AI Summary
The Changing Crypto Landscape: Political Shifts and Physical Threats

Crypto Kidnapping Attempts Accelerate

Crypto exchanges and financial organizations are becoming increasingly lucrative targets, not just for cyber threats but also for physical security threats, as their visibility and value continue to grow. The level of physical risk now associated with crypto has been highlighted by recent kidnappings and ransom attempts, leading to a rise in investors seeking protection services, including bodyguards. Risks to companies also increase when they are only potentially exposed, as discovered in the May 7, 2025, LOCKBIT breach, where negotiation conversations were leaked along with their Bitcoin wallet addresses.

Compliance Failures Drive Risk

Failure to establish compliance protocols for crypto services can expose financial institutions and organizations to serious legal repercussions, including fines, sanctions and reputational damage. In recent years, crypto services have garnered attention and a reputation as hubs for criminal activity, leading to stringent regulatory measures across various jurisdictions.

Poor Financial Insight Has a High Cost

Financial intelligence failures in the crypto industry can have disastrous real-world consequences, including the financing of terrorist activities and the enabling of organized crime groups. Past crypto breaches highlight the concern that digital assets can cause financial turmoil across markets. For example, the Bybit breach coincided with the price of Bitcoin plunging by 20%.

Achieving Crypto Compliance: Evolving Regulatory Requirements

Proving Compliance with Penetration Testing

Penetration testing (pen testing) is a crucial aspect of an organization's overall cybersecurity and compliance efforts, and serves a dual purpose for crypto exchanges. First, it enhances overall security posture and helps businesses meet compliance requirements set by various regulatory bodies. Secondly, documented penetration tests provide tangible evidence of an organization's commitment to security and compliance, which may be required during regulatory audits or assessments. While no single, universal law mandates pen testing, several regulations and frameworks require or strongly encourage it.

Regulations and Frameworks Requiring Penetration Testing

Penetration testing is also relevant for compliance with other regulations and frameworks, such as those related to critical infrastructure and government systems. Penetration testing regulations for cryptocurrency businesses are primarily focused on ensuring security, complying with regulations and protecting user assets.

Crypto Oversight: Charting the Regulatory Landscape

The U.S. and the EU take two different approaches to crypto risk: the U.S. relies on existing securities laws and enforcement actions to address it, while the EU framework is intended to provide a well-coordinated regulatory framework for crypto assets across all EU member states.

Crypto in the U.S.: Robust Security Testing Required

In the U.S., January 2025 saw President Donald Trump issue an executive order declaring crypto a national priority and supporting "the responsible growth and use of digital assets, blockchain technology and related technologies across all sectors of the economy."

A fundamental regulatory question being addressed is whether cryptocurrency should be regulated by the SEC as a security or by the Commodity Futures Trading Commission as a commodity. Several bills are under consideration in Congress, including the Clarity for Payment Stablecoins Act and the Lummis-Gillibrand Payment Stablecoin Act.

The Financial Crimes Enforcement Network (FinCEN) stipulates that exchanges must implement comprehensive security measures that include penetration testing as part of their compliance with the Bank Secrecy Act (BSA). Crypto exchanges that process credit card payments must also adhere to Requirement 11 of the Payment Card Industry (PCI) Data Security Standard (DSS) 3.2.1, which specifically mandates regular penetration testing.

The SEC treats many cryptocurrencies as securities and is concerned with investor protection. While it does not explicitly require penetration testing, it does require financial institutions to have robust security testing to ensure compliance. Such testing could be used to identify potential vulnerabilities that could be exploited by threat actors.

Crypto in the UK: Seeking a Balanced Regime

In December 2024, the UK's Financial Conduct Authority (FCA) published a Discussion Paper (DP) titled DP24/4: Regulating Cryptoassets—Admissions & Disclosures and Market Abuse Regime for Cryptoassets. In keeping with the FCA's latest five-year strategy, it is keen to introduce a balanced regime which supports growth in the UK. To this end, the focus of DP24/4 is spot cryptoassets, such as stablecoins, and what the FCA refers to as unbacked cryptoassets (e.g., bitcoin). It does not include those already captured under the existing list of specified investments