    Security Sponsored Post

    Building Trust in Digital Asset Infrastructure with Hardware Roots of Trust

    Richard Chiu from Thales notes that most breaches originate from compromised private keys rather than blockchain flaws, making hardware-backed security essential.
    Izzat Najmi Abdullah, March 24, 2026, 7 Mins Read
    Digital assets were designed around decentralisation, yet the responsibility for securing them increasingly sits with institutions.

    Banks, fintechs, and specialised platforms now safeguard billions of dollars in cryptocurrencies, stablecoins, and tokenised assets on behalf of customers.

    As digital asset markets mature, the conversation is shifting from innovation to infrastructure and, more importantly, security.

    Yet the biggest risks rarely originate from the blockchain itself.

    Most major breaches stem not from flaws in blockchain protocols but from the surrounding infrastructure, particularly the systems responsible for managing private keys.

    Recent data illustrate the scale of the problem.

    According to Chainalysis, more than US$2.2 billion worth of cryptocurrency was stolen through hacks in 2024, a 21% increase from the previous year.

    Nearly 44% of those losses were linked to compromised private keys, making it the single largest attack vector in the industry.

    The trend continued into 2025.

    By mid-year, more than US$2.17 billion had already been stolen from crypto services, much of it tied to compromised wallets and infrastructure attacks.

    A separate analysis from CertiK found that US$1.71 billion in losses during the first half of 2025 resulted from wallet compromises.

    The reason is simple. In digital asset finance, the private key is the ultimate credential.

    Whoever controls the key controls the asset.

    As institutions increasingly hold those keys on behalf of clients, protecting them has become one of the most critical challenges in digital asset security.

    When the Weakest Link Is the Private Key

    Many high-profile crypto thefts share a common pattern.

    Attackers rarely break the blockchain itself. Instead, they gain access to the private keys that unlock the assets recorded on it.

    Industry reports estimate that nearly half of digital asset losses are linked to private key compromises or insider threats, elevating key management from a technical concern to a board-level issue for financial institutions.

    Richard Chiu, Head of Sales Engineering (Hong Kong and Taiwan) at Thales, says the core problem often lies in where keys are stored and managed.

    “Nearly half of all digital asset losses result from private-key compromise or insider threats. A hardware root of trust moves the security boundary from vulnerable human-operated software to a hardened cryptographic environment where keys never exist in clear form.”

    Software-based environments remain exposed to common attack paths, including phishing, privilege abuse, and insider threats.

    Moving key operations into dedicated hardware changes that boundary entirely.

    Hardware Security Modules (HSMs) generate and store cryptographic keys within tamper-resistant hardware, ensuring they never appear in plain form outside the device.

    Richard says the design also addresses insider threats.

    “In the HSM environment, it mitigates insider threats through rigorous physical controls that offer a high standard of data access governance as well as multi-layer authentication.”

    Establishing a Hardware Root of Trust

    Institutional security rarely relies on a single control. Strong custody infrastructure combines multiple safeguards designed to eliminate single points of failure.

    HSM-based systems allow organisations to enforce strict governance over sensitive operations such as transaction signing or policy changes.

    Critical actions may adopt quorum-based authentication, meaning multiple authorised personnel must approve a request before it proceeds.

    “No single administrator can execute a critical operation. It requires a predefined quorum of personnel to proceed with the operation, with identity authenticated and authorized,” Richard explains.

    Some environments also require physical authentication devices, such as PED keys connected to dedicated PIN entry devices. These tokens provide an additional safeguard against stolen credentials.

    Together, these mechanisms shift trust away from passwords and administrative privileges toward hardware-enforced security policies.

    MPC Alone May Not Be Enough

    While hardware-based controls form the foundation of many custody architectures, institutions are also exploring additional cryptographic safeguards.

    Multi-Party Computation (MPC) has become one of the most widely discussed technologies in digital asset custody. By distributing key shares across multiple systems, MPC reduces the risk of a single point of compromise.

    However, a purely software-based implementation introduces new operational concerns.

    “MPC in a purely software environment results in fragmented accountability. While mathematically sound, software-based MPC shares are still hosted on vulnerable servers and lack a verifiable audit trail.”

    Combining MPC with HSM infrastructure introduces a hardware-backed layer of assurance. Key shares anchored in HSMs benefit from secure storage, hardware isolation, and an auditable signing process, together with tamper detection and resistance.

    “HSMs serve as the trusted foundation that transforms MPC into a tangible security standard capable of meeting the high-assurance expectations of regulators.”

    This hybrid approach allows institutions to maintain flexibility while meeting stricter expectations around governance and accountability.

    Security at the Speed of Modern Finance

    Beyond security architecture, digital asset infrastructure must also keep pace with the development of modern financial systems.

    Emerging use cases, including tokenised deposits, blockchain settlement networks, and digital securities, now require faster transaction processing than traditional custody models were designed to handle.

    Speed.

    Financial institutions must now maintain strict security controls while enabling near-instant transaction execution.

    “Authorised institutions can scale-out with performance demand by high-availability architectures using HSMs with load balancing and hardware-enforced partitioning,” Richard says.

    Even as transaction volumes rise, private keys remain confined within FIPS-certified tamper-resistant hardware, preserving security guarantees.

    Preparing for the Quantum Era

    Security planning is also beginning to consider longer-term threats.

    One growing concern is the “Harvest Now, Decrypt Later” scenario, where attackers collect encrypted data today in hopes of decrypting it once quantum computing becomes viable.

    Richard believes institutions managing long-term financial assets must prepare early.

    “With 61% of organisations citing ‘Harvest Now, Decrypt Later’ as a leading threat, any institution managing long-life assets has a fiduciary duty to protect that data against future quantum decryption.”

    The industry’s response lies in Post-Quantum Cryptography (PQC), a new set of algorithms designed to resist quantum attacks.

    HSM platforms that support PQC provide the cryptographic agility needed to introduce quantum-resistant signatures without replacing existing hardware.

    Early preparation helps ensure assets issued today remain secure in the future.

    The Convergence of Crypto and Banking Infrastructure

    As digital assets integrate with mainstream finance, the line between traditional banking systems and blockchain infrastructure continues to blur.

    Capabilities once considered specialised are increasingly becoming part of the core security stack used by financial institutions.

    Richard says the shift is already visible.

    “The convergence is already an operational reality. Blockchain-specific capabilities such as BIP32, SLIP-010, and support for curves like Ed25519 have transitioned from niche requirements to standard features in our HSMs.”

    Whether processing traditional payments, tokenised deposits, or stablecoins, the underlying requirement remains the same.

    Everyone needs to start protecting cryptographic keys.

    Hardware-based key protection therefore serves as a common security foundation for both conventional and blockchain-based financial systems.

    Protecting the Infrastructure Behind Digital Value

    Digital assets are steadily evolving from experimental technology into regulated financial infrastructure.

    Banks, fintech firms, and digital asset platforms now face the same challenge: safeguarding the keys that control billions of dollars in digital value.

    The focus has shifted from questioning whether digital assets should be part of financial services to figuring out how institutions can protect them efficiently on a larger scale.

    Solutions such as Thales Luna HSM aim to provide that foundation by combining tamper-resistant hardware, policy-driven transaction controls, and support for emerging cryptographic standards.

    In a financial system powered by cryptography, the private key remains the ultimate gatekeeper.

    Get it right, and the system works.

    Get it wrong, and the headlines write themselves.

    Featured image: Edited by Fintech News Hong Kong based on an image by Juan J. J. Labrador via Freepik.

    Author

    Izzat Najmi Abdullah

    Izzat Najmi is a Senior Writer for Fintech News Hong Kong.
