
Recent enhancements to the Policy Engine make these controls more scalable and easier to implement across organizations. Policy recommendations provide starting points based on similar enterprise configurations. Policy duplication ensures consistency across teams and environments. Webhook integrations allow external risk systems to participate directly in approval workflows.
Together, these capabilities transform policy from a static configuration into a dynamic, enforceable layer of control that governs every transaction in real time.
A System Designed for How Attacks Happen
Security is no longer about protecting a single component. It's about ensuring that no single failure leads to loss.
At BitGo, a transaction must now:
- Match user intent
- Originate from a trusted device
- Be approved by a verified identity
- Align with expected behavior
- Comply with organizational policy
If any one of these conditions fails, the transaction does not execute. This is the shift from point-in-time security to continuous verification.
As attackers increasingly target the gaps between systems, security must evolve to close those gaps. By validating every transaction across intent, device, identity, behavior, and policy, BitGo is establishing a model for transaction security that reflects how modern attacks actually occur.
The next generation of digital asset security is already taking shape. Connect with our team to learn how BitGo is helping institutions adapt to a changing threat landscape.
About BitGo
BitGo is the digital asset infrastructure company, delivering custody, wallets, staking, trading, financing, and settlement services from regulated cold storage. Since our founding in 2013, we have been focused on accelerating the transition of the financial system to a digital asset economy. With a global presence and multiple regulated entities, BitGo serves thousands of institutions, including many of the industry's top brands, exchanges, and platforms, and millions of retail investors worldwide.