Security for Crypto Exchanges: incident containment and custody hardening
In crypto there is no chargeback. Decripte protects exchanges across the three layers — infrastructure, key custody, and Web3 — with a 24x7 SOC, on-chain monitoring, and Incident Response with a containment SLA of up to 1 hour.
Direct answer
To protect a cryptocurrency exchange, the top priority is to eliminate private-key exposure: keep the majority of assets in cold storage with multi-signature (multisig) or MPC, isolate hot wallets with withdrawal limits and allowlists, audit every smart contract and Web3 integration before each deploy, monitor the blockchain in real time to detect wallet drains and anomalous movements, and maintain an incident response plan capable of freezing withdrawals, engaging partner exchanges, and tracing funds on-chain within minutes. Decripte combines Web3 Security, 24x7 SOC, Pentesting, and Incident Response with a containment SLA of up to 1 hour, so that a key leak does not turn into an irreversible loss of treasury.
24/7
SOC monitoring wallets and API
<=1h
Incident containment SLA
On-chain
Fund tracing and attribution
ISO 27001
Compliance and risk management
In summary
- ›In crypto there is no chargeback: defense must be preventive (wallet segregation, multisig/MPC, withdrawal limits) because post-theft containment recovers only a fraction of the funds.
- ›An exchange's attack surface is threefold — traditional infrastructure (API, servers, employees), the custody layer (hot/cold wallets, keys), and the Web3 layer (smart contracts, bridges, integrations) — and it demands defense in depth across all three.
- ›Private keys should never reside in cleartext, in environment variables, or at a single point; HSM, MPC, and separation of duties reduce the impact of any single compromise.
- ›Continuous on-chain monitoring makes it possible to detect a hot wallet drain within seconds and trigger withdrawal freezes, stablecoin allowlisting, and partner outreach before the funds are laundered through mixers or bridges.
- ›Incident response at an exchange is a race against the blockchain's finality clock: every minute of delay is funds moved out of reach, which is why Decripte's containment SLA of up to 1 hour is designed for this sector.
- ›Smart contract audits and Web3 pentesting before every deploy prevent reentrancy, broken access control, and approval bugs from becoming treasury-draining vectors.
Cibersegurança para Cryptocurrency Exchanges
In crypto there is no chargeback. Decripte protects exchanges across the three layers — infrastructure, key custody, and Web3 — with a 24x7 SOC, on-chain monitoring, and Incident Response with a containment SLA of up to 1 hour.
Why crypto exchanges are the most targeted financial prize in the world
A cryptocurrency exchange custodies, in a single set of wallets, what for a traditional bank would be spread across physical vaults, clearinghouses, and settlement systems with multiple layers of reversal. The fundamental difference is irreversibility: a transaction confirmed on the blockchain has no chargeback, no refund, no court order that can undo it at the protocol level. When a private key leaks and an attacker signs a transfer from the hot wallet to an address under their control, the money is gone — and what remains is a forensic race to trace it, freeze it at cash-out points, and, when possible, recover a fraction through cooperation with other exchanges and authorities.
This design makes the exchange the preferred target of financial APT groups — including state actors such as the Lazarus Group, historically associated with billion-dollar thefts in the crypto ecosystem. For these groups, the exchange concentrates the highest return per unit of effort: a single successful compromise can drain entire wallets in one stroke, with no reversal window. Unlike card fraud, where the gain is diluted and reversible, here the attack is binary and definitive.
The irreversibility factor changes everything
In traditional banking security, many controls are detective and corrective: you detect the fraud and reverse it. In crypto, the control must be preventive and real-time, because after on-chain confirmation there is no correction. This raises the cost of any custody failure from 'recoverable loss' to 'permanent loss of treasury and market confidence'.
There is also a reputational and regulatory component. An exchange that loses customer funds faces a run on withdrawals, freezes by partner banks, press scrutiny, and, in Brazil, obligations to the ANPD when there is a leak of users' personal data (KYC), in addition to the Virtual Asset Service Provider (PSAV) regime regulated by the Central Bank under the Crypto Legal Framework (Law 14.478/2022). The technical incident becomes an existential crisis, and that is why an exchange's security must be treated as a matter of business survival, not as an IT cost.
The threefold attack surface of an exchange
Defending an exchange requires understanding that it is, at the same time, three overlapping systems, each with its own threat model. Treating everything as 'web infrastructure' is the most common strategic mistake — and the most expensive.
Layer 1 — Traditional infrastructure and application
This is the part that looks like any fintech: trading APIs, matching engine, web and mobile portals, databases, microservices, employee identity. Here live the classic vectors — leaked credentials, injection, authorization flaws, server-side request forgery, exposure of admin panels, and the human link: spear phishing targeting engineers and operators with access to signing systems. In nearly every major exchange heist, the initial point of entry was this: a compromised key employee, not an exotic blockchain bug.
Layer 2 — Custody and key management
This is the heart of the risk. Where and how do the private keys that control the funds live? Hot wallets (online, for operational liquidity) versus cold storage (offline, for the treasury). Who can sign a transaction? How many signatures are required? Are the keys protected by an HSM (hardware security module) or by MPC (multi-party computation, which never reconstructs the entire key in a single place)? A single point of failure in this layer — a key in cleartext on a server, a seed in a config file, a sole signer — is what turns an incident into a catastrophe. This is the layer that distinguishes an exchange's security from that of any other fintech.
Layer 3 — Web3 and smart contracts
Modern exchanges interact with smart contracts: tokens, staking contracts, cross-chain bridges, DeFi integrations, approval contracts (approve/allowance). Each contract is immutable code handling real value. Reentrancy flaws, broken access control, excessive approval logic, manipulable oracles, and bridge bugs have already caused some of the largest heists in the sector's history. This layer requires specialized auditing that traditional pentesting does not cover. Effective defense must cover all three layers in an integrated way, because real attacks chain them together: phishing steals access, which extracts a key, which signs a malicious transaction — siloed security breaks precisely at the seams.
The five core threats of the sector
- ✓Theft of hot wallets and private keys — the most direct and definitive vector, usually via a compromised employee or a poorly protected key.
- ✓Smart contract compromise — reentrancy, access control, excessive approvals, and bridge bugs draining treasury contracts.
- ✓Phishing and attacks on key employees — social engineering against those with access to signing, deployment, or withdrawal-approval systems.
- ✓Vulnerabilities in Web3 integrations — bridges, oracles, third-party contracts, and libraries that become a door to the funds.
- ✓Attacks on the trading API — abuse of customers' API keys, authorization flaws, order manipulation, and balance exfiltration.
Is cryptocurrency exchanges data already exposed or up for sale? Find out now — for free.
Sem cartão, sem compromisso. Descubra em minutos o que já vazou da sua empresa e qual é o seu risco real.
Anatomy of a hot wallet drain starting from a leaked key
The scenario every exchange fears most follows a recognizable pattern. Understanding this anatomy is the first step toward breaking it. The attack rarely begins on the blockchain — it begins with a person or a poorly guarded secret.
Phase 1 — Initial access and reconnaissance
The attacker gains a foothold: a convincing phishing email to a platform engineer, a CI/CD token leaked in a repository, a compromised dependency in the supply chain, or a reused credential found in a public breach. With access, they map where the keys live and which processes use them to sign withdrawal transactions, moving laterally without triggering alerts because their behavior still mimics that of the legitimate employee.
Phase 2 — Key extraction
The target is the hot wallet's cryptographic material. It may sit in an environment variable, in a misconfigured secret manager, in the memory of a signing process, or be accessible through an internal service without segmentation. If there is no HSM or MPC, the entire key can be copied — and from there the attacker has full signing power, indistinguishable from the exchange itself.
Why MPC and HSM change the game
With an HSM, the key never leaves the hardware: the server sends the transaction to the HSM to sign and receives back only the signature. With MPC, the key does not even exist in full anywhere — fragments distributed across independent parties collaborate to sign without ever reconstructing the secret. In both cases, copying 'the key' becomes impossible, and silent theft becomes unfeasible.
Phase 3 — The drain and the blockchain clock
Holding the ability to sign, the attacker empties the hot wallet in one or several transactions to addresses under their control. If there are withdrawal limits, destination allowlists, and anomaly detection, they hit walls and generate alerts. If there are none, the wallet is emptied in seconds and the funds immediately begin to disperse — fragmented, run through mixers, converted into stablecoins, or moved across bridges to other networks, making tracing harder. Every minute between the drain and containment is funds moved farther out of reach: incident response at an exchange is not an hours-long process, it is a window of minutes in which freezing withdrawals, engaging partners, and starting on-chain tracing determines how much is recovered.
The blockchain clock
It is precisely for this window of minutes that Decripte's containment SLA of up to 1 hour was designed: on-chain detection chained to immediate action, so that the drain is interrupted and traced before the funds leave reach through a bridge or a mixer.
How Decripte structures custody defense
Hardening an exchange is not a product, it is an architecture. Decripte structures custody security around one principle: no single compromise should be able to move material funds. Everything unfolds from that principle.
Hot/cold segregation with a minimal operational ratio
Most of the treasury sits in cold storage, physically offline and inaccessible to the network. Hot wallets carry only what is needed for operational liquidity, with controlled replenishment. This way, even the worst case — the total emptying of a hot wallet — is limited to a fraction of the treasury, not the whole.
Multisig and MPC to eliminate the sole signer
Material transfers require multiple independent approvals (multisig) or distributed signing via MPC. Stealing one key is no longer enough: it requires compromising multiple parties, in distinct locations and under distinct controls, simultaneously. The cost of the attack rises by orders of magnitude. On top of this come withdrawal limits, timelocks for new destinations, and allowlists, which turn an instant drain into a series of frictions that generate alerts and provide time to respond.
Custody pillars that Decripte deploys
- ✓Hot/cold segregation with the majority of the treasury offline in cold storage.
- ✓HSM or MPC so that keys never exist in full at a single point.
- ✓Multisig with a signing quorum and separation of duties among operators.
- ✓Withdrawal limits, timelocks, and a destination allowlist with quarantine for new addresses.
- ✓Real-time anomaly detection over the flow of withdrawal transactions.
- ✓An audited secrets vault, with no keys in environment variables, code, or logs.
On top of this architecture, Decripte's 24x7 SOC continuously observes both the infrastructure and the on-chain behavior of the wallets, so that any movement outside the norm triggers a response before it becomes a loss.
Smart contract auditing and Web3 security
Code that handles on-chain value does not permit a 'fix it in production' posture. Once deployed, the contract is immutable and the bug is exploitable by anyone in the world, at any time. The audit must happen beforehand — and be specific to the classes of flaws that traditional web pentesting cannot see.
Vulnerability classes we audit
Reentrancy (external calls that reenter the contract before state is updated), broken access control (critical functions without role protection), excessive approval logic (infinite allowances that become a withdrawal door), oracle and price manipulation, initialization flaws in upgradeable proxies, and the risks specific to bridges — historically the most exploited point of the ecosystem, because they concentrate value and complex cross-chain validation logic.
Third-party integrations are a trust boundary
Every external contract the exchange interacts with — a token, a staking protocol, a bridge — is code you do not control handling your funds. Decripte treats each Web3 integration as a trust boundary that requires review, exposure limits, and monitoring, not as a dependency trusted by default.
Pentesting and review aligned with OWASP
The application and API layer is tested following recognized methodologies, including the OWASP Top 10 and the OWASP API Security Top 10, with special attention to object-level authorization (customers' API keys accessing others' balances), exposure of administrative functions, and business-logic abuse in the matching engine. The contract layer receives in-depth manual review complemented by static analysis specialized in Solidity and the EVM.
What would an incident in cryptocurrency exchanges cost? See your real risk before it happens.
Sem cartão, sem compromisso. Descubra em minutos o que já vazou da sua empresa e qual é o seu risco real.
Continuous on-chain monitoring and 24x7 SOC
Prevention reduces the probability; monitoring reduces the time to discovery. In a sector where the useful response window is measured in minutes, detecting late is almost equivalent to not detecting. That is why an exchange's monitoring has to be twofold: inside the infrastructure and outside it, on the blockchain itself.
The inside view — SOC over infrastructure and API
Log correlation, endpoint telemetry, the behavior of privileged employees, access patterns to signing systems, and anomalous traffic on the trading API. The goal is to catch the attacker at layer 1, before they reach the keys — in the phishing, in the lateral movement, in the attempt to access the secrets vault.
The outside view — on-chain monitoring of the wallets
Decripte observes in real time the behavior of the exchange's addresses on the blockchain: unexpected outflows, non-allowlisted destinations, fragmentation typical of laundering, interactions with mixer contracts or suspicious bridges. A drain triggers an alert the instant the transaction appears in the mempool or is confirmed, activating the containment playbook. This monitoring also feeds threat intelligence: known malicious addresses and campaign patterns of financial APT groups are incorporated into the detection rules.
Detection that triggers containment
The value of on-chain monitoring is not just seeing the fraud — it is chaining detection to action. The instant an anomalous outflow is identified, the playbook freezes withdrawals, notifies partner exchanges, and starts tracing the funds. Detection without automated response loses the window; that is why SOC and Incident Response operate in an integrated way at Decripte.
Compliance, regulation, and the PSAV regime in Brazil
Security and compliance go hand in hand at an exchange. The Crypto Legal Framework (Law 14.478/2022) established the regime for Virtual Asset Service Providers and assigned the Central Bank the authority to regulate and supervise the sector in Brazil. This brings requirements for governance, risk management, asset segregation, and controls that connect directly to the security architecture.
The users' personal data — collected in KYC, anti-money-laundering, and operational processes — is subject to the LGPD, enforced by the ANPD. A breach of an exchange's customer database combines sensitive data, financial data, and asset exposure, requiring notification to the ANPD and to data subjects within a reasonable timeframe when there is relevant risk. Decripte structures data protection controls in an integrated way with technical security.
Compliance fronts relevant to exchanges
- ✓LGPD / ANPD — protection of users' KYC and financial data, with an incident notification plan.
- ✓Crypto Legal Framework (Law 14.478/2022) and Central Bank regulation of PSAVs — governance and risk management.
- ✓ISO 27001 — an information security management system as the backbone of governance.
- ✓PCI-DSS — when there is card processing at the fiat on-/off-ramps.
- ✓SOC 2 — demonstration of controls to institutional partners and banks.
Decripte helps the exchange translate these requirements into concrete, auditable technical controls, avoiding the common gap between 'being compliant on paper' and 'being secure in practice'. Well-executed compliance is a byproduct of a solid security architecture, not a parallel checklist.
Why Decripte for exchange security
What sets apart the defense of an exchange is not an isolated tool, but the integration of capabilities rarely found together: deep understanding of custody and cryptography, specific expertise in Web3 and smart contracts, a SOC that simultaneously monitors infrastructure and blockchain, and an incident response team able to operate within the window of minutes the sector imposes.
Defense in depth across the three layers
Decripte covers the entire exchange: pentesting and SOC at the infrastructure and API layer, custody architecture with HSM/MPC/multisig at the key layer, and contract auditing with Web3 monitoring at the on-chain layer. When the attack chains all three, the defense must be chained as well — and that is what we offer.
Start with a free Threat Management assessment at decripte.com.br/intelligence-center to see your current exposure with no commitment. To build out the full defense, sign up at decripte.io/start or talk to our team at /contato. In the event of an ongoing incident, Decripte's Incident Response operates with a containment SLA of up to 1 hour — because in your operation, every minute is treasury.
Anatomy of a real case: the emptying of a hot wallet starting from a leaked key
Real, de-identified example
A real, anonymized example (without identifying the client). A mid-sized exchange, with relevant daily volume and treasury distributed between operational hot wallets and cold storage, operates a hot wallet whose private key is kept in an internal secret manager accessible by a signing service. There is no HSM or MPC on that specific wallet, withdrawals have no timelock for new destinations, and on-chain monitoring is limited to dashboards checked manually during business hours. A platform engineer with access to the signing service is targeted by a spear phishing campaign. This scenario illustrates how Decripte operates — from detection to hardening — in a typical incident for the sector.
Initial access (day 0)
A key engineer receives a spear phishing email impersonating an internal CI/CD tool and enters their credentials on a fake page. The attacker captures the session, bypasses MFA via notification fatigue, and gains access to the development environment with visibility into the signing service. Over several days, they conduct silent reconnaissance, mapping where the hot wallet's key is loaded and which processes use it — without triggering any alert, because the behavior still looks like the engineer's own.
Detection (early morning of day 4)
The attacker extracts the key material from the secret manager and, in the early morning, signs a transfer draining the hot wallet to an address under their control. Decripte's continuous on-chain monitoring — active 24x7, unlike the exchange's manual dashboards — detects in the mempool a material-value outflow to a destination outside the allowlist, with a pattern inconsistent with normal operations. The alert triggers the incident playbook in under two minutes after the transaction appears.
Containment (first hour)
Decripte's Incident Response team triggers the immediate freeze of all platform withdrawals, isolates the compromised signing service, revokes the affected engineer's sessions and credentials, and routes the remaining hot wallet to a secure address under multisig. In parallel, it notifies partner exchanges and stablecoin issuers with the attacker's addresses, requesting the freezing of any funds that reach those cash-out points. Containment closes within the SLA of up to 1 hour.
On-chain tracing
Decripte's forensic analysts trace the funds in real time while the attacker tries to fragment them, convert them into stablecoins, and move them across a bridge to another network. The transaction graph is mapped, the intermediary addresses cataloged, and part of the value is frozen at stablecoin issuers and partner exchanges before it can be cashed out. The indicators are shared with the competent authorities and with the sector's threat intelligence.
Eradication
The root-cause analysis confirms the vector: phishing leading to key extraction in usable form, without HSM/MPC, without timelock, and without an effective allowlist. Decripte removes the unauthorized access, rebuilds the compromised environment from a trusted baseline, rotates all potentially exposed secrets, and removes the leaked key from circulation, migrating custody to a new scheme.
Recovery and hardening
Custody is restructured: hot wallets now operate under MPC, the majority of the treasury is moved to cold storage with multisig, and withdrawals gain limits, a timelock for new destinations, and an allowlist with quarantine. The 24x7 SOC takes over integrated monitoring of infrastructure and on-chain activity. Key employees undergo anti-phishing training and phishing-resistant MFA (hardware keys). Auditing of contracts and Web3 integrations is incorporated into the deploy cycle.
Lessons learned
The incident consolidates durable principles: no key should exist in full at a single point; no material withdrawal should occur without friction and review; monitoring must be 24x7 and on-chain, not manual; and the human link is as critical as the technical one. The exchange comes out with an architecture where a single compromise no longer drains the treasury — exactly the objective that was missing before the incident.
Outcome with Decripte
In this real, anonymized example, detection within minutes and containment within 1 hour limited the loss to the fraction that was in the operational hot wallet — the treasury in cold storage remained untouched — and on-chain tracing froze part of the funds before cash-out. More important than the partial recovery, the exchange emerged from the incident with a custody architecture where the same attack would no longer work: keys under MPC, multisig on the treasury, withdrawals with friction, and a 24x7 SOC continuously monitoring infrastructure and blockchain. It is this outcome — containing the immediate damage and hardening against recurrence — that Decripte delivers in the sector.
Don’t wait for the incident. Start hardening cryptocurrency exchanges today.
Comece pelo diagnóstico gratuito agora e veja em minutos o que já vazou. SOC 24x7 e contenção em até 1h nos planos pagos.
How Decripte responds to an incident at an exchange
Incident response at an exchange is a race against the blockchain's finality clock. Decripte's playbook is designed for the sector's window of minutes, integrating SOC, Incident Response, and on-chain tracing.
- Immediate detection and triage — 24x7 monitoring of infrastructure and on-chain activity identifies the anomaly (an out-of-pattern wallet outflow, unauthorized access to signing systems) and classifies the severity within minutes, triggering the playbook automatically.
- Emergency containment — freezing all platform withdrawals, isolating the compromised signing systems, revoking affected sessions and credentials, and routing the remaining funds to secure custody under multisig, within the SLA of up to 1 hour.
- Engaging partners and cash-out points — immediate notification to partner exchanges, stablecoin issuers, and liquidity providers with the attacker's addresses, to freeze funds at the exit points before they are laundered.
- On-chain forensic tracing — real-time mapping of the transaction graph, address attribution, identification of the mixers and bridges used, and preservation of evidence for authorities and for partial fund recovery.
- Eradication and root-cause analysis — identifying the initial vector (phishing, exposed key, contract flaw), removing the attacker's access, rebuilding compromised environments from a trusted baseline, and rotating all exposed secrets.
- Secure recovery — restoring withdrawal operations in a controlled manner only after custody has been restructured (MPC/multisig, limits, timelocks, allowlists), ensuring the same vector is no longer open.
- Regulatory and data-subject notification — support in communicating with the ANPD and users when personal data is involved (LGPD), and with the PSAV regime obligations before the Central Bank, in the proper timeframe and format.
- Lessons learned and hardening — an executive and technical report, with permanent hardening of the architecture and tuning of the SOC's detection rules for the observed tactic.
How Decripte structures the security of an exchange
Hardening is a layered architecture, not an isolated product. Decripte structures the defense around one central principle: no single compromise should be able to move material funds.
Resilient custody architecture
Hot/cold segregation with the majority of the treasury offline, HSM or MPC so that keys never exist in full at a single point, multisig with a signing quorum, and limits/timelocks/allowlists on withdrawals. The goal is that stealing one key is no longer enough to drain funds.
Web3 security and contract auditing
In-depth review of smart contracts and integrations (reentrancy, access control, excessive approvals, bridges, and oracles) before each deploy, treating every third-party contract as a trust boundary that requires limits and monitoring.
Pentesting and platform hardening
Offensive testing of the infrastructure, trading API, and portals aligned with the OWASP Top 10 and OWASP API Security Top 10, focused on object-level authorization, exposure of administrative functions, and business-logic abuse in the matching engine.
24x7 SOC with on-chain monitoring
Continuous, simultaneous observation of the infrastructure (logs, endpoints, privileged-user behavior, API) and the blockchain (anomalous outflows, suspicious destinations, laundering patterns), with detection chained to automated containment.
Protecting the human link
Anti-phishing training for key employees, phishing-resistant MFA (hardware keys), separation of duties, and least-privilege across all access to signing and deployment systems — because the initial vector is almost always human.
Governance, compliance, and incident readiness
Alignment with LGPD/ANPD, ISO 27001, and the Central Bank's PSAV regime (Law 14.478/2022), with tested incident response plans, withdrawal-freeze runbooks, and pre-established channels with partner exchanges and authorities.
Recommended plans for Cryptocurrency Exchanges
Web3 Security
Auditing of smart contracts and integrations (bridges, oracles, approval contracts) and continuous on-chain monitoring of the wallets — the layer that traditional pentesting does not cover and that concentrates the largest heists in the crypto ecosystem.
See plan →24x7 SOC
Simultaneous monitoring of infrastructure, trading API, and on-chain wallet behavior, around the clock, to detect a drain or unauthorized access to signing systems within the window of minutes the sector demands.
See plan →Incident Response
Emergency containment with an SLA of up to 1 hour — freezing withdrawals, engaging partner exchanges, and on-chain tracing of the funds — essential in a sector where the transaction is irreversible and every minute is treasury moved out of reach.
See plan →Pentesting
Offensive testing of the platform, API, and integrations aligned with OWASP, simulating the attacker's real path (from phishing to key extraction) to close the vectors before a financial APT group exploits them.
See plan →Frequently asked questions
If an attacker steals our hot wallet key, can the funds be recovered?
Partially, and the window is narrow. Because on-chain transactions are irreversible, there is no chargeback at the protocol level. What you do is freeze withdrawals immediately, engage partner exchanges and stablecoin issuers with the attacker's addresses to lock the funds at cash-out points, and trace on-chain before laundering. The faster the containment — hence the SLA of up to 1 hour — the larger the recoverable fraction. The real defense, however, is preventive: with MPC, multisig, and cold storage, stealing one key is no longer enough to drain the treasury.
What is the difference between HSM and MPC for protecting our keys?
With an HSM (hardware security module), the key never leaves the device: the system sends the transaction to be signed and receives back only the signature. With MPC (multi-party computation), the key never exists in full anywhere — distributed fragments collaborate to sign without reconstructing the secret. Both eliminate the 'copy the key' scenario. MPC tends to be more flexible for quorum policies and operational distribution; many exchanges combine the two. Decripte helps design the scheme suited to your volume and operating model.
Does an ordinary pentest cover our smart contracts?
No. Traditional pentesting focuses on infrastructure, API, and web application. Smart contracts require specialized auditing for their own classes of flaws — reentrancy, broken access control, excessive approvals, oracle manipulation, and bridge risks — done with in-depth manual review and static analysis of Solidity/EVM. Because contracts are immutable after deploy, this audit must happen before going to production. Decripte's Web3 Security plan covers precisely this layer.
Does on-chain monitoring really detect a theft in time?
Yes, when it is continuous and chained to the response. 24x7 on-chain monitoring observes the exchange's wallets on the blockchain and fires an alert the instant an anomalous outflow appears in the mempool or is confirmed — destination outside the allowlist, inconsistent value, fragmentation pattern. The gain is not just seeing the fraud: it is triggering the playbook of withdrawal freezing and tracing within minutes. Dashboards checked manually during business hours do not provide that window; automated monitoring integrated with the SOC does.
What regulatory obligations apply to an exchange in Brazil?
Two main fronts. The Crypto Legal Framework (Law 14.478/2022) established the regime for Virtual Asset Service Providers and gave the Central Bank the authority to regulate and supervise the sector, with requirements for governance and risk management. The users' personal data (KYC, anti-money-laundering) is subject to the LGPD, enforced by the ANPD, including the duty to notify incidents with relevant risk. Decripte translates these requirements into auditable technical controls.
Do attacks on exchanges begin on the blockchain or with our team?
Almost always with the team. In most major heists, the point of entry was a key employee compromised through phishing or social engineering, not an exotic blockchain bug. The attacker uses that access to reach the keys and only then acts on-chain. That is why defending the human link — anti-phishing training, phishing-resistant MFA with hardware keys, separation of duties, and least privilege on signing systems — is as critical as the technical architecture.
We already have cold storage. Is that enough?
Cold storage protects the majority of the treasury, but operations need hot wallets for liquidity, and that is where the risk lives. Enough also means: HSM/MPC on the hot wallets, multisig with a quorum, withdrawal limits and timelocks, a destination allowlist, 24x7 on-chain monitoring, and auditing of Web3 integrations. Cold storage is an essential pillar, but on its own it does not prevent the emptying of a hot wallet starting from a leaked key — which is the most common vector. The defense is the complete architecture.
How do we start without a large upfront commitment?
Start with the free Threat Management assessment at decripte.com.br/intelligence-center, which shows your current exposure at no cost or commitment. From the results, you can prioritize — typically Web3 Security, 24x7 SOC, and Incident Response for the sector. To sign up, go to decripte.io/start or talk to the team at /contato. If there is an ongoing incident right now, Incident Response operates with containment within 1 hour.
Sector terms
- Hot wallet vs. cold storage
- A hot wallet is a wallet connected to the internet, used for the exchange's operational liquidity — convenient but exposed. Cold storage is the offline custody of the majority of the treasury, inaccessible to the network and therefore far harder to drain remotely.
- MPC (Multi-Party Computation)
- A cryptographic technique in which the private key never exists in full in a single place: fragments distributed across independent parties collaborate to sign a transaction without ever reconstructing the complete secret, eliminating theft by copying the key.
- Multisig
- A scheme in which a transaction is only valid with multiple independent signatures (for example, 3 of 5 signers). Stealing a single key is no longer enough to move funds, drastically raising the cost of an attack.
- PSAV (Virtual Asset Service Provider)
- A category defined by the Crypto Legal Framework (Law 14.478/2022) for companies that provide services with virtual assets, such as exchanges, subject to regulation and supervision by the Central Bank in Brazil.
- Reentrancy
- A class of smart contract vulnerability where an external call reenters the contract before its internal state is updated, allowing, for example, funds to be withdrawn repeatedly. It is one of the most classic and most exploited flaws in Solidity contracts.
- Withdrawal allowlist
- A list of previously approved destination addresses to which the exchange permits sending funds. New destinations or those off the list are blocked or placed in quarantine, turning an instant drain into a friction that generates an alert.
Decripte protects and responds to incidents in cryptocurrency exchanges.
Pentest, 24x7 SOC, incident response with a 1-hour containment SLA and compliance — without building an internal team. Or start free by seeing what has already leaked from your company.
