The front door and the vault
Ripple opened its internal DPRK threat intelligence to the industry through Crypto ISAC. The perimeter just got sharper. The action moment is still naked.
Post-mortems, threat-model breakdowns, and gate-by-gate honesty about what we do not detect.
Six months across the table. Twelve minutes to drain. The signatures were valid. The gap between when a human says yes and when the action executes.
iBeta Level 2 certification does not test digital injection. NIST said so in 2023. iProov measured 2,665 percent native-virtual-camera growth in 2024.
In nineteen days, three institutional voices independently named the action layer as mandatory. Treasury, Tether, and the SEC Chair all converged.
Aave is mid-raise on a $230M bad-debt cover. The architectural choice was a 1-of-1 DVN — a cross-chain bridge whose authority reduced to one off-chain signer.
Five DeFi protocols filed a coordinated proposal to recover funds an attacker took in 46 minutes. The proposal will take 49 days. That ratio is the design.
3.4M Citizens Bank records and 250K Frost Bank records walked out of a print vendor on April 20. Neither bank was breached. The next $300M loss is downstream.
Volo Protocol paid three auditors. Ran a bug bounty. Shipped reviewed production code. On April 21, none of that mattered. The attacker never touched the code.
CertiK disclosed Mach-O Man. A calendar invite, a pasted command, an erased malware kit, a keychain full of valid credentials now in Pyongyang.
Four former contractors walked out of Ice Open Network with every user email, phone, and public key on April 15. No funds stolen. Here is the phishing email.
Meta acquired Moltbook to bet on a registry where agents are tethered to human owners. Juniper projects $1.5T in agentic commerce by 2030.
Twelve protocols hit in twenty days. Six attack classes. One exit. Every April 2026 exploit converged on the same withdrawal layer that asked nothing.
Kraken disclosed an insider extortion attempt. 2,000 accounts exposed via support access. No systems breached, no funds moved. CSO calls insider recruitment priority one.
On April 16, the Grinex exchange disclosed approximately $13M in stolen user funds. The post-mortem reads identically to four other 2025 incidents. Authentication held at signup. Authorization held at withdrawal. The gap between them held nothing.
iProov 2025: virtual-camera injection attacks up 2,665% YoY. Four regulatory deadlines in 120 days. The gap between KYC and the withdrawal button.
Hyperbridge joked about being hacked on April 1. Twelve days later, an attacker minted $1B in fake tokens. The only thing that saved them was no buyers.
Kraken disclosed an insider extortion scheme. Coinbase had the same attack last year. The playbook: recruit, photograph, extort. No code exploited.
1B records exposed by a verification vendor. 46 deepfake bank accounts. 6.65M KYC violations. Q1 2026 proved the verification layer is the vulnerability.
Operation Atlantic found 20,000 approval phishing victims in 30 countries. A Kraken user lost $18.2M to social engineering. The same gap fed both attacks.
Three events in 48 hours: $1M/month North Korean IT workers, Bybit attackers returning, an Android wallet vulnerability. One architectural gap.
Treasury now treats crypto like banks. Bitcoin Depot lost $3.7M with no proof of who authorized the transfers. What a real audit trail looks like.
Anthropic Mythos autonomously finds and exploits zero-days in every major OS, browser, and crypto library. DeFi's $200B in contracts just became a target.
ABA, Better Identity Coalition, and FSSCC published 20 recommendations to fight AI identity attacks. Transaction-level biometric liveness is the centre.
The FBI 2025 IC3 report shows $11.4B in crypto fraud, all to users who passed KYC. The gap is not onboarding. It is everything after.
North Korean hackers spent 6 months inside Drift Protocol, then drained $285M in 12 minutes with pre-signed transactions. A Solana feature, not a bug.
Coinbase breach cost $180-400M. Stolen KYC enabled fraud because no one verified the human at withdrawal. Where step-up verification breaks the chain.
Install the SDK, enroll a user, verify a transaction. Full integration in 15 minutes with code examples in Python, Node, and cURL.
No photos stored. No PII. Only encrypted embeddings. Here's the full data architecture.
Passive, dual-frame, and motion liveness — three modes for three risk levels. Here's how to choose.
Deepfake injection attacks on financial platforms grew 311% in 2024. Here's exactly how they work — and the 7 layers that stop them.
Every financial platform builds security after the first incident. The ones that survive build it before. The architecture of trust infrastructure.
AI agents will execute financial transactions autonomously. The missing layer is not capability. It is the human authorization proof that travels with it.
Auditors do not want dashboards. They want a signed, timestamped, independently verifiable receipt that a specific human authorized a specific action.
Every financial platform verifies identity at signup and authenticates at login. Almost none verify the human at the moment money actually moves.
At NASA Goddard, every component has a chain of custody. Every test has a verification record. I brought that discipline to financial software.
Current fraud detection is reactive: analyze, flag, maybe reverse. The money is already gone. Recovery costs $50,000.
Authentication proves identity at login. Authorization at the moment proves a human approved THIS action RIGHT NOW. These are different problems.
A wallet signature proves a key was used. It doesn't prove a human was holding it. Here's why that distinction matters for institutional crypto.