Understanding Crypto Custodian Risk: How to Measure and Price Counterparty Exposure

Dec 29, 2025

Executive Summary:

Crypto custodian risk is the non-market risk that a custodian becomes unable to return client assets as a result of financial failure, cyber incidents, or fraud. By modeling default probabilities, investors can systematically benchmark custodians and calibrate risk limits. Knowing custodian risk allows for better risk modeling and pricing.

What Is Crypto Custodian Risk?

Custodian risk is the chance that a company holding your digital assets will lose them through bankruptcy, hacking, fraud, or operational breakdown.

When you send crypto to a custodian, you hand over control of your private keys; the custodian now controls your assets. If the company fails, your holdings are at risk regardless of market conditions.

This is different from price risk. Bitcoin could double in value, but if your custodian collapses, you might recover pennies on the dollar.

Why Custodian Risk Matters in Digital Assets

Custodians control private keys and asset movement. When they fail, the damage is typically total and immediate.

FTX (2022): The exchange claimed customer assets were segregated and safe. In reality, deposits were commingled with trading arm Alameda Research and used for undisclosed bets. When withdrawals spiked, FTX couldn't meet them. Bankruptcy followed within days, leaving an $8 billion shortfall. John Ray III, the restructuring specialist who also handled Enron, called it "a complete failure of corporate controls."

Mt. Gox (2014): At its peak, the Tokyo exchange handled over 70% of global bitcoin volume. Weak security allowed hackers to drain funds for years undetected. When it collapsed, 850,000 bitcoin were missing. Creditors waited over a decade for partial repayment.

Agio Ratings has documented over 25 significant exchange defaults in the past few years alone.

The Primary Risks Faced by Crypto Custodians

Insolvency and bankruptcy. A custodian that spends or loses more than it holds will eventually fail. In 2023, Nevada state regulators found the custodian Prime Trust lacked sufficient assets to meet customer obligations and used customer funds to purchase crypto to cover withdrawals. This asset shortfall led a court to place the company into receivership as it approached insolvency.

Liquidity shortfalls. Even solvent custodians can fail if they can't meet sudden withdrawal demand. If assets are locked in illiquid positions or lent out, there may not be enough on hand during a crisis.

Security breaches. In February 2025, Bybit lost approximately $1.5 billion in Ethereum after attackers exploited a weakness in its cold wallet process. The FBI attributed the attack to North Korean state-sponsored hackers. Bybit survived because it had sufficient reserves. Many custodians wouldn't have.

Governance failures. Poor controls, lack of oversight, and concentrated decision-making increase risk. FTX was managed by a small group of inexperienced executives with no independent board and no institutional representation.

How Do You Measure Crypto Custodian Risk?

Custodian risk can be measured using probability-of-default models that combine financial strength, security posture, governance quality, and on-chain behavior into a single comparable metric.

In crypto, custodian risk is counterparty risk. When you deposit assets with an exchange or custody provider, you take on exposure to that company's ability to remain solvent, secure, and operational. This is the same dynamic that exists in traditional finance when a bank or broker holds your assets. The difference is that crypto counterparty risk is harder to assess because most custodians don't publish audited financials or operate under strict regulatory oversight.

Measuring crypto counterparty exposure requires combining traditional credit analysis with blockchain-native data. The sections below explain why conventional approaches fall short and how probability-of-default models fill the gap.

The Challenge of Measuring Custodian Risk

Traditional financial metrics don't transfer cleanly to crypto. Banks file audited statements, face capital requirements, and submit to regulatory exams. Most crypto custodians operate offshore with voluntary, inconsistent disclosures.

Proof-of-reserves has emerged as a transparency measure, but it has serious limits:

  • It's a snapshot, not continuous monitoring. A custodian could borrow funds for the audit and return them afterward.
  • It typically ignores liabilities. A custodian might hold $1 billion in assets but owe $2 billion. The reserves look solid; the company is insolvent.
  • It doesn't capture off-chain obligations or ongoing financial health.

The U.S. Public Company Accounting Oversight Board has warned that proof-of-reserves reports "do not provide any meaningful assurance to investors or the public."

Crypto also introduces risk signals that don't exist in traditional finance—on-chain transaction patterns, wallet flows, and network stress indicators that sometimes surface problems before any financial statement would.

How Custodian Risk Can Be Quantified

The solution is to measure risk the way credit analysts have for decades: through probability of default.

Probability of default (PD) expresses the likelihood a company will fail to meet obligations over a specific time horizon. A custodian with a 2% one-year PD has roughly a 2-in-100 chance of defaulting in the next twelve months. One with a 15% PD is significantly riskier.

Why PD works:

PD lets you rank custodians against each other using a single number. You can aggregate exposure across multiple custodians, stress-test scenarios, and estimate potential losses. Insurers can set premiums based on it. Lenders can adjust rates. Investors can demand compensation for quantified risk.

Traditional rating agencies like Moody's and S&P have used probability-of-default frameworks for decades. Letter grades—AAA, BB, CCC—correspond to historical default frequencies.

Crypto needs the same rigor.

How Agio Ratings Measures Digital Asset Custodian Risk

Agio Ratings applies a rigorous default rating methodology specifically to crypto custodians. Founded in 2022, the company was built to fill the gap left by traditional rating agencies with limited digital asset coverage.

Agio Ratings’ custodian ratings evaluate five risk factors:

1. Regulatory licensing and jurisdiction quality. Stronger oversight, capital requirements, and enforcement regimes reduce risk. A custodian under MiCA in Europe or the GENIUS Act in the U.S. faces more scrutiny than one in an unregulated offshore jurisdiction.

2. Security certifications and incident history. Previous hacks, certifications held (SOC 2, ISO 27001), and key management practices.

3. Operational track record. Company age, management experience, and governance structure.

4. Indicators of balance sheet strength and liquidity. Capital to absorb losses and capacity to meet withdrawal spikes.

5. On-chain behavioral and flow data. Transaction patterns, wallet flows, network centrality. Unusual outflows or concentration patterns can signal stress before it becomes public.

These factors combine into a calibrated probability of default that can be compared across custodians and tracked over time. Agio Ratings currently rates 26 custodians across five segments, from exchange-linked custody to traditional finance-backed solutions.

How to Reduce Crypto Custodian Risk

If you hold crypto through a custodian, you have counterparty exposure. Here's how to manage it:

Compare custodians by risk, not reputation. Brand recognition and trading volume don't equal safety. Marketing budgets tell you nothing about solvency.

Diversify into stronger custodians. Adding riskier custodians in the name of diversification can worsen outcomes rather than reduce risk. Spreading assets across poorly governed or undercapitalized custodians increases exposure to operational failure and misconduct.

Use quantitative risk ratings. Gut feel and social media sentiment are not risk management. Probability-of-default ratings give you a number for setting limits, comparing options, and making defensible decisions.

Monitor continuously, not just at onboarding. Markets move fast. A custodian that looked fine last quarter may show warning signs today. Real-time alerts for anomalous behavior matter more than annual reviews.

Think in stress scenarios. What happens if the market drops 50% in a week? What if a major hack triggers panic withdrawals across the industry? Custodians stable in calm markets may not survive a crisis.
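
A worked illustration of the points above (PD as a number you can aggregate, diversification into weaker custodians, and stress scenarios), added here as an example and not Agio Ratings' model or simulator. The 2% and 15% PDs are the article's illustrative figures; the custodian names, exposures, 90% loss given default, independent defaults and the 3x stress multiplier are assumptions.

```python
# Constructed sample books: (name, exposure USD, one-year PD, loss given default).
# The 2% and 15% PDs are the article's illustrative figures; names, exposures,
# the 90% LGD and independence of defaults are assumptions for this example.
LGD = 0.90
SINGLE_STRONG = [("Custodian A", 10_000_000, 0.02, LGD)]
SPLIT_STRONG = [("Custodian A", 5_000_000, 0.02, LGD),
                ("Custodian C", 5_000_000, 0.02, LGD)]
SPLIT_WEAK = [("Custodian A", 5_000_000, 0.02, LGD),
              ("Custodian B", 5_000_000, 0.15, LGD)]


def loss_distribution(book, pd_multiplier=1.0):
    """Return {loss_usd: probability}, folding in one custodian at a time."""
    dist = {0: 1.0}
    for _name, exposure, pd, lgd in book:
        p = min(1.0, pd * pd_multiplier)   # stressed PD, capped at 100%
        hit = round(exposure * lgd)        # loss if this custodian defaults
        nxt = {}
        for loss, prob in dist.items():
            nxt[loss] = nxt.get(loss, 0.0) + prob * (1 - p)
            nxt[loss + hit] = nxt.get(loss + hit, 0.0) + prob * p
        dist = nxt
    return dist


def expected_loss(dist):
    return sum(loss * prob for loss, prob in dist.items())


def prob_loss_at_least(dist, threshold):
    return sum(prob for loss, prob in dist.items() if loss >= threshold)


def summarize(book, pd_multiplier=1.0):
    """Headline numbers for one book under an optional PD stress multiplier."""
    dist = loss_distribution(book, pd_multiplier)
    return {
        "expected_loss": round(expected_loss(dist)),
        "p_any_loss": round(prob_loss_at_least(dist, 1), 4),
        "p_lose_9m": round(prob_loss_at_least(dist, 9_000_000), 4),
    }


if __name__ == "__main__":
    for label, book in [("single strong", SINGLE_STRONG),
                        ("split strong/strong", SPLIT_STRONG),
                        ("split strong/weak", SPLIT_WEAK)]:
        print(label, summarize(book), "stressed x3:", summarize(book, 3.0))
```

In this constructed book, moving half the balance to the 15% PD custodian raises expected loss from $180,000 to $765,000, while splitting between two 2% PD custodians keeps expected loss unchanged and cuts the chance of losing the full $9 million from 2% to 0.04%.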

How Allocators, Insurers, and Risk Managers Evaluate Custodian Risk

Institutional players face additional requirements beyond individual investor concerns.

Fund allocators need to justify custody choices to LPs and regulators. Documented risk assessment using independent ratings creates an audit trail that "we picked the biggest exchange" cannot provide.

Insurers underwriting crypto custody policies need to price risk accurately. PD-based ratings allow segmentation of applicants, premium setting, and loss reserve management. Relm Insurance has partnered with Agio Ratings to power its exchange default product.

Banks entering crypto trading, lending, or stablecoin services need counterparty frameworks satisfying internal risk committees and regulators. Agio Ratings is in discussions with major U.S. and European banks for this purpose.

Risk managers at trading firms need ongoing monitoring. The difference between point-in-time diligence and continuous tracking can be the difference between exiting before a collapse and being trapped in bankruptcy proceedings.

How Agio Ratings Supports Risk-Informed Decision Making

Agio Ratings provides independent custodian ratings built on probability-of-default methodology, currently covering over 25 custodians across five categories.

Trading firms use the ratings to set exposure limits based on quantified risk rather than reputation. The platform's monitoring tools track on-chain signals in near real-time, flagging anomalous patterns that may indicate stress.

Insurers use probability-of-default-based ratings for underwriting and reserve calculations. Relm Insurance partnered with Agio Ratings to power its crypto exchange default product.

Banks entering crypto markets use Agio Ratings’ frameworks to satisfy internal risk committees and regulators. The company is in discussions with major U.S. and European institutions preparing for digital asset market entry.

Compliance teams use the ratings to document custody decisions and create audit trails for regulatory discussions.

A risk simulator converts default probabilities across a portfolio into loss distributions, allowing firms to stress-test exposure.

Agio Ratings’ models flagged FTX as high-risk four months before bankruptcy and correctly assessed that Bybit had sufficient reserves to survive its $1.5 billion hack.

Request a demo to see how Agio Ratings’ custodian ratings can support your risk framework.
