Security for Cryptocurrency and Digital Asset Executives | CloseProtectionHire


Security guide for crypto founders, exchange operators, and HNWI with public digital wealth: kidnap risk, OSINT exposure, state-sponsored targeting, physical security, and operational protocols.

6 May 2026

Written by James Whitfield

Rapidly accumulated, publicly verifiable wealth, combined with a relatively new security awareness culture, makes cryptocurrency and digital asset executives one of the higher-risk groups among high-net-worth individuals worldwide for kidnap for ransom, targeted theft, and physical attack.

This article addresses the threat profile specific to crypto founders, exchange operators, DeFi protocol developers, and individuals with publicly identified substantial digital asset holdings.

The Threat Landscape

The cryptocurrency sector has produced a specific threat environment with features that distinguish it from traditional HNWI security considerations.

Publicly verifiable wealth. Blockchain transactions are, by design, transparent and permanent. Blockchain analytics firms – Chainalysis, Arkham Intelligence, Nansen, Glassnode – provide tools that link wallet addresses to named individuals, track transaction flows, and estimate holdings in real time. Material published in media coverage, conference presentations, or social media that associates a named individual with a wallet address or portfolio size can be used by anyone with these tools to produce a current wealth estimate. This is not a theoretical capability: it is used by journalists, researchers, investors, and – increasingly – by criminals conducting pre-attack target selection.

Liquid and rapidly transferable wealth. A ransom paid in cryptocurrency can be moved across jurisdictions, mixed using coin-mixing services, and converted to other assets within hours. This makes crypto ransom attractive to organised criminal groups who would otherwise face risk in receiving and moving fiat currency. The rapid transfer also means that law enforcement asset recovery – while possible in some cases through blockchain tracing – faces a time constraint that does not apply to traditional bank wire intercept.

A sector without established security culture. The traditional financial services sector has decades of established security practice for HNWI – private bankers and wealth managers routinely address personal security as part of client services. The cryptocurrency sector developed rapidly among a population of founders and developers whose professional culture does not include security awareness as a baseline expectation. Many high-net-worth crypto individuals have not had the security briefings and residential reviews that would be routine for equivalent wealth in private equity or hedge funds.

Documented Cases

Dean Skurka, WonderFi Technologies – Toronto, June 2024. The CEO of WonderFi Technologies, a TSX-listed Canadian cryptocurrency company, was kidnapped from a Toronto street. His captors demanded and received a ransom of CAD 1 million. He was released unharmed. The case received significant attention because it occurred in Toronto – not a P1 city – and because it involved a publicly listed company CEO. The perpetrators had conducted pre-attack research on the target’s identity and public profile. The case was resolved quickly, which security professionals note often indicates the target’s organisation had a ransom protocol, or that the kidnappers set the demand at a level they were confident would be paid.

David Balland, Ledger – France, January 2025. The co-founder of Ledger, the French hardware wallet company, was kidnapped from his home in a rural area of France. His wife was also taken. The attackers severed one of Balland’s fingers during the incident – a form of physical coercion intended to accelerate payment. He was rescued following a police operation. The incident is notable because Ledger is a physical security product company, and its co-founder’s home address was apparently identifiable. It demonstrates that the threat applies to individuals whose public connection to crypto wealth may be less prominent than an exchange CEO but who are still identifiable through company registrations, conference appearances, and media coverage.

Lazarus Group – ongoing digital-physical hybrid operations. The Democratic People’s Republic of Korea (DPRK) operates Lazarus Group as a state-sponsored cyber and intelligence unit with an explicit mandate to steal cryptocurrency to fund the North Korean state and its weapons programme. The UN Panel of Experts on DPRK reported USD 3 billion in attributed Lazarus Group crypto theft between 2017 and 2024. The February 2025 Bybit hack – attributed to Lazarus Group – resulted in approximately USD 1.5 billion in Ethereum being stolen. Lazarus Group’s operational method includes targeted social engineering of exchange employees, technology developers, and service providers through fake job offers, professional networking approaches on LinkedIn, and phishing campaigns. The physical security implication is that employees and service providers with access to exchange infrastructure are targets for social engineering operations that originate in digital channels but require individual human action.

OSINT Wealth Exposure

The first step in a targeted attack against a crypto individual is target identification. Understanding what information is publicly available and what exposure it creates is the starting point for a security assessment.

Sources of wealth exposure:

  • Blockchain analytics correlation – any public wallet address linked to a named individual can be tracked
  • Media coverage: founder profiles, fundraising announcements, token sale participation reports
  • Conference and event appearances: speaking at Consensus, Token2049, or similar events establishes public profile and often includes discussion of holdings or portfolio size
  • Social media: wealth signals in imagery (property, vehicles, travel, accessories) provide calibration even when explicit figures are not stated
  • Company filings: director or beneficial ownership registrations at Companies House, SEC filings for listed entities, or equivalent in other jurisdictions
  • Tax authority filings where public: some jurisdictions publish certain taxpayer data

Reducing exposure:

  • Consistent use of separate wallets for public transactions (donations, conference payments) and personal holdings, with no cross-chain links
  • Review of all public-facing media and conference content for inadvertent portfolio references
  • Strict social media discipline: no wealth signal imagery, no location tagging of primary residence, no travel announcements in advance
  • Regular OSINT sweep of your own public profile, conducted by a specialist (what a determined threat actor would find through public sources)

Physical Security Framework

The appropriate physical security response depends on the assessed threat level, which is determined by wealth visibility, public profile, and any specific intelligence.

Residential security. The home is the most predictable location for a crypto executive with a public profile. A residential security review should assess: perimeter access control (automatic gates, intercom with video, adequate lighting), CCTV coverage (minimum 28-day retention per ICO CCTV Code 2023 if UK-based), intruder alarm connected to a monitored response centre, panic alarm capability, and vehicle parking security (avoid parking in public view where registration can be noted). For individuals with elevated threat level, a safe room with communications, a residential security officer, or live-in guard capability may be warranted.

Routine variation. Pre-attack surveillance is a prerequisite for most kidnap operations. The single most effective countermeasure is denying a predictable pattern. Vary departure and arrival times, routes, and venues. The goal is to increase the surveillance burden on a potential threat actor to the point where the operation becomes too resource-intensive.

Vehicle security. For high-profile individuals, a close protection trained driver operating a vetted vehicle is the primary personal security measure for commuting. The vehicle should be appropriate to the threat level (hardened vehicles are available but are rarely the right choice for most crypto executives – the operational overhead and visibility are rarely justified). A driver trained in route planning, evasive driving, and threat recognition is more valuable than an armoured car with an untrained driver.

Communications security. Use encrypted communications for sensitive discussions: Signal for messaging, ProtonMail for email, and a separate device for high-sensitivity communications. Avoid discussing holdings, transaction plans, or security arrangements on unencrypted platforms. For executives who travel to high-surveillance markets (China, Russia, Gulf states), a clean device protocol is mandatory.

Threat receipt protocol. Every organisation with a high-profile executive should have a pre-planned response to receiving a threat: who receives the communication, who is notified (legal, security, CEO), and what the immediate response is. Improvised responses to credible threats produce the worst outcomes. If a threat is received: do not delete it, preserve the digital evidence, notify the police, and retain specialist security support immediately.

Employee Security Awareness

As the Lazarus Group operations demonstrate, the most effective attack vector against crypto organisations is often not the executive but the organisation’s employees.

Every employee with access to exchange infrastructure, treasury systems, or developer credentials is a potential social engineering target. Security awareness training for crypto organisations should specifically address:

  • Recognising fake job offer approaches on LinkedIn and professional networks (a primary Lazarus Group methodology)
  • Never providing credentials, private keys, or system access in response to any external request, regardless of apparent source
  • Reporting unusual contact from individuals presenting as industry professionals, journalists, or potential investors
  • Device security: no personal device use on production networks, separate devices for sensitive operations

The NCSC Cyber Security for CEOs guidance (2024) and the FBI/MI6/BfV joint advisory on PRC economic espionage (January 2023) both address the social engineering dimension of targeted digital threats against financial sector organisations.

For the personal security framework relevant to individuals with significant liquid wealth, including crypto holdings, see our security for family offices guide. For the insider threat dimension of digital asset organisations – where employees with privileged access are targets for external social engineering and are also potential insider actors – see our insider threat and corporate security guide. For the physical coercion and $5 wrench attack risk facing individuals who hold significant cryptocurrency or digital asset wealth personally – including on-chain OSINT exposure, duress wallet architecture, and residential security – see our guide to physical security for cryptocurrency and digital asset holders.

Summary

Key takeaways

1. Crypto wealth is uniquely visible to potential kidnappers

Unlike equity or real estate wealth, large cryptocurrency holdings can be verified and estimated by anyone with access to blockchain analytics tools. This creates a target identification capability that does not exist for traditional HNWI wealth, and it elevates kidnap risk specifically for publicly known crypto holders.

2. The WonderFi case showed crypto KFR is occurring in low-risk Western markets

The June 2024 Toronto kidnapping of a publicly listed crypto CEO for CAD 1 million demonstrated that this threat is not confined to P1 cities. Organised criminal groups are identifying targets globally based on public wealth signals, not geographic opportunity.

3. Lazarus Group operations require employee security awareness, not just executive protection

North Korea's primary attack vector against crypto organisations is social engineering of employees. An executive's personal protection is irrelevant if a developer or operations staff member has been manipulated into providing exchange access credentials. Security awareness training for all staff with system access is the relevant countermeasure.

4. Routine variation is the highest-value personal security measure for crypto executives

Pre-attack surveillance is required for most kidnap operations. A target who follows a predictable daily routine – same departure time, same route, same coffee shop – is far easier to mount an operation against than one who varies all three. No technical security measure substitutes for consistent operational discipline.

5. Exchange-held crypto creates third-party disclosure risk

Assets held at a regulated exchange are subject to the exchange's KYC and AML reporting obligations, court orders, and data breach risk. From a security perspective, large holdings at regulated exchanges create a paper trail that can be obtained by hostile parties through legal process or through exchange employees. Cold storage reduces this exposure.

FAQ

Frequently Asked Questions

Three factors combine. First, wealth is publicly verifiable – blockchain analytics tools (Chainalysis, Arkham Intelligence) allow anyone to link wallet addresses to named individuals, producing a real-time estimate of personal holdings. Second, wealth is liquid and transferable – a ransom paid in crypto can be moved across borders and mixed within hours, making it attractive to organised criminal groups. Third, many crypto founders and executives are publicly identified with large holdings through media coverage, conference appearances, and social media. The combination produces a kidnap-for-ransom risk profile that is unusually high relative to equivalent net worth in traditional assets.

Dean Skurka, CEO of WonderFi Technologies (a publicly listed Canadian crypto company), was kidnapped from a Toronto street in June 2024. His captors demanded and received a ransom of CAD 1 million. He was released unharmed. The case is significant because it involved a publicly listed company CEO in a Western, low-crime-for-kidnapping market – not a P1 city – and because the ransom was paid rapidly. It demonstrated that crypto wealth holders are being targeted in jurisdictions where kidnap for ransom was previously rare.

Lazarus Group – a state-sponsored cyber unit of the North Korean government – is responsible for over USD 3 billion in cryptocurrency theft between 2017 and 2024 according to the UN Panel of Experts on DPRK. Their methodology is primarily digital: social engineering of exchange employees (fake job offers on LinkedIn, targeted phishing), compromising smart contract protocols, and SWIFT and DeFi exploits. The February 2025 Bybit hack attributed to Lazarus Group netted approximately USD 1.5 billion in Ethereum. The physical security implication is that Lazarus Group operations also include social engineering of individuals – employees, lawyers, service providers – who have access to exchange infrastructure.

Complete elimination is not possible, but reduction is meaningful. Practical steps: avoid linking named wallet addresses to personal identity in public communications; use hardware wallets and cold storage rather than exchange-held assets where possible (reduces hack surface and reduces third-party disclosure risk); review all media coverage and conference presentations for inadvertent wallet or portfolio references; apply consistent social media discipline – avoid posting wealth signals (property, vehicles, travel) that calibrate targeting. Note that blockchain analytics are sophisticated – posting a donation transaction or a public wallet for conference payments can enable correlation of other wallets to your identity.

The appropriate measures depend on the threat assessment. At minimum: a residential security review (access control, perimeter, CCTV, panic alarm, and vehicle parking security), personal security awareness training covering surveillance detection, and a crisis plan covering what to do if a threat is received. For executives with nine-figure holdings, publicly identified addresses, or who have received specific threats: close protection with CP-trained driver for regular commutes and high-exposure periods, TSCM sweep of home and office, communications security protocol, and a vetted travel security provider for international movements. Avoid predictable routines – this is the single most effective physical security measure.