Risk Factors Dashboard

Once a year, publicly traded companies issue a comprehensive report of their business, called a 10-K. A component mandated in the 10-K is the ‘Risk Factors’ section, where companies disclose any major potential risks that they may face. This dashboard highlights all major changes and additions in new 10K reports, allowing investors to quickly identify new potential risks and opportunities.

View risk factors by ticker

Search filings by term

Risk Factors - BKKT

-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing

Item 1A. Risk Factors - Risks Related to Our Business, Finances and Operations”.

Revenue Model

We primarily generate transaction revenue from digital asset buy/sell transactions, where we charge a fee on both legs of the transaction.

Growth Strategy

We go to market using a platform strategy, driven by our clients. We partner with leading companies and expect to grow customers on our platform through those relationships, in addition to our direct institutional clients. These clients include Swan Bitcoin, Nexo, Blockchain.com, Blockwire, Oobit and Longbridge.

As part of this approach, we have developed our platform to be flexible and scalable to accommodate how different clients may want to implement our solutions. Depending on each client’s specific needs and objectives, that client can choose to add one, some or all of our capabilities, and can also choose the manner in which those capabilities are enabled. Clients can choose to fully or partially embed our capabilities directly through Bakkt-hosted user interfaces.

We believe our growth will come from adding clients and correspondingly, their customers, and increasing transaction activity as well as strategic acquisitions.

Our growth strategies include the following:

•Adding clients. We are focused on continuing to build strong client relationships. We believe acquiring customers through our clients is an efficient and scalable way to grow our business. BFS has significantly expanded our digital asset client base into a number of new and rapidly growing client verticals, such as fintechs, trading and brokerage platforms.

•Adding customers. We are focused on activating our existing clients and supporting our clients in marketing campaigns to drive new customer acquisition and engagement of existing customers.

•Expanding our offering. We launched entity support and refined our core capabilities. We enhanced the KYC/AML workflows and engines through our cooperation agreement with DTR utilizing their modernized and highly compliant tech stack.

Over time, we expect to continue to invest in our business to provide best-in-class products and services. Some of those longer-term planned enhancements include:

•Digital asset enhancements. We expect to expand our digital asset capabilities to products and services that we believe will appeal to both our clients and customers. By increasing the acceptance of digital asset investing in the

-23-

professional retail trading space, we believe that these additional products can further increase interest in digital assets generally among retail consumers, which will ultimately benefit our platform. For example, our proposed acquisition of DTR and the launch of a new trading platform with advanced capabilities.

•Evaluate additional strategic acquisitions. We will continue to be opportunistic and evaluate strategic acquisitions that have compelling benefits for our business.

How We Are Different

The markets in which we operate are highly competitive, rapidly changing and highly innovative. We believe that we are well-positioned given our unique ability to provide all of our capabilities under one platform, combined with our institutional-grade, secure and licensed infrastructure. We continue to improve and refine these offerings through our deployment of AI within approved risk and AI frameworks. This market is growing and changing rapidly, so we expect that we will continue to see increased competition with new entrants into the space or existing competitors expanding their product offerings.

We believe that our business model provides us with significant competitive advantages, including:

•Multi-faceted approach to security and compliance. We enable responsible and secure access to digital assets for our clients. Our compliance measures, controls and risk management practices are at the core of how we operate. As a public company, we are subject to significant and comprehensive regulations. Across our entities, we possess a BitLicense from NYDFS and state money transmitter licenses in all jurisdictions that we believe are required for us to operate our business. We have policies and programs that govern crypto-related activity, such as a cyber security program, information security policy, global AML policy, and U.S. Bank Secrecy Act (“BSA”)/Office of Foreign Assets Control (“OFAC”) of the U.S. Department of the Treasury program. These measures are all designed to protect our clients and stockholders.

•Client-led strategy. We build in tandem with our clients, viewing them as long-term partners rather than just platform users. Our strategy is rooted in a deep understanding of our partners’ unique objectives, allowing us to continually refine our offerings and deploy innovative, institutional-grade solutions. This collaborative feedback loop ensures that as the digital asset landscape evolves, our platform and our clients stay ahead of the competition and at the forefront of the digital economy.

•Institutional-grade platform. Bakkt’s platform is purpose-built for the digital asset economy. We combine native support for diverse asset classes with rigorous regulatory controls and enterprise-level scalability. By providing a safe, reliable bridge for retail engagement today, we’ve created a future-proof platform ready to launch next-generation institutional products and services.

•Trusted and scalable capabilities. Our approach, built to scale with technology, privacy, security and compliance at its core, is informed by our team's decades of collective experience. Our platform moves a significant amount of volume across asset classes every day. We believe these pillars provide confidence to customers and clients that participate in our ecosystem.

Sales and Marketing

Our go-to-market strategy follows a 'B2B2C' model, acquiring customers primarily through deep-seated enterprise partnerships. By building scalable relationships we drive efficient user growth and provide our clients with the tools to

-24-

deepen customer engagement. Rather than navigating a separate Bakkt interface, digital asset users interact with our capabilities entirely within our clients’ native interface, ensuring a frictionless and brand-consistent journey.

We utilize multiple B2B channels, such as Bakkt-owned domains (e.g., our website and blog and its social media platforms) and direct marketing to potential clients, such as email marketing and targeted digital advertisements. To accelerate this pipeline, we maintain a high-touch presence at key industry conferences and global summits, utilizing these forums to solidify thought leadership and engage directly with decision-makers from prospective institutional partners. We leverage strategic partnerships with existing clients and third parties to broaden our reach.

Technology

Our core platforms are engineered in-house by a technical team with deep expertise in digital assets and financial technology. As a technology-first company, we are dedicated to building and maintaining our own proprietary systems to ensure maximum performance and control. We selectively integrate best-in-class providers only when doing so accelerates our roadmap or enhances specific non-core utilities, allowing our engineering resources to remain focused on our primary architectural advantages.

We leverage a modern, cloud-native stack to deliver bespoke and off-the-shelf infrastructure for institutional clients. To ensure ecosystem integrity, our platform integrates robust, in-house governed KYC, AML, and anti-fraud controls to combat financial crime.

API-First Integration & Performance

Our architecture is designed for seamless integration into existing financial workflows, anchored by two primary pillars:

•Institutional-Grade Trading & Liquidity: A high-performance execution engine built for speed and scale. We deliver equities-grade performance to ensure deep liquidity and reliable execution for the purchase and sale of digital assets.

•Stablecoin Payment Rails: We power modern payment experiences by leveraging stablecoins for near-instant settlement and cross-border value transfer. Our infrastructure allows clients to bypass legacy banking delays, offering 24/7 programmable payment solutions.

Cybersecurity

Each of our products is architected, deployed, and managed through a common controls environment designed to protect our customers' confidential information using a combination of administrative, physical, and technical controls. Additionally, we regularly utilize independent external parties to assess and provide added assurance that our products are designed appropriately and operating effectively.

-25-

Regulation

International, federal and state laws and regulations apply to many key aspects of our business. We operate in a regulatory environment that is rapidly evolving and increasing in scope. Legislative and regulatory authorities at the federal and state level have taken, and may continue to take, actions to modify existing laws or adopt new laws or regulations related to digital assets and related activities. For more information, please see our risk factors described in “Item 1A. Risk Factors Risks Related to Crypto and Risks Related to Regulation, Taxation and Laws”.

Regulation of Our Money Transmission Business. BFS maintains money transmitter licenses in each U.S. jurisdiction in which such licenses are required for its activities and operates pursuant to applicable statutory and regulatory frameworks in jurisdictions where a money transmitter license is not presently required for the digital asset activities it conducts. BFS also is registered as a money services business” with the Financial Crimes Enforcement Network of the U.S. Department of the Treasury (“FinCEN”).

These licenses and registrations subject BFS to extensive regulatory oversight including record-keeping and reporting obligations, bonding and minimum capital requirements, limitations on the investment and safeguarding of customer funds, and periodic examinations by state and federal regulatory agencies. Applicable licensing regimes also impose requirements relating to changes of control, and the regulatory review or approval of controlling shareholders, directors, and senior management. Regulatory requirements may change over time, and BFS may be required to obtain additional licenses or approvals in the future.

Regulation of Our Virtual Currency Business.

BFS holds a virtual currency license (“BitLicense”) issued by the New York Department of Financial Services (“NYDFS”), which subjects BFS to NYDFS oversight with respect to virtual currency business activities conducted in New York State and with New York residents. BFS also holds a Louisiana virtual currency business activity license, which subjects BFS to oversight by the Louisiana Office of Financial Institutions with respect to its virtual currency business activity conducted in Louisiana and with Louisiana residents.

In October 2023, the Governor of California signed into law the Digital Financial Assets Law (“DFAL”), which establishes a licensing framework administered by the California Department of Financial Protection and Innovation (“DFPI”) for entities engaged in digital financial asset business activity in California. We continue to monitor guidance, rulemaking, and interpretive statements issued by the DFPI regarding the scope and application of the DFAL.

-26-

The laws and regulatory framework applicable to digital assets and related services remain subject to interpretation and change. For instance, the SEC has indicated in various enforcement actions and other public statements that certain digital assets may constitute securities under U.S. federal securities laws. Although certain enforcement actions have reportedly been closed without further action,the SEC has not adopted comprehensive rules specifically addressing the regulatory classification of digital assets. Although the SEC has yet to issue guidance, it has put forth analytical frameworks and relevant factors to consider in this analysis, and has recently established a Crypto Task Force, which may reflect evolving regulatory priorities or increased regulatory focus in the area. As a result, our digital asset-related services offered through our platform may become subject to additional registration requirements, regulatory scrutiny, enforcement actions, or other regulatory developments, which could require us to modify, suspend, or discontinue certain products or services or incur additional compliance costs. .

Privacy and Information Cybersecurity Regulations. Aspects of our operations or business are subject to laws and regulation in the United States and in foreign jurisdictions relating to privacy, data protection and cybersecurity. Accordingly, we publish our privacy policies and terms of service, which describe our practices concerning the use, protection, transmission, and disclosure of information. As our business continues to expand in the United States and beyond, and as laws and regulations continue to be passed and their interpretations continue to evolve in numerous jurisdictions, additional laws and regulations may become relevant to us.

Regulatory authorities around the world are considering numerous legislative and regulatory proposals concerning privacy, data protection and cybersecurity. In addition, the interpretation and application of these laws and regulations in the United States and elsewhere are often uncertain and in a state of flux. As our business continues to develop and expand, we continue to monitor the additional rules and regulations that may become relevant. For additional information regarding these laws and regulations and related risks, please see “Risk Factors Risks Related to Regulation, Taxation, and Laws Complying with evolving privacy and other data related laws and requirements may be expensive and force us to make changes to our business, and failure to comply with such laws and requirements could result in substantial harm to our business.”

Consumer Protection Regulation.

For example, under federal and state financial privacy laws and regulations, we must provide notice to consumers of our policies on sharing non-public information with third parties, among other requirements. In addition, under the Electronic Fund Transfer Act (“EFTA”) and its implementing regulations, we are required to disclose the terms of, and any fees applicable to, our electronic fund transfer services to consumers prior to their use of the service, and comply with applicable error resolution, consumer liability and related disclosure.

We have implemented a comprehensive AML compliance program designed to prevent our platform from being used to facilitate money laundering, terrorist financing, and other illicit activity.

Our AML compliance program is comprised of policies, procedures, reporting protocols, and internal controls, including including reporting requirements for suspicious transactions, the designation of a compliance officer, employee

-27-

training, and periodic independent testing and review of the program. Failure to comply with applicable AML, sanctions, and counter-terrorist financing requirements may result in regulatory investigations, administrative enforcement actions, monetary penalties, civil or criminal liability, or other sanctions.

Indirect Regulatory Requirements. We maintain relationships with certain clients, including banks and other financial institutions in the United States, that are regulated by state, local and federal agencies. In addition, the federal banking agencies have issued supervisory guidance applicable to banks with respect to their relationships with third parties. This guidance may apply to us and our bank clients in connection with the overall relationship, including with respect to strategies and objectives, financial condition, risk management, information security and systems, operational resilience, audit rights, and performance standards.

Escheatment and Unclaimed Property Regulations. Unclaimed property laws, as may be applicable, require us to report and to remit certain government authorities the property of others held by us that has been unclaimed for a specified period of time. We have policies and procedures designed to help us comply with these laws.

Intellectual Property

The protection of our intellectual property and all corresponding rights throughout the world, including our trademarks, service marks, trade dress, logos, trade names, domain names, goodwill, patents, copyrights, works of authorship (whether or not copyrightable), software and trade secrets, know-how, and proprietary and other confidential information, together with all applications, registrations, renewals, extensions, improvements and counterparts in connection with any of the foregoing, is important to the success of our business. We seek to protect our intellectual property rights by filing applications in various patent, trademark and other government offices, and relying on applicable laws and regulations in the U.S. and internationally, as well as a variety of administrative procedures. We have sought to register our core brands as domain names and as trademarks and service marks in the U.S. and a large number of other jurisdictions. We also have in place an active program to continue to secure, police and enforce trademarks, service marks, trade dress, logos, trade names, and domain names that correspond to our brands in markets of interest. We have filed patent applications in the U.S. covering certain aspects of our proprietary technology and new innovations. We also rely on contractual restrictions to protect our proprietary rights where appropriate when offering or procuring products and services. We have routinely entered into confidentiality and invention disclosure and assignment agreements with our employees and contractors, and non-disclosure agreements with external parties with whom we conduct business to control access to, and use and disclosure of, our proprietary information.

Human Capital

We recognize that the future of digital financial infrastructure is not built solely on code, but on the specialized expertise and collaboration of our employees. We believe in cultivating an entrepreneurial culture, built on the pillars of transparency, ownership, and accountability. We also engage contractors, consultants and professionals throughout the globe, as needed to support our operations.

Available Information

Our website is http://www.bakkt.com, and our investor relations website is located at https://investors.bakkt.com, where we make available, free of charge, our Annual Report on Form 10-K, Quarterly Reports on Form 10-Q and Current

-28-

Reports on Form 8-K and amendments to those reports filed or furnished pursuant to Section 13(a) or 15(d) of the Securities Exchange Act of 1934, as amended (the “Exchange Act”), as well as proxy statements, as soon as reasonably practicable after we electronically file such material with, or furnish it to, the SEC.

We use our investor relations website to post important information for investors, including news releases, analyst presentations, and supplemental financial information, and as a means of disclosing material non-public information and for complying with our disclosure obligations under Regulation FD. We use these channels as well as social media to communicate with the public about our company. It is possible that the information we post on social media could be deemed to be material information. Accordingly, investors should monitor our investor relations website as well as the social media channels listed on our investor relations website. The information on our website or any other website is not incorporated by reference into this Form 10-K.

-29-

Item 1A. Risk Factors

Investing in our securities involves a high degree of risk. You should carefully consider the risks and uncertainties described below, together with all of the other information in this Form 10-K, including the section titled “Management’s Discussion and Analysis of Financial Condition and Results of Operations” and our consolidated financial statements and accompanying notes, before making a decision to invest in our securities. Our business, financial condition, results of operations or prospects could also be harmed by risks and uncertainties not currently known to us or that we currently do not believe are material. If any of the risks actually occur, our business, financial condition, results of operations or prospects could be adversely affected. In that event, the trading price of our securities could decline, and you could lose part or all of your investment.

Risk Factor Summary

Our business is subject to numerous risks and uncertainties that you should consider before investing in our securities. These risks are described more fully below and include, but are not limited to, risks relating to the following:

Risks Related to Our Business, Finances and Operations

• We may be unable to realize the anticipated benefits of investments and strategic transactions in connection with our international expansion strategy.

• Our business model is newly developed and may encounter additional risks and challenges as it grows.

Further, we may not achieve or sustain profitability in the future.

• If we are unable to attract, retain or grow our relationships with our existing clients, our business, financial condition, results of operations and future prospects would be materially and adversely affected. Moreover, sales efforts to large clients involve risks that may not be present or that are present to a lesser extent with respect to sales to smaller organizations.

•Acquisitions, strategic investments, partnerships, or alliances may be difficult to identify. We may not realize the anticipated benefits of past or future investments, strategic transactions or acquisitions, including our proposed acquisition of DTR, and integration of these acquisitions may pose integration challenges, divert the attention of management, disrupt our business, dilute stockholder value or otherwise adversely affect our business, financial condition and results of operations

Risks Related to Our Investment Policy

•A significant decrease in the market value of our digital asset holdings could adversely affect our ability to satisfy financial obligations, including any debt financings.

•Our financial results and the market price of our securities may be affected by fluctuations in the price of digital assets, including Bitcoin, which are highly volatile assets.

•Investing in digital assets increases our exposure to risks associated with those assets, including Bitcoin.

-30-

Risks Related to Digital Assets

• Disruptions in the digital asset market subject us to additional risks, including the risk that banks may not provide banking services to us.

• There may be a perception among regulators and others that crypto is used to facilitate illegal activity such as fraud, money laundering, tax evasion and ransomware scams.

• Digital asset custodial solutions and related technology, including our systems and custodial arrangements, are subject to risks related to a loss of funds due to theft digital assets, employee or vendor sabotage, security and cybersecurity risks, system failures and other operational issues the loss, destruction or other compromise of our private keys and a lack of sufficient insurance.

• Digital assets do not have extensive historical precedent and distributed ledger technology continues to rapidly evolve.

Risks Related to Regulation, Taxation and Laws

• A U.S. federal government shutdown or other disruption in U.S. federal government operations could adversely affect us.

• Regulatory regimes governing blockchain technologies and digital assets are uncertain and may change rapidly.

• We are subject to significant litigation risk and risk of regulatory liability and penalties. Any current or future litigation against us could be costly and time-consuming to defend.

Risks Related to Information Technology and Data

• Actual or perceived cyberattacks, security incidents or breaches could result in serious harm to our reputation, business and financial condition.

Risks Related to Risk Management and Financial Reporting

• If we are unable to maintain effective internal controls over financial reporting, we may be unable to produce timely and accurate financial statements, which could have a material effect on our business.

Risks Related to Our Securities

• We may issue additional shares of common stock or other equity securities, which would dilute stockholders’ ownership interest in us and may reduce the market price of our securities.

-31-

Risks Related to Our Business, Finances and Operations

We may be unable to realize the anticipated benefits of investments and strategic transactions in connection with our international expansion strategy.

As we increase the breadth and depth of our product offering and seek to expand internationally, there can be no assurance that we will be able to realize the anticipated benefits of these and other past or future investments and strategic transactions. If our investments do not perform, those investments could become impaired and we may lose any or all of our investment. In addition, there can be no assurance that our international partners, in particular those that we do not control, such as MHT, will adopt our products, services or technology, which could impact our growth prospects.

We have also announced other investments and strategic transactions in Asia, including our election to subscribe to warrants to be issued by Transchem Ltd. in India (subject to applicable approvals and other conditions), and there can be no assurance that any such investments or strategic transactions will be consummated on the expected terms or timeline, or at all, or that we will realize the anticipated benefits thereof.

Our business model is newly developed and may encounter additional risks and challenges as it grows.

Our vision is that our clients will utilize our platform as the go-to solution enabling customers to transact in digital assets. Most of the assets that we have incorporated and intend to incorporate into our platform in the future are already being handled by incumbent providers. There can be no assurance that our platform will gain the acceptance of clients or customers or generate the anticipated synergies. It is difficult to predict the preferences and requirements of clients or customers, and our platform, design and technology may not appeal to such clients or customers, or may be incompatible with new or emerging forms of digital assets or related technologies. Failure to achieve acceptance would impede our ability to develop and sustain a commercial business.

Our success depends on bringing on clients and on the transaction volume from customers. If we are not able to bring new clients onto the platform, many of whom will pay us subscription fees for our platform services, our revenue and liquidity could be negatively impacted.

The attractiveness of our platform depends upon, among other things:

• the number and variety of assets and other capabilities in which customers can transact through our platform;

• our reputation, as well as clients’ and customers’ experience and satisfaction with, and trust and perception of, our platform;

• technological innovation;

• regulatory compliance and data security; and

• services and products offered by competitors.

Moreover, clients may choose to contract with other providers of services that are competitive with ours. If we fail to retain existing clients, attract new clients, or continually expand usage and transaction volume on our

-32-

platform, our business, financial condition, results of operations and prospects will be materially and adversely affected.

We will have both increased financial and reputational risks if there is a failure to launch one or more features, or if the launch of a new feature is unsuccessful. Also, there can be no assurance that we will receive support from clients to launch features as planned or that we will operate as anticipated. For example, we plan to expand our platform to offer stablecoin-based payment service in connection with our acquisition of DTR. While we believe such expanded offerings will be beneficial in our attempts to attract and retain clients and to increase transaction volumes and assets under custody, the interest level of our clients and their customers in these offerings may be less than we expect or market adoption may be slower than we anticipate, any of which may be adverse to our business and prospects.

We must continually invest in our platform to meet our customers’ evolving needs and to grow our business. Any failure by us to successfully execute on the development of our platform would have an adverse effect on our business, results of operations and financial condition.

Our platform is in the early stages of release and will be further refined and developed, and certain areas of our platform are still under development and largely untested on a commercial scale. We are working to expand our service offerings, including, for example, utilizing BakktX technology for an institutionally-focused ECN. There can be no assurance that the additional functionalities and features currently planned for our platform will be successfully developed in a timely fashion or at all. The addition of functionalities to our platform may require regulatory approvals, may increase our regulatory obligations and the degree of regulatory scrutiny we face, and may make regulatory compliance more complex and burdensome. We will have both increased financial and reputational risks if there is a failure to launch one or more functionalities, or if the launch of a new functionality is unsuccessful. Also, there can be no assurance that we will receive the necessary regulatory approvals or support from clients to launch features as planned or that we will operate as anticipated. Any problems or delays that we encounter with the development or operation of our platform, including technical, legal and regulatory problems, could have a material adverse effect on our business, financial condition and results of operations.

We have a limited operating history and a history of operating losses, which makes it difficult to forecast our future results of operations. Further, we may not achieve or sustain profitability in the future.

You should not rely on the revenue growth of any prior quarterly or annual period as an indication of our future performance. As a result of our limited operating history, our ability to accurately forecast our future results of operations is limited and subject to a number of uncertainties, including our ability to plan for and model future growth. Prior to the acquisition of Bakkt Financial Solutions I, LLC (“BFS”, formerly Bakkt Crypto Solutions, LLC), in April 2023, our historical revenue was achieved largely as the result of a white-labeled loyalty redemption product offered by the Bakkt Loyalty Solutions business, a business which we sold in the year ended December 31, 2025, and therefore should not be considered indicative of our future performance.

Even if we experience strong revenue growth, in future periods our revenue or revenue growth could decline for a number of reasons, including slowing demand for our platform, cyclicality in digital asset trading activity,

-33-

increased competition, changes to technology, a decrease in the growth of our overall market, or our failure, for any reason, to take advantage of growth opportunities. If our assumptions regarding these risks and uncertainties and our future revenue growth are incorrect or change, or if we do not address these risks successfully, our operating and financial results could differ materially from our expectations, and our business could suffer.

Furthermore, we intend to continue to invest significant resources to further develop our platform. If we are unable to achieve the revenue growth that we expect from these investments, further reduce our operating expenses, or achieve profitability, it would have an adverse effect on our financial condition and results of operations, and the value of our business and our securities may significantly decrease.

Substantially all of our net revenues each quarter come from transactions that occur during that quarter, which has resulted in, and may continue to result in, significant fluctuations in our operating results.

Our quarterly results, including revenue, expenses, consumer metrics and other key metrics, are derived from transactions that occur during that quarter. Accordingly, our quarterly results have fluctuated and are likely to continue to fluctuate significantly due to a variety of factors, some of which are outside of our control. It is difficult for us to forecast accurately the level or source of our revenues, earnings and expenses, and the results for any one quarter are not necessarily an indication of future performance or expenses. Moreover, because of these fluctuations, our quarterly results may not fully reflect the underlying performance of our business. If our revenue, expenses, or key metrics in future quarters fall short of the expectations of our investors and financial analysts, the price of our securities could be adversely affected.

Other factors that may cause fluctuations in our quarterly results include:

• our ability to attract and retain clients and generate transaction volume from customers;

• market sentiment regarding digital assets;

• our ability to negotiate agreements with vendors, partners and service providers on terms that are favorable to us, if at all;

• transaction volume and mix;

• rates of repeat transaction and fluctuations in usage of our platform, including seasonality;

• the amount and timing of our expenses related to acquiring clients and customers and the maintenance and expansion of our business, operations and infrastructure;

• changes to our relationships with our clients;

• general economic, industry and market conditions;

• competitive dynamics in the industry in which we operate;

• network outages, cyberattacks, or other actual or perceived security incidents or breaches or data privacy violations;

• changes in laws and regulations that impact our business;

-34-

• the amount and timing of stock-based compensation expenses;

• the cost and outcomes of existing or potential claims or litigation; and

• the timing of expenses related to the development or acquisition of technologies or businesses and potential future charges for impairment of goodwill from acquired technologies or businesses.

If we are unable to attract, retain or grow our relationships with our existing clients, our business, financial condition, results of operations and future prospects would be materially and adversely affected. Moreover, sales efforts to large clients involve risks that may not be present or that are present to a lesser extent with respect to sales to smaller organizations.

For our platform to be successful, we must continue our existing partnerships, and successfully develop new partnerships, with clients. Our ability to retain and grow our relationships with our clients depends on the willingness of those clients to establish a commercial relationship with us. If clients with whom we develop partnerships fail to market or do not effectively market our platform to their customers, or customers fail to adopt our platform through these marketing efforts in such numbers as we have projected, our customer acquisition costs may increase and our business, financial condition and results of operations may be adversely affected.

Sales to large clients involve risks that may not be present or that are present to a lesser extent with sales to smaller organizations, such as longer sales cycles, more complex requirements and substantial upfront sales costs. For example, large clients may require considerable time to evaluate and test our platform prior to making a decision, or may request pricing models that may decrease our potential margins. Several factors influence the length and variability of our sales cycle, including the need to educate potential clients about the uses and benefits of our platform, the discretionary nature of purchasing and budget cycles, and the competitive nature of evaluation and purchasing approval processes. In order for our sales efforts to large organizations to be successful, we often must be able to engage with senior officers of the organization. As a result, the length of our sales cycle, from identification of the opportunity to deal closure, may vary significantly for each client, with sales to large enterprises typically taking longer to complete. If we fail to effectively manage the risks associated with sales cycles and sales to large clients, our business, financial condition and results of operations may be adversely affected.

Moreover, when we execute an agreement with a client, we are still dependent on that client to deploy our platform. Larger clients, in particular, often delay deployment for a lengthy period of time after executing an agreement. Even when clients begin their integration into our platform, they do so on a limited basis while frequently requiring that we provide implementation services, which may include customization and controls that limit the functionality of our platform, and negotiate pricing discounts, which increases our upfront investment in the sales effort with no guarantee that sales to these clients will justify our upfront investment, which can be substantial. If a client delays deployment for lengthy periods of time, our consumer and revenue growth may not achieve expectations and our business, financial condition and results of operations may be adversely affected.

Our agreements with our clients have terms that range from approximately one to three years, and in some cases, our existing clients can generally terminate these agreements without cause upon 30 to 90 days’ prior written notice. In addition, many of those agreements also provide for the right of the client to terminate the agreement, or for us to pay financial penalties, in the event that we breach certain service level agreements with respect to the operation of our platform.

From time to time, certain terms of our client agreements remain subject to further discussion and refinement before they can be implemented, including the potential products and services to bring to market. Our ability to realize the intended benefits of these partnerships will depend on our ability to finalize such agreements, for such products and services, and to do so on terms sufficiently favorable to us. While we continue to negotiate

-35-

client agreement terms, we may be unable to agree to terms with such clients on commercially advantageous terms or at all, which may adversely affect our business and prospects.

Furthermore, our ability to retain existing, or obtain new, clients and customers may be impacted to the extent that clients choose not to partner with us, or customers choose not to transact or to engage in fewer transactions on our platform, in each case, because we do not currently offer or plan to cease offering certain digital assets. For example, Webull, which represented approximately 74% and 73% of our Crypto services revenue in the years ended December 31, 2024 and 2023, respectively, did not renew its agreement with us after the term of the agreement ended on June 14, 2025. Our clients may terminate or reduce their use of our services, including their transaction volumes, for any number of reasons, including if they are not satisfied with our services, the value proposition of our services or platform, or our ability to meet their needs and expectations. If clients do not engage with us, or if customers choose not to transact or make fewer transactions on our platform, our revenues will be adversely impacted.

We face substantial and increasingly intense competition worldwide in the industries in which we operate.

Many of the areas in which we compete evolve rapidly with changing and disruptive technologies, shifting consumer needs, and frequent introductions of new products and services. Competition also may intensify as businesses enter into business combinations and partnerships, and established companies in other segments expand to become competitive with different aspects of our business.

We compete primarily on the basis of the following:

• ability to attract, retain and engage clients (and in turn, customers) on our platform;

• ability to demonstrate to clients that they may achieve incremental revenue and attract new customers by using and offering our services to their customers;

• confidence in the safety, security, privacy and control of customer information on our platform;

• ability to develop products and services across multiple commerce channels, including digital assets and stablecoin-based payment services (to the extent we peruse such services); and

• system reliability, regulatory compliance and data security.

We partner with many businesses and consider the ability to continue establishing these partnerships important to our business.

Some of our current and potential competitors have larger customer bases, broader geographic scope, volume, scale, resources and market share than we do, which may provide them significant competitive advantages. Some competitors may also be subject to less burdensome licensing, anti-money laundering, counter-terrorist financing and other regulatory requirements. They may devote greater resources to the development, promotion and sale of products and services, and offer lower prices or more effectively offer their own innovative programs, products and services.

-36-

We also compete against a large number of decentralized and noncustodial platforms. On these platforms, customers can interact directly with a market-making smart contract or on-chain trading mechanism to exchange one type of digital asset for another without any centralized intermediary. These platforms are typically not as easy to use as our platform, and some lack the speed and liquidity of centralized platforms, but various innovative models and incentives have been designed to bridge the gap. In addition, such platforms have low startup and entry costs as market entrants often remain unregulated and have minimal operating and regulatory costs. If the demand for decentralized platforms grows and we are unable to compete with these decentralized and noncustodial platforms, our business may be adversely affected.

If we are not able to differentiate our products and services from those of our competitors, drive value for our clients and customers, or effectively and efficiently align our resources with our goals and objectives, we may not be able to compete effectively in the market.

To the extent we pursue our Investment Policy, we will also compete against a number of companies operating both within the United States and abroad that focus on Bitcoin-based or other digital asset-based services. The range of options to gain exposure to Bitcoin may expand in the future. Investors may choose to gain such exposure through ETPs, companies with significant Bitcoin holdings or other similar strategies, rather than shares of our common stock, including if they believe that ETPs offer a ‘pure play’ exposure to Bitcoin that is generally not subject to federal income tax at the entity level as we may be, or the other risks that may affect other parts of our business. Based on how we are viewed in the market relative to ETPs and other vehicles which offer economic exposure to Bitcoin, such as Bitcoin futures Exchange Traded Funds (“ETFs”), leveraged Bitcoin futures ETFs and similar vehicles offered on international exchanges, any premium or discount in our common stock relative to the value of our Bitcoin holdings may increase or decrease in different market conditions. If investors choose to gain such exposure through ETPs, companies with significant Bitcoin holdings or other similar strategies, rather than shares of our common stock, our business, operating results, and financial condition may be adversely affected.

If our platform does not meet our service level commitments, our revenue and reputation may be negatively impacted.

We typically commit, through service level agreements or otherwise, to maintaining a minimum service levels with respect to our platform’s functionality, availability and response time. If we are unable to meet these commitments, we may be obligated to provide clients with remedies set forth below. A failure to meet service level commitments, even for a relatively short duration, could cause us to be contractually obligated to issue credits or refunds to a large number of affected clients and customers, or could result in the dissatisfaction or loss of clients and customers. Affected participants could also choose to pursue other legal remedies that may be available to them.

In addition, we rely on public cloud providers, such as Microsoft Azure and Google Cloud, and any availability interruption in the public cloud could result in us not meeting our service-level commitments. In some cases, we may not have a contractual right with our public cloud providers that compensates us for any losses due to availability interruptions in the public cloud.

Any of the above circumstances or events may impact our revenues, harm our reputation, impair our ability to develop our platform and grow our base of clients and customers, subject us to financial penalties and liabilities under our service level agreements and otherwise harm our business, financial condition and results of operations.

We face operational, legal and other risks related to our reliance on third party vendors, over which we have no control.

We face operational risk because we rely on third party vendors to provide us with financial, technology and other services and to facilitate certain of our business activities, including, for example, marketing services, fulfillment services, cloud-based computer and data storage and other IT solutions and payment processing.

-37-

These third parties may be subject to financial, legal, regulatory and labor issues, cyberattacks, security incidents, privacy breaches, service terminations, disruptions or interruptions, or other problems, which may impose additional costs or requirements on us or prevent these third parties from providing services to us or our customers on our behalf, which could harm our business. Additionally, the Consumer Financial Protection Bureau (“CFPB”) and other regulators have issued guidance stating that institutions under their supervision may be held responsible for the actions of the companies with which they contract. Accordingly, we could be adversely impacted to the extent our vendors fail to comply with the legal requirements applicable to the particular products or services being offered.

In some cases, vendors are the sole source, or one of a limited number of sources, of the services they provide to us. For example, there are a limited number of service providers that can provide the credit needed to facilitate high-volume institutional trading on ECNs, such as the BakktX ECN we plan to launch. As such, to the extent we look to add central clearing counterparty services to BakktX, we may be limited in the number of available counterparties. We may be unable to procure alternatives from other vendors in a timely and efficient manner on acceptable terms, or at all. We are also solely reliant on our agreement with our cloud computing web services provider for the provision of cloud infrastructure services to support our platform. Most of our vendor agreements are terminable by the vendor with little or no notice, and if our current vendors were to terminate their agreements with us or otherwise stop providing services to us on acceptable terms, we may be unable to procure alternatives from other vendors in a timely and efficient manner and on acceptable terms, or at all. If any vendor fails to provide the services we require, fails to meet contractual requirements (including compliance with applicable laws and regulations), fails to maintain adequate data privacy controls and electronic security systems, or suffers a cyberattack or other security incident or breach, we could be subject to CFPB, Federal Trade Commission, SEC, and other regulatory enforcement actions, claims from third parties, including our customers, incur significant costs to resolve any issues or suffer economic and reputational harm, any of which could have an adverse effect on our business.

If we cannot keep pace with rapid technological developments to provide new and innovative products and services, the use of our products and services may not develop, and, consequently, our business would suffer.

As a result, we expect new services and technologies to continue to emerge and evolve, and we cannot predict the effects of technological changes on our business. In addition to our own initiatives and innovations, we rely in part on third parties for the development of and access to new or evolving technologies. These third parties may restrict or prevent our access to, or utilization of, those technologies, as well as their platforms or products. In addition, we may not be able to accurately predict which technological developments or innovations will become widely adopted and how those technologies may be regulated. We expect that new services and technologies applicable to the industries in which we operate will continue to emerge and may be superior to, or render obsolete, the technologies we currently use in our products and services. Developing and incorporating new technologies into our products and services may require substantial expenditures, take considerable time, and ultimately may not be successful. In addition, our ability to adopt new products and services and to develop new technologies may be inhibited by industry-wide standards, payments networks, changes to laws and regulations, resistance to change from clients or customers, third-party intellectual property rights, or other factors. Our success will depend on our ability to develop and incorporate new technologies and adapt to technological changes and evolving industry standards. If we are unable to do so in a timely or cost-effective manner, our business could be harmed.

On March 17, 2025, we entered into an agreement for the sale of Bakkt Trust. Pursuant to the terms of the Bakkt Trust purchase agreement, we may be subject to liabilities such as legal claims, including but not limited to third-party liability and other tort claims, claims for breach of contract, employment-related claims, regulatory or other compliance with law issues, tax liabilities, or liabilities we agree to retain pursuant to the Bakkt Trust purchase

-38-

agreement. If any of these liabilities are not adequately covered by insurance or an enforceable indemnity or similar agreement from a creditworthy counterparty, we may be responsible for significant out-of-pocket expenditures. Further, in connection with the Bakkt Trust purchase agreement, we may incur liabilities for breaches of representations and warranties or failure to comply with operating covenants under such agreement. Additionally, we may have to indemnify the counterparty to the Bakkt Trust purchase agreement for certain liabilities or operations of Bakkt Trust. These liabilities, if they materialize, could materially and adversely affect our business, financial position, results of operations or cash flows.

Furthermore, we may not realize the expected benefits from the Bakkt Trust sale. For example, we expect certain operational efficiencies, cost reductions and releases of regulatory capital to follow any such disposition. If any of those or other expected benefits fail to materialize at the levels we expect or at all, our business, financial position, results of operations and available cash may be adversely affected.

In addition, in connection with the sale of our loyalty and travel redemption business on October 1, 2025, we may remain subject to ongoing obligations and risks, including under transition services arrangements, post-closing purchase price or working capital adjustments, indemnification obligations, escrow arrangements and any notes or other consideration received in the transaction, any of which could adversely affect our business, financial condition and results of operations.

Acquisitions, strategic investments, partnerships, or alliances may be difficult to identify.

We have in the past and may in the future seek to acquire or invest in businesses, joint ventures, partnerships, alliances and platform technologies that we believe could complement or expand our platform, enhance our technology, or otherwise offer growth opportunities.

For example, on January 11, 2026, we entered into a share purchase agreement to acquire DTR, subject to the satisfaction or waiver of customary closing conditions, including stockholder and regulatory approvals and the absence of any order or law prohibiting consummation of the transaction. In addition, in specified circumstances, we may be required to pay a termination fee if the agreement is terminated.

These risks include the following, among others:

• difficulty in assimilating the operations, systems, and personnel of the acquired business;

• difficulty in effectively integrating the acquired technologies or products with our current products and technologies;

• difficulty in maintaining controls, procedures and policies during the transition and integration;

• disruption of our ongoing business and distraction of our management and employees from other opportunities and challenges due to integration issues;

-39-

• difficulty integrating the acquired business’s accounting, management information and other administrative systems;

• inability to retain key technical and managerial personnel of the acquired business;

• inability to retain key customers, vendors and other business clients of the acquired business;

• inability to achieve the financial and strategic goals for the acquired and combined businesses;

• incurring acquisition-related costs or amortization costs for acquired intangible assets that could impact our results of operations;

• regulatory changes that affect the value of the businesses we acquire or our plans for integration of those businesses, or that expose us to additional regulation or litigation in connection with the acquired businesses;

• significant post-acquisition investments which may lower the actual benefits realized through the acquisition;

• potential failure of the due diligence process to identify significant issues with product quality, legal, and financial liabilities among other things; and

• potential inability to assert that internal controls over financial reporting are effective.

In particular, the acquisition of DTR presents risks to our business, and may pose integration, operational, regulatory and other challenges. In addition, because Mr. Naheta is our Chief Executive Officer, President and a member of our Board and directly or indirectly wholly owns DTR, the transaction presents related party and conflict-of-interest risks notwithstanding the processes adopted by our Board, including the risk of stockholder litigation or regulatory scrutiny, adverse publicity, and the risk that management’s decisions regarding negotiations, integration priorities, or the allocation of resources could be perceived as influenced by competing interests, any of which could adversely affect our business, financial condition and results of operations.

Our failure to address these risks, or other problems encountered in connection with our past or future investments, strategic transactions, or acquisitions, could cause us to fail to realize the anticipated benefits of these acquisitions or investments, cause us to incur unanticipated liabilities, and harm our business generally. Future acquisitions could also result in dilutive issuances of our equity securities, the incurrence of debt, contingent liabilities, amortization expenses, incremental expenses or the write-off of goodwill, any of which could harm our financial condition or results of operations, and the trading price of our common stock could decline. For example, under the share purchase agreement for the acquisition of DTR, we expect to issue shares of our Class A common stock representing 31.5% of our Class A common stock on a fully diluted basis as of immediately prior to the closing (subject to certain adjustments).

We may require additional capital to support the growth of our business, and such capital might not be available on acceptable terms, if at all.

We have funded our operations since inception primarily through equity financings and payments received from our platform. We cannot be certain when or if our operations will generate sufficient cash to fully fund our ongoing operations or the growth of our business. We intend to continue to make investments to support our business, which may require us to engage in equity or debt financings to secure additional funds. For example, on February 27, 2026, we issued and sold in a registered direct offering an aggregate of 3,024,799 shares of our common stock and pre-funded warrants to purchase an aggregate of 2,475,201 shares of common stock for

-40-

aggregate net proceeds of approximately $48.125 million. On January 16, 2026, we established an “at-the-market” program pursuant to which we may sell, from time to time, up to an aggregate sales price of $300,000,000 of our A common stock. As at the date of this Annual Report on Form 10-K, we have sold 1,990,434 shares under the program for aggregate net proceeds of approximately $20.832 million. On July 28, 2025, we issued and sold in an underwritten confidentially marketed public offering an aggregate of 6,753,627 shares of our common stock and pre-funded warrants to purchase an aggregate of 746,373 shares of our common stock for aggregate net proceeds of approximately $69 million.

Additional financing may not be available on terms favorable to us, if at all. If adequate funds are not available on acceptable terms, we may be unable to invest in future growth opportunities, which could harm our business, financial condition, or results of operations. Furthermore, if we issue additional equity securities, stockholders will experience dilution, and the new equity securities could have rights senior to those of our existing securities. Our decision to issue securities in the future will depend on numerous considerations, including factors beyond our control, thus we cannot predict or estimate the amount, timing, or nature of any future issuances of debt or equity securities. As a result, our stockholders bear the risk of future issuances of debt or equity securities reducing the value of our securities and diluting their interests.

In the past, we have identified conditions and events that raised substantial doubt about our ability to continue as a going concern and it is possible that we may identify conditions and events in the future that raise substantial doubt about our ability to continue as a going concern.

We previously identified conditions and events that raised substantial doubt about our ability to continue as a going concern in connection with the filing of our Quarterly Report on Form 10-Q for the quarterly period ending September 30, 2023. In connection with the filing of subsequent amendments thereto, we disclosed that, without additional equity financing, we could not conclude that we could maintain our operations for a period of at least 12 months from the dates of such filings. If we are unable to replace lost revenue, achieve anticipated cost reductions, and/or obtain additional financing on acceptable terms, our liquidity could be insufficient to fund our operations and could raise substantial doubt about our ability to continue as a going concern. If we cannot continue as a viable entity, our stockholders will likely lose most or all of their investment in us.

Accordingly, we cannot conclude it is probable we will be able to increase revenues substantially beyond levels that we have attained in the past in order to generate sustainable operating profit and sufficient cash flows to continue doing business without raising additional capital in the near future.

We hold our cash and cash equivalents that we use to meet our working capital and operating expense needs in deposit accounts that could be adversely affected if the financial institutions holding such funds fail.

We hold our cash and cash equivalents that we use to meet our working capital and operating expense needs in deposit accounts at multiple financial institutions. The balances held in these accounts typically exceed the Federal Deposit Insurance Corporation deposit insurance limit. If a financial institution in which we hold such funds

-41-

fails or is subject to significant adverse conditions in the financial or credit markets, we could be subject to a risk of loss of all or a portion of such uninsured funds or be subject to a delay in accessing all or a portion of such uninsured funds. Any such loss or lack of, or delay in, access to these funds could adversely impact our liquidity and our ability to meet our ongoing working capital and operating expense obligations.

We also maintain investment accounts with other financial institutions in which we hold our investments and, if access to these investments were to be impaired, we may not be able to open new operating accounts, sell investments or transfer funds from our investment accounts to new operating accounts on a timely basis sufficient to meet our operating expense obligations. In addition, if further liquidity and financial stability concerns arise with respect to banks and financial institutions, the ability of our clients or their customers to access existing cash, cash equivalents or investments or to access existing, or enter into new, banking arrangements or facilities, may be adversely impacted, which could in turn impact such parties’ ability to pay their obligations to us or to our clients, or to enter into new commercial arrangements with us.

The loss of the services of our senior management could adversely affect our business.

The experience of our senior management is a valuable asset to us. If we are unable to retain members of our core senior management team, we could experience uncertainty and significant delays or difficulty in the achievement of our development and strategic objectives and our business, financial condition and results of operations could be materially and adversely harmed. Our management team has significant experience, is responsible for many of our core competencies, and would be difficult to replace. Competition for senior executives in these businesses is intense, and we may not be able to attract and retain qualified personnel to replace or succeed members of our senior management team or other key personnel. Failure to retain talented senior leadership could have a material adverse effect on our business.

Changes in our executive management team resulting from the hiring or departure of executives, or our leadership structure, could disrupt our business, and could impact our ability to preserve our culture, which could negatively affect our ability to recruit and retain personnel.

Our business will suffer if we fail to attract and retain highly skilled employees.

Our future success will depend on our ability to identify, hire, develop, motivate and retain highly qualified personnel for all areas of our organization, particularly information technology and sales. Hiring qualified and experienced personnel in this specialized technology space is difficult due to the high level of competition and scarcity of experience. Many of the companies with which we compete for experienced employees have greater resources than we do and may be able to offer more attractive terms of employment. In addition, we invest significant time and expense in training employees, which increases their value to competitors that may seek to recruit them. We may not be able to attract, develop and maintain the skilled workforce necessary to operate our business and labor expenses may increase as a result of a shortage in the supply of qualified personnel, which would negatively impact our business. Further, we may suffer shortages with respect to certain categories of personnel due to reductions in force, attrition, inability to hire qualified and experienced personnel, or any combination of the foregoing, which may negatively impact our operational performance. For example, if we suffer shortages with respect to certain of our customer service personnel, our ability to maintain compliance with our service level commitments to clients may be impacted, resulting in financial penalties and, potentially, damage to or loss of those client relationships. Shortages with respect to certain of our compliance personnel may limit our ability to comply with evolving and uncertain laws and other regulations. For additional information, see “—Risks Related to Regulation, Taxation and Laws.” Shortages with respect to certain of our accounting personnel may limit our ability

-42-

to maintain internal control over financial reporting. For more information, see “—Risks Related to Risk Management and Financial Reporting.”

Our revenue is impacted, to a significant extent, by the general economy.

Our business and our clients’ businesses are sensitive to macroeconomic conditions. Economic factors such as interest rates, tariffs, inflation, changes in monetary and related policies, market volatility (including as a result of geopolitical issues, such as the wars in Ukraine and the Middle East), consumer confidence, and unemployment rates are among the most significant factors that impact consumer spending behavior. In particular, the high levels of inflation experienced in the United States could negatively impact our business by increasing our costs and reducing consumer activities necessarily to our revenue generation.

Our ability to generate subscription and service revenue and transaction revenue depends, in part, on customers continuing to access and utilize our platform. Our clients’ businesses may decrease or fail to increase as a result of factors outside of their control, such as the macroeconomic conditions referenced above, or business conditions affecting a particular client, industry vertical, or region. Weak economic conditions also could extend the length of our clients’ sales cycle and cause consumers to delay making (or not make) purchases. Some of our clients have experienced a decrease in sales, supply chain disruptions, inventory shortages, and other adverse effects. A decline in activity by consumers of our clients’ products and services for any reason may correspondingly result in lower revenue generated by our platform.

If we experience rapid growth, it may place significant demands on our operational, administrative and financial resources and it may be difficult to sustain such growth.

We have a relatively limited operating history even at our current scale, and our projected growth in future periods exposes us to increased risks, uncertainties, expenses and difficulties. If we are unable to appropriately scale our operations to support such growth, our business, results of operations, financial condition and future prospects would be materially and adversely affected.

If we experience rapid growth, we could face significant challenges in:

• maintaining and developing relationships with existing and new clients;

• securing funding to maintain our operations and future growth;

• maintaining adequate financial, business and risk controls;

• implementing new or updated information and financial risk controls and procedures;

• navigating complex and evolving regulatory and competitive environments;

• attracting, integrating and retaining an appropriate number of qualified, skilled employees;

• training, managing and appropriately sizing our workforce and other components of our business on a timely and cost-effective basis;

-43-

• expanding within existing markets;

• entering new markets and introducing new solutions;

• continuing to develop, maintain, protect and scale our platform;

• effectively using limited personnel and technology resources; and

• maintaining the security of our platform and the confidentiality of the information, including personally identifiable information, provided and utilized across our platform.

We may not be able to properly manage and scale our expanding operations effectively, and any failure to do so could adversely affect our ability to generate revenue and control our expenses, which could in turn materially and adversely affect our business, financial condition, results of operations and future prospects.

Future material impairments in the value of our long-lived assets, including goodwill, have in the past negatively affected, and could in the future negatively affect, our operating results.

We regularly review our long-lived assets, including our goodwill and other intangible assets, for impairment. Goodwill and other intangible assets are subject to impairment review on an annual basis and whenever potential impairment indicators are present. Changes in market conditions or other changes in the future outlook of value may lead to impairment charges in the future. Future events or decisions may lead to asset impairments and/or related charges. Certain non-cash impairments may result from a change in our strategic goals, business direction or other factors relating to the overall business environment. Material impairment charges could negatively affect our results of operations.

For example, during the fiscal year ended December 31, 2023, we recognized $60.5 million of goodwill and intangible assets impairments relating to the sustained decline in our market capitalization and failure to achieve our projected revenue growth. For more information on the valuation and impairment of long-lived assets, refer to Note 5, Business Combination and Acquisition, in our audited consolidated financial statements included in this Form 10-K.

Environmental, social and governance factors may impose additional costs and expose us to new risks.

There is focus from certain investors, regulators, employees, users and other stakeholders concerning corporate responsibility, specifically related to environmental, social, and governance matters (“ESG”) and related assurances and disclosures. Compliance with recently adopted and potential upcoming ESG requirements, including California’s climate-related bills, may require the dedication of significant time and resources by us. If we are unable to comply with new laws and regulations or changes to existing legal or regulatory requirements concerning ESG matters, or if we fail to meet investor, industry, or stakeholder expectations and standards relating to ESG matters, our reputation may be harmed, customers may choose to refrain from using our products and services, we may be subject to fines, penalties, regulatory or other enforcement actions, and our business, operating results, and financial condition could be adversely affected.

Risks Related to Our Investment Policy

-44-

A significant decrease in the market value of our digital asset holdings could adversely affect our ability to satisfy financial obligations, including any debt financings.

To the extent we implement our Investment Policy, we may incur indebtedness and other fixed charges. If our businesses do not generate cash flow in future periods sufficient to satisfy our financial obligations, including our debt, we intend to fund our obligations using cash flow generated by equity or debt financing. Our ability to obtain equity or debt financing may in turn depend on, among other factors, the value of our Bitcoin holdings, investor sentiment and the general public perception of Bitcoin, as well as our strategy and our value proposition. Accordingly, a significant decline in the market value of our Bitcoin holdings or a negative shift in these other factors may create liquidity and credit risks, as such a decline or such shifts may adversely impact our ability to secure sufficient equity or debt financing to satisfy our financial obligations. Our inability to secure additional equity or debt financing in a timely manner, on favorable terms or at all, or to sell our Bitcoin in amounts and at prices sufficient to satisfy our financial obligations, including our debt service obligations, could cause us to default under such obligations. Any default on our indebtedness may have a material adverse effect on our operating results, financial condition and future prospects.

To the extent we pursue our Investment Policy, we expect digital assets to comprise a significant portion of our total assets. The concentration of our digital asset holdings would be expected to limit the risk mitigation that we could take advantage of by purchasing a more diversified portfolio of treasury assets, and the absence of diversification enhances the risks inherent in investments permitted by our Investment Policy.

While we may, from time to time, use any future Bitcoin holdings to fund the purchase of cash equivalents, Bitcoin and other digital assets may not be as readily available or reliable a source of liquidity as traditional cash and cash equivalents. Historically, Bitcoin markets have been characterized by more price volatility, less liquidity, and lower trading volumes compared to sovereign currencies markets, as well as relative anonymity, a developing regulatory landscape, susceptibility to market abuse and manipulation, and various other risks inherent in its entirely electronic, virtual form and decentralized network. During times of market instability, we may not be able to sell our digital assets at reasonable prices or at all. As a result, our digital asset holdings may not be able to serve as a source of liquidity for us to the same extent as cash and cash equivalents. If we pursue our Investment Policy and are unable to sell our digital assets, or if we are forced to sell our digital assets at a significant loss, in order to meet our working capital requirements, our business and financial condition could be negatively impacted.

Our financial results and the market price of our securities may be affected by fluctuations in the price of digital assets, including Bitcoin, which are highly volatile assets.

To the extent we pursue our Investment Policy, our operating results will be dependent on the trading price of and supply and demand for the digital assets we hold, including Bitcoin. Due to the rapidly evolving nature of digital assets and their volatile price, which has experienced and continues to experience significant volatility, we expect that our operating results will fluctuate significantly as a result of a variety of factors, many of which are unpredictable and in certain instances are outside of our control, including: market conditions of, and overall sentiment towards Bitcoin, including negative publicity, media or social media coverage, or sentiment due to events in or relating to, or perception of, Bitcoin or the broader digital assets industry; trading activities of highly active retail and institutional users; significant dispositions of Bitcoin by large holders; actual or perceived manipulation of the spot or derivative markets for Bitcoin or spot Bitcoin exchange-traded products (“ETPs”); macroeconomic conditions, including interest rates, inflation, and central banking policies; changes in national and international economic and political conditions; changes in the legislative or regulatory environment or actions by U.S. or non-

-45-

U.S. governments or regulators regarding digital assets, including cryptocurrency, or companies that hold digital assets; enforcement and judicial actions that adversely affect digital assets industry participants; competition from other digital assets; a decrease in the price of other digital assets; and disruptions, failures, unavailability, or interruptions in service of trading venues for digital assets. As a result of these factors, it is difficult for us to forecast growth trends accurately and our business and future prospects are difficult to evaluate, particularly in the short term.

In addition, the future trading prices in our securities may reflect market dynamics that are not connected to valuation methods commonly associated with operating companies in similar industries or with companies engaged predominantly in passive investments in Bitcoin or other commodities, such as exchange-traded funds. We cannot predict how these dynamics may evolve over time, or whether or how long they may last.

Investing in digital assets increases our exposure to risks associated with those assets, including Bitcoin.

To the extent we pursue our Investment Policy, including through our announced international expansion initiatives in Asia (including in Japan and India), we will be exposed to various risks associated with digital assets, including the following: Bitcoin does not pay interest, dividends or other returns and we can only generate cash from our Bitcoin holdings if we sell them or implement strategies to create income streams or otherwise generate cash by using those holdings; our lack of control over decentralized or third-party blockchains, networks, and custodians that may experience downtime, cyberattacks, critical failures, errors, bugs, corrupted files, data losses, or other similar software failures, outages, breaches and losses, including those due to third-party actions; breaches of security or privacy; further reductions in mining rewards of Bitcoin or increases in the costs associated with Bitcoin mining; transaction congestion and fees associated with processing transactions on the Bitcoin networks; developments in mathematics or technology or new applications of current knowledge that could result in the cryptography used by the Bitcoin blockchains becoming insecure or ineffective; pressures on trading platforms and infrastructure that can lead to inadvertent suspension of services across parts of the platforms or the entire platforms, which may cause outages; and differences in prices of digital assets between exchanges.

The broader digital assets industry, including the technology associated with digital assets, the rate of adoption and development of, and use cases for, digital assets, market perception of digital assets, and the legal, regulatory, and accounting treatment of digital assets are constantly developing and changing, and there may be additional risks in the future that are not possible to predict.

We may not have direct control over our digital assets held through a third-party custodian.

To the extent we pursue our Investment Policy, we expect that our Bitcoin and digital assets may be held by a third-party custodian, and the safety of those assets is dependent on the custodian's security practices and operational integrity, which may lead to the loss of our digital assets as a result of the insolvency of the custodian, theft by employees or insiders of the custodian or if the custodian's security measures are compromised, including as a result of cyberattacks. A successful security breach or cyberattack could result in a partial or total loss of our Bitcoin in a manner that may not be covered by insurance or indemnity provisions of the custody agreement with a custodian who holds our Bitcoin. Such a loss could have a material adverse effect on our financial condition and results of operations.

Our ability to time the price of our purchases of Bitcoin and other digital assets pursuant to our Investment Policy will be limited.

-46-

In the future, we may acquire additional Bitcoin and other digital assets in accordance with our Investment Policy. Bitcoin is a highly volatile asset. Volatility may continue in the future and historical trends could reverse dramatically. As a result, there can be no assurance that we will be able to purchase Bitcoin at favorable prices or avoid losses associated with declines in the value of Bitcoin. Our ability to time such purchases to coincide with favorable market conditions may be limited.

To the extent we pursue our Investment Policy, our operating results may also be subject to significant fluctuations because we may be required to account for our digital assets at fair value.

In December 2023, the FASB issued ASU 2023-08, which upon our adoption will require us to measure in-scope digital assets (including any Bitcoin holdings) at fair value in our statement of financial position, and to recognize gains and losses from changes in the fair value of such assets in net income each reporting period. ASU 2023-08 will also require us to provide certain interim and annual disclosures with respect to our digital asset holdings. Due in particular to the volatility in the price of Bitcoin, we expect the adoption of ASU 2023-08 to have a material impact on our financial results, to increase the volatility of our financial results, and to affect the carrying value of any digital assets on our balance sheet, and it could have adverse tax consequences, which in turn could have a material adverse effect on our financial results and the market price of our securities.

Risks Related to Digital Assets

Volatility and disruptions in the digital asset market may subject us to additional risks.

For example, in 2022, each of Celsius Networks, Voyager, Three Arrows Capital and FTX declared bankruptcy. In November 2023, the U.S. Department of the Treasury, DOJ and CFTC all announced enforcement actions against Binance, requiring payments of over $4.3 billion in criminal forfeiture, penalties, and fines.

In response to these events, the digital assets markets experienced extreme price volatility and several entities in the digital assets industry were negatively affected, undermining confidence in the digital assets markets. Any of these events could reduce customer

-47-

demand for our products and services and have an adverse impact on our business. Furthermore, because we use a B2B2C go-to-market strategy, to the extent clients perceive digital assets as a risky sector or one they do not wish to associate with, that would have a material adverse effect on our business. Banks may not provide banking services, or may cut off banking services, to businesses that provide digital asset-related services, which could dampen liquidity in the market and damage the public perception of digital assets.

Digital asset trading venues may experience greater fraud, security failures or operational problems than trading venues for more established asset classes, which could result in significant price fluctuations of digital assets, including Bitcoin.

Digital asset trading venues are relatively new and, in many cases, unregulated. Furthermore, there are many digital asset trading venues which do not provide the public with significant information regarding their ownership structure, management teams, corporate practices and regulatory compliance. As a result, the marketplace may lose confidence in digital asset trading venues, including prominent exchanges that handle a significant volume of Bitcoin trading and/or are subject to regulatory oversight, in the event one or more digital asset trading venues cease or pause for a prolonged period the trading of any digital assets, or experience fraud, significant volumes of withdrawal, security failures or operational problems.

Any such negative perception of our reputation could harm our business.

Threats to our operations come from external factors such as governments, organized crime, hackers, and other third parties such as outsourced or infrastructure-support providers and application developers, or may originate internally from an employee or service provider to whom we have granted access to our systems.

Digital asset transactions are generally irrevocable, and stolen or incorrectly transferred digital assets may be irretrievable. Once a transaction has been verified and recorded in a block that is added to the distributed ledger,

-48-

an incorrect transfer of digital assets generally will not be reversible, and we may not be able to obtain compensation for any such transfer or theft. Such events would have a material adverse effect on our ability to continue as a going concern.

Digital assets are only controllable by the possessor of private keys relating to the distributed ledger through which the digital asset is held. While the distributed ledgers require a public key relating to a digital asset to be published when used in a transaction, private keys must be safeguarded and kept private in order to prevent a third party from accessing the digital asset. To the extent our private keys are lost, destroyed, or otherwise compromised and no backups of the private keys are accessible, we will be unable to access the digital assets held through the distributed ledger.

Unlike bank accounts or accounts at some other financial institutions, in the event of loss or loss of utility value, there is no public insurer to offer recourse to us or to any consumer and the misappropriated digital asset may not be easily traced to the bad actor.

This could require us to develop and incorporate new technologies to integrate with the new fork, which may require substantial expenditures and take considerable time, if it can be done at all. Until such time as we develop and incorporate such new technologies, consumers may not be able to access new forks or the assets available on new forks. Because digital asset networks are dependent upon the internet, a disruption of the internet or a digital asset network, such as the Bitcoin Network, would affect the ability to transfer digital assets. The realization of one or more of the foregoing risks may have a material adverse effect on our business.

-49-

We may encounter technical issues in connection with the integration of supported digital assets and changes and upgrades to their underlying networks, which could adversely affect our business.

In addition, integration may introduce software errors or weaknesses into our platform, including our existing infrastructure. Even if integration is initially successful, any number of technical changes, software upgrades, soft or hard forks, cybersecurity incidents, bugs, errors, defects or other changes to the underlying blockchain network may occur from time to time, causing incompatibility, technical issues, disruptions, or security weaknesses to our platform. If we are unable to identify, troubleshoot and resolve any such issues successfully, we may no longer be able to support such digital assets, our customers’ assets may be frozen or lost, the security hot, warm, or cold wallets established at our direction by third-party vendors may be compromised, and our platform and technical infrastructure may be affected, all of which could adversely impact our business.

The blockchains on which ownership of digital assets is recorded are dependent on the efforts of third parties acting in their capacity as the blockchain transaction miners or validators, and if these third parties fail to successfully perform these functions, the operation of the blockchains that record ownership of digital assets could be compromised.

Blockchain miners or validators maintain the record of ownership of digital assets. If these entities suffer from cyberattacks or other security incidents (whether from hacking, which involves efforts to gain unauthorized access to information or systems, or to cause intentional malfunctions or loss or corruption of data, software, hardware or other computer equipment, the inadvertent transmission of computer viruses, ransomware or other malware, other forms of malicious attacks, malfeasance or negligent acts of its personnel, or via other means, including phishing attacks and other forms of social engineering), or for financial or other reasons cease to perform these functions, the functioning of the blockchains on which the ownership of a digital assest asset is recorded and the valuation based may be jeopardized.

In addition, over the past several years, digital asset mining operations have evolved from individual users mining with computer processors, graphics processing units and first-generation application specific integrated circuit (“ASIC”) machines to “professionalized” mining operations using proprietary hardware or sophisticated machines. If the profit margins of digital asset mining operations are not sufficiently high, digital asset miners are more likely to immediately sell tokens earned by mining, resulting in an increase in liquid supply of that digital asset, which would generally tend to reduce that digital asset’s market price.

Excessive redemptions or withdrawals, or a suspension of redemptions or withdrawals, of digital asset assets could adversely impact our business.

We have procedures to process redemptions and withdrawals promptly in accordance with the terms of the applicable user agreements. We could experience process-related withdrawal or redemption delays if there were to be a significant and unexpected volume of withdrawal or redemption requests, including in the case of economic disruptions that trigger significant concerns about the stability of the markets. For example, following our disclosure regarding our ability to continue as a going concern in February 2024, one of our clients closed out of its customer positions. To the extent we have process-related delays, even if the delays are brief or due to blockchain network congestion or heightened redemption activity, and even if the delays are within the terms of an applicable user agreement or otherwise communicated by us, we may nonetheless experience, among other things, increased customer complaints, damage to our brand and reputation and additional regulatory scrutiny, any of which could adversely affect our business.

Risks Related to Regulation, Taxation and Laws

-50-

A U.S. federal government shutdown or other disruption in U.S. federal government operations could adversely affect us.

Disagreement over the U.S. federal budget has caused the U.S. federal government to shut down in the past and could result in future shutdowns. Although Congress has in the past relied on continuing resolutions and other short-term funding measures, there is no assurance that future appropriations legislation will be timely enacted or that future shutdowns will be avoided. To the extent a future downtown occurs or is prolonged, shutdown-driven regulatory delays, including at the SEC, could delay key legislative and regulatory initiatives, consultations with regulators and our ability to raise capital. These conditions may also lead to increased volatility and tighter liquidity in the markets, which may decrease transaction volumes, and negatively affect customer sentiment. Any of the foregoing, particularly if any future shutdown is prolonged or occurs repeatedly, could adversely affect our business, financial condition and results of operations.

Our business is subject to extensive government regulation, oversight, licensure and approvals. Our failure to comply with extensive, complex, uncertain, overlapping and frequently changing rules, regulations and legal interpretations could materially harm our business.

Our business is subject to laws, rules, regulations, policies and legal interpretations in the markets in which we operate, including, but not limited to, those governing money transmission, digital asset business activity, consumer protection, anti-money laundering, counter-terrorist financing, privacy and data protection, cybersecurity, economic and trade sanctions, commodities, derivatives, and securities. These laws and regulations are subject to uncertainty and change, and any policy or regulatory changes could affect our business significantly, particularly if we are unable to adapt quickly. See “—Risks Related to Digital Assets—Regulatory regimes governing blockchain technologies and digital asset are evolving and uncertain, and new legislation, regulations, guidance and enforcement actions have in the past required, and may in the future require, us to alter our business practices.”

We have been, and expect to continue to be, required to apply for and maintain various licenses, certifications and regulatory approvals in jurisdictions where we provide our services, including due to changes in applicable laws and regulations or the interpretation of such laws and regulations. There can be no assurance that we will elect to pursue, or be able to obtain, any such licenses, certifications and approvals. In addition, there are substantial costs and potential product changes involved in maintaining and renewing such licenses, certifications and approvals. We expect federal regulation to continue to evolve. This could result in new registration or licensing requirements subjecting us to additional oversight.

As we expand our international business activities, both as to the products and services offered and into jurisdictions within and beyond the United States, we have become increasingly obligated to comply with new laws and regulations, including those of any additional countries and markets in which we operate, and we may be subject to increased regulatory oversight and enforcement and more restrictive rules and regulations. Laws outside of the United States often impose different, more specific, or even conflicting obligations on companies, as well as broader liability. For example, certain transactions that may be permissible in a local jurisdiction may be prohibited by regulations of U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) or U.S. anti-money laundering or counter-terrorist financing regulations. Our ability to manage our business and conduct our operations internationally will require considerable management attention and resources, particularly as we have no operating history outside the United States and limited experience with international regulatory environments and market

-51-

practices. Our failure to successfully manage regulatory risks could harm our international operations and have an adverse effect on our business, operating results, and financial condition.

As we expand our activities, we become increasingly obligated to comply with the laws, rules, regulations, policies and legal interpretations of both the jurisdictions in which we operate and those into which we offer services on a cross-border basis. To the extent a customer accesses our services outside of jurisdictions where we have obtained required governmental licenses and authorization, we face a risk of becoming subject to regulations in that local jurisdiction. A regulator’s conclusion that we are servicing customers in its jurisdiction without being appropriately licensed, registered or authorized could result in fines or other enforcement actions.

Additionally, through our relationships with clients that are banks, we are subject to risk management standard for third-party relationships in accordance with federal bank regulatory guidance and to examinations by the federal banking regulators should these regulators exercise their authorities under applicable law. Should we, these banks, or prospective clients that are banks be unable to satisfy these standards, that failure would materially and adversely affect our business, operating results, and financial condition.

In general, any failure or perceived failure to comply with existing or new laws, regulations, or orders of any regulatory authority (including changes to or expansion of the interpretation of those laws, regulations, or orders) may subject us to liability, significant fines, penalties, criminal and civil lawsuits, forfeiture of significant assets and enforcement actions in one or more jurisdictions, result in additional compliance and licensure requirements, increase regulatory scrutiny of our business, restrict our operations and force us to change our business practices, make product or operational changes, including ceasing our operations in certain jurisdictions, or delaying planned product launches or improvements. Any of the foregoing could, individually or in the aggregate, harm our reputation, damage our brand and business, impose substantial costs and adversely affect our financial condition and results of operations. The complexity of U.S. federal and state regulatory and enforcement regimes, coupled with the scope of our operations and the evolving regulatory environment, could result in a single event giving rise to a large number of overlapping investigations and legal and regulatory proceedings by multiple authorities. Moreover, we cannot provide any assurance that our employees, contractors, or agents will not violate such laws and regulations.

President Trump has issued an executive order to increase federal government support of the digital asset industry, and the SEC has established a new Digital Asset Task Force to develop a framework for SEC policies governing digital assets. In addition, more regulatory certainty or less enforcement could encourage more entrants into the market, which could increase competition for our customers. Our competitors may alternatively

-52-

anticipate a more permissive regulatory environment and, as a result, offer new products or services that we deem to exceed the scope of what is permitted under current regulation, which could put us at a competitive disadvantage.

The failures of risk management and other control functions at other companies that played a role in the 2022 and 2023 events have accelerated, and continue to accelerate, an existing regulatory trend toward stricter oversight of digital asset platforms and the digital asset industry. Legislation, regulations and enforcement actions applicable to digital assets in the United States include, but are not limited to the following:

• In 2023, the SEC initiated lawsuits against certain digital asset exchanges, including Bittrex, Coinbase, Binance, and Kraken alleging among other things that those entities operated as unregistered national securities exchanges, unregistered broker-dealers and unregistered clearing agencies and alleging that certain digital assets available on their platforms are securities. In February and March 2025, the SEC reportedly dropped several enforcement cases involving these types of actions, including that against Coinbase.

• The CFTC staff has publicly taken the position that certain digital assets are commodities, and as such, exchange-traded derivatives involving bitcoin are subject to the CFTC’s jurisdiction and enforcement powers. This has been reflected in certain CFTC enforcement actions, including those against Coinflip, Inc. and certain informal CFTC guidance, such as the LabCFTC’s Primer on Virtual Currencies.

• In July 2023, a court in the Southern District of New York held that Ripple Labs, Inc.’s (“Ripple”) sales of XRP to sophisticated investors pursuant to written contracts did constitute the unregistered offer and sale of investment contracts while sales of XRP to purchasers through blind bid/ask transactions on digital asset exchanges did not constitute the sale of unregistered securities. In 2024, Ripple was assessed a $125 million civil penalty. These rulings are under appeal and the future of the litigation is uncertain.

• On July 31, 2023, a different court in the Southern District of New York held that the SEC had asserted a plausible claim that certain inter-related digital assets offered by Terraform Labs qualified as investment contracts.

• In September 2023, the CFTC issued orders and simultaneously filed and settled charges against Opyn, Inc., ZeroEx, Inc., and Deridex, Inc.

Congress considered bills that would create new federal frameworks for digital assets, including the Financial Innovation and Technology for the 21st Century Act (“FIT 21”), which in 2024 was passed by the House of Representatives but stalled in the Senate and has not been enacted yet, and legislative and regulatory efforts to establish a U.S. digital asset framework continue.

-53-

• Certain state regulators, such as NYDFS, have created or are in the process of creating new regulatory frameworks with respect to digital assets. For example, in 2015, the State of New York adopted the “BitLicense,” the first U.S. regulatory framework for licensing participants in digital asset business activity. In addition, Louisiana adopted a virtual currency regulation, effective as of January 1, 2023, which requires operators of virtual currency businesses to obtain a virtual currency license in order to conduct business in Louisiana. We operate in Louisiana under such license. Other states, such as Texas, have published guidance on how their existing regulatory regimes governing money transmitters apply to virtual currencies. Some states, such as New Hampshire, North Carolina and Washington, have amended their state’s statutes to clarify the treatment of virtual currencies within existing licensing regimes, while others have interpreted their existing statutes as requiring a money transmitter license to conduct certain virtual currency business activities.

• FinCEN has released guidance regarding how it considers its regulations to apply to digital asset businesses.

• The IRS released guidance treating digital assets as property that is not currency for U.S. federal income tax purposes.

• In October 2023, the governor of California signed into law the DFAL, which establishes a required licensing framework administered by the DFPI for entities engaged in digital financial asset business activity in the state of California. The Company expects that its business will require licensure under the DFAL and will therefore take steps to obtain necessary licenses prior to the enactment’s effective date of July 1, 2026. The Company notes that the DFAL provides that the DFPI may issue a conditional license to companies, such as our subsidiaries, that maintain licenses to conduct virtual currency business activity in New York or hold a charter as a New York limited purpose trust company with approval to conduct a virtual currency business under New York law. The Company will continue to monitor and review guidance from the DFPI clarifying the enactment’s scope and interpretation.

• In 2024, the IRS issued final regulations and other guidance on tax reporting requirements for cryptocurrency brokers, which generally expanded the scope of companies that are required to report basis, adjusted basis, gross proceeds and amounts realized from sales of covered digital assets.

•In early 2025, U.S. policymakers and regulators announced initiatives to reassess the regulatory framework for digital assets, including through the creation of a federal working group and an SEC crypto task force.

In particular, the new presidential and congressional administrations may be more likely to change the direction of policy, perhaps significantly. See “Risks Related to Digital Assets—Regulations governing digital assets and blockchain may change rapidly, which may force us to change our business quickly to adapt and may change the competitive landscape.” In addition, regulators may establish self-regulatory bodies to set guidelines regarding digital assets, which could have similar effects on new policies adopted by government bodies. To the extent regulators issue guidance, uncertainties may remain regarding the application of such guidance, and any informal guidance may not be an official policy, rule or regulation, may be subject to change and is not necessarily binding on the applicable regulators. Enforcement actions may also be

-54-

contested in litigation, which could take years to resolve, or dropped by the new administration, which can also lead to an uncertain regulatory environment.

It is difficult to predict how or whether regulatory agencies may apply existing or new regulation with respect to this technology and its applications, and whether regulators will bring enforcement actions on specific issues. Further, U.S. bankruptcy courts have recently been faced with a number of questions of first impression that may determine the status of digital assets in bankruptcy, and the rights and obligations of platforms that custody digital assets for their customers. The law in this area continues to develop.

In addition, new laws, regulations, guidance, or approaches to enforcement that permit a broader range of transactions and activities or are otherwise designed to support the digital asset market could encourage additional entrants into the market and foster more competition. These developments may also force us to adapt our business quickly, and our success and profitability may depend on our ability to do so effectively. Any of the foregoing could significantly adversely impact our business. In addition, competitors may anticipate a more permissive regulatory environment and offer new products or services that exceed the scope of what is currently permitted, and such competitors could attract and retain clients and transaction volume from us while potentially escaping regulatory scrutiny, which could put us at a competitive disadvantage.

Our failure to comply with existing or future laws, rules and regulations could subject us to fines, civil liability, mandatory injunctions that change how we operate or cessation of operations. We may be forced to implement new measures to reduce our exposure to this liability, which may require us to expend substantial resources or to discontinue certain products or services, which would negatively affect our business. Any costs incurred to prevent or mitigate this potential liability could result in reputational harm and affect our financial condition and cash flows, thereby harming our business and results of operations. Relatedly, any loss of license or failure to secure a license that we need may cause a disruption to our business and operations.

See also “—Risks Related to Regulation, Taxation and Laws—A digital asset’s status as a “security” in any relevant jurisdiction may be subject to a high degree of uncertainty, and if crypto assets on our platform are later determined to be securities, we may be subject to regulatory scrutiny, investigations, fines, and other penalties, which may adversely affect our business, operating results, and financial condition.”

A digital asset’s status as a “security” in any relevant jurisdiction may be subject to a high degree of uncertainty, and if digital assets on our platform are later determined to be securities, we may be subject to regulatory scrutiny, investigations, fines, and other penalties, which may adversely affect our business, operating results, and financial condition.

-55-

The SEC and its staff have historically taken the position that certain digital assets or transactions in them fall within the definition of a “security” under the U.S. federal securities laws, and it is possible the SEC may take this position with respect to assets that may be transacted on our platform. Certain legal tests for determining whether any given asset is a security currently may require highly complex and fact-driven analyses, and the outcome of any court or regulator’s assessment can be difficult to predict. In the past, the SEC, as well as other regulators, was increasingly focused on the regulation of digital assets and activities, and that focus impacted our business. Some of these actions have been and may in the future be dismissed or paused in light of changes in the regulatory approach of the SEC regarding digital assets. Among the digital assets identified as securities in these actions are assets that are listed on BFS’ digital asset’s platform. The litigation remains under appeal.”

The classification of an asset as a security under applicable law has wide-ranging implications for the regulatory obligations that flow from the offer, sale, trading and clearing of such assets. For example, an asset that is a security in the United States may generally only be offered or sold in the United States pursuant to a registration statement filed with the SEC or in an offering that qualifies for an exemption from registration. Persons that effect transactions in assets that are classified as securities in the United States may be subject to registration with the SEC and states in which they offer and sell securities as a “broker” or “dealer” and subject to the corresponding rules and regulations of the SEC, relevant states and self-regulatory organizations, including FINRA. Platforms that bring together buyers and sellers of assets that are classified as securities in the United States constitute securities exchanges and will be either required to register as such with the SEC, or to operate pursuant to an exemption, as an alternative trading system (“ATS”).

Because our platform is not yet registered or licensed with the SEC or foreign authorities as a broker-dealer, national securities exchange, or ATS (or foreign equivalents), and we do not seek to register or rely on an exemption from such registration or license to facilitate the offer and sale of digital assets on our platform, we currently only permit transactions in digital assets that we have determined are not securities.

Regardless of our conclusions, we could be subject to legal or regulatory action in the event the SEC, a state or foreign regulatory authority, or a court, were to determine that a digital asset currently offered, sold or traded on our platform is a “security” under applicable laws. Moreover, although we expect our risk assessment policies and procedures to regularly evolve to take into account developments in case law, facts and developments in technology, regulatory clarity and changes in market acceptance and adoption of

-56-

these digital assets, these developments and changes may occur more rapidly than we are able to change our related policies and procedures.

A determination by the SEC, a foreign regulatory authority, or a court that an asset that we support for trading on our platform constitutes a security may also result in a determination that we should remove such asset from our platform, as well as other assets that have similar characteristics to such asset deemed to be a security. In addition, we could be subject to judicial or administrative sanctions for failing to offer or sell the asset in compliance with the registration requirements, or for acting as a broker, dealer, or national securities exchange without appropriate registration. Although our platform functions differently from those alleged to have functioned as unregistered clearing agencies in actions brought by the SEC to date, we could face a similar action if the SEC and its staff take a different position with respect to our activities. An action for failure to register as a broker, dealer, national securities exchange, or clearing agency when such registration was required could result in injunctions, cease and desist orders, as well as civil monetary penalties, fines and disgorgement, criminal liability and reputational harm. Customers that traded such supported assets on our platform and suffered trading losses could also seek to rescind a transaction that we facilitated on the basis that it was conducted in violation of applicable law, which could subject us to significant liability.

Furthermore, if we remove any assets from trading on our platform, our decision may be unpopular with our customers and may reduce our ability to attract and retain customers, especially if such assets remain traded on unregulated exchanges, which includes many of our competitors.

Finally, it is possible that the SEC’s approach to whether particular digital assets are securities will change, perhaps significantly. If so, that could change the scope of the digital assets that may be traded on our platform, and we may be required to adapt quickly. This could also allow and encourage new entrants into the market, which would increase competition and potentially detract from our market share and therefore our trading volume. This could also affect our market share and negatively impact our business.

We are subject to significant litigation risk and risk of regulatory liability and penalties. Any current or future litigation or regulatory proceedings against us could be costly and time-consuming to defend.

We are from time to time subject to legal proceedings and claims as well as regulatory proceedings that arise in the ordinary course of business, such as securities class action litigation or other shareholder litigation, claims brought by our clients or customers in connection with commercial disputes, or employment claims made by our current or former employees, and patent litigation. In addition, prior to our acquisition of Bakkt Crypto, Bakkt Crypto received requests from the SEC for documents and information about certain aspects of its business, including the operation of its trading platform, processes for listing assets, the classification of certain listed assets, and relationships with customers and service providers, among other topics. We timely responded to the SEC’s requests and on March 3, 2025, the SEC concluded its inquiry and, based on the information it had at such time, the SEC advised us that it did not intend to recommend an enforcement action against Bakkt Crypto.

-57-

Many aspects of our business involve substantial litigation risks, including potential liability from disputes over terms of a trade, the claim that a system failure or delay caused monetary losses to a customer, that we entered into an unauthorized transaction, that we provided materially false or misleading statements in connection with a transaction or that we failed to effectively fulfill our regulatory oversight responsibilities. We may be subject to disputes regarding the quality of customer order execution, the settlement of customer orders or other matters relating to our services.

Litigation, even claims without merit, could result in substantial costs and may divert management’s attention and resources, which might seriously harm our business, financial condition and results of operations. Insurance may not cover such claims, may not provide sufficient payments to cover all the costs to resolve one or more such claims, and may not continue to be available on terms acceptable to us (including premium increases or the imposition of large deductible or co-insurance requirements). A claim brought against us that is uninsured or underinsured could result in unanticipated costs, potentially harming our business, financial position and results of operations. In addition, we cannot be sure that our existing insurance coverage and coverage for errors and omissions will continue to be available on acceptable terms, or that our insurers will not deny coverage as to any future claim.

For more information about the regulatory risks to which our business is subject, see “—A digital asset’s status as a “security” in any relevant jurisdiction may be subject to a high degree of uncertainty, and if digital assets on our platform are later determined to be securities, we may be subject to regulatory scrutiny, investigations, fines, and other penalties, which may adversely affect our business, operating results, and financial condition,” “—Regulatory regimes governing blockchain technologies and crypto are evolving and uncertain, and new legislation, regulations, guidance and enforcement actions have in the past required, and may in the future require, us to alter our business practices” and “—Our business is subject to extensive government regulation, oversight, licensure and approvals. Our failure to comply with extensive, complex, uncertain, overlapping and frequently changing rules, regulations and legal interpretations could materially harm our business.”

Adverse resolution of any lawsuit or claim or regulatory proceeding against us, or any regulatory investigation involving us, could have a material adverse effect on our business and our reputation. To the extent we are found to have failed to fulfill our regulatory obligations, we could lose our authorizations or licenses or become subject to conditions that could make future operations more costly and impair our profitability. Such events could also result in consumer dissatisfaction and a decline in consumers’ willingness to use our platform.

We may have to constrain our business activities to avoid being deemed an investment company under the Investment Company Act.

In general, a company that is or holds itself out as being engaged primarily in the business of investing, reinvesting, or trading in securities may be deemed to be an investment company under the Investment Company Act. The Investment Company Act contains substantive legal requirements that regulate the manner in which “investment companies” are permitted to conduct their business activities. We believe we have conducted, and intend to continue to conduct, our business in a manner that does not result in us being characterized as an investment company. To avoid being deemed an investment company, we may decide not to broaden our offerings, which could require us to forgo attractive opportunities. If we are deemed to be an investment company under the Investment Company Act, we would be required to institute burdensome compliance requirements and our activities would be restricted, which would adversely affect our business, financial condition and results of operations. In addition, we may be forced to make changes to our management team if we are required to register as an investment company under the Investment Company Act. Furthermore, to the

-58-

extent we pursue our Investment Policy, we are not subject to, and do not otherwise voluntarily comply with, the extensive regulations applicable to investment companies and investment advisers under U.S. federal and state law. Consequently, our shareholders do not have the regulatory protections provided to shareholders in registered and regulated investment companies, which, for example, require investment companies to have a certain percentage of disinterested directors and regulate the relationship between the investment company and certain of its affiliates.

There can be no assurance that our employees or agents will not violate such laws and regulations.

Anti-money laundering laws and regulations generally prohibit, among other things, our involvement in transferring the proceeds of criminal activities. The USA PATRIOT Act requires us to, among other things, develop, implement and maintain an anti-money laundering program, report suspicious activities and transactions to FinCEN, comply with certain reporting and recordkeeping requirements, and collect and maintain information about customers. Under OFAC’s economic sanctions program, we are prohibited from financial transactions and other dealings with certain countries and geographies and with persons and entities included in OFAC sanctions lists, including its list of Specially Designated Nationals and Blocked Persons.

There can be no assurance that our employees or agents will not violate such anti-money laundering and counter-terrorist financing laws and regulations, and economic and trade sanctions programs. A failure by us or our employees or agents to comply with such laws and regulations and subsequent judgment or settlement against us under these laws could subject us to criminal and/or civil liability, monetary penalties, damages and/or have a significant reputational impact, and a result in a material adverse effect to our business and operations.

Failure to comply with anti-bribery and anti-corruption laws and similar laws could subject us to penalties and other adverse consequences.

We are subject to the U.S. Foreign Corrupt Practices Act of 1977 (the “FCPA”), the U.S. domestic bribery statute contained in 18 U.S.C. § 201, and possibly other anti-bribery and anti-corruption laws in countries outside of the United States where we conduct our activities. Anti-corruption and anti-bribery laws are enforced aggressively and are interpreted broadly to generally prohibit companies, their employees, agents, representatives, clients, and third-party intermediaries from authorizing, offering, or providing, directly or indirectly, improper payments or benefits to recipients in the public or private sector.

We may leverage third parties to sell our products and conduct our business abroad. We, our employees, agents, representatives, clients and third-party intermediaries may have direct or indirect interactions with officials and employees of government agencies or state-owned or affiliated entities and we may be held liable for the corrupt or other illegal activities of these employees, agents, representatives, clients or third-party intermediaries even if we do not explicitly authorize such activities. We cannot assure you that all of our employees, agents, representatives, clients or third-party intermediaries will not take actions in violation of applicable law for which we may be ultimately held responsible. As we increase our international sales and business, our risks under these laws may increase.

-59-

These laws also require that we keep accurate books and records and maintain internal controls and compliance procedures designed to prevent any such actions. While we have implemented policies and procedures designed to ensure compliance with these laws and regulations, there can be no assurance that none of our employees, agents, representatives, clients or third-party intermediaries will not violate our policies or applicable laws and regulations, for which we may be ultimately held responsible.

Any allegations or violation of the FCPA or other applicable anti-bribery and anti-corruption laws could result in whistleblower complaints, sanctions, settlements, prosecution, enforcement actions, fines, damages, adverse media coverage, investigations, loss of export privileges, severe criminal or civil sanctions, or suspension or debarment from government contracts, all of which may have an adverse effect on our reputation, business, results of operations, and prospects. Responding to any investigation or action will likely result in a materially significant diversion of management’s attention and resources and significant defense costs and other professional fees.

We are subject to federal and state consumer protection laws and regulations in the jurisdictions in which we operate, which may result in liability or expense, including potential private rights of action, if we do not comply, or it is alleged that we do not to comply, with such laws.

We are subject to federal and state consumer protection laws and regulations in the jurisdictions in which we operate. These regulations require us to provide advance disclosure of changes to our services, follow specified error resolution procedures and reimburse consumers for losses from certain transactions not authorized by the consumer, among other requirements. There are uncertainties associated with being subject to consumer protection rules and regulations of the CFPB and other regulators, including in the application of certain rules and regulations to our business model and to digital assets. Under certain consumer protection rules and regulations, we may be exposed to significant liability to consumers in the event that there is an incident which results in a large number of unauthorized and fraudulent transfers out of our system. Additionally, we could face private litigation by consumers under consumer protection laws and regulations that have private rights of action. Technical violations of consumer protection laws could result in the assessment of actual damages or statutory damages or penalties of up to $1,000 in individual cases or up to $500,000 per violation in any class action and treble damages in some instances; we could also be liable for plaintiffs’ attorneys’ fees in such cases. We could be subject to, and could be required to pay amounts in settlement of, lawsuits containing allegations that our business violated the EFTA and Regulation E or otherwise advance claims for relief relating to our business practices.

Complying with evolving privacy and other data related laws and requirements may be expensive and force us to make changes to our business, and failure to comply with such laws and requirements could result in substantial harm to our business.

We are subject to a number of laws, rules, directives and regulations relating to the collection, use, retention, security, transfer and other processing of personal information about our consumers, employees, and other individuals (“privacy and security obligations”) in the jurisdictions where we operate. Our business relies on the processing of data and the movement of data, and, as a result, much of the personal information that we process, especially financial information, may be regulated by multiple privacy and security obligations. In many cases, these privacy and security obligations apply not only to third-party transactions, but also to transfers of information between or among us, our subsidiaries and other parties with which we have commercial relationships. Regulatory scrutiny of privacy, data protection, cybersecurity and the collection, storage, use and sharing of personal information is increasing across multiple jurisdictions.

Furthermore, laws relating to privacy, data protection and cybersecurity, including with respect to the use of data in connection with artificial intelligence and machine learning, are rapidly evolving, extensive, complex and include inconsistencies and uncertainties. Examples of recent and anticipated developments that have or could impact our business include the following:

-60-

• The California Consumer Privacy Act (“CCPA”), as amended and supplemented by the California Privacy Rights Act (“CPRA”), provides California residents with certain privacy rights and protections with respect to certain sensitive personal information, including the ability to opt out of sales of their personal information. The CPRA also creates a new state agency that, along with the California Attorney General, has authority to implement and enforce the CCPA and the CPRA.

• Numerous other U.S. states are considering, and in certain cases have adopted, laws similar to the CCPA. For example, legislation similar to the CCPA has been adopted in Virginia, Colorado, Utah, Connecticut, Iowa, Indiana, Montana, Tennessee, Oregon, Florida, Delaware, Texas, New Jersey, Maryland, Minnesota, Nebraska, New Hampshire, Kentucky, and Rhode Island. Other U.S. states have adopted privacy laws addressing biometrics, financial privacy, and other matters. The U.S. federal government has also considered privacy legislation. These and other new and evolving laws could have potentially conflicting requirements that would make compliance challenging.

• The United States government is considering regulating artificial intelligence and machine learning, and legislation regulating certain aspects of artificial intelligence and machine learning has been proposed, and in certain cases adopted, in U.S. states.

• The certifications we maintain and the standards we comply with, including the Payment Card Industry Data Security Standard, among others, are becoming more stringent.

These and other similar legal and regulatory developments could contribute to legal and economic uncertainty, affect how we design, market, sell and operate our platform, how our clients, customers and vendors process and share data, how we process and use data, and how we transfer personal information from one jurisdiction to another, which could negatively impact demand for our platform. We may incur substantial costs to comply with privacy and security obligations, to meet the demands of our clients relating to their own compliance with applicable privacy and security obligations, and to establish and maintain internal policies, self-certifications and third-party certifications supporting our compliance programs. Our clients may delegate their privacy and security obligations relating to these or other laws or regulations to us via contract, and may impose additional obligations upon us via contract. More generally, we may be required to expend resources to assist our clients with such compliance obligations and to comply with our contractual obligations to our clients. In addition, any actual or perceived non-compliance with applicable laws, regulations, policies, industry data protections, security standards, certifications, and other actual or alleged privacy and security obligations or other undertakings relating to privacy or cybersecurity could result in proceedings, investigations, or claims against us by regulatory authorities, consumers, clients, or others, leading to reputational harm, significant fines, litigation costs, damages and other liabilities. Furthermore, many foreign countries and governmental bodies have laws and regulations concerning the collection, use, storage, deletion and other processing of personal information obtained from their residents or by businesses operating within their jurisdiction. These laws and regulations often are more restrictive than those in the United States. All of these impacts could have a material adverse effect on our business, financial condition and results of operations.

We may at times fail to comply with our privacy policies or other notices or statements we may make regarding the collection, use, disclosure and other processing of personal information, including credit card information, and certain other information or may be perceived to have failed to do so. We may also not be successful in achieving compliance if our employees or vendors fail to comply with our policies, certifications, documentation, notices and statements. Such failures can subject us to potential investigations, enforcement actions or other proceedings if they are found to be deceptive, unfair or misrepresentative of our actual practices.

-61-

In addition, because of the large number of text messages, emails, phone calls and other communications we send or make to our consumers for various business purposes, communication-related privacy laws that provide a specified monetary damage award or fine for each violation could result in particularly significant damage awards or fines. For example, under the Telephone Consumer Protection Act (“TCPA”), in the U.S., plaintiffs may seek actual monetary loss or statutory damages of $500 per violation, whichever is greater, and courts may triple the damage award for willful or knowing violations. We could be subject to lawsuits (including class-action lawsuits) containing allegations that our business violated the TCPA. These lawsuits seek damages (including statutory damages) and injunctive relief, among other remedies. Given the large number of communications we send to our consumers, a determination that there have been violations of the TCPA or other communications-based statutes could expose us to significant damage awards that could, individually or in the aggregate, materially harm our business.

We may be unable to sufficiently protect our proprietary rights and may encounter disputes from time to time relating to our use of the intellectual property of third parties.

We rely on a combination of trademarks, patents, service marks, copyrights, trade secrets, domain names and agreements with employees and third parties to protect our proprietary rights. Nonetheless, third parties may challenge, invalidate or circumvent our intellectual property, and our intellectual property may not be sufficient to provide it with a competitive advantage.

Despite our efforts to protect these rights, unauthorized third parties may attempt to duplicate or copy the proprietary aspects of our technology and processes. Our competitors and other third parties independently may design around or develop similar technology or otherwise duplicate our services or products such that we could not assert our intellectual property rights against them. In addition, our contractual arrangements may not effectively prevent disclosure of our intellectual property and confidential and proprietary information or provide an adequate remedy in the event of an unauthorized disclosure. Measures in place may not prevent misappropriation or infringement of our intellectual property or proprietary information and the resulting loss of competitive advantage, and we may be required to litigate to protect our intellectual property and proprietary information from misappropriation or infringement by others, which is expensive, could cause a diversion of resources and may not be successful.

We also may encounter disputes from time to time concerning intellectual property rights of others, and we may not prevail in these disputes. Third parties may raise claims alleging that we, or consultants or other third parties retained or indemnified by us, infringe on their intellectual property rights. Given the complex, rapidly changing and competitive technological and business environment in which we operate, and the potential risks and uncertainties of intellectual property-related litigation, an assertion of an infringement claim against us may cause us to spend significant amounts to defend the claim, even if we ultimately prevail, pay significant money damages, lose significant revenues, be prohibited from using the relevant systems, processes, technologies or other intellectual property (temporarily or permanently), cease offering certain products or services, or incur significant license, royalty or technology development expenses.

Regulatory requirements upon a change of control of our regulated subsidiaries may require an investor to obtain prior approval or submit information to regulators upon acquiring a direct or indirect controlling interest in us.

Certain of our subsidiaries are subject to regulatory supervision, including the requirement to obtain prior consent from the relevant regulator when a person holds, acquires or increases a controlling interest in those entities. For instance, under certain state money transmitter regulations, no person may hold or acquire, alone or together with others, a direct or indirect stake of 10% or more of us, or exercise, directly or indirectly, a controlling influence over us or any of the regulated subsidiaries. Under other state money transmitter regulations, that threshold may be higher. Such regulatory requirements may deter or delay an investor from acquiring a direct or indirect controlling interest in us or may make the closing of such a proposed investment subject to regulatory uncertainty.

Non-compliance with those requirements may lead to injunctions, penalties and sanctions against us as well as the person seeking to hold, acquire or increase a controlling interest, may subject the relevant transactions to

-62-

cancellation or forced sale, and may result in increased regulatory compliance requirements or other potential regulatory restrictions on our business (including in respect of matters such as corporate governance, restructurings, mergers and acquisitions, financings and distributions). If any of this were to occur, it could damage our reputation, limit our growth and materially and adversely affect our business, financial condition and results of operations.

Changes in tax laws or their judicial or administrative interpretations, or becoming subject to additional taxes that cannot be passed through to our loyalty customers, could negatively affect our business, financial condition and results of operations.

Our operations may be subject to extensive tax liabilities, including federal and state income taxes and other taxes, such as excise, sales/use, payroll, franchise, withholding and ad valorem taxes. Changes in tax laws or their judicial or administrative interpretations could decrease the amount of revenues we receive, the value of any tax loss carryforwards and tax credits recorded on our balance sheet and the amount of our cash flow and may have a material adverse impact on our business, financial condition and results of operations. Some of our tax liabilities may be subject to periodic audits by the applicable taxing authority, which could increase our tax liabilities. Furthermore, we may become subject to taxation in various taxing jurisdictions. If we are required to pay additional taxes and are unable to pass the tax expense through to our customers, our costs would increase and our net income would be reduced, which could have a material adverse effect on our business, financial condition and results of operations.

Because there is limited guidance for tax reporting or accounting of bitcoin and other digital asset transactions, the determination that we have made for how to account for or report the tax treatment of digital asset transactions may be subject to change and challenge by relevant tax authorities in various countries, including the United States.

In 2014, the IRS released Notice 2014-21, IRB 2014-16, or IRS Notice, discussing certain aspects of “convertible virtual currency” (that is, crypto currency that has an equivalent value in real (or fiat) currency or that acts as a substitute for fiat currency) for U.S. federal income tax purposes. IRS stated that such crypto currency is treated as “property”, not “currency” for purposes of the rules relating to foreign currency gain or loss, and may be held as a capital asset. In 2019, the IRS released Revenue Ruling 2019-24 and a set of “Frequently Asked Questions”, or the 2019 Revenue Ruling & FAQs, that provide some additional guidance, including guidance to the effect that, under certain circumstances, hard forks of crypto currencies are taxable events giving rise to ordinary income and guidance with respect to the determination of the tax basis of crypto currency. In 2023, the IRS released Revenue Ruling 2023-14, or the 2023 Revenue Ruling, that provides a cash-method taxpayer that receives additional units of crypto from staking must include those rewards in gross income. However, the IRS Notice, the 2019 Revenue Ruling & FAQs and the 2023 Revenue Ruling do not address other significant aspects of the U.S. federal income tax treatment of crypto and related transactions.

It is also unclear what additional guidance may be issued in the future on the treatment of existing digital asset transactions and future digital asset innovations for purposes of U.S. federal income tax or other foreign tax regulations. Future technological and operational developments that may arise with respect to crypto currencies may increase the uncertainty with

-63-

respect to the treatment of crypto currencies for U.S. federal income and foreign tax purposes.

Additionally, changes in applicable laws and administrative guidance could impose such obligations on us. For example, under the Infrastructure Investment and Jobs Act of 2021 (Pub. L. As a result, we may be required to file certain information reports, including customer’s names and addresses, gross proceeds from sales, and any capital gains or losses to the IRS. In 2024, the IRS issued final regulations and other guidance on tax reporting requirements for cryptocurrency brokers, which were intended to implement the changes in law enacted by the Infrastructure Act. The IRS may introduce new rules related to our tax reporting and withholding obligations on our customer transactions in the future, possibly in ways that differ from our existing compliance protocols and where there is risk that we do not have proper records to ensure compliance for certain legacy customers. Such rules are under discussion today by the member and observer states of the “Organization for Economic Cooperation and Development” (the “OECD”) and may give rise to potential liabilities or disclosure requirements for prior customer arrangements and new rules that affect how we onboard our customers and report their transactions to taxing authorities.

Our ability to use net operating losses to offset future taxable income may be subject to certain limitations under U.S. or state tax law.

Under Section 382 of the Internal Revenue Code of 1986, as amended (the “Code”), a corporation that undergoes an “ownership change” is subject to limitations on its ability to utilize its net operating losses (“NOLs”) to offset future taxable income. The Company has not determined if it has experienced Section 382 ownership changes in the past and if a portion of its NOL carryforwards are subject to limitation. Future changes in our stock ownership, the causes of which may be outside of our control, could result in an ownership change under Section 382 of the Code. Any NOLs may also be subject to limitation under state laws.

In addition, under the 2017 Tax Cuts and Jobs Act, or Tax Act, federal NOLs arising in taxable years beginning after December 3, 2017 do not expire but may be utilized to offset no more than 80% of taxable income annually. We may be required to pay federal income taxes in future years despite having NOLs for federal income tax purposes. There is also a risk that due to statutory or regulatory changes, such as suspensions on the use of NOLs, or other unforeseen reasons, our NOLs could expire or otherwise be unavailable to offset future income tax. Based on state conformity or the lack thereof to the provisions in the Tax Act, as amended by the CARES Act, there is the potential that NOLs could expire or be unavailable to offset future income for state income tax purposes. For these reasons, we may not be able to realize a tax benefit from the use of any NOLs, whether or not we attain profitability.

Unrealized fair value gains on our digital asset holdings may cause us to become subject to the corporate alternative minimum tax under the Inflation Reduction Act of 2022.

-64-

The United States enacted the Inflation Reduction Act of 2022 (“IRA”) in August 2022. Unless an exemption applies, the IRA imposes a 15% corporate alternative minimum tax (“CAMT”) on a corporation with respect to an initial tax year and subsequent tax years if the average annual adjusted financial statement income for any consecutive three-tax-year period preceding the initial tax year exceeds $1 billion. On September 12, 2024, the Department of Treasury and the IRS issued proposed regulations with respect to the application of CAMT.

Additionally, to the extent we pursue our Investment Policy, we expect to be required to adopt ASU 2023-08, under which our Bitcoin holdings must be measured at fair value in our statement of financial position, with gains and losses from changes in the fair value of our Bitcoin recognized in net income each reporting period. When determining whether we are subject to CAMT and when calculating any related tax liability for an applicable tax year, the proposed regulations provide that, among other adjustments, our adjusted financial statement income must include any unrealized gains or losses reported in the applicable tax year.

Accordingly, as a result of the enactment of the IRA and our expected adoption of ASU 2023-08, we may be subject to CAMT in the 2026 taxable year and beyond. If we become subject to CAMT, it could result in a material tax obligation that we would need to satisfy in cash, which could materially affect our financial results, including our earnings and cash flow, and our financial condition.

We may be subject to various governmental export control and trade sanctions laws and regulations that could impair our ability to compete in international markets or subject us to liability if we violate these controls.

In some cases, our platform may be subject to export control laws and regulations, including the Export Administration Regulations administered by the U.S. Department of Commerce, and platform and other our activities may be subject to trade and economic sanctions, including those administered by the United States Department of the Treasury’s Office of Foreign Assets Control, or OFAC (collectively, “Trade Controls”). As such, a license may be required to make our platform available or to provide services to certain countries and end-users, and for certain end-uses. The process for obtaining necessary licenses may be time-consuming or unsuccessful, potentially causing delays in sales or losses of sales opportunities, and these licenses may not be issued. Trade Controls are complex and dynamic regimes and monitoring and ensuring compliance can be challenging. Although we have procedures in place designed to ensure our compliance with Trade Controls, any failure to comply could subject us to both civil and criminal penalties, including substantial fines, possible incarceration of responsible individuals for willful violations, possible loss of our export or import privileges, and reputational harm.

In addition, various countries regulate the import of certain encryption technology, including through import permit and license requirements, and have enacted laws that could limit our ability to distribute our software and services or could limit our customers’ ability to implement our platform in those countries. Changes in our platform or changes in export and import regulations in such countries may create delays in the introduction of our platform into international markets, prevent our customers with international operations from deploying our platform globally or, in some cases, prevent or delay the export or import of our software and services to certain countries, governments, or persons altogether.

Risks Related to Information Technology and Data

Actual or perceived cyberattacks, security incidents or breaches could result in serious harm to our reputation, business and financial condition.

Our business involves the collection, storage, processing and transmission of confidential information and customers’ personal information, including financial information and information about how customers interact with our platform. We have built our reputation on the premise that we offer customers a secure and convenient way to manage their digital assets. We also maintain and process other information in our business, including our own proprietary, confidential or otherwise sensitive information, and information we maintain or otherwise process for

-65-

third parties. An increasing number of organizations, including large merchants, businesses, technology companies and financial institutions, as well as government institutions, have disclosed breaches of their information security systems, some of which have involved sophisticated and highly targeted attacks, including on their websites, mobile applications and infrastructure.

The techniques used to obtain unauthorized, improper, or illegal access to systems and information (including customers’ personal information), disable or degrade service, or sabotage systems are constantly evolving and have become very complex and sophisticated, may be difficult to detect quickly, and often are not recognized or detected until after they have been launched against a target. We may be unable to anticipate these techniques or to implement adequate preventative measures, and any cyberattack, breach or other security incident may take longer than expected to remediate or otherwise address. Unauthorized parties have attempted, and we expect that they will continue to attempt, to gain access to our systems or facilities through various means, including, but not limited to, hacking into our systems or facilities or those of our customers or vendors, and attempting to fraudulently induce users of our systems (including employees and customers) into disclosing customer names, passwords, payment card information, or other sensitive information, which may in turn be used to access our information technology systems, or to steal digital assets stored by our customers. Threats can come from a variety of sources, including criminal hackers, hacktivists, state-sponsored intrusions, industrial espionage and insider threats. Certain efforts may be supported by significant financial and technological resources, making them even more sophisticated and difficult to detect. The wars in Ukraine and the Middle East, and other geopolitical tensions and military conflicts, may increase the risks we and our vendors face from cyberattacks. Numerous and evolving cybersecurity threats, including advanced and persistent cyberattacks, cyberextortion, ransomware, denial-of-service attacks, spear phishing and social engineering schemes, the introduction of computer viruses, ransomware or other malware, and the physical destruction of all or portions of our information technology and infrastructure could compromise the confidentiality, availability and integrity of the information (including consumers’ personal information) in and being processed by our systems. Although we have developed systems and processes designed to protect information we manage, prevent data loss and other security breaches and to permit us to effectively respond to known and potential risks, and we expect to continue to expend significant resources to bolster these systems and processes, there can be no assurance that our security measures will provide absolute security or have prevented or will prevent breaches, security incidents or attacks, in particular, as the frequency and sophistication of cyberattacks increases. To the extent we pursue our Investment Policy, the foregoing risks will also apply to any Bitcoin or other digital assets held as part of our corporate treasury. Attacks upon systems across a variety of industries, including industries related to Bitcoin, are increasing in frequency, persistence, and sophistication, and, in many cases, are being conducted by sophisticated, well-funded and organized groups and individuals, including state actors.

Our information technology and infrastructure and those of our vendors (including data center and cloud computing providers) may be vulnerable to cyberattacks, security breaches and incidents and third parties may be able to access our customers’ personal information and/or proprietary information, banking, digital assets and payment card information, or other confidential, proprietary, or otherwise sensitive information, stored on or accessible through those systems. We have experienced from time to time, and may experience in the future, security breaches or incidents due to human error, malfeasance, insider threats, system errors, bugs, vulnerabilities, or other causes. Actual or perceived breaches of, or incidents impacting our or our vendors’ security could, among other things:

• interrupt our operations;

• result in our systems or services being unavailable, disrupted or degraded;

-66-

• result in loss or unavailability of, or improper acquisition, use, disclosure or other processing of information (including consumers’ personal information) and actual or perceived violations of applicable laws, regulations, or other actual or asserted legal or contractual obligations;

• materially harm our reputation;

• result in significant liability claims, litigation, regulatory scrutiny, investigations and other proceedings, fines, penalties and other legal and financial exposure;

• cause us to incur significant remediation costs;

• lead to loss or theft of customer digital assets and other harm to customers;

• lead to loss or theft of intellectual property;

• lead to loss of customer confidence in, or decreased use of, our products and services;

• divert the attention of management from the operation of our business;

• result in significant compensation or contractual penalties from us to our customers as a result of losses to them or claims by them; and

• adversely affect our business and results of operations.

We have expended and expect to continue to invest in resources to protect against privacy compromises and security breaches and incidents and may be required to redress problems caused by such matters. We have implemented remote and hybrid working protocols and offer work-issued devices to certain employees, but the actions of employees while working remotely may have a greater effect on the security of our infrastructure and networks and the information, including personal information, we process, including for example by increasing the risk of compromise to systems or information arising from employees’ combined personal and private use of devices, accessing our networks or information using wireless networks that we do not control, or the ability to transmit or store information outside of our secured network. Our employees’ or third parties’ intentional, unintentional or inadvertent actions may increase our vulnerability or expose us to security threats, such as ransomware or other malware or phishing attacks, and we may remain responsible for unauthorized access to, or loss, unavailability, alteration, destruction, acquisition, disclosure or other processing of information we or our vendors process or otherwise maintain. Also, cyberattacks, including on the supply chain, continue to increase in frequency and magnitude, and we cannot provide assurances that our preventative efforts have been or will be successful.

Financial services regulators in various jurisdictions have implemented authentication requirements for banks and payment processors intended to reduce online fraud, which could impose significant costs, require us to change our business practices, make it more difficult for new consumers to join us, and reduce the ease of use of our platform, which could harm our business. Our insurance policies may not be adequate to reimburse us for losses caused by security breaches or incidents. We also cannot be certain that our insurance coverage will be adequate for incurred cybersecurity liabilities, that insurance will continue to be available to us on economically reasonable terms, or at all, or that an insurer will not deny coverage as to any future claim. The successful assertion of one or more large claims against us that exceed available insurance coverage, or the occurrence of changes in our insurance policies, including premium increases or the imposition of large deductible or co-insurance requirements, could have a material adverse effect on our business, including our financial condition, results of operations, and reputation.

Systems failures and resulting interruptions in the availability of our websites, applications, products or services could harm our business.

-67-

Our systems and those of our service providers and clients have experienced from time to time, and may experience in the future service interruptions or degradation because of hardware and software defects or malfunctions, insider threats, human error, earthquakes, hurricanes, floods, fires and other natural disasters, power losses, disruptions in telecommunications services, fraud, geopolitical tensions, and military or political conflicts (including the wars in Ukraine and the Middle East), terrorist attacks, computer viruses, ransomware or other malware, or other events. We have experienced from time to time, and may experience in the future, disruptions in our systems.

We have experienced and expect to continue to experience system failures, denial-of-service attacks and other events or conditions from time to time that interrupt the availability, or reduce or adversely affect the speed or functionality, of our products and services. These events have resulted and likely will result in loss of revenue. A prolonged interruption in the availability or reduction in the availability, speed, or functionality of our products and services could materially harm our business. Frequent or persistent interruptions in our services could cause current or potential clients to believe that our systems are unreliable, leading them to switch to competitors or to avoid or reduce the use of our platform, and could permanently harm our reputation. Moreover, if any system failure or similar event results in damages to our customers, these clients could seek significant compensation or contractual penalties from us for their losses, and those claims, even if unsuccessful, would likely be time-consuming and costly for us to address, and could have other consequences described under the caption “—Actual or perceived cyberattacks, security incidents or breaches could result in serious harm to our reputation, business and financial condition.” Further, frequent or persistent site interruptions could lead to regulatory scrutiny, significant fines and penalties and mandatory and costly changes to our business practices, and ultimately could cause us to lose existing licenses that we need to operate or prevent or delay us from obtaining additional licenses that may be required for our business.

We also rely on facilities, components, applications and services supplied by third parties, including data center facilities and cloud storage services, which subjects us to risks in the nature of those discussed under the caption “—We face operational, legal and other risks related to our reliance on third party vendors, over which we have no control.”

Implementation of new systems and technologies is complex, expensive and time-consuming. If we fail to timely and successfully implement new information systems and technologies, or improvements or upgrades to existing information systems and technologies, or if such systems and technologies do not operate as intended, this could have an adverse impact on our business, internal controls (including internal controls over financial reporting), results of operations and financial condition.

If we use open source software inconsistent with our policies and procedures or the license terms applicable to such software, we could be subject to legal expenses, damages, or costly remediation or disruption to our business.

We use open source software in our platform. While we have policies and procedures in place governing the use of open source software, there is a risk that we incorporate open source software with onerous licensing terms, including the obligation to make our source code available for others to use or modify without compensation. If we receive an allegation that we have violated an open source license, we may incur significant legal expenses, be subject to damages, be required to redesign our platform to remove the open source software, or be required to comply with onerous license restrictions, all of which could have a material impact on our business. Even in the absence of a claim, if we discover the use of open source software inconsistent with our policies, we could expend significant time and resources to replace the open source software or obtain a commercial license, if available. All of these risks are heightened by the fact that the ownership of open source software can be uncertain, leading to litigation, and many of the licenses applicable to open source software have not been interpreted by courts, and these licenses could be construed to impose unanticipated conditions or restrictions on our ability to commercialize our

-68-

products. Any use of open source software inconsistent with our policies or licensing terms could harm our business and financial position.

Risks Related to Risk Management and Financial Reporting

If we are unable to maintain effective internal controls over financial reporting, we may be unable to produce timely and accurate financial statements, which could have a material adverse effect on our business.

Pursuant to the Sarbanes-Oxley Act we are required to make a formal assessment of the effectiveness of our internal control over financial reporting and we will also be required to include an attestation report on internal control over financial reporting issued by our independent registered public accounting firm.

We have limited accounting and finance personnel and other resources and must develop our own internal controls and procedures consistent with SEC regulations. In 2024, we identified and subsequently remediated a material weakness in our internal control over financial reporting relating to the review of the work performed by a third-party valuation specialist used in the valuation of our Class 1 Warrants and Class 2 Warrants issued in February 2024. While we have taken steps to further improve our internal control environment, we cannot assure you that additional control deficiencies or material weaknesses will not be identified in the future.

Any failure to maintain effective disclosure controls and procedures or internal control over financial reporting could have an adverse effect on our business and operating results, and cause a decline in the price of our securities.

Real or perceived inaccuracies in our key operating metrics may harm our reputation and negatively affect our business.

We track certain key operating metrics with internal systems and tools that are not independently verified by any third party. While the metrics presented in this Form 10-K are based on what we believe to be reasonable assumptions and estimates, our internal systems and tools have a number of limitations, and our methodologies for tracking these metrics may change over time. In addition, limitations or errors with respect to how we measure data or with respect to the data that we measure may affect our understanding of certain details of our business, which could affect our long-term strategies. If the internal systems and tools we use to track these metrics understate or overstate performance or contain algorithmic or other technical errors, the key operating metrics we report may not be accurate. If investors do not perceive our operating metrics to be accurate, or if we discover material inaccuracies with respect to these figures, our reputation may be significantly harmed and our results of operations and financial condition could be adversely affected.

If our estimates or judgments relating to our critical accounting policies prove to be incorrect, our results of operations could be adversely affected.

The preparation of financial statements in conformity with GAAP requires management to make estimates and assumptions that affect the reported amounts of assets and liabilities, disclosure of contingent assets and liabilities at the date of the condensed financial statements and income and expenses during the periods reported. Actual results could materially differ from those estimates and the amounts reported in our consolidated financial statements and accompanying notes appearing elsewhere in this Form 10-K. We base our estimates on historical experience and on various other assumptions that we believe to be reasonable under the circumstances. The results of these estimates form the basis for making judgments about the carrying values of assets, liabilities and equity, and the amount of revenue and expenses that are not readily apparent from other sources. Significant estimates and judgments involve those related to going concern, revenue recognition, internal-use software development costs, valuation of our stock-based compensation awards, including the determination of fair value of our common stock, accounting for income taxes, the carrying value of operating lease right-of-use assets and useful lives of long-lived

-69-

assets, among others. Our results of operations may be adversely affected if our assumptions change or if actual circumstances differ from those in our assumptions, which could cause our results of operations to fall below the expectations of securities analysts and investors, resulting in a decline in the market price of our securities.

Our management has limited experience in operating a public company.

Certain of our executive officers and directors, including our Chief Executive Officer, have limited experience in the management of a publicly traded company. Such limited experience in dealing with the complex laws pertaining to public companies could be a disadvantage and result in a significant amount of their time being devoted to these activities, which will result in less time being devoted to our management and growth.

If members or former members of our management engage in business activities of the types conducted by us, we may be materially adversely affected.

Certain members and former members of our management and their affiliates have in the past provided management services to other finance and technology companies that may compete with us. Certain members and former members of our management have entered into restrictive covenant agreements with non-competition provisions. If these agreements are not effective in preventing these parties from engaging in business activities that are competitive with us, it could have a material adverse effect on our business, financial condition, results of operations or prospects.

We are a “smaller reporting company” and any decision to comply with certain reduced reporting and disclosure requirements applicable to smaller reporting companies could make our securities less attractive to investors.

We are a “smaller reporting company,” as defined in Regulation S-K of the Securities Act of 1933, as amended (the “Securities Act”), which allows us to take advantage of certain exemptions from various reporting requirements that are applicable to other public companies that are not smaller reporting companies, including reduced disclosure obligations regarding executive compensation in our periodic reports and proxy statements.

If some investors find our securities less attractive because we rely on any of these exemptions, there may be a less active trading market for such securities and the market price of such securities may be more volatile and may decline.

Future changes in financial accounting standards may significantly change our reported results of operations.

GAAP is subject to standard setting or interpretation by the FASB, the SEC and various bodies formed to promulgate and interpret appropriate accounting principles. A change in these principles or interpretations could have a significant effect on our reported financial results. Any future adjustments could materially impact our regulatory capital requirements and our reported results of operations, which could have negative outcomes for us and harm our reputation and could affect the reporting of transactions completed before the announcement of a change.

Risks Related to Our Securities

We may issue additional shares of common stock or other equity securities, which would dilute stockholders’ ownership interest in us and may reduce the market price of our securities.

We may issue additional shares of our common stock or other equity securities in the future in connection with, among other things, future acquisitions, repayment of outstanding indebtedness, the exercise of previously

-70-

issued warrants, or grants under the Omnibus Incentive Plan, or other grant awards without stockholder approval in a number of circumstances. The issuance of additional common stock or other equity securities could have, among other things, one or more of the following effects:

• our existing stockholders’ proportionate ownership interest will decrease;

• the amount of cash available per share, including for payment of dividends in the future, may decrease;

• the relative voting strength of each previously outstanding share of our common stock may be diminished; and

• the market price of our common stock and/or Warrants may decline.

Any such exercise increases the number of shares outstanding and eligible for future resale in the public market and results in dilution to our stockholders.

On July 28, 2025, we issued and sold pre-funded warrants to purchase an aggregate of 746,373 shares of our common stock for aggregate net proceeds of approximately $69 million. Further, on February 26, 2026, we issued and sold pre-funded warrants to purchase an aggregate of 2,475,201 shares of our common stock for aggregate net proceeds of approximately $48.125 million. In addition, we have outstanding Class 1 Warrants and Class 2 Warrants to purchase up to an aggregate of 2,017,850 additional shares common sock at an exercise price $25.50 per share. Sales of substantial numbers of such shares in the public market or the fact that such warrants may be exercised could adversely affect the market price of common stock.

We may not receive any additional funds upon the exercise of the Warrants.

Our Class 1 Warrants and Class 2 Warrants may be exercised by way of a cashless exercise, meaning that the holder may not pay a cash purchase price upon exercise, but instead would receive upon such exercise the net number of shares of the common stock as determined according to the formulas set forth in the Warrant. In addition, upon the occurrence of certain events, the Class 2 Warrants may be exercised by way of an alternative cashless exercise, allowing the holder to receive the product of (x) the aggregate number of shares subject to the alternative cashless exercise (up to the full number of shares that would be issuable upon exercise of the Class 2 Warrant in accordance with the terms of the Class 2 Warrant if such exercise were by means of a cash exercise rather than a cashless exercise) and (y) 0.5. Accordingly, we may not receive any additional funds upon the exercise of our Class 1 Warrants or our Class 2 Warrants.

The valuation of our warrants could increase the volatility in our net income (loss) in our consolidated statements of operations.

The change in fair value of our warrants is the result of changes in stock price and warrants outstanding at each reporting period. (Loss) gain from change in fair value of warrant liabilities represents the mark-to-market fair value adjustments to the outstanding warrants. Significant changes in our stock price or number of warrants outstanding may adversely affect our net income (loss) in our consolidated statements of operations.

If securities and industry analysts do not publish research or publish inaccurate or unfavorable research about our business, the prices and trading volumes of our securities could decline.

-71-

The trading market for our securities depends, in part, on the research and reports that securities and industry analysts publish about us and our business. If securities and industry analysts downgrade our securities or publish inaccurate or unfavorable research about our business, the market price of our securities would likely decline. If one or more of these analysts cease coverage of us or fail to publish reports on us regularly, demand for our stock could decrease, which might cause the market price and trading volume of our securities to decline.

Delaware law and our Certificate of Incorporation and By-Laws contain certain provisions, including anti-takeover provisions that limit the ability of stockholders to take certain actions and could delay or discourage takeover attempts that stockholders may consider favorable.

Our certificate of incorporation (the “Certificate of Incorporation”) and our by-laws (the “By-Laws”) contain provisions that could have the effect of rendering more difficult, delaying, or preventing an acquisition deemed undesirable by the Board and therefore depress the trading price of our securities. These provisions could also make it difficult for stockholders to take certain actions, including electing directors who are not nominated by the current members of the Board or taking other corporate actions, including effecting changes in management. Among other things, the Certificate of Incorporation and By-Laws include provisions regarding:

• a classified Board with three-year staggered terms, which could delay the ability of stockholders to change the membership of a majority of the Board;

• the ability of the Board to issue shares of Preferred Stock, including “blank check” preferred stock and to determine the price and other terms of those shares, including preferences and voting rights, without stockholder approval, which could be used to significantly dilute the ownership of a hostile acquirer;

• the limitation of the liability of, and the indemnification of, our directors and officers;

• the right of the Board to elect a director to fill a vacancy created by the expansion of the Board or the resignation, death or removal of a director, which prevents stockholders from being able to fill vacancies on the Board;

• the requirement that directors may only be removed from the Board for cause and upon the affirmative vote of the holders of at least 66 2/3% of the total voting power of then outstanding common stock;

• a prohibition on stockholder action by written consent (except as required for holders of future series of Preferred Stock), which forces stockholder action to be taken at an annual or special meeting of stockholders and could delay the ability of stockholders to force consideration of a stockholder proposal or to take action, including the removal of directors;

• the requirement that a special meeting of stockholders may be called only by the Board, the Chairman of the Board or our Chief Executive Officer, which could delay the ability of stockholders to force consideration of a proposal or to take action, including the removal of directors;

• controlling the procedures for the conduct and scheduling of the Board and stockholder meetings;

• the requirement for the affirmative vote of holders of at least 66 2/3% of the total voting power of all of the then outstanding shares of the voting stock, voting together as a single class, to amend, alter, change or repeal certain provisions in the Certificate of Incorporation which could preclude stockholders from bringing matters before annual or special meetings of stockholders and delay changes in the Board and also may inhibit the ability of an acquirer to effect such amendments to facilitate an unsolicited takeover attempt;

• the ability of the Board to amend the By-Laws, which may allow the Board to take additional actions to prevent an unsolicited takeover and inhibit the ability of an acquirer to amend the By-Laws to facilitate an unsolicited takeover attempt; and

-72-

• advance notice procedures with which our stockholders must comply to nominate candidates to the Board or to propose matters to be acted upon at a stockholders’ meeting, which could preclude stockholders from bringing matters before annual or special meetings of stockholders and delay changes in the Board and also may discourage or deter a potential acquirer from conducting a solicitation of proxies to elect the acquirer’s own slate of directors or otherwise attempting to obtain control.

These provisions, alone or together, could delay or prevent hostile takeovers and changes in control or changes in the Board or management.

Our Certificate of Incorporation designates a state or federal court located within the State of Delaware as the exclusive forum for substantially all disputes between us and our stockholders, which could limit our stockholders’ ability to choose the judicial forum for disputes with us or our directors, officers, or employees.

Our Certificate of Incorporation provides that, unless we consent in writing to the selection of an alternative forum, the Court of Chancery of the State of Delaware, or if such court does not have subject matter jurisdiction, any other court located in the State of Delaware with subject matter jurisdiction, will be the sole and exclusive forum for (a) any derivative action or proceeding brought on behalf of us, (b) any action asserting a claim of breach of a fiduciary duty owed by any current or former director, officer, other employee or stockholder of ours to us or our stockholders, (c) any action asserting a claim against us or our officers or directors arising pursuant to any provision of the Delaware General Corporation Law (the “DGCL”) or the Certificate of Incorporation or By-Laws or as to which the DGCL confers jurisdiction on the Court of Chancery of the State of Delaware, (d) any action to interpret, apply, enforce or determine the validity of the Certificate of Incorporation or the By-Laws or any provision thereof, (e) any action asserting a claim against us or any current or former director, officer, employee, stockholder or agent of ours governed by the internal affairs doctrine of the law of the State of Delaware or (f) any action asserting an “internal corporate claim” as defined in Section 115 of the DGCL.

Section 22 of the Securities Act creates concurrent jurisdiction for federal and state courts over all suits brought to enforce any duty or liability created by the Securities Act or the rules and regulations thereunder. Accordingly, both state and federal courts have jurisdiction to entertain such Securities Act claims. To prevent having to litigate claims in multiple jurisdictions and the threat of inconsistent or contrary rulings by different courts, among other considerations, the Certificate of Incorporation provides that, unless we consent in writing to the selection of an alternative forum, to the fullest extent permitted by law, the federal district courts of the United States of America shall be the exclusive forum for the resolution of any complaint asserting a cause of action arising under the Securities Act; however, there is uncertainty as to whether a court would enforce such provision, and investors cannot waive compliance with federal securities laws and the rules and regulations thereunder. Notwithstanding the foregoing, the Certificate of Incorporation provides that the exclusive forum provision will not apply to suits brought to enforce any cause of action arising under the Securities Act, any duty or liability created by the Exchange Act or any other claim for which the federal courts have exclusive jurisdiction. Section 27 of the Exchange Act creates exclusive federal jurisdiction over all suits brought to enforce any duty or liability created by the Exchange Act or the rules and regulations thereunder.

Any person or entity purchasing or otherwise acquiring any interest in any of our securities will be deemed to have notice of and consented to this provision. These exclusive-forum provisions may limit a stockholder’s ability to bring a claim in a judicial forum of its choosing for disputes with us or our directors, officers, or other employees, which may discourage lawsuits against us and our directors, officers and other employees. If a court were to find these exclusive-forum provisions to be inapplicable or unenforceable in an action, we may incur additional costs associated with resolving the dispute in other jurisdictions, which could harm our results of operations.

Our Certificate of Incorporation does not limit the ability of ICE to compete with us.

ICE and its affiliates engage in a broad spectrum of activities, including investments in the financial services and technology industries. In the ordinary course of its business activities, ICE and its respective affiliates may engage in activities where their interests conflict with our interests, or those of our other stockholders. Our

-73-

Certificate of Incorporation provides that ICE and its affiliates (including any non-employee directors of ours appointed by ICE) have no duty to refrain from (1) engaging in and possessing interests in other business ventures of every type and description, including those engaged in the same or similar business activities or lines of business in which we now engage or propose to engage or (2) otherwise competing with us, on their own account, in partnership with, or as an employee, officer, director or shareholder of any other individual, corporation, general or limited partnership, limited liability company, joint venture, trust, association or any other entity. ICE also may pursue, in its capacity other than as directors of the Board, acquisition opportunities that may be complementary to our business and, as a result, those acquisition opportunities may not be available to us. In addition, ICE may have an interest in pursuing acquisitions, divestitures and other transactions that, in its judgment, could enhance its investment, even though such transactions might involve risks to our other stockholders. ICE will not be liable to us, our stockholders any of our affiliates for breach of any fiduciary duty solely by reason of the fact that they engage or have engaged in any such activities.

ICE may exert significant influence over us and its interests may conflict with yours or those of other stockholders in the future.

This concentration of ownership may delay or deter possible changes in control, which may reduce the value of an investment in our securities. So long as ICE continues to own a significant amount of the combined voting power, even if such amount is less than 50%, ICE will continue to be able to strongly influence our decisions.

The price of our securities may be volatile.

The trading market for our securities has in the past been and could in the future be impacted by market volatility. The price of our securities may fluctuate due to a variety of factors, including:

• changes in the digital asset industry;

• changes in laws and regulations affecting our business;

• developments involving our competitors or other companies in our industries;

• variations in our operating performance and the performance of our competitors in general;

• actual or anticipated fluctuations in our quarterly or annual operating results;

• publication of research reports by securities analysts about us or our competitors or our industry;

• the public’s reaction to our press releases, our other public announcements and our filings with the SEC;

•rumors and market speculation involving digital assets and the regulation thereof, or us or other companies in our industry;

• actions by stockholders;

• the exercise of warrants to purchase our securities;

• additions and departures of key personnel or members of the Board;

• changes in our capital structure, such as future issuances of securities or the incurrence of debt;

-74-

• the volume of our common stock available for public sale; and

• general economic and political conditions, such as recessions, inflation, volatility in the markets, increases in interest rates, local and national elections, fuel prices, international currency fluctuations, corruption, political instability, pandemics or other public health emergencies and the wars in Ukraine and the Middle East, resulting sanctions imposed by the U.S. and other countries, and retaliatory actions taken by Russia in response to such sanctions.

These market and industry factors may materially reduce the market price of our securities regardless of our operating performance.

A sustained decline in the market price of our common stock, or other adverse developments affecting our trading market, could cause us to fall out of compliance with applicable exchange listing standards, which could result in a delisting of our securities. Any such delisting could reduce the liquidity of our securities, increase volatility, limit our ability to access the capital markets and increase the costs and burdens associated with being a public company.

We intend to retain future earnings, if any, for future operations, expansion and debt repayment and there are no current plans to pay any cash dividends for the foreseeable future. The Board may take into account general and economic conditions, our financial condition and results of operations, our available cash and current and anticipated cash needs, capital requirements, contractual, legal, tax and regulatory restrictions, implications of the payment of dividends by us to our stockholders or by our subsidiaries to us and such other factors as the Board may deem relevant.

-75-

Item 1B. Unresolved Staff Comments

None.

Item 1C. Cybersecurity

Cybersecurity Risk Management and Strategy

We regularly face cybersecurity threats from malicious third parties that could obtain unauthorized access to our internal systems, networks, and data. It is virtually impossible for us to entirely mitigate the risk of these and other security threats we face, and the security, performance, and reliability of our products may be disrupted by third parties, including nation-states, fraudsters, criminal syndicates, competitors, hackers, disgruntled employees, former employees, or contractors. While we have implemented security measures internally and have integrated security measures into our systems, network, and products, these measures may not always function as expected and may not always detect or prevent all unauthorized activity, prevent all security breaches or incidents, mitigate all security breaches or incidents, or protect against all attacks or incidents.

Particularly in light of the extensive cybersecurity risks facing our company and the fact that we provide digital asset products to our clients, we recognize the critical importance of developing, implementing, and maintaining robust cybersecurity measures to protect our internal systems and our clients’ data. We have established a multi-layered approach to manage our cybersecurity risks with preventative and detective capabilities enabled in our network and internal systems that are designed to protect against identified cyber threats. This approach to cybersecurity includes, among other things, annual and periodic risk assessments; ongoing collaboration with our product and engineering teams for the purpose of securing our products, systems, and data; a vulnerability management program focused on proactively identifying, triaging and mitigating security vulnerabilities within our systems, penetration tests and other simulations; regularly required security training for all employees; and a comprehensive incident response process to identify, contain, and remediate cybersecurity incidents. We also engage with external cybersecurity assessors and consultants in evaluating and testing the design and operating effectiveness of controls.

To identify and assess material risks from cybersecurity threats, our Enterprise Risk Management program considers cybersecurity risks alongside other company risks as part of our overall risk assessment process. We perform specific cybersecurity risk assessments at least annually to identify and assess material cybersecurity threat risks, their severity, and potential mitigations. We employ a range of tools and services, including regular network and endpoint monitoring, vulnerability assessments, penetration testing, and tabletop exercises to further identify risks.

We are aware of risks associated with our use of third-party service providers, including those who have access to our systems, data, or facilities. We have implemented processes to help manage these risks. We conduct security assessments of third-party providers who may have access to sensitive information as part of our selection and onboarding process. We also conduct ongoing monitoring in the form of periodic reviews conducted by our security team based on the business criticality of the third-party service.

As of the date of this Form 10-K we do not believe that these risks or any previous cybersecurity events or incidents have materially affected or are reasonably likely to materially affect us. We face risks from cybersecurity threats, including those associated with cyberattacks and security breaches and incidents, in the future. For additional information regarding whether and how risks from identified cybersecurity threats are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition refer to “Item 1A. Risk Factors” and “Item 7. Management’s Discussion and Analysis of Financial Condition and Results of Operations” of this Form 10-K, which disclosures are incorporated by reference herein.

Cybersecurity Governance

Cybersecurity is an important part of our risk management processes and an area of focus for the Board and management. The Board is responsible for monitoring and assessing strategic risk exposure, and our cybersecurity program and strategy are overseen by our Chief Information Security Officer (CISO). Our CISO, who joined us in 2022, has over 25 years of prior work experience in various roles managing enterprise risk and information security, developing cybersecurity strategy, and implementing effective information and cybersecurity programs, as well as several relevant degrees and certifications, including Certified Information Security Manager, Certified Information Systems Auditor, and Certified

-76-

Information Systems Security Professional. The CISO provides regular updates to the executive management team and provides the quarterly Board updates, as discussed below. The executive management team allocates resources to support the cybersecurity program through allocation of budget.

The Board administers its cybersecurity risk oversight function directly as a whole, as well as through its Audit and Risk Committee, which is responsible for oversight of risks from cybersecurity threats. At least quarterly, the entire Board receives an update from the CISO of our cybersecurity program covering topics such as results from third-party assessments, progress toward strategic goals, compliance with regulatory requirements, and certain cybersecurity threat risks or developments, as well as the steps management has taken to respond to such risks. Members of the Board are also encouraged to regularly engage in ad hoc conversations with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management and strategy programs.

Recently Filed

Click on a ticker to see risk factors

Ticker *	File Date
SFDL	35 minutes ago
OVTZ	an hour ago
UNB	an hour ago
LFAC	an hour ago
SWDR	2 hours ago
SLBK	2 hours ago
FSEA	5 hours ago
VSCO	6 hours ago
MIST	6 hours ago
DG	7 hours ago
AEVA	16 hours ago
OZ	17 hours ago
PELI	19 hours ago
YSS	19 hours ago
FLY	20 hours ago
ODYS	20 hours ago
SBXD	20 hours ago
STRW	20 hours ago
ASST	20 hours ago
SPIR	20 hours ago
ELDN	20 hours ago
COLA	20 hours ago
BKKT	20 hours ago
AWX	21 hours ago
NBY	21 hours ago
NLST	21 hours ago
COEP	21 hours ago
MSAI	21 hours ago
LUNR	21 hours ago
RCAT	21 hours ago
BFRG	21 hours ago
HRGN	21 hours ago
ECOR	21 hours ago
ZNOG	21 hours ago
WWR	21 hours ago
FIVE	21 hours ago
SAIL	21 hours ago
RLMD	21 hours ago
ALMS	21 hours ago
TPTA	21 hours ago
KOYN	21 hours ago
MOV	1 day, 3 hours ago
EQPT	1 day, 4 hours ago
PLBC	1 day, 5 hours ago
MREO	1 day, 5 hours ago
TSHA	1 day, 5 hours ago
SIG	1 day, 5 hours ago
MLCI	1 day, 6 hours ago
GRTX	1 day, 6 hours ago
ACRV	1 day, 6 hours ago

OTHER DATASETS

House Trading

Dashboard

Corporate Flights

Dashboard

App Ratings

Dashboard

Strategies

Alerts

Browse Data

Risk Factors Dashboard

View risk factors by ticker

Search filings by term

Risk Factors - BKKT

-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing

Recently Filed

OTHER DATASETS

House Trading

Corporate Flights

App Ratings

TRADE SMARTER

TRADE SMARTER

Strategies

Alerts

Browse Data

Risk Factors Dashboard

View risk factors by ticker

Search filings by term

Risk Factors - BKKT

-New additions in green-Changes in blue-Hover to see similar sentence in last filing

Recently Filed

OTHER DATASETS

House Trading

Corporate Flights

App Ratings

TRADE SMARTER

TRADE SMARTER

-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing