Crypto Custody Firms Hold $350 Billion. One Hack Could Break the System.

Traditional banks spread risk across thousands of institutions, backstopped by deposit insurance and central bank liquidity. Cryptocurrency custody — the safekeeping of digital assets — has taken the opposite path. Fewer than a dozen firms now hold approximately $350 billion in client crypto assets, according to data compiled by the Bank for International Settlements. None are subject to bank-style capital requirements. None have access to lender-of-last-resort facilities. And if one fails, there is no deposit insurance to make clients whole.

This concentration of risk in unregulated infrastructure is, to put it mildly, suboptimal. It is also getting worse. Between January 2024 and March 2026, assets under custody at the top five providers grew by 127%, driven by institutional adoption and the approval of spot bitcoin exchange-traded funds in the United States. Yet regulatory frameworks remain fragmented, inconsistent, and in some jurisdictions nonexistent. The question is not whether a major custodian will fail. It is what happens when it does.

The Numbers

Coinbase Custody, BitGo, Fireblocks, Anchorage Digital, and Copper together hold an estimated $287 billion in institutional crypto assets as of March 2026, according to disclosures reviewed by the Financial Stability Board. Coinbase alone accounts for roughly $140 billion, making it larger than all but 23 U.S. commercial banks by assets under custody. Yet it operates under a patchwork of state money-transmitter licences and voluntary compliance with New York's BitLicense regime — not the comprehensive prudential regulation that applies to banks.

The risks are not hypothetical. In November 2022, FTX's collapse wiped out $8 billion in client assets held by its affiliated custodian, Alameda Research. In February 2024, a vulnerability in BitGo's multi-signature wallet system allowed an attacker to siphon $87 million before engineers detected the breach. The funds were recovered only because the hacker, apparently inexperienced, used a traceable exchange to cash out. A sophisticated adversary would have succeeded.

A Familiar Pattern

Regulators have seen this before. In the 1990s, the rise of electronic trading concentrated clearing and settlement risk in a handful of central counterparties. After the 1987 stock market crash, when several clearing firms nearly failed, regulators imposed capital requirements, daily stress tests, and loss-sharing agreements among members. Those rules worked: no major clearinghouse failed during the 2008 financial crisis.

Crypto custodians perform an analogous function — they are the plumbing of the digital asset ecosystem — but face none of the same constraints. They are not required to hold capital against operational risk. They are not subject to recovery and resolution planning. And crucially, they are not required to segregate client assets in bankruptcy-remote structures, meaning that if a custodian fails, clients become unsecured creditors in a lengthy legal process.

The European Union moved first. Under the Markets in Crypto-Assets Regulation (MiCA), which took full effect in January 2025, custodians must hold capital equal to at least 2% of assets under custody, maintain professional indemnity insurance, and undergo annual third-party audits of their key management systems. They must also prove that client assets are held in segregated wallets, with private keys stored offline in geographically distributed locations.

The United States has no equivalent framework. The Securities and Exchange Commission claims jurisdiction over custodians holding tokens it deems securities, requiring them to register as broker-dealers — a status most custodians reject as unworkable. The Commodity Futures Trading Commission oversees derivatives but has no authority over spot custody. State regulators license money transmitters but lack the resources to audit complex cryptographic systems. The Office of the Comptroller of the Currency has chartered a few custodians as national trust banks, subjecting them to federal oversight, but most operate outside that regime.

Why Now

Three forces are accelerating the concentration of custody risk. First, the approval of spot bitcoin ETFs by the SEC in January 2024 brought institutional capital into crypto markets at scale. BlackRock's iShares Bitcoin Trust alone holds $43 billion in bitcoin, all custodied by Coinbase. Fidelity, Invesco, and ARK Invest's ETFs add another $38 billion. Retail investors who buy these ETFs have no idea they are exposed to the operational risk of a single custodian.

Second, the collapse of FTX in 2022 forced institutions to separate trading and custody, a reform long overdue. Pension funds, endowments, and hedge funds now demand third-party custody — they will not leave assets on exchange platforms. That is prudent. But it has driven nearly all institutional flows to the largest, most established custodians, shrinking the second tier. Sixteen custodians exited the U.S. market between 2023 and 2025, citing rising compliance costs and insurance premiums.

Third, technological complexity favours incumbents. Custodying crypto assets is harder than it looks. Private keys must be generated in secure environments, stored offline in hardware security modules, and distributed across geographic locations to prevent single points of failure. Multi-signature schemes require coordination among multiple parties, each holding partial keys, to authorise transactions. Auditing these systems requires expertise that few firms possess. The barriers to entry are rising, not falling.

What Is Being Done

Regulatory efforts remain fragmented. In March 2026, the Financial Stability Board published guidance recommending that custodians be subject to capital requirements, operational risk standards, and resolution planning. The guidance is non-binding. Implementation is left to national regulators, most of whom lack the statutory authority to impose such rules without new legislation.

In the United States, Senator Cynthia Lummis introduced the Digital Asset Custody Standards Act in February 2026, which would require custodians holding more than $10 billion to register with the Office of the Comptroller of the Currency, maintain capital reserves, and submit to quarterly audits. The bill has bipartisan support but faces resistance from the crypto industry, which argues that prescriptive regulation will stifle innovation. It remains stalled in committee.

Some custodians have taken voluntary steps. Coinbase publishes quarterly attestations from an independent auditor verifying that client assets match liabilities. Anchorage Digital, chartered as a national trust bank, submits to OCC supervision and maintains capital reserves. BitGo introduced proof-of-reserves technology that allows clients to verify their holdings cryptographically without revealing private keys. These are improvements. But they are not substitutes for comprehensive regulation.

What Should Be Done

The solution is neither novel nor complex. Regulators should apply to crypto custodians the same principles that govern other systemically important financial infrastructure. First, any custodian holding more than $10 billion in client assets should be required to obtain a federal charter, subjecting it to prudential supervision. Second, custodians should maintain capital reserves equal to at least 3% of assets under custody, adjusted for operational risk. Third, they should be required to segregate client assets in bankruptcy-remote structures and provide proof of reserves on demand.

Fourth, regulators need recovery and resolution plans. If a custodian fails, who has the authority to seize its systems, recover private keys, and transfer client assets to a successor? At present, the answer is unclear. The Federal Deposit Insurance Corporation has such powers for banks. No equivalent exists for crypto custodians. Establishing one would require legislation, but the alternative — waiting for a crisis to reveal the gap — is worse.

Finally, the concentration problem will not solve itself. Market forces are pushing custody toward oligopoly, not competition. Regulators should consider whether systemically important custodians should be prohibited from holding more than a certain share of total market assets — say, 25% — to prevent the emergence of too-big-to-fail entities. Such limits exist in other markets. There is no principled reason to exempt crypto.

The Cost of Waiting

The financial system has a long history of building critical infrastructure first and regulating it later, usually after a crisis. Clearinghouses were unregulated until 1987. Money-market funds operated without capital buffers until 2008. Each time, regulators scrambled to contain the damage. The question is whether they will learn this time.

Crypto custody is now large enough to matter. If Coinbase's systems were compromised tomorrow, the immediate loss could exceed $100 billion — larger than the failure of Lehman Brothers in nominal terms. The contagion would spread instantly through ETFs, pension funds, and endowments that hold bitcoin as part of diversified portfolios. Retail investors, believing their ETF shares were safe, would discover they were unsecured creditors in a bankruptcy proceeding. Trust in digital assets — already fragile — would collapse.

The infrastructure exists to prevent this. What is missing is the political will to impose it before disaster strikes. If history is any guide, that will require a crisis. One hopes it will not require a large one.