Japan’s Financial Services Agency delivered a watershed moment for cryptocurrency security on February 10, 2026, releasing a new framework policy draft that establishes mandatory cybersecurity standards for all registered cryptocurrency exchanges operating in the country. The announcement marks a decisive shift from asset-focused security to comprehensive ecosystem defense, acknowledging that cold wallet storage alone can no longer protect against the sophisticated threats targeting the digital asset industry.
The Threat Landscape
The FSA’s policy announcement comes at a time of escalating cyber threats against cryptocurrency infrastructure. According to a comprehensive defense-in-depth report published by Fireblocks on the same day, hackers stole over $3.4 billion worth of cryptocurrency in 2025 alone, with total stolen amounts since 2020 surpassing $17 billion. North Korea’s state-sponsored hacking operations account for three-quarters of all attacks on crypto platforms, with operations nearly five times larger on average than other threat actors.
The FSA specifically observed that while offline cold wallets protect assets from direct remote hacking, modern threat actors have adapted by targeting the human and operational infrastructure supporting digital asset management. The agency acknowledged that recent high-profile breaches in 2024 exposed vulnerabilities in employee training, phishing protocols, third-party vendor management, and data integrity protections.
Core Principles
The new regulatory framework introduces mandatory Cybersecurity Self-Assessments (CSSA) for all registered crypto exchanges. The CSSA requires exchanges to systematically evaluate multiple security domains: technical infrastructure, including wallet security and network architecture; human and operational risks, covering employee training and phishing protocols; third-party vendor management; and data integrity protections compliant with Japan’s Personal Information Protection Act.
The framework rests on three interconnected pillars designed to create a multi-layered defense system. The self-help pillar places primary responsibility on individual exchanges, requiring all registered platforms to conduct mandatory assessments starting in fiscal year 2026, which begins April 1. The mutual assistance pillar leverages collective intelligence through industry collaboration, strengthening the security committee functions of the Japan Virtual and Crypto Assets Exchange Association (JVCEA) while encouraging exchanges to actively share threat intelligence and attack patterns across the sector.
Tooling and Setup
Under the public help pillar, the FSA will continue the international joint blockchain research on emerging threats that began in fiscal year 2025, while involving the entire crypto exchange sector in the Delta Wall joint cybersecurity exercise for financial organizations within three years of the policy’s adoption. During fiscal year 2026, the FSA plans to conduct real penetration tests on specific operators and may hire ethical hackers to attempt intrusions into live exchange systems.
These authorized attacks will identify vulnerabilities before malicious hackers can exploit them, with findings shared confidentially to help affected exchanges patch weaknesses. This approach provides objective monitoring that complements self-assessments and raises the baseline security posture across the entire Japanese crypto industry.
Ongoing Vigilance
The FSA will accept public comments until March 11, giving exchanges and security experts three weeks to provide feedback before the regulations are finalized for implementation. The three-pillar structure creates accountability at every level: exchanges bear primary responsibility for their own security, the industry shares collective intelligence to raise standards, and governmental oversight provides testing and support.
With the cryptocurrency market experiencing a correction phase in early February 2026—Bitcoin trading at approximately $68,794, roughly 40 percent below its October 2025 peak—the timing of these regulations is particularly significant. Market downturns often correlate with increased attack activity as threat actors exploit operational distractions and reduced security staffing during restructuring periods.
Final Takeaway
Japan’s FSA has recognized a fundamental truth that the global crypto industry must confront: perimeter defenses and cold storage are necessary but insufficient. The mandatory cybersecurity framework establishes a precedent that other regulators are likely to follow, pushing exchanges toward a defense-in-depth approach that addresses human factors, supply chain risks, and institutional resilience alongside traditional technical safeguards. For exchanges operating in or connected to the Japanese market, compliance preparation should begin immediately.
Japan FSA taking the lead again. $3.4B stolen in 2025 alone and most exchanges still treat security as an afterthought. This framework is overdue.
Japan FSA has been ahead on exchange regulation since the Coincheck hack. cold wallet mandates weren't enough and they know it. this framework is overdue
the north korea stat is terrifying. 75% of all crypto platform attacks and 5x larger operations than other actors. state sponsored hacking is industrial scale now
Akira T. is right, the NK stats are staggering. 75% of all attacks and 5x the scale. this isn't hacking anymore, it's parallel state economy
cold wallets are necessary but not sufficient. anyone who says otherwise hasn't been paying attention to the Bybit hack