There’s a classic Saturday Night Live sketch where Chevy Chase and Gilda Radner pitch “Shimmer”—a product that’s both a floor wax and a dessert topping. The joke works because the product refuses to be one thing.
Crypto has exactly that problem—and unlike Shimmer, the consequences aren’t funny.
Depending on context, crypto is an investment, a payment system, a speculative asset, and a piece of critical infrastructure. Each lens is accurate, and each one produces a different risk model. The challenge—regulatory and security—is that we keep trying to treat it as only one of those things at a time.
We’ve seen pieces of this before. At the speculative end, crypto sometimes behaves like Tulip Mania or the Beanie Babies market—value driven by hype, scarcity narratives, and momentum rather than underlying fundamentals. That creates familiar risks: Manipulation, insider advantage, and inevitable collapses.
But crypto is not just a collectible bubble. It also functions as money and infrastructure, and that changes everything.
A useful early example is e-Gold, a late-1990s system that allowed users to transfer value globally using gold-backed digital units. It predated blockchain, but it raised the same issues: Borderless transfers, pseudonymity, and the absence of traditional intermediaries. Regulators struggled to categorize it and ultimately regulated its function as a money-transfer system. That approach worked—but only after significant damage and uncertainty.
Today, crypto is far larger, more complex, and deeply embedded in financial and technical ecosystems. The SEC’s 2026 guidance—Commission Statement on Certain Crypto Asset Activities, Securities Act Release No. 33-11412 (2026)—reflects that reality. The Commission is no longer treating crypto as experimental. It is treating it as part of the system.
That shift is important. But for cybersecurity professionals, the more urgent issue is not classification—it is risk of loss.
Because crypto changes a fundamental assumption that underlies modern financial security: That losses can be reversed, allocated, or insured.
In traditional electronic payments, that assumption is codified in the Electronic Fund Transfer Act and its implementing rule, Regulation E, 12 C.F.R. Part 1005.
If your debit card is stolen or your bank account is compromised, your liability is limited—often to $50 or less if reported promptly. Financial institutions must investigate unauthorized transactions and, in many cases, reimburse the customer.
That framework does more than protect consumers. It shapes the entire security ecosystem. Banks invest heavily in fraud detection, anomaly monitoring, and customer authentication because they bear the financial risk. Security is centralized, professionalized, and backed by regulatory obligations.
Crypto flips that model.
Most crypto transactions fall outside Regulation E. There is typically no “financial institution” in the statutory sense, no centralized intermediary with reimbursement obligations, and no mandated dispute resolution process. The blockchain records the transaction as valid if it is cryptographically signed—regardless of whether it was induced by fraud, coercion, or error.
The result is a radically different allocation of risk.
Losses in crypto are often final.
From a cybersecurity standpoint, that creates a perfect environment for attackers. The combination of irreversible transactions, pseudonymity, and global accessibility makes crypto uniquely attractive for both theft and monetization.
Consider the primary attack vectors.
Private key compromise remains the most direct path to loss. If an attacker obtains a user’s private key—through phishing, malware, or poor key management—they effectively control the assets. There is no secondary authentication layer imposed by the network itself. The cryptographic signature is the authorization.
Phishing and social engineering have evolved to exploit this. Instead of stealing passwords, attackers now trick users into revealing seed phrases or signing malicious transactions. Wallet interfaces can be spoofed. Approval prompts can be manipulated. The user believes they are interacting with a legitimate application; in reality, they are authorizing their own loss.
Smart contract vulnerabilities introduce another class of risk. Bugs in contract code can be exploited to drain funds, often at scale. Unlike traditional software vulnerabilities, these exploits are immediately monetizable. A flaw is not just a technical issue—it is a direct path to financial loss, often executed in minutes.
Bridges and cross-chain systems are particularly vulnerable. They concentrate large amounts of value and rely on complex logic to maintain consistency across networks. Many of the largest crypto thefts have targeted these systems, exploiting design flaws or insufficient validation mechanisms.
Ransomware adds yet another dimension. Crypto’s characteristics—speed, irreversibility, and relative anonymity—make it the preferred payment mechanism for extortion. Organizations face a stark choice: Pay in crypto or risk operational disruption. Even when law enforcement is involved, recovery is uncertain and often partial at best.
All of these risks are amplified by the absence of a Regulation E–style safety net.
In traditional finance, a successful attack often triggers a reimbursement process. In crypto, it typically results in a loss event that is borne entirely by the victim. There is no chargeback, no mandatory investigation, and no guaranteed recourse.
That changes user behavior—but not always in productive ways. Instead of relying on institutional controls, users are expected to manage their own security: safeguarding private keys, verifying transactions, understanding smart contract interactions, and recognizing sophisticated phishing attempts. In effect, every user becomes their own bank—and their own security team.
For most people, that is an unrealistic expectation.
The SEC’s 2026 guidance acknowledges that crypto is now mainstream, but it does not—and arguably cannot—fully address this risk allocation problem. Securities regulation is designed to ensure disclosure and prevent fraud in capital formation. It is not designed to handle operational security failures, key management errors, or protocol-level exploits.
That leaves a significant gap.
Some of that gap is being filled by private solutions: Custodial services, insurance products, multi-signature wallets, and improved user interfaces. But these are uneven and, in many cases, optional. They do not replicate the baseline protections that Regulation E provides in traditional finance.
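The two points above, that the network accepts any transfer whose signature verifies (the "signature is the authorization" problem described under private key compromise) and that a multi-signature policy is one of the private mitigations, can be shown with a toy append-only ledger. The code below is an added example written for this page; it is not from the article, from any real chain, or from the SEC guidance. It assumes a simplified transfer format and account model (names like `Open`, `Apply`, `Scenario` and the 2-of-3 "treasury" account are invented for illustration) and uses Ed25519 from the Go standard library. The ledger deliberately has no reverse or chargeback function, because that is the property the article is describing.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Transfer is the message that gets signed. Constructed for this example;
// real chains serialize far more (nonce, chain id, fees).
type Transfer struct {
	From   string
	To     string
	Amount uint64
}

func (t Transfer) bytes() []byte {
	var amt [8]byte
	binary.BigEndian.PutUint64(amt[:], t.Amount)
	return append([]byte(t.From+"->"+t.To+":"), amt[:]...)
}

// Account holds a balance and an authorization policy: at least Threshold
// of Owners must sign. One owner with Threshold 1 is the ordinary wallet.
type Account struct {
	Balance   uint64
	Owners    []ed25519.PublicKey
	Threshold int
}

// Ledger is append-only: there is intentionally no reverse() method.
type Ledger struct{ accounts map[string]*Account }

func NewLedger() *Ledger { return &Ledger{accounts: map[string]*Account{}} }

func (l *Ledger) Open(name string, balance uint64, threshold int, owners ...ed25519.PublicKey) {
	l.accounts[name] = &Account{Balance: balance, Owners: owners, Threshold: threshold}
}

func (l *Ledger) Balance(name string) uint64 { return l.accounts[name].Balance }

// Apply validates a transfer the way a network does: count owner keys whose
// signature verifies over the message, compare to the threshold, check
// funds. Nothing asks who holds the key or whether the signer was phished.
// sigs is indexed like Owners; a missing signature is nil.
func (l *Ledger) Apply(t Transfer, sigs [][]byte) error {
	src, ok := l.accounts[t.From]
	if !ok {
		return errors.New("unknown source account")
	}
	if _, ok := l.accounts[t.To]; !ok {
		return errors.New("unknown destination account")
	}
	msg, approved := t.bytes(), 0
	for i, pub := range src.Owners {
		if i < len(sigs) && sigs[i] != nil && ed25519.Verify(pub, msg, sigs[i]) {
			approved++
		}
	}
	if approved < src.Threshold {
		return fmt.Errorf("need %d valid owner signatures, got %d", src.Threshold, approved)
	}
	if src.Balance < t.Amount {
		return errors.New("insufficient funds")
	}
	src.Balance -= t.Amount
	l.accounts[t.To].Balance += t.Amount
	return nil
}

// Outcome records what the ledger did in each step of Scenario.
type Outcome struct {
	SingleKeyErr, MultisigOneKeyErr, MultisigTwoKeysErr error
	SingleKeyBalance, MultisigBalance                    uint64
}

func keypair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Scenario: a single leaked key moves the whole balance and the ledger
// offers no recourse; one leaked key out of a 2-of-3 set moves nothing;
// the legitimate 2-of-3 holders can still spend.
func Scenario() Outcome {
	l := NewLedger()
	alicePub, alicePriv := keypair() // assume this key has leaked to an attacker
	k1Pub, k1Priv := keypair()
	k2Pub, k2Priv := keypair()
	k3Pub, _ := keypair()
	attackerPub, _ := keypair()
	l.Open("alice", 100, 1, alicePub)
	l.Open("treasury", 100, 2, k1Pub, k2Pub, k3Pub)
	l.Open("attacker", 0, 1, attackerPub)

	var out Outcome
	t1 := Transfer{From: "alice", To: "attacker", Amount: 100}
	out.SingleKeyErr = l.Apply(t1, [][]byte{ed25519.Sign(alicePriv, t1.bytes())})
	out.SingleKeyBalance = l.Balance("alice")
	t2 := Transfer{From: "treasury", To: "attacker", Amount: 100}
	out.MultisigOneKeyErr = l.Apply(t2, [][]byte{ed25519.Sign(k1Priv, t2.bytes()), nil, nil})
	t3 := Transfer{From: "treasury", To: "alice", Amount: 10}
	out.MultisigTwoKeysErr = l.Apply(t3, [][]byte{ed25519.Sign(k1Priv, t3.bytes()), ed25519.Sign(k2Priv, t3.bytes()), nil})
	out.MultisigBalance = l.Balance("treasury")
	return out
}

func main() {
	o := Scenario()
	fmt.Printf("leaked single key: err=%v, alice balance=%d\n", o.SingleKeyErr, o.SingleKeyBalance)
	fmt.Printf("one of three treasury keys: err=%v\n", o.MultisigOneKeyErr)
	fmt.Printf("legitimate 2-of-3 spend: err=%v, treasury balance=%d\n", o.MultisigTwoKeysErr, o.MultisigBalance)
}
```

The design point is in `Apply`: the only question the ledger asks is whether enough valid signatures are present. There is no field for "the signer was deceived" and no path to undo a committed transfer, so the threshold policy is the control that has to do the work Regulation E does elsewhere.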
From a policy perspective, the question is not whether crypto should be regulated. It already is, in fragments. The question is whether the regulatory framework will evolve to address the full spectrum of risk—particularly the risk of loss.
Because right now, crypto operates in a hybrid state.
It has the scale and integration of mainstream finance. It has the speculative dynamics of historical bubbles like tulips and Beanie Babies. And it has a security model that places extraordinary responsibility on individual users without providing commensurate protection.
That combination is unstable.
If Shimmer taught us anything, it is that trying to force a multi-function product into a single category leads to confusion. In crypto, that confusion translates into real losses—often permanent ones.
Until regulation, technology, and user protections align more closely, the reality is straightforward.
In crypto, security is not just a feature.
It is the difference between having assets—and having had them.