The U.S. Treasury is expanding its cyber threat intelligence sharing program to include crypto and digital asset firms. This brings new compliance responsibilities—and new defensive capabilities—to a sector that has been largely on its own.
If you operate a digital asset business, you've been flying without the radar that traditional financial institutions have had for years. That's about to change. The U.S. Treasury is expanding its cyber threat intelligence sharing program to include crypto sector participants, who will receive the same warnings about nation-state hackers and emerging threats that banks and broker-dealers have received for years.
Treasury's threat intelligence sharing has historically been reserved for traditional financial institutions. Banks get real-time alerts about specific threat actors, attack vectors, and vulnerabilities being exploited in the wild. “This initiative reflects the principles of the GENIUS Act by promoting responsible innovation grounded in strong cybersecurity and operational resilience,” said Tyler Williams, Counselor to the Secretary for Digital Assets.
This expansion closes that gap. Digital asset firms will now have access to the same classified and sensitive threat information that informs the cybersecurity posture of the largest financial institutions.
The Compliance Implications
When Treasury shares threat intelligence, it expects action. Receiving these warnings creates an implicit obligation to respond appropriately. If you receive a specific threat alert and do nothing, and then get breached, you'll face uncomfortable questions from regulators about why you ignored actionable intelligence.
This means your firm needs:
The timing isn't coincidental. North Korean hackers stole over $1.5 billion in crypto assets in 2025 alone. The Lazarus Group and related APTs have made digital asset platforms their primary target. Treasury has watched these attacks happen while crypto firms operated outside the intelligence-sharing infrastructure that might have helped prevent them.
This is Treasury acknowledging that digital asset firms are part of the financial system, and need to be defended like it. Eligible U.S. digital asset firms and industry organizations that meet Treasury’s criteria will be able to receive, at no cost, the same actionable cybersecurity information Treasury regularly shares with traditional U.S. financial institutions.
Start by identifying who at your firm will serve as the point of contact for Treasury communications. This should be your CISO or, at a minimum, a senior person in your Technology organization.
Review your cybersecurity policies. Do they contemplate government threat intelligence as an input? Most crypto firm policies I've seen don't. That needs to change before the first alert arrives.
Finally, treat this as an opportunity. You're about to get the same intel banks use to spot and stop real attacks. Don't let it sit in an inbox; put it to work.
Not directly—there's no new rule being promulgated here. But receiving actionable threat intelligence and failing to respond appropriately could be viewed as a cybersecurity program deficiency in an exam or enforcement context. Document your response process.
The expansion appears to cover the crypto sector broadly, not just federally regulated entities. State-licensed money transmitters and other digital asset businesses should expect to be included. Contact Treasury or your state regulator for specific enrollment procedures.
The content in this blog is for informational purposes only and does not constitute legal advice, regulatory guidance, or an offer to sell or solicit securities. GiGCXOs is not a law firm. Compliance program requirements vary based on business model, customer base, and regulatory classification.