Read the translated Japanese version of this blog here.

At BitGo, security is at the core of everything we do. With a long-standing track record as a secure custodian, we have never lost customer funds in that configuration. As the digital asset ecosystem evolves, so do the threats we face. Attackers continue to develop more sophisticated tactics, and it is our responsibility—as well as that of the broader industry—to stay ahead of these threats.

Evolving Threats in Digital Assets

Recently, we have observed a rise in targeted attacks across the digital assets space. Notable incidents have highlighted a common attack vector: an adversary triggering unwanted transaction requests that pass security checks. The FBI has publicly addressed these types of threats, reinforcing the need for ongoing vigilance.

BitGo actively monitors changes in attack tactics. Through rigorous internal reviews, we have confirmed that our security architecture does not allow for similar attack vectors. However, we don’t rely solely on our own expertise. We maintain strong working relationships with law enforcement and operate a public bug bounty program, encouraging security researchers to identify and report vulnerabilities. In response to emerging threats, we have further enhanced our portal security, minimizing even theoretical risks, including those posed by malicious insiders.

Independent Security Testing and Validation

Beyond internal security measures, we continuously engage external experts to validate our practices. Alongside routine penetration testing, we have contracted a third-party security firm to conduct an independent evaluation of our transaction signing process. Their findings have been reassuring—no major vulnerabilities of concern were discovered.

In addition, we conduct regular, fully independent red team tests. Last year, we went a step further: an external red team was provided with a laptop and given highly privileged administrator access to our environment, including GitHub. During their initial reconnaissance, our monitoring systems detected and blocked their activities. Despite continued attempts over several months, their ultimate attack on our production environment was detected within minutes and thwarted. This demonstrates the strength of our security posture—protecting against even highly credentialed insiders.

A Multi-Layered Approach to Security

At BitGo, security is not just about technology—it’s about culture. We implement a multi-layered defense strategy to mitigate risks at every level:

  • Security Awareness & Training: Employees receive monthly phishing tests, and any failures are followed up on. This ensures ongoing vigilance against social engineering attacks.

  • Endpoint & Network Security: We enforce strict device restrictions, employ anti-malware solutions, and prevent the use of browser-stored passwords. Session hijacking attempts face additional barriers through our mandatory hardware-based 2FA.

  • Continuous Monitoring: Every aspect of our environment, from SaaS usage to endpoint DNS traffic, is actively monitored. Unusual activity is promptly investigated.

  • Access Controls: We enforce least-privilege access, continuously adjust permissions, and require BitGo-issued devices for all internal system interactions.

  • Physical Security: Employees must work from the office for identity verification, further reducing risks related to remote compromises.

These measures align with industry best practices, including the MITRE ATT&CK framework, regulatory guidelines, and leading security standards. By continuously refining our security posture, we ensure that our defenses remain robust against an ever-changing threat landscape.

Our Ongoing Commitment

BitGo has built a reputation for safeguarding customer assets, and we remain unwavering in our commitment to security. We achieve this through a combination of in-house expertise, external validation, and a proactive approach to emerging threats. Security is a shared responsibility, and by working together, we can continue to provide the highest level of protection for our customers.

We will remain vigilant, adaptive, and transparent in our security practices—because protecting digital assets is not just our business, it’s our mission.

Own your financial future.

The latest

All News arrowRight icon

About BitGo

BitGo is the digital asset infrastructure company, delivering custody, wallets, staking, trading, financing, and settlement services from regulated cold storage. Since our founding in 2013, we have been focused on accelerating the transition of the financial system to a digital asset economy. With a global presence and multiple regulated entities, BitGo serves thousands of institutions, including many of the industry's top brands, exchanges, and platforms, and millions of retail investors worldwide. For more information, visit www.bitgo.com.

©2025 BitGo, Inc. (collectively with its parent, affiliates, and subsidiaries, “BitGo”). All rights reserved. BitGo Bank & Trust, National Association (“BitGo Bank & Trust”) is a national trust bank chartered and regulated by the Office of the Comptroller of the Currency (OCC). BitGo Bank & Trust is a wholly-owned subsidiary of BitGo Holdings, Inc., a Delaware corporation headquartered in Palo Alto, California. Other BitGo entities include BitGo, Inc. and BitGo Prime LLC, each of which is a separately operated affiliate of BitGo Bank & Trust.

BitGo does not offer legal, tax, accounting, or investment advisory services. The information contained herein is for informational and marketing purposes only and should not be construed as legal, tax, or investment advice. You should consult with your own legal, tax, and investment advisor for questions about your specific circumstances.

Digital assets are subject to a high degree of risk, including the possible loss of the entire principal amount invested. Past performance and illustrative examples do not guarantee future results. The value of digital assets can fluctuate significantly and may become worthless. No BitGo communication is intended to imply that any digital asset services are low-risk or risk-free. BitGo is not a registered broker-dealer and is not a member of the Securities Investor Protection Corporation (“SIPC”) or the Financial Industry Regulatory Authority (“FINRA”). Digital assets held in custody are not guaranteed by BitGo and are not subject to the insurance protections of the Federal Deposit Insurance Corporation (“FDIC”) or SIPC. Custody and other digital asset services are subject to eligibility, jurisdictional, and regulatory restrictions. Availability of specific products and services may vary by location and entity.

BitGo endeavors to provide accurate information on its websites, press releases, blogs, and presentations, but cannot guarantee all content is correct, completed, or updated. Content is subject to change without notice. BitGo disclaims any obligation to update or supplement such information except as required by applicable law or regulation.

BitGo makes no representation that the information contained herein is appropriate for use in any jurisdiction where its distribution or use would be contrary to law or regulation or would subject BitGo or any of its affiliates to any registration or licensing requirements in such jurisdiction. Persons who access this information are responsible for complying with all applicable laws and regulations.