The Real Threat to Crypto Isn't Your Private Keys Anymore—It's Your API Credentials

Execution risk in crypto is the new custody risk. Live credentials, not just private keys, are now the main attack surface.

Written by Ido Sofer, founder and CEO at Sodot.

The Custody Problem Has Evolved

The crypto industry excels at innovation, but security tells a different story. For years, we obsessed over a single vulnerability: private key theft. The industry responded predictably—cold storage, air-gapped systems, MPC protocols. Smart moves. Then came transaction security and policy controls to prevent malicious fund transfers while keeping keys intact.

But here's the problem: custody itself has fundamentally changed, and the industry hasn't caught up.

"Custody" no longer means protecting dormant private keys in a vault. Modern crypto trading firms operate across exchanges, staking platforms, liquidity venues, and infrastructure providers—each requiring API keys, validator credentials, deployment secrets, and system-level access that can move capital directly or indirectly. These credentials live in secret managers designed to return full keys to any authenticated process. Convenient for operations. Structurally catastrophic for security.

If your execution environment gets compromised—by external attackers, coerced employees, or malicious dependencies—your full credentials go with it. Capital moves in milliseconds. Exposure happens in real time. The battlefield has shifted from cold storage to the hot trading layer.

Why the Execution Layer Became the Weak Link

Execution risk has emerged as the single biggest vector for large-scale crypto exploits. Recent major breaches, including the Bybit hack, prove the pattern: attackers bypass on-chain security mechanisms entirely. They target the soft underbelly—API keys, server credentials, and off-chain secrets needed for trading, code deployment, staking, and custodial actions. The hack begins off-chain. The damage appears on-chain.

Asset managers, trading firms, custodians, and payment companies integrate with dozens of CEXs, DEXs, liquidity providers, and vendors simultaneously. Each connection introduces new credentials, access controls, and operational dependencies. This sprawl spans development, ops, trading, risk, and security teams—creating complexity that compounds faster than most organizations can manage.

The painful truth: maintaining consistent security policies across multi-vendor access is largely manual, resulting in inevitable gaps and configuration drift.