Welcome back to Continuum Risk Update. Every Friday we pull the top Asia headlines on digital-asset regulation, cyber risk, industry moves and insurance signals, with concise takeaways and practical actions for insurers and corporate risk teams.
1) Regulatory
Four APAC jurisdictions set overlapping licensing deadlines in Q2 2026
Australia, Japan, Hong Kong, and South Korea are each rolling out new digital asset licensing and compliance regimes within a 90-day window this quarter. The most consequential single deadline falls in Australia, where parliament passed the Corporations Amendment (Digital Assets Framework) Bill on 1 April. Crypto platform operators must now hold an Australian Financial Services Licence, yet only around 10% of the roughly 400 registered platforms currently hold ASIC authorisation.
South Korea proposes ownership caps that could reshape exchange consolidation
The Financial Services Commission has proposed limiting single shareholders in crypto exchanges to 15-20% ownership. The rule would transform exchanges from founder-controlled entities into quasi-public infrastructure, and is now casting regulatory uncertainty over major pending transactions including the Naver-Dunamu merger and Mirae Asset’s Korbit acquisition. Legal experts suggest a transition window of five to ten years may be granted.
2) Hacking & Physical Risks
North Korean hackers continue to dominate state-backed crypto theft
North Korea’s Lazarus Group stole $2.02 billion in cryptocurrency in 2025, a 51% year-on-year increase, achieved with 74% fewer known attacks than prior years. The shift toward fewer, larger incidents culminated in the $1.5 billion Bybit breach in February 2025 — the largest single crypto theft on record. The group exploited a third-party wallet software vulnerability during a live fund transfer, laundering at least $160 million within 48 hours via DeFi protocols and bridge services. Lazarus operates a structured 45-day laundering cycle and relies heavily on Chinese-language OTC networks across the Asia-Pacific region.
Credential theft drives 60% of financial sector breaches; AI-powered fraud scaling fast
Stolen credentials remain the most efficient entry point for financial cybercrime in Asia, accounting for approximately 60% of attacks targeting financial firms. Ransomware continues to grow, with India and Japan among the highest-volume targets in the region. AI-powered fraud tooling is now accelerating attack scale: AI-driven spear-phishing messages are being reported as nearly three times more effective than conventional phishing. Crypto scams are increasingly targeting experienced investors and retired market professionals via trust-building schemes that exploit Web3 browser access within legitimate exchange apps.
3) Industry & Markets
Korean brokerages racing to acquire crypto exchange stakes
South Korean securities firms are aggressively consolidating with crypto exchanges as tokenised securities legislation stalls. Mirae Asset Group completed a 92% acquisition of Korbit for $92 million in February 2026, securing management control and a board seat. Korea Investment and Securities is now in early-stage discussions to acquire approximately a 20% stake in Coinone, South Korea’s third-largest exchange by volume. Separately, Naver Financial and Dunamu (operator of Upbit, the dominant Korean exchange) have approved a stock-swap merger that would create one of the most powerful digital asset platforms in Asia. Coinbase has also been reported to be exploring a Coinone acquisition.
Hong Kong consolidates position as Asia’s institutional digital asset hub
Hong Kong’s regulatory approach is diverging sharply from the rest of the region. The city has expanded permissible services for licensed virtual asset trading platforms, issued its first stablecoin licences, and advanced its A-S-P-I-Re governance framework. Major banks are applying for stablecoin licences. The HashKey On-Chain Finance Summit and the Hong Kong Web3 Festival in April 2026 are bringing together institutional investors, DeFi builders, and TradFi executives including representation from Standard Chartered, EY, and OSL to discuss programmable credit and real-world asset tokenisation. OSL has signalled that 2026 will see settlement infrastructure shift decisively toward regulated stablecoins and tokenised money.
4) Insurance Spotlight
Hong Kong Insurance Authority moves to allow insurers to invest in crypto
Hong Kong is set to become the first Asian jurisdiction to establish explicit rules permitting insurance companies to allocate capital into cryptocurrencies and regulated stablecoins. The Hong Kong Insurance Authority’s proposed framework applies a 100% risk charge to direct crypto holdings, meaning insurers must reserve a dollar in capital for every dollar invested. Stablecoins carry risk charges based on the underlying fiat peg. Public consultation ran from February through April 2026, with legislative submissions to follow. Japan, by contrast, currently excludes cryptocurrencies from eligible investment assets for insurers, though a 2026 reclassification remains under discussion.
APAC cyber insurance premiums tracking 25-28% CAGR through 2030
CyberCube analysis positions Asia-Pacific as one of the fastest-growing regions globally for cyber reinsurance, driven by lower current penetration rates against a backdrop of sharply rising incident frequency. Stricter data privacy and cybersecurity regulations across Singapore, Japan, South Korea, and emerging Southeast Asian frameworks are compelling organisations to seek coverage as part of licensing and compliance strategies. The DeFi protocols and Web3 platforms segment is projected to grow at the fastest rate within the crypto insurance sub-market, as on-chain application expansion increases smart contract, oracle, and governance exploit exposure.
