What Happens If An Insured Custodian Is Hacked?

Updated July 13, 2026 6 min read

The word “insured” attached to a custodian sounds reassuring, but insurance in crypto custody rarely means what it means at a bank, and the gap between the two is where a lot of confusion starts after a breach.

The short answer

When an insured crypto custodian is hacked, the insurance policy usually covers only a defined slice of assets, up to a stated limit, and typically applies to specific causes like theft of private keys rather than every possible loss. Payouts are not instant — claims go through an investigation and adjustment process that can take months, and many policies cap total payouts well below the full value of assets held.

What “insured” actually covers

Custodian insurance policies are usually purchased from private insurers, not a government program, and they’re built more like a commercial crime or theft policy than deposit insurance. Coverage generally names specific triggers — external hacking, employee theft, or physical loss of private keys, for example — and excludes others, including client-side mistakes, phishing aimed at the end user rather than the custodian, and ordinary market losses. It’s worth understanding what private insurance on an exchange actually protects before assuming a policy covers a given scenario, since the details vary a great deal between providers.

Why coverage limits matter more than the word “insured”

How a claim actually plays out

After a breach, the custodian typically has to document the incident, work with the insurer’s investigators to confirm the cause fits a covered event, and only then begin the claims process. That’s a materially different timeline from what many customers imagine — funds aren’t automatically replaced the day a hack is disclosed. Investigations into how a breach occurred, whether it matches a covered peril, and how much was actually lost can stretch on for months, and if the loss exceeds the policy’s limits, remaining customers may be paid on a pro-rata basis rather than made whole.

Why this differs from bank or brokerage protection

Crypto held with a custodian doesn’t carry FDIC insurance the way a bank deposit does, and it generally doesn’t carry SIPC coverage the way assets at a securities brokerage do, even when a policy uses the word “insured.” Those government-backed programs have statutory limits and a well-defined claims process; private crime insurance for a custodian is a commercial contract between two private parties, and its terms can be far narrower than customers assume.

The bottom line

Anyone relying on a custodian’s insurance as a safety net is generally better off reading the actual policy summary, if the custodian publishes one, rather than trusting the word “insured” alone — checking whether the policy covers external hacks specifically, what the aggregate limit is relative to total assets held, and how claims have historically played out. Custody arrangements are also shaped by how private keys are actually held and secured, since who controls the keys often determines who bears a loss first. “Insured” does not mean “made whole no matter what,” and a hack at an insured custodian can still leave account holders waiting months for a partial recovery rather than an immediate, full one.