The US Treasury will share the same cyber-threat intelligence it distributes to traditional banks with qualifying crypto exchanges, custodians and wallet providers, in an admission that digital assets are now inside the perimeter of core financial infrastructure.
The US Department of the Treasury will begin sharing its bank-grade cybersecurity intelligence with qualifying crypto firms at no cost, in what amounts to an official acknowledgement that digital asset platforms are now treated as part of the country's core financial infrastructure rather than a separate, lightly regulated sector bolted on to the side of it. The announcement, made on 9 April, comes eight days after an estimated $285 million was drained from Solana-based derivatives venue Drift Protocol in a North Korean social-engineering operation that took roughly six months to set up.
Under the new arrangement, US digital asset firms and industry groups that meet agency criteria can plug into the same threat-sharing pipeline that already feeds traditional financial institutions. Participants will receive early warning on active campaigns, indicators of compromise, and written guidance tailored to the distinct attack surfaces of exchanges, wallet providers and custodians. The service is being routed through Treasury's existing critical-infrastructure channels, which means the information itself will not be re-engineered for crypto — it will be the same feed that Citigroup and Morgan Stanley have had for years.
"Cyber threats targeting digital asset platforms are growing in frequency and sophistication," said Cory Wilson, Treasury's deputy assistant secretary for cybersecurity, in a statement announcing the programme. That is not a revelation to anyone in the industry; it has been true since the Mt Gox era. What is new is the policy posture: until this week, Treasury's cybersecurity information-sharing programme was, by design, a closed club for firms operating under prudential banking supervision. Now a qualifying centralised exchange and a federally chartered bank can receive the same threat indicators on the same morning.
The practical effect will take months to measure. Crypto firms already subscribe to commercial feeds from Chainalysis, TRM Labs and a handful of private intelligence vendors. What Treasury adds is twofold: proprietary indicators generated by US government visibility into adversary infrastructure, and the forward-leaning North Korean attribution work that commercial vendors are often reluctant to publish in raw form. For exchanges sitting on billions of dollars of customer assets, the gap between "we heard rumours" and "Treasury sent us IOCs at 7am" can be the difference between a routine patch cycle and a frantic incident response.
Drift is the uncomfortable backdrop to the announcement. The protocol was not brought down by a zero-day or a smart contract bug. Attackers spent nearly six months building rapport with contributors while posing as a quantitative trading firm, then exploited Solana's durable-nonces feature to trick Security Council members into pre-signing dormant transactions that silently transferred admin control when triggered. The stolen funds — routed through Circle's Cross-Chain Transfer Protocol within hours — have not been recovered. The attack has been attributed with medium confidence to UNC4736, the same DPRK-aligned cluster also tracked as AppleJeus, Citrine Sleet and Gleaming Pisces.
A threat-sharing feed would not have stopped the Drift social engineering campaign in its early stages. But it might have flagged the infrastructure the attackers used to stage the operation, or the on-chain fingerprints of CVT — the fabricated collateral token the group wash-traded into existence on 12 March — had US agencies been tracking that cluster and willing to share. That is the defence Treasury is trying to build: not a shield against individual exploits, but a mechanism for stopping campaigns from maturing inside infrastructure that clears hundreds of billions of dollars a day in stablecoin transfers.
The programme arrives in a week saturated with security anxiety. Anthropic's controlled release of its Mythos offensive-security model prompted an urgent meeting between Treasury Secretary Scott Bessent, Fed Chair Jerome Powell and the heads of five major Wall Street banks earlier this week over fears that model-assisted adversaries will find software vulnerabilities faster than human defenders can patch them. The Drift post-mortem was published three days ago. FinCEN and OFAC rolled out the first GENIUS Act AML rulemaking for stablecoin issuers the day before that. Treasury is, in effect, telling the crypto industry that regulation and threat-sharing are two faces of the same policy: if you want the upside of being treated like a bank, you get the downside too.
Not every firm will want to join. Participation requires meeting agency criteria that have not yet been spelled out in detail, and several people who have spoken to Treasury in the last forty-eight hours describe a vetting process that will include beneficial-ownership disclosures, security-maturity reviews and willingness to share breach data back up the pipeline. For firms domiciled outside the US or run by founders allergic to federal contact, that trade-off may be uncomfortable. For the large exchanges, custodians and stablecoin issuers that have spent the past three years lobbying for regulatory parity with banks, refusing the offer would look absurd.
The most telling line in the announcement was not from Wilson but from the framing itself. Treasury described the digital asset sector as "an increasingly important arm of the financial system." Five years ago that phrase would have been aspirational marketing. This week it is federal cybersecurity policy.
