Unpatched Software Now Tops Breach Vectors: What This Means for Neobanks Weighing In-House Crypto Desks

For nineteen years, the most common way hackers breached organisations was a stolen password. That ended in 2025. Verizon's 2026 Data Breach Investigations Report reveals that vulnerability exploitation has surpassed stolen credentials as the top breach entry point. Exploitation of software flaws (31%) has overtaken credential abuse for the first time, with AI compressing the time from disclosure to attack from months to hours.
The financial services sector mirrors this shift. Nearly a third (31%) of all breaches now start with vulnerability exploitation, the first time in 19 years that it has surpassed stolen credentials as the biggest point of entry. For neobanks considering an in-house crypto OTC desk, the implication is direct: crypto infrastructure is not a product feature you ship once; it's an attack surface you inherit permanently.
Most striking in the DBIR are the statistics showing vulnerability exploitation to be the most common initial access vector for breaches last year. Meanwhile, only 26% of critical vulnerabilities were fully remediated by organisations, compared to 38% the previous year. Median resolution time increased by two weeks (43 days, up from 32 in 2024), and organisations had 50% more critical bugs to patch than last year.
This is not a patching problem that money solves. It's a velocity problem that headcount barely addresses. In 2024, more than 40,000 common vulnerabilities and exposures (CVEs) were published, marking a 38% increase from the 28,818 reported in 2023. A crypto OTC desk adds wallet infrastructure, signing systems, settlement engines, custody integrations, and real-time pricing APIs, each component introducing its own dependency trees, each dependency introducing its own vulnerabilities.
The signing systems and any wallet software must be kept up-to-date with security patches. Patches should be applied much more frequently than for other systems. This isn't guidance for optional hardening; it's the baseline expectation for anyone operating institutional crypto infrastructure. The question for neobank CTOs is whether their teams can sustain this cadence while simultaneously maintaining core banking systems, mobile applications, and compliance tooling.
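The remediation figures above (share of criticals fully remediated, median days to resolve) and the tighter cadence demanded for signing and wallet systems are both things a desk can measure from its own vulnerability backlog. The following is an added example, not code from the article or from any vendor it names: it computes those two metrics over a constructed backlog and flags findings that have exceeded a tiered SLA. The tier values (7, 14 and 30 days), the finding ids and the component names are assumptions chosen for illustration, not values from the DBIR.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

# Assumed remediation targets in days, per asset tier. The DBIR reports a
# 43-day median across organisations; signing and wallet hosts get far less.
SLA_DAYS = {
    "signing": 7,       # signer hosts, HSM front-ends, wallet software
    "crypto-core": 14,  # settlement engine, custody integration, pricing feed
    "general": 30,      # the rest of the estate (mobile backend, edge, etc.)
}


@dataclass
class Finding:
    fid: str                     # tracker id; constructed placeholder, not a real CVE
    component: str
    tier: str                    # key into SLA_DAYS
    severity: str                # "critical", "high", ...
    disclosed: date              # date the vulnerability became known to us
    remediated: Optional[date] = None   # None means still open


def age_days(f: Finding, as_of: date) -> int:
    """Days from disclosure to remediation, or to `as_of` if still open."""
    end = f.remediated or as_of
    return (end - f.disclosed).days


def critical_stats(findings, as_of: date) -> dict:
    """Share of critical findings fully remediated and median days to close them."""
    crit = [f for f in findings if f.severity == "critical"]
    closed = [f for f in crit if f.remediated is not None]
    share = len(closed) / len(crit) if crit else 0.0
    med = median(age_days(f, as_of) for f in closed) if closed else None
    return {"critical": len(crit), "remediated_share": share, "median_days": med}


def sla_breaches(findings, as_of: date) -> list:
    """Ids of findings, open or closed, whose age exceeded their tier's SLA."""
    return [f.fid for f in findings if age_days(f, as_of) > SLA_DAYS[f.tier]]


# Constructed sample backlog for a desk with a few crypto and non-crypto systems.
SAMPLE = [
    Finding("F-001", "hsm-signer", "signing", "critical", date(2025, 6, 1), date(2025, 6, 5)),
    Finding("F-002", "wallet-daemon", "signing", "critical", date(2025, 6, 3)),
    Finding("F-003", "settlement-engine", "crypto-core", "critical", date(2025, 5, 10), date(2025, 6, 20)),
    Finding("F-004", "pricing-api", "crypto-core", "high", date(2025, 6, 10), date(2025, 6, 18)),
    Finding("F-005", "mobile-backend", "general", "critical", date(2025, 5, 1), date(2025, 6, 14)),
    Finding("F-006", "edge-firewall", "general", "critical", date(2025, 4, 1)),
]
AS_OF = date(2025, 6, 30)

if __name__ == "__main__":
    print(critical_stats(SAMPLE, AS_OF))
    print("over SLA:", sla_breaches(SAMPLE, AS_OF))
```

Run against the sample, the signer host closed in four days passes its 7-day tier while the open wallet daemon, the settlement engine and both general-tier criticals are flagged; the point of the tiered table is that a 41-day median that looks acceptable estate-wide still hides breaches on the components the article singles out.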
The third-party dimension compounds the problem. Third-party supply chain breaches jumped 60% year-over-year, now accounting for 48% of total breaches. Even neobanks that partner rather than build are exposed to vendor risk, but building in-house means becoming that vulnerable third party, with all the infrastructure obligations that entails.
The Marquis Software Solutions breach illustrates what concentrated vendor risk looks like in practice. Marquis Software Solutions, a widely used data analytics and marketing provider for banks and credit unions, confirmed a ransomware attack that exposed sensitive customer information across more than 70 financial institutions. Attackers gained access through a SonicWall firewall vulnerability, exfiltrated data from Marquis's systems, and triggered a wave of state-level breach notifications. The breach impacted 788,000 customers of banks and credit unions. A single unpatched firewall at a single vendor created an industry-wide exposure event.
Crypto infrastructure is particularly unforgiving. The defining moment of 2025 came in February, when Bybit suffered what is widely considered the largest crypto theft ever recorded. Hackers stole approximately $1.4 to $1.5 billion worth of Ethereum from the exchange's cold wallet infrastructure. Attackers exploited a vulnerability in a third-party wallet system and manipulated transaction approvals, effectively tricking authorised signers into approving malicious transfers. This attack shattered a long-held assumption in crypto: that cold wallets are inherently safe. The incident showed that even offline storage can be compromised if the surrounding infrastructure or user interface is manipulated.
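The failure mode just described is a signer approving a payload that differs from what the interface displays. The defensive control is for each signer to recompute, from the trade ticket received out of band, the digest they expect to sign and to refuse when the signing interface presents a different one. The block below is an added illustration, not Bybit's or any wallet vendor's code, and it uses a simplified ticket format with constructed addresses and amounts rather than any real chain's transaction encoding; the field names are assumptions.

```python
import hashlib
import hmac
import json


def canonical_digest(payload: dict) -> str:
    """SHA-256 over a canonical JSON encoding (sorted keys, no whitespace).
    Simplified stand-in for a chain's real signing-hash scheme."""
    raw = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()


def review(expected_ticket: dict, ui_view: dict, presented_digest: str) -> dict:
    """A signer's pre-signing check.

    expected_ticket: the trade ticket the signer received out of band
    ui_view:         the fields the signing interface renders on screen
    presented_digest: the digest the interface actually asks the signer to sign
    The display can match while the digest does not; approval needs both."""
    display_ok = ui_view == expected_ticket
    digest_ok = hmac.compare_digest(canonical_digest(expected_ticket), presented_digest)
    return {"display_matches": display_ok, "digest_matches": digest_ok,
            "approve": display_ok and digest_ok}


def quorum(expected_ticket: dict, ui_view: dict, presented_digest: str, signers: int, needed: int) -> bool:
    """Approval only if at least `needed` of `signers` independent reviews pass."""
    passes = sum(review(expected_ticket, ui_view, presented_digest)["approve"] for _ in range(signers))
    return passes >= needed


# Constructed sample: a legitimate ticket and a tampered copy with a different destination.
TICKET = {"chain_id": 1, "asset": "ETH", "amount_wei": 5_000_000_000_000_000_000,
          "to": "0x" + "ab" * 20, "nonce": 17}
TAMPERED = dict(TICKET, to="0x" + "cd" * 20)

# Honest interface: renders the ticket and asks for its digest.
honest = review(TICKET, TICKET, canonical_digest(TICKET))
# Manipulated interface: renders the ticket but hands the signer the tampered digest.
manipulated = review(TICKET, TICKET, canonical_digest(TAMPERED))

if __name__ == "__main__":
    print("honest:", honest)
    print("manipulated:", manipulated)
```

The manipulated case is the instructive one: `display_matches` is true, which is all a signer looking at the screen would see, and only the recomputed digest exposes the substitution. The check has to run on a device the signing interface does not control, otherwise the same compromise that altered the display can alter the comparison.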
The operational profile of an in-house crypto desk diverges sharply from core banking systems. Not every OTC crypto exchange operates 24/7. Some desks follow traditional banking hours, while others offer automated quoting around the clock. If you trade during volatile weekends, you need an OTC crypto exchange that never sleeps. This 24/7 requirement creates continuous exposure that traditional banking hours never imposed. Vulnerabilities disclosed on a Saturday must be patched on a Saturday, or risk exploitation before Monday's standup.
More often than not, neobanks can't afford to spend much on security or hire a full-time cybersecurity team. This is a serious problem, and in a number of countries it prevents startups from being licensed. The security staffing gap is structural, not circumstantial. Neobanks optimise engineering resources for customer-facing features, onboarding flows, and product velocity, not for the specialised security operations that crypto infrastructure demands.
Building internally means taking responsibility for every layer of the OTC desk: trading interface, pricing engine, liquidity connectivity, user permissions, reporting, uptime, security, compliance integrations, and ongoing product support. For many businesses, the bigger challenge is not launching a basic interface, but building the infrastructure required to operate reliably at institutional scale. OTC trading depends on execution quality, speed, price consistency, settlement discipline, and operational control. If these elements are not in place, the desk may struggle to serve larger clients even if demand exists.
The patching calculus is unforgiving. FinServe firms accelerated remediation in 2025, shaving 19 days off critical vulnerability remediation to achieve a 36-day average. That's the benchmark for well-resourced financial services firms with dedicated security operations. A neobank adding crypto infrastructure to an already-stretched engineering organisation is unlikely to match it.
This year's Verizon DBIR confirms what security teams are already experiencing: AI has compressed the time between vulnerability discovery and exploitation from months to hours. Companies can't defend against that reality with periodic assessments and siloed tools. To keep pace, organisations need continuous visibility into vulnerabilities, vendors, and employee AI usage, and the ability to act on that intelligence before attackers can.
The decision to build an in-house crypto OTC desk is not primarily a product strategy question. It's a security resourcing question. What systems will you add to your patching queue? What dependencies will you now monitor? What signing infrastructure will require 24/7 hardening? And critically: which existing priorities will lose engineering cycles to accommodate this new surface area?
Neobanks have built competitive advantages on lean operations and focused engineering. Crypto expansion is appealing because customers want it. But the vulnerability data suggests a different calculus: in a threat environment where unpatched software has become the primary breach vector, every system you build is a system you must defend. The question isn't whether your team can launch a crypto desk. It's whether your team can secure one, continuously, indefinitely, at velocity, while still delivering everything else your customers and regulators expect.
References
[1] Verizon 2026 Data Breach Investigations Report
[3] Synack 2026 State of Vulnerabilities Report: Industry Insights