Looking to Buy a Crypto Business? Here’s What You Should Know

Purchasing a crypto company raises special issues around cybersecurity, data privacy and regulations, says one lawyer who knows.

AccessTimeIconMay 13, 2021 at 3:34 p.m. UTC
Updated May 9, 2023 at 3:19 a.m. UTC
AccessTimeIconMay 13, 2021 at 3:34 p.m. UTCUpdated May 9, 2023 at 3:19 a.m. UTC
AccessTimeIconMay 13, 2021 at 3:34 p.m. UTCUpdated May 9, 2023 at 3:19 a.m. UTC

The rapidly expanding crypto world has started to see an uptick in investments and M&A deals (and lofty valuations). Galaxy Digital acquired BitGo. Coinbase bought Routefire. Recently founded NYDIG is moving into mining through M&A. By some estimates, crypto M&A is a billion-dollar-plus business

Understanding the assets and revenue streams of target businesses is critical to capturing and realizing value in any equity investment or M&A deal – especially in crypto. Given the complexity and nuances of crypto businesses, this understanding requires a deep dive into a few key areas: cybersecurity, data privacy and regulations.  

Joe Castelluccio is a partner at Mayer Brown LLP and counsels clients on M&A, equity financings and other corporate and business matters.

While these issues are not unique to businesses in the crypto space, effective analysis and due diligence in this space is particularly complex and challenging.  


While every company in the world should be concerned about cyberattacks (for several reasons), businesses in the crypto space should be particularly focused on it. There are a host of negative effects that this kind of attack or breach can have. To name just a few:

  • Theft of data, trade secrets and/or other IP can result in a business’s “special sauce” being lost to competitors or bad actors 
  • Loss of trust can destroy future revenues and cause reputational damage that is difficult (or impossible) to repair
  • Attackers that are able to access bank account or crypto wallet information can reroute payments or currency, often to off-shore or untraceable accounts.

To guard against this, an acquirer must have a thorough understanding of the data, software and hardware that will move onto its network prior to joining together its and the target’s IT infrastructures. If the target’s systems are vulnerable, those vulnerabilities may transfer to the acquirer’s systems when they are integrated. If the acquirer cannot get a sufficient level of comfort regarding the target’s systems, other steps may be necessary (even if those steps result in delayed operational efficiency and synergies).

Even if an investor is only taking a minority equity stake in a target, there is potential for the target’s cyber risk to spread to its new owners – especially if there are business or commercial arrangements that accompany the investment.  And, of course, the physical and digital security of the digital assets themselves is critical to mitigating the risk of loss and theft.

Data collection and privacy

Another key part of due diligence in any investment or acquisition is determining what privacy policies – and restrictions – apply to a company’s data. These restrictions may thwart an efficient integration (in an acquisition) or monetization of data (in any deal), and limit the ways in which data may be used in future business plans.

A company’s right to use the data it collects is governed by the company’s privacy policies in effect at the time the data was collected and the applicable laws. This may include the laws of countries outside of a company’s home base.

An investor or acquirer cannot assume a target business’s data can be monetized without a thorough review of the policies under which the data was collected and stored. In addition, an investor or acquirer must also review the target’s compliance with its policies – in other words, how it functions day to day, not merely how it looks on paper.


The regulations that apply to cryptocurrency are numerous, overlapping, evolving and, in some cases, contradictory. In the U.S. alone, different states have taken vastly different approaches to regulating crypto.  

Colorado and Wyoming have encouraged crypto investment in their states and passed pro-crypto regulations, while New York has pursued cases and fines against crypto businesses for running afoul of its existing financial services regulations.  

While the U.S. federal government has been slow to adopt a broad regulatory position (other than selected enforcement actions, such as Ripple), the new chair of the U.S. Securities and Exchange Commission (SEC), Gary Gensler, said recently that a federal regulatory framework is needed for cryptocurrency exchanges in the U.S.  

All of this means the crypto regulatory environment will be a key concern for operators in this sector and those that look to buy into it. This will require both an understanding of the current, complicated landscape and a watchful eye on regulatory changes as they develop. 

If a crystal ball is not available, an experienced and thoughtful team of advisers is the next best thing.  

With the massive amount of attention being given to crypto by global companies, financial institutions and central banks, it’s no surprise that investment cash is flooding this space. For those investments to pay off – and prevent damaging ripple effects for investors and acquirers – it will be important to closely examine these key areas of the target business.  

Learn more about Consensus 2024, CoinDesk’s longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.

Read more about