As Threats Evolve, BitGo Raises the Bar with Secure Mobile Architecture, Advanced Policy Controls, and Real-Time API Attestations

Key Terms

api spoofing technical

API spoofing is when an attacker pretends to be a trusted software interface by sending fake or altered requests or responses so systems accept wrong data or grant access. For investors, it matters because spoofed APIs can corrupt market data, trigger erroneous trades, expose sensitive customer or financial information, disrupt revenue streams and damage reputation and regulatory standing—like receiving counterfeit mail that makes you act on false instructions.

real-time api attestations technical

Real-time API attestations are automated, instantaneous confirmations delivered by software interfaces that verify the accuracy, origin or integrity of data as it is generated or transmitted. For investors, they act like a live, tamper-evident receipt or referee whistle that proves a piece of information—such as transaction details, performance metrics or compliance checks—is authentic and current, reducing fraud risk and speeding up decision-making.

device attestation technical

Device attestation is a secure digital check that proves a hardware device and its software are genuine and have not been tampered with, using a locked digital certificate or signature built into the device. For investors, it matters because reliable attestation reduces the risk of hacks, regulatory problems, product recalls, and loss of customer trust—similar to an ID badge or tamper-evident seal that helps ensure a product is authentic and safe to use.

biometrics technical

Biometrics are measurable physical or behavioral traits—like fingerprints, facial features, voice patterns, heart rate or gait—that uniquely identify or monitor a person, similar to how a key or signature proves identity. Investors care because biometric technology drives products and services in security, payments and health monitoring, affecting revenue opportunities, adoption trends and regulatory or privacy risks that can influence a company’s value and future growth.

on-demand video identification technical

On-demand video identification is a remote identity check where a person uses a live or recorded video call to show their face and identity documents to a trained reviewer or automated system when needed. It matters to investors because it lets companies onboard customers faster, cut fraud and manual costs, and meet regulatory requirements—like replacing an in-person ID check with a secure, scalable video call that can be audited.

address poisoning technical

Address poisoning is an attack that corrupts the mapping between names and digital locations—such as web addresses, device IDs, or cryptocurrency wallets—so traffic or payments are quietly redirected to a fraudster. For investors it matters because it can enable theft, fake disclosures, or disrupted operations by making communications, transactions or filings appear legitimate when they are not, like changing a forwarding address on your mail to siphon payments.

webhook integrations technical

Webhook integrations are automated connections that let one computer system immediately send a short notification to another when a specific event occurs, like a doorbell that rings to alert you the moment someone arrives. For investors, they matter because they speed up delivery of important updates—such as trade confirmations, regulatory notices, or earnings alerts—reducing delays, lowering operational risk, and enabling faster decisions or automated trading reactions.

NEW YORK--(BUSINESS WIRE)-- BitGo Holdings, Inc. (NYSE: BTGO) (“BitGo”), the digital asset infrastructure company, today announced a new suite of capabilities in digital asset security designed to address the ever changing threats facing institutional crypto operations. As attack vectors become more sophisticated, from deepfakes and social engineering to API spoofing and address manipulation, BitGo’s latest release reflects a structural shift in how digital asset transactions are secured.

These enhancements move protections earlier in the transaction lifecycle and across distinct layers that can be independently validated, creating a system in which a transaction must be both cryptographically valid and contextually authorized before it can be executed. BitGo secures transactions across five critical layers that include intent, device, identity, behavior, and policy.

At the intent layer, BitGo has introduced real-time API attestations that cryptographically bind transaction details to user intent prior to signing. This helps to ensure that what is executed is what the user approved, aiming to mitigate a class of attacks where destination addresses or amounts are altered outside of the user’s awareness.

At the device and identity layers, BitGo extends security beyond credentials to hardware-backed verification. The BitGo Verify app acts as a trusted execution surface, combining biometrics, device attestation, and app integrity checks to help ensure approvals originate from known, untampered devices. Hardware-bound authentication, session binding, and on-demand video identification calls introduce stronger guarantees against impersonations, including deepfakes and injected videos, shifting authentication from “who is the user” to “who, on what device, and in what environment.”

At the behavioral layer, BitGo introduces real-time transaction threat detection. The platform evaluates withdrawal activity to identify patterns such as address poisoning, flagging suspicious destinations at the moment of execution so operators can intervene before funds move. This shifts from prevention from retrospective analysis to pre-execution enforcement.

BitGo’s Policy Engine also expands governance as a core component of transaction security. Policies allow institutions to define the rules that govern how assets move, requiring approvals for large transactions, restricting withdrawals to approved addresses, or enforcing velocity limits. The Policy Engine enforces organizational rules independently of cryptographic authorization, helping to ensure that even valid transactions cannot be executed if they violate defined rules and controls. Recent enhancements to the Policy Engine include policy recommendations, duplication, and webhook integrations that allow institutions to scale security, standardize configurations, and integrate with internal risk systems.

All features and enhancements operate in conjunction with BitGo’s existing security infrastructure, extending security beyond key protection alone and ensuring that transactions are evaluated holistically. By validating transactions across intent, device, identity, behavior, and policy layers, BitGo addresses a new class of risks facing institutions, where attacks increasingly target the gaps between systems in addition to the systems themselves.

Forward-Looking Statements

Certain statements in this press release constitute “forward-looking statements” within the meaning of the federal securities laws. Words such as “may,” “might,” “will,” “should,” “believe,” “expect,” “anticipate,” “estimate,” “continue,” “predict,” “forecast,” “project,” “plan,” “intend” or similar expressions, or statements regarding intent, belief, or current expectations, are forward-looking statements. These forward-looking statements are subject to various risks and uncertainties, many of which are difficult to predict, that could cause actual results to differ materially from current expectations and assumptions from those set forth or implied by any forward-looking statements. Important factors that could cause actual results to differ materially from current expectations include, among others, the highly volatile nature of digital assets, technical issues in connection with the integration of supported digital assets and changes and upgrades to their underlying network, heightened scrutiny of our industry and operations, the theft, loss, or destruction of private keys required to access any digital assets held in custody for our own account or for our clients, errors in executing client transactions or managing our own trading activities, and the other factors discussed in the Company’s Annual Report on Form 10-K filed with the U.S. Securities and Exchange Commission (the “SEC”) on March 27, 2026, and its subsequent filings with the SEC, including subsequent periodic reports on Forms 10-Q and 8-K. Such forward-looking statements are based on facts and conditions as they exist at the time such statements are made and predictions as to future facts and conditions. While the Company believes these forward-looking statements are reasonable, readers of this press release are cautioned not to place undue reliance on any forward-looking statements. The information in this release is provided only as of the date of this release, and the Company does not undertake any obligation to update any forward-looking statement relating to matters discussed in this press release, except as may be required by applicable securities laws.

About BitGo

BitGo (NYSE: BTGO) is the digital asset infrastructure company delivering custody, wallets, staking, trading, financing, stablecoins, and settlement services from regulated cold storage. Since 2013, BitGo has focused on accelerating the transition of the financial system to a digital asset economy. BitGo maintains a global presence and multiple regulated entities, including BitGo Bank & Trust, National Association, the first federally chartered digital asset trust bank owned by a publicly traded company. Today, BitGo serves thousands of institutions, including many of the industry's top brands, financial institutions, exchanges, and platforms, and millions of investors worldwide. For more information, visit www.bitgo.com.

View source version on businesswire.com: https://www.businesswire.com/news/home/20260430000122/en/

Media
press@bitgo.com

Source: BitGo Holdings, Inc.