At BitGo, security is at the core of everything we do. With a long-standing track record as a secure custodian, we have never lost customer funds in that configuration. As the digital asset ecosystem evolves, so do the threats we face. Attackers continue to develop more sophisticated tactics, and it is our responsibility—as well as that of the broader industry—to stay ahead of these threats.
Evolving Threats in Digital Assets
Recently, we have observed a rise in targeted attacks across the digital assets space. Notable incidents have highlighted a common attack vector: an adversary triggering unwanted transaction requests that pass security checks. The FBI has publicly addressed these types of threats, reinforcing the need for ongoing vigilance.
BitGo actively monitors changes in attack tactics. Through rigorous internal reviews, we have confirmed that our security architecture does not allow for similar attack vectors. However, we don’t rely solely on our own expertise. We maintain strong working relationships with law enforcement and operate a public bug bounty program, encouraging security researchers to identify and report vulnerabilities. In response to emerging threats, we have further enhanced our portal security, minimizing even theoretical risks, including those posed by malicious insiders.
Independent Security Testing and Validation
Beyond internal security measures, we continuously engage external experts to validate our practices. Alongside routine penetration testing, we have contracted a third-party security firm to conduct an independent evaluation of our transaction signing process. Their findings have been reassuring—no major vulnerabilities of concern were discovered.
In addition, we conduct regular, fully independent red team tests. Last year, we went a step further: an external red team was provided with a laptop and given highly privileged administrator access to our environment, including GitHub. During their initial reconnaissance, our monitoring systems detected and blocked their activities. Despite continued attempts over several months, their ultimate attack on our production environment was detected within minutes and thwarted. This demonstrates the strength of our security posture—protecting against even highly credentialed insiders.
A Multi-Layered Approach to Security
At BitGo, security is not just about technology—it’s about culture. We implement a multi-layered defense strategy to mitigate risks at every level:
-
Security Awareness & Training: Employees receive monthly phishing tests, and any failures are followed up on. This ensures ongoing vigilance against social engineering attacks.
-
Endpoint & Network Security: We enforce strict device restrictions, employ anti-malware solutions, and prevent the use of browser-stored passwords. Session hijacking attempts face additional barriers through our mandatory hardware-based 2FA.
-
Continuous Monitoring: Every aspect of our environment, from SaaS usage to endpoint DNS traffic, is actively monitored. Unusual activity is promptly investigated.
-
Access Controls: We enforce least-privilege access, continuously adjust permissions, and require BitGo-issued devices for all internal system interactions.
-
Physical Security: Employees must work from the office for identity verification, further reducing risks related to remote compromises.
These measures align with industry best practices, including the MITRE ATT&CK framework, regulatory guidelines, and leading security standards. By continuously refining our security posture, we ensure that our defenses remain robust against an ever-changing threat landscape.
Our Ongoing Commitment
BitGo has built a reputation for safeguarding customer assets, and we remain unwavering in our commitment to security. We achieve this through a combination of in-house expertise, external validation, and a proactive approach to emerging threats. Security is a shared responsibility, and by working together, we can continue to provide the highest level of protection for our customers.
We will remain vigilant, adaptive, and transparent in our security practices—because protecting digital assets is not just our business, it’s our mission.
About BitGo
BitGo is the leading infrastructure provider of digital asset solutions, delivering custody, wallets, staking, trading, financing, and settlement services from regulated cold storage. Since our founding in 2013, we have focused on enabling our clients to securely navigate the digital asset space. With a large global presence through multiple regulated entities, BitGo serves thousands of institutions, including many of the industry's top brands, exchanges, and platforms, as well as millions of retail investors worldwide. As the operational backbone of the digital economy, BitGo handles a significant portion of Bitcoin network transactions and is the largest independent digital asset custodian, and staking provider, in the world. For more information, visit www.bitgo.com.
©2025 BitGo Inc. (collectively with its affiliates and subsidiaries, “BitGo”). All rights reserved. BitGo Trust Company, Inc., BitGo Inc., and BitGo Prime LLC are separately operated, wholly-owned subsidiaries of BitGo Holdings, Inc., a Delaware corporation headquartered in Palo Alto, CA. No legal, tax, investment, or other advice is provided by any BitGo entity. Please consult your legal/tax/investment professional for questions about your specific circumstances. Digital asset holdings involve a high degree of risk, and can fluctuate greatly on any given day. Accordingly, your digital asset holdings may be subject to large swings in value and may even become worthless. The information provided herein is not intended for distribution to, or use by, any person or entity in any jurisdiction or country where such distribution or use would be contrary to law or regulation. BitGo is not directing this information to any person in any jurisdiction where the publication or availability of the information is prohibited, by reason of that person’s citizenship, residence or otherwise.