Looking to Buy a Crypto Business? Here’s What You Should Know

Purchasing a crypto company raises special issues around cybersecurity, data privacy and regulations, says one lawyer who knows.

AccessTimeIconMay 13, 2021 at 3:34 p.m. UTC
Updated May 9, 2023 at 3:19 a.m. UTC
10 Years of Decentralizing the Future
May 29-31, 2024 - Austin, TexasThe biggest and most established global event for everything crypto, blockchain and Web3.Register Now

The rapidly expanding crypto world has started to see an uptick in investments and M&A deals (and lofty valuations). Galaxy Digital acquired BitGo. Coinbase bought Routefire. Recently founded NYDIG is moving into mining through M&A. By some estimates, crypto M&A is a billion-dollar-plus business

Understanding the assets and revenue streams of target businesses is critical to capturing and realizing value in any equity investment or M&A deal – especially in crypto. Given the complexity and nuances of crypto businesses, this understanding requires a deep dive into a few key areas: cybersecurity, data privacy and regulations.  

  • Blockchain for Europe Secretary General on State of Global Crypto Regulation
    Blockchain for Europe Secretary General on State of Global Crypto Regulation
  • Aptos' APT Token Down 52% in April After Booming March: VanEck
    Aptos' APT Token Down 52% in April After Booming March: VanEck
  • Key Events You Shouldn't Miss at Consensus 2024
    Key Events You Shouldn't Miss at Consensus 2024
  • What to Expect From Consensus 2024
    What to Expect From Consensus 2024
  • Joe Castelluccio is a partner at Mayer Brown LLP and counsels clients on M&A, equity financings and other corporate and business matters.

    While these issues are not unique to businesses in the crypto space, effective analysis and due diligence in this space is particularly complex and challenging.  


    While every company in the world should be concerned about cyberattacks (for several reasons), businesses in the crypto space should be particularly focused on it. There are a host of negative effects that this kind of attack or breach can have. To name just a few:

    • Theft of data, trade secrets and/or other IP can result in a business’s “special sauce” being lost to competitors or bad actors 
    • Loss of trust can destroy future revenues and cause reputational damage that is difficult (or impossible) to repair
    • Attackers that are able to access bank account or crypto wallet information can reroute payments or currency, often to off-shore or untraceable accounts.

    To guard against this, an acquirer must have a thorough understanding of the data, software and hardware that will move onto its network prior to joining together its and the target’s IT infrastructures. If the target’s systems are vulnerable, those vulnerabilities may transfer to the acquirer’s systems when they are integrated. If the acquirer cannot get a sufficient level of comfort regarding the target’s systems, other steps may be necessary (even if those steps result in delayed operational efficiency and synergies).

    Even if an investor is only taking a minority equity stake in a target, there is potential for the target’s cyber risk to spread to its new owners – especially if there are business or commercial arrangements that accompany the investment.  And, of course, the physical and digital security of the digital assets themselves is critical to mitigating the risk of loss and theft.

    Data collection and privacy

    Another key part of due diligence in any investment or acquisition is determining what privacy policies – and restrictions – apply to a company’s data. These restrictions may thwart an efficient integration (in an acquisition) or monetization of data (in any deal), and limit the ways in which data may be used in future business plans.

    A company’s right to use the data it collects is governed by the company’s privacy policies in effect at the time the data was collected and the applicable laws. This may include the laws of countries outside of a company’s home base.

    An investor or acquirer cannot assume a target business’s data can be monetized without a thorough review of the policies under which the data was collected and stored. In addition, an investor or acquirer must also review the target’s compliance with its policies – in other words, how it functions day to day, not merely how it looks on paper.


    The regulations that apply to cryptocurrency are numerous, overlapping, evolving and, in some cases, contradictory. In the U.S. alone, different states have taken vastly different approaches to regulating crypto.  

    Colorado and Wyoming have encouraged crypto investment in their states and passed pro-crypto regulations, while New York has pursued cases and fines against crypto businesses for running afoul of its existing financial services regulations.  

    While the U.S. federal government has been slow to adopt a broad regulatory position (other than selected enforcement actions, such as Ripple), the new chair of the U.S. Securities and Exchange Commission (SEC), Gary Gensler, said recently that a federal regulatory framework is needed for cryptocurrency exchanges in the U.S.  

    All of this means the crypto regulatory environment will be a key concern for operators in this sector and those that look to buy into it. This will require both an understanding of the current, complicated landscape and a watchful eye on regulatory changes as they develop. 

    If a crystal ball is not available, an experienced and thoughtful team of advisers is the next best thing.  

    With the massive amount of attention being given to crypto by global companies, financial institutions and central banks, it’s no surprise that investment cash is flooding this space. For those investments to pay off – and prevent damaging ripple effects for investors and acquirers – it will be important to closely examine these key areas of the target business.  


    Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

    CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.

    Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.

    Read more about