
FPG Crypto Prime Broker Breached: $15-20 Million Stolen in Sophisticated Cyber Attack

The institutional cryptocurrency broker Floating Point Group (FPG) has fallen victim to a devastating cyber attack that resulted in the theft of between $15 million and $20 million in digital assets. The breach, which occurred on June 11, 2023, was disclosed to customers on June 14, sending shockwaves through the institutional crypto trading community and raising serious questions about the security posture of even SOC 2-certified platforms.

The Exploit Mechanics

While the full technical details of the attack remain under investigation, the breach was significant enough to force FPG to immediately suspend all platform activity. The company described the incident as a “cyber security event” and confirmed that the stolen amount ranged between $15 million and $20 million in cryptocurrencies. What makes this attack particularly concerning is that FPG had previously earned SOC 2 certification for its cybersecurity controls — a rigorous auditing standard developed by the American Institute of Certified Public Accountants (AICPA) that evaluates an organization’s security, availability, processing integrity, confidentiality, and privacy.

The fact that an institution with SOC 2 compliance was successfully breached underscores a growing reality in the crypto security landscape: certifications alone do not guarantee immunity from sophisticated attack vectors. Threat actors continue to evolve their methods, often exploiting gaps that traditional audit frameworks may not fully address. Bitcoin was trading at approximately $26,327 at the time of the breach, with Ethereum hovering around $1,717, meaning the stolen funds represented a substantial sum in the context of a mid-size institutional broker.

Affected Systems

FPG operated as a prime brokerage serving institutional clients in the cryptocurrency markets. The platform provided critical infrastructure for professional traders and institutional investors who needed reliable execution, custody integration, and risk management tools. The attack forced a complete halt to all services, meaning clients could not access their positions, execute trades, or manage their portfolios during a critical market period.

The timing of the breach was particularly damaging, as it coincided with heightened regulatory scrutiny across the crypto industry. The U.S. Securities and Exchange Commission had recently filed lawsuits against both Binance and Coinbase, and market sentiment was already fragile. The FPG incident added another layer of uncertainty for institutional participants who were already questioning the operational resilience of crypto service providers.

The Mitigation Strategy

In response to the attack, FPG took several immediate steps. The company engaged law enforcement at the highest levels, confirming it was working directly with the Federal Bureau of Investigation (FBI), the Department of Homeland Security (DHS), and blockchain analytics firm Chainalysis to trace and potentially recover the stolen funds. The involvement of multiple federal agencies suggests the attack may have had cross-jurisdictional implications or involved sophisticated money laundering techniques.

FPG also committed to keeping its clients informed through regular updates, though the full scope of the attack and the specific attack vector have not been publicly disclosed. The company emphasized its cooperation with regulators throughout the investigation process.

Lessons Learned

The FPG breach offers several critical lessons for the cryptocurrency industry. First, SOC 2 certification, while valuable, should be viewed as a baseline rather than a ceiling for security standards. Organizations must continuously invest in threat detection, incident response capabilities, and real-time monitoring beyond what any static audit can capture. Second, the incident highlights the systemic risk inherent in centralized crypto infrastructure — when a single platform fails, all of its clients are simultaneously affected.

Third, FPG appears to have detected and disclosed the breach relatively swiftly, with the attack occurring on June 11 and disclosure following on June 14. This three-day window, while not ideal, is shorter than in many crypto breaches, where months have passed before detection. The prompt engagement of federal authorities and blockchain analytics firms may improve the chances of fund recovery.

User Action Required

For institutional investors and traders who used FPG’s platform, the immediate priority is to monitor official communications from the company regarding the fund recovery process. Clients should document all positions, balances, and transactions that were active at the time of the breach. Additionally, any API keys, credentials, or integration points connected to FPG should be rotated immediately as a precaution against potential credential compromise.

More broadly, institutions operating in the crypto space should use this incident as a catalyst to re-evaluate their counterparty risk management frameworks. Diversifying across multiple prime brokers, maintaining independent custody solutions, and implementing real-time security monitoring are no longer optional — they are essential components of responsible institutional participation in digital asset markets.

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Readers should conduct their own research before making any investment decisions.


10 thoughts on “FPG Crypto Prime Broker Breached: $15-20 Million Stolen in Sophisticated Cyber Attack”

  1. SOC 2 certified and still got popped for $20M. those audits are theater half the time, just checkbox compliance

      1. a week of silence with customer funds locked. that's not a security incident, that's a coverup until proven otherwise

  2. institutions keep learning the same lesson. your custodian gets breached, you lose everything. self custody exists for a reason

    1. ^ self custody is the answer until your ledger breaks and you realize you need exchanges for on-ramps. it's not binary

    2. self_custody_believer

      institutions keep learning the same lesson. custodians get breached, self custody is the answer

  3. the AICPA needs to overhaul what SOC 2 actually tests. knowing a breach happened under a certified system tells you the gaps are systemic
