Guarding Crypto: The Surprising Truth About Security on the Digital Asset Frontier
In the high-stakes world of digital assets, where fortunes are made and lost in moments, the specter of the billion-dollar hack looms large. With an estimated $2.36 billion lost to security incidents to date, the industry is perpetually on high alert. Yet the greatest threats may not be the sophisticated, protocol-breaking exploits seen in films and fiction. Instead, they are often silent failures in the most fundamental aspects of security hygiene.

A fireside chat at REDeFiNE TOMORROW 2025 tackled these critical vulnerabilities head-on. The session “Guarding Crypto: Security in the Digital Asset World,” featured insights from two industry veterans: Adam Healy, CEO of the security firm Station70, and Jannem Yong, Head of IT & Security at SBI Digital Markets. Their discussion stripped away the hype to reveal a critical vulnerability at the heart of the ecosystem: the persistent gap between advanced technology and basic, disciplined security practices.
The Billion-Dollar Blind Spot
While a forensic analysis of major breaches might lead one to suspect broken encryption or compromised smart contracts, Healy argued the reality is far more mundane. “A lot of those [breaches] are going to be traced back to what I just call core, 101-level security hygiene,” he stated.
He distilled this essential foundation into what he termed the three pillars of institutional security:
- Strong, Hardware-Based Multi-Factor Authentication (MFA): Moving beyond less secure SMS or app-based 2FA to phishing-resistant hardware keys for all employees.
- Robust Device Trust: Ensuring that only known, vetted, and secured devices can access sensitive corporate systems.
- Comprehensive Cloud Security Controls: Implementing strict network egress controls and a “default-deny” architecture to prevent unauthorized data exfiltration.
The problem, Healy noted, is that while many firms do one or two of these moderately well, “very few companies are actually doing all three of those things really well.” This failure to master the fundamentals leaves the door wide open for attackers to bypass even the most advanced defenses using tried-and-true methods like phishing and social engineering.
The Human Factor: Misaligned Incentives and Missing Expertise
The discussion quickly turned to why these basic failures persist. The answer lies in human and organizational structure. Healy identified a critical flaw in the reporting lines of many organizations: a Chief Information Security Officer (CISO) reporting to a Chief Technology Officer (CTO).
“You can't govern your boss,” Healy said bluntly. This structure creates an inherent conflict of interest. A CTO's primary goal is often business velocity and shipping products, while a CISO's is to implement controls that, by definition, can slow things down. This dynamic often means security takes a back seat.
This issue is compounded at the highest level. “I've spoken with dozens of boards... and I think there's really a void of good, pragmatic security knowledge,” Healy observed. Without board-level expertise to understand and champion security trade-offs, security remains a cost center to be minimized rather than a core business function critical for survival. This mirrors a broader cybersecurity trend: even in the most technical fields, human factors and organizational politics remain the weakest link.
The Supply Chain Threat and “Security Theater”
Beyond internal hygiene, the crypto ecosystem is critically exposed to third-party risk. Healy pulled no punches, describing the industry's standard due diligence—sending 300-question spreadsheets and checking for a SOC 2 report—as “ludicrous” and “total security theater.”
He painted a stark picture of the supply chain risk by stating, “I've only ever met one organization in the entire world that audits every single line of third-party code they introduce into their environment.” With every company relying on a vast web of unaudited third-party libraries and SaaS products, the potential attack surface is immense and largely invisible.
The Dangerous Neglect of Disaster Recovery
Perhaps the most overlooked area, and one with catastrophic consequences, is disaster recovery (DR). Healy recounted multiple real-world incidents, such as those involving Prime Trust and StakeHound, where firms lost access to tens or even hundreds of millions of dollars in assets. The causes were shockingly simple: corrupted keys, lost hard drives, or a single employee forgetting a passcode.
“I'm talking to a fund that has north of $100 million under management... and their answer to disaster recovery is, ‘Yeah, our CTO's got a USB drive in a safe,’” Healy shared. This ad-hoc approach is akin to gambling with client funds. When dealing with bearer instruments, where possession of the key is possession of the asset, a robust, tested, and resilient DR plan is not a luxury—it's an absolute necessity.
Building the Fail-Safe
In response to these challenges, Healy detailed the solutions his firm, Station70, has engineered. Their flagship institutional product, “Bunker,” provides zero-knowledge disaster recovery built for the unique risks of the digital asset world.
The technical architecture is designed for ultimate security:
- It uses a combination of HSMs (Hardware Security Modules), AWS Nitro Enclaves, and hardware tokens (YubiKeys) to protect key backups.
- Clients establish their own customer-managed quorum thresholds (e.g., 3-of-5 or 5-of-7 approvals required), ensuring no single individual can access the backups.
- Critically, backup packages remain encrypted end-to-end. Station70 never has access to the plaintext keys, eliminating a central point of failure.
This platform integrates with leading wallet providers like Fireblocks, Fortify, and Utilla, providing a cryptographically separate and independent fail-safe.
During the chat, Healy also announced a groundbreaking new feature within Bunker: SWAT (Secure Wallet Account Transfer). This tool enables the zero-knowledge migration of a firm's entire key infrastructure from one wallet provider to another in approximately five minutes. In the event of a provider outage or a data breach, SWAT gives institutions the ability to regain control and move assets to secure addresses before attackers can act.
Addressing the complex regulatory landscape, Bunker is built to be deployed in any jurisdiction, with Singapore being a key example. It can generate cryptographic verification reports for auditors and regulators, proving the integrity and availability of backups without ever exposing the sensitive key material itself.
Looking ahead, Station70 is expanding its vision. A retail-focused version of their technology, “Foundation,” is set to launch in late July/early August, bringing the same zero-knowledge principles to individual users. Furthermore, a new identity product is slated for a beta release in Q4, cementing the company's position as a multi-product security provider for the entire digital asset ecosystem.
Build for a Million-Dollar Bitcoin
As the conversation concluded, Healy offered a powerful thesis for the industry's future. “There's a much higher probability that Bitcoin goes from where it is today to a million than it is from where it is today to zero,” he posited. To realize that potential, the industry must mature. It needs builders focused on fundamental infrastructure and robust security, not just the “shiny object of today.”
The final takeaway is an urgent call to action. The next catastrophic crypto breach is unlikely to come from broken encryption. It will almost certainly stem from a successful phishing email, a weak or compromised 2FA, or a vulnerable third-party vendor. In a world of immutable, bearer assets worth millions, mastering the basics and investing in an institutional-grade backup and recovery strategy isn't just good practice—it's the only way to guard the future.





