Unchained - How the $1.5 Billion Bybit Hack Could Have Been Prevented - Ep. 791

Episode Date: February 28, 2025

Crypto derivatives exchange Bybit just became the latest victim of North Korea's elite hacking unit, the Lazarus Group. They didn't brute-force their way in. They didn't exploit some obscure vulnerability. Instead, they tricked a trusted developer, slipped in malicious code, and took off with a fortune. How did this happen? Why was $1.5 billion sitting in a single wallet? What mistakes did Bybit and Safe make? And, more importantly, what needs to change to stop this from happening again? This week, Mudit Gupta, chief information security officer at Polygon, joins Unchained to expose the security failures, the sophisticated tactics Lazarus used, and why crypto still hasn't learned its lesson.

Show highlights:
2:11 Mudit's experience with North Korea's Lazarus
3:24 How Lazarus perpetrated the $1.5 billion hack
5:55 Why Lazarus relies on social engineering over technical exploits
7:34 Why Bybit was so specifically targeted by the hackers
10:02 What Bybit should have done to prevent the exploit
13:12 Why Mudit believes there was "no reason" to hold so much ETH in one single wallet
15:57 Who should be a signer in multisigs
17:46 How to prevent using a malicious website
19:13 Why Safe should have done things differently, according to Mudit
19:55 How Bybit and Safe handled crisis communication
24:20 Mudit's must-know security tips for protecting your crypto

Visit our website for breaking news, analysis, op-eds, articles to learn about crypto, and much more: unchainedcrypto.com

Thank you to our sponsors! Mantle

Guest: Mudit Gupta, Chief Information Security Officer at Polygon

Links
Recent coverage of Unchained on the Bybit hack:
North Korean Hackers Are Winning. Is the Crypto Industry Ready to Stop Them?
The Chopping Block: Crypto's Worst Week? Bybit Hack, Libra Scandal, & The Memecoin Reckoning
Bits + Bips: Markets Are Down Bad. When Will Crypto Recover?
Unchained: Bybit Flows Return to 'Normal' After Biggest-Ever Crypto Hack
Bybit Hack Forensics Report
"Safe{Wallet} Statement on Targeted Attack on Bybit"

Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 Imagine like if one developer had access to the bank's website and allowed people to transfer anything. That would be very stupid. And it's not, it doesn't happen anymore. You will never hear of anything like that. So why are we still having those scenarios in our industry is like, is very crazy. Hi, everyone. Welcome to Unchained, your no-hype resource for all things crypto. I'm your host, Laura Shin.
Starting point is 00:00:28 We are now featuring quotes from listeners on the show. Today we have one from Crypto Culligan on X, responding to the recent episode on the Bybit hack with Taylor Monahan and Jonti about how the Lazarus Group is targeting people, not products. Crypto Culkin wrote, humans are still the weakest link in cybersecurity. Sometimes you just need a single human error and the hackers are in. Having good processes, for example, maker-checker / dual control, mitigates the risk, but it can never be zero. To have your comment featured, write a review of the podcast overall or leave a comment on our video on YouTube or X. This is the February 28th, 2025 episode of Unchained.
Starting point is 00:01:09 Mantle is building the future of on-chain finance. Experience its Enhanced Index Fund, Mantle Banking, and Mantle X. Visit group.mantle.xyz to learn more. Today's guest is Mudit Gupta, Chief Information Security Officer at Polygon. Welcome, Mudit. Hey, Laura. How's it going? You know, crazy news week is a good way to put it. This week on Wednesday, Bybit published two forensic investigation reports into how it had gotten hacked for $1.5 billion worth of ether and ether-pegged tokens.
Starting point is 00:01:43 This does appear to be the largest hack in history. And the fact that whatever money gets laundered is going to fund North Korea's nuclear weapons program is bad for the world and also bad for the crypto industry. Mudit, before we dive into the details of this hack and what the reports found, I know you have extensive experience with North Korean crypto hackers and in particular the Lazarus Group. Briefly, tell us about that experience and how you became familiar with the Lazarus Group. Yeah, for sure. So Lazarus Group is notorious for the biggest crypto heists, especially like in the recent times. There have been a couple of big crypto hacks like the Poly Network which were not Lazarus, but all of that money was returned. So like by far Lazarus is the biggest entity which has
Starting point is 00:02:36 hacked crypto entities and not returned the money. Like nobody even comes close to like 10% of their hacked amount or anything. So they are the biggest threat actor in this space. I've been doing security in the space for almost 10 years. So obviously, like, it's my job to be familiar with the biggest threat actor, my biggest adversary. So I've been researching on them and, like, tracing them for a while now. Yeah. Honestly, when you said that, it's so funny because, of course, if you are not in North Korea, then your fear is that after you do a crime, you will be thrown into prison by a government. But when the government is the criminal, then it all gets reversed, which is, yeah, how North Korea ends up being this biggest hacker in crypto.
Starting point is 00:03:23 So let's now talk about this Bybit hack and about these two forensics reports that were published this week. How does it seem North Korea's Lazarus Group perpetrated this hack? Yeah. So this was a well thought out execution and specifically targeted towards Bybit. The way they did it was they compromised one of the developers working on Safe, the multisig wallet used by Bybit and a bunch of other crypto companies. So once they compromised this person, the details for how they did it have not been made public yet, but they compromised this person's laptop through which they got
Starting point is 00:04:01 access to Safe's AWS account. And in the AWS account, they pushed a malicious version of the Safe Wallet website. And this malicious version was specifically coded to only be malicious when Bybit is interacting with it. So if you or me used the Safe website, we would have not noticed anything. It would have worked perfectly. And this is also why it went unnoticed for a couple of days. They actually uploaded this malicious version on 19th of February.
Starting point is 00:04:33 The hack only took place two days later on 21st. As soon as the hack took place, they had the money. Within two minutes, they replaced this malicious version with an honest version to try and remove all of their traces. Unfortunately for them, we have Wayback Machine and luckily this version got cached on the Wayback Machine. So we can see, okay, on 19 February, this was a malicious version. We can see the history on Wayback Machine, on Google cache.
Starting point is 00:05:02 And that's how we figured out, okay, Safe was malicious around this time. Then people started working backwards from it, like how it became malicious. When they looked at the logs, they figured out, okay, a malicious version was pushed through this user. They did forensic analysis on that user's device. They figured out, okay, it was compromised. So we ended up with this whole summary, okay, yes, Safe developer was compromised, posted a malicious version to their website, which was used to target Bybit. So I know you said there that we don't really know how they got access to the Safe developer's,
Starting point is 00:05:39 well, actually it's, yeah, how they got access to the Safe developer's systems, which is what allowed them to access Safe's AWS account. But from what you know of Lazarus Group, what are kind of typical strategies they would use to have done that? Yeah, it's always social engineering with them. So almost always. Things like they might come to that person and say, hey, I'm Laura Shin. Would you want to jump on my podcast?
Starting point is 00:06:06 They will send them a link, which would be a malicious website, it would ask them to install something. If they do install it, it's game over. Similarly, they can present themselves as like a hiring company, offer a super high pay package. Say, like, we are working for this big crypto company. We're offering you a job, a million dollars or whatnot. Here's your task for interview, solve this coding puzzle. And developers usually, okay, we'll start coding. When they code, they will also test it that it works. As soon as you try to test it, it's game over. They have your system. They can, for non-technical folks, they can be like news reporters.
Starting point is 00:06:44 They can be VC funds trying to invest. Similar pitch, they will try to get you on a call, have you install a video conference software or things like that. I've seen scenarios where they have gotten even as advanced as sending paperwork for signing the investment for investment documents. And it's a fake version of do something. Like, it's ask you to install something. You do it and then you're compromised. So it's always social engineering. They somehow trick you into installing or running something that you should not.
Starting point is 00:07:14 Wow, yeah. I did another episode where we were talking about how a lot of these exploits just prey on the fact that in our culture, we tend to trust people, even strangers. So, you know, that's definitely the quote-unquote vulnerability that we have, which seems strange. But I did want to also ask you about this fact that the code had been updated or not updated, but had been, you know, the malicious code had been set to only execute if Bybit was a signer. And then there was another address, but I think that investigators thought it was like a test address or something. So do you feel like, so clearly
Starting point is 00:07:55 they were, you know, targeting Bybit. Do you think that they knew something about Bybit's operations to know that it would be successful? I mean, they do their research. So it is very similar to the WazirX hack that happened a few months ago. And very similar strategy they employed there, that they looked at the operation, they knew which multisig WazirX uses. And they, so in WazirX case, the interesting thing is we still don't have the root cause of the hack because there, the wallet they were using, Liminal, didn't cooperate with the investigator.
Starting point is 00:08:32 So they didn't give forensic analysis. So we have no way to tell for sure if they got hacked or if there was something else. In this case, Safe agreed to work with us, which is great. They gave us all the access that people needed for investigation and we figured out the actual root cause, which is better for the whole industry. In WazirX case, we still don't know the root cause, but similar attack. In fact, they went as deep as, like, to trigger a rebalance in WazirX
Starting point is 00:08:58 because they wanted to hack the cold wallet. They don't care about the hot wallet. Hot wallet only has like $100 million. They want the whole money. They want a billion dollars, $500 million. So what they did was they repeatedly deposited and withdrew a bunch of tokens from Bybit, from WazirX in case of WazirX, that depleted their hot wallets of those tokens. When the hot wallet ran out of that Gala token, they, WazirX had to do a transfer of Gala
Starting point is 00:09:27 tokens from their cold wallet to their hot wallet. And that's when they got them. So they made WazirX do this transaction. So they obviously did their homework. They learned how WazirX acts, when they will do it. In Bybit's case, we don't, since it's a much bigger operation, it's hard to figure out if something like this happened or if it was just natural operations. The details about this haven't really been made public, but I'm sure they are thorough.
Starting point is 00:09:54 They would have done the research. They would have known how Bybit works, when they will do the rebalancing and when they can get them. Okay, yeah, the reason I was curious about that is because there have been numerous people who mentioned the fact that Bybit did not verify the transaction. So, you know, a part of me wondered if North Korea knew that they wouldn't. But I guess we can't really know that. But talk about what it means to verify a transaction and why it really matters that Bybit did not do that step.
Starting point is 00:10:27 Yeah, for sure. So obviously, as we discussed, Safe was at fault for this, but it was equally the fault of Bybit as well for trusting Safe. Like you don't trust one single person or one single entity with like billions of dollars. That's just not something you do. So Bybit should have been verifying what they are signing. The ideal way to do this would have been clear signing on our hardware devices like Ledger or GridPlus and so on. Unfortunately, most of the hardware wallets, including Ledger, do not support clear signing right now. So you cannot tell exactly what you are signing by just looking at the device.
Starting point is 00:11:03 But what you can do is you see a hash of what you're signing, and that hash you can verify using a different device. So instead of just using Safe's website, what you can do is there are a bunch of CLI tools. There's one good one from Pascal. There are a few websites you can use, and you basically, in parallel, generate that hash. You can even use a different laptop to generate that hash, which basically says if you are doing this action, you should see this hash on your Ledger device. And then you can verify on your Ledger, does this hash match?
Starting point is 00:11:37 Similar to how you verify if two addresses match. You're sending funds to these addresses, do these addresses match? If they would have verified this, obviously they would have known something is wrong and they would have stopped. But it's a common practice in our industry. It's not just Bybit who is doing this, but I would say probably 99.9% of the folks do not verify what they're signing on their device. So Lazarus probably just assumed Bybit is the same way. And they were right. Bybit didn't verify what they're signing.
Starting point is 00:12:08 And they got hacked. Oh, okay. All right. Well, in a moment, we're going to talk about other things that Bybit could have done to prevent this hack. But first, a quick word from the sponsors who make the show possible. Mantle is revolutionizing its on-chain financial hub. Powered by a $4 billion treasury and proven products like Mantle Network and mETH Protocol, Mantle is launching three innovation pillars.
Starting point is 00:12:32 Enhanced Index Fund for optimized crypto exposure, Mantle Banking for blockchain-powered banking, and Mantle X for AI-driven innovation. Experience the future of finance with Mantle and follow Mantle on X to stay tuned. We have another listener comment responding to the recent interview with Taylor Monahan and Jonti on the Bybit hack. On X, Art Wojack writes,
Starting point is 00:12:55 quote, People are the weakest link in any secure system. Again, if you want to hear your comment featured on the show, please write a review or leave a comment on an episode on YouTube or X. Back to my conversation with Mudit. Another issue that came up was I heard Ben Zhou, the CEO of Bybit, say on a Twitter space that that particular wallet had 70% of the exchange's ETH in it. And that to me was alarming. I honestly, if you had asked me to guess what standard policies were, I would have guessed maximum 10% in any particular cold wallet. And I mean like literally maximum, more like 5%, or, you know, so I was super shocked by
Starting point is 00:13:40 that. Is that something that you would consider not to be a best practice? Yeah, for sure. There is no reason to hold this large amount of asset in a single wallet. Even in cold wallets, it should be split into multiple cold wallets. Now, it depends on the company, like what their risk appetite is to decide this size. Obviously, Bybit has a very high risk appetite, so they put everything together. For a small company, it might be $1 million in one particular wallet.
Starting point is 00:14:07 For a larger exchange, like Binance or Bybit, they might be putting $100 million in one wallet to make their operations easier. But beyond that, it's still crazy. Like, there's no reason to be that aggressive. And when you give kind of the different amounts for the different size exchanges, is that based on any percent that you feel is kind of best practice? Yeah, it's basically all of it depends on your risk appetite and how many withdrawals you
Starting point is 00:14:36 are like you want to support at any given moment. So like ideally the maximum amount a cold wallet holds should be equal to, maximum equal to, the top-up amount or target amount they want to support in their hot wallets. So like if Bybit wants to support, let's say, $50 million worth of withdrawals within five minutes, then they need to keep this $50 million in their, at least $50 million in each of their cold wallets to make their operation seamless where, okay, a big chunk of withdrawals come in, they only do one transfer from their cold wallet. All of that can be answered.
Starting point is 00:15:14 So it really depends on their policies and what levels of withdrawals and deposits they can support. They can obviously make it lower, but then users will start complaining, hey, my withdrawal is waiting for 30 minutes, where are you guys, and so on. So they have to balance user experience with security in this case. Okay, yeah, because I also saw CZ made a joke that if they were only looking for the biggest wallet, then they would have gone after Binance's wallets. And then I thought, oh, my gosh, Binance has more, you know, in a single wallet.
Starting point is 00:15:44 So that also kind of blew my mind. I mean, they probably don't. CZ was just joking, or at least I hope they don't. But it's a good joke to make anyway. So one other thing that I wanted to ask about was I heard the talk that you gave at DevCon last year about how Lazarus Group works. And you talked about who should be signing these multisig transactions and who shouldn't, frankly. So interestingly, Ben Zhou, the CEO of Bybit, was one of the signers. What did you think of that?
Starting point is 00:16:18 Yeah, there is no reason for a public figure like the CEO to be a signer on their cold wallets. So I have no idea why that was the case. Usually, in fact, a lot of companies, not in our space, but in the traditional world and especially when you get into the government, defense and so on, even if you're working on these security-related operations, you're strictly asked to not disclose your identity or your job description to anyone. And they do it for much smaller amounts of risk than like a billion dollars. Even at Polygon, like our founders have less access than a general employee.
Starting point is 00:17:01 Like there's no reason for any of our founders or the CEO or the C-level executives to have more access. Like their day-to-day operations just don't include things like changing website or admin things and so on. So there's no reason for them to have that access. We have a finance team who controls our treasuries and so on. We have security people in there. So those are the people, not even me. Like, I am a relatively public face. So I'm usually not in most of the critical actions or critical access.
Starting point is 00:17:33 It's just people who are not very public, who just keep under the radar, have their opsec figured out, who are there actually controlling everything behind the curtains. All right. So one other piece that I wanted to ask you about was the fact that they did access the code for the Safe multisig directly from the website or, you know, somehow from the internet. Is that a best practice or what would be a better way to do that? Yeah. Ideally, you will run it locally on your device.
Starting point is 00:18:06 So once you download the executable, you run it. But like talking from a practicality point of view and user experience, that's a very hard request to make for non-technical people to do. So what I instead suggest is it's okay, you are trusting the Safe official website. Make sure you're always there. But at the same time, have a second website or local script that you use to verify the hash. Now you can, I also recommend air-gapped devices for signing and a diversified set of signers. Don't use a personal laptop for all of these critical things.
Starting point is 00:18:43 So it's all about layers. One layer is the official website. The second layer is the other website you're using to cross-verify, and the third layer, finally, your hardware wallet, where you actually read and see, okay, this is what I'm signing. If all of them line up, then you're perfectly safe. It's like Lazarus at that point would go after the next target. There's no reason for them to badger you more
Starting point is 00:19:07 when they know, like there are easier targets out there. So yeah, just have layers of security in your system. And then, so I know, as we discussed, we don't really know what happened on the side of Safe, but even given the little bit that we do know, what do you think Safe could have done differently? Oh, yeah. Safe could have done a lot differently.
Starting point is 00:19:32 So I was honestly surprised the way it happened because it showed like the poor level of security architecture or afterthought they had for the product. First of all, no single developer should have had access to push to production. I can't blame the developer for being compromised. Like if Lazarus wants to compromise you or me, they will. They can spend years and years on this.
Starting point is 00:19:57 We don't know if they started doing this today and did it in one day, or they were working on trying to compromise this person for three years and finally managed it. They have lots of time. So if they want to get you, they will get you. If not virtually, they can come grab you from your home, put a gun on your head, then do it. So it's like a person will.
Starting point is 00:20:16 get compromised if Lazarus wants to get them compromised. From an architectural point of view, that person or any single person in the world should not have access to change anything on a production website, and Safe. That's the policy we follow at Polygon as well. Every change you push must be verified by at least two other people before it goes live. And we don't run anything as critical as Safe. So this was definitely one oversight Safe had, where one person had too much power. The second oversight, which was also alarming, is this change happened on 19th February,
Starting point is 00:20:49 but Safe had no monitoring or alerting around changes and it went unnoticed for two days. If they had monitoring around these changes, on 19th, when this happened, they would have picked it up, they would have reacted and Bybit would have been saved. But unfortunately, they just had no monitoring. It went unnoticed. And since it was only targeting Bybit, other people who used Safe were not affected, and they didn't realize that, okay, this is a compromised version. So it just lined up very badly for Bybit.
Starting point is 00:21:20 Okay. And then I also saw there were some criticisms around how Safe communicated, especially when the forensics reports came out. CZ of Binance tweeted, this update from Safe is not that great. It uses vague language to brush over the issues. I have more questions than answers after reading it. And he asked, you know, what does compromising a safe wallet developer machine mean?
Starting point is 00:21:46 How did they hack it? Was it a social engineering? You know, how did a developer machine have access to an account operated by Bybit? Anyway, in this type of situation, post-hack or like when the post-mortem is being done, do you also have tips on how companies should communicate about them? Yeah. Actually, Bybit's communication was on point. I loved the way they communicated.
Starting point is 00:22:10 The CEO coming on a live feed and just talking it out, and they had good talking points. That was a good example to learn from. In case of Safe, I think with the fairly small team they have, they did a fairly good job. The reality and matter of fact is like even they don't have the answers right now. The forensic analysis is still going on. It has been just six days since the analysis started. It usually takes like two to three weeks to get a report of the analysis. So they just don't have the answers.
Starting point is 00:22:40 They announced something because I guess Bybit pressured them and they wanted to resume Safe services. They wanted to bring back some trust and so on. But the reality is they just don't have all of the answers that they can provide to others. Okay. And so as we mentioned, Lazarus could have been working on this for a very long time. If you had to guess, how long do you think they were planning this attack, or how long do you think they were kind of like searching for the weak points? Because basically, here they had to put two different things together. It was like the target was Bybit and then the weakness was on Safe. So how long do you think it took them to
Starting point is 00:23:21 pull that together? And were they surveilling both of them? And if so, how long? Yeah. So that's a good question. Now, we are getting into like the Iron Hat category because we don't have any solid proof for this. But my guess is like they have been doing it for multiple, they have been keeping an eye on it and trying to get in for multiple months, if not multiple years. And my reasoning behind is that WazirX was hacked around 6 to 7 months ago. And WazirX is a smaller target than Bybit. So my guess is their first target would have been Bybit. They just didn't find a way to get in at that time. So they moved on to WazirX, found a way in. They came back to Bybit, or they were continuously trying to get in, finally found a way in. Usually
Starting point is 00:24:05 threat actors go from like the highest to the lowest in terms of impact or the money they can get. So my guess is they have been looking at Coinbase, Binance, Bybit, all of these larger exchanges for a couple of years probably now. Wow. Okay. So throughout this chat, you've given a bunch of tips like about verifying using the hardware wallets. Are there any that you didn't get to mention that you want to make sure other companies know about? Yeah, for sure. A couple more I'll mention. One of the biggest ones is, especially on Ethereum wallets, you can add a time lock. So when you are dealing with like hundreds of millions of assets, keep them in a time-locked contract and have like emergency
Starting point is 00:24:51 kill functions there. What I mean by that is like something which is on chain and will only be executed after a certain time. So even if you get compromised, you sign something malicious, it goes on chain. There is, let's say, a waiting period of eight hours or 24 hours before the change actually takes place. So you have constant monitoring. You look at on-chain. You see what has been proposed.
Starting point is 00:25:13 If it's malicious, you cancel it. And you figure out what happened and you try again later. Now the time-lock delay can be whatever you are comfortable with monitoring, can be as low as 10 minutes if you have a 24 by 7 on-chain team, which these exchanges have, or it can be 24 hours, 48 hours for a smaller company. You can, whatever field works for you, you can have. But the advantage of this is then you have guarantees from Ethereum that this is happening.
Starting point is 00:25:39 You don't have to trust safe. You don't have to trust your own laptop, whatever. It would be on Ethereum. It would be crystal clear. Multiple people can monitor it. That's definitely one big one. And then I would say just have diversity of signing devices. This was not the attack vector here.
Starting point is 00:25:58 but usually, like, if you can throw in mobile phones in the mix, using your Ledger Nano X, which can connect to mobile, if you're signing through mobile, the attack vector for Lazarus changes. The mobile app may not be compromised. Depends on how the mobile app is built. And to make changes to the mobile app, you usually have to go through Google security review and Apple's review.
Starting point is 00:26:20 So the chances of the mobile app being compromised are lower. So if you are some people using mobile, some people using the website, and so on, it becomes harder to get majority of people compromised. Okay. So one other thing is that in your DevCon talk last year, you said, quote, we haven't seen Lazarus do a big smart contract hack so far. And you were talking about how everything's been social engineering.
Starting point is 00:26:44 Am I right in thinking that this would be their first smart contract hack, since they had to write these two malicious contracts? Or maybe I'm wrong? They used smart contracts to facilitate this, which they have done in the past as well, but the actual vulnerability or the hack still happened with the traditional security parameters. It was this one developer who was compromised and this one developer had access to everything and Bybit folks were trusting this one developer and one website for everything. So all these three parameters are completely traditional security parameters.
Starting point is 00:27:18 Like secret management and production are nothing new. You maintain secrets in Web2 all the time. It's a solved problem. It's not a new problem. Imagine like if one developer had access to the bank's website and allowed people to transfer anything. That would be very stupid and it's not, it doesn't happen anymore. You will never hear of anything like that. So why are we still having those scenarios in our industry is like, is very crazy. All right. Well, I don't know if there's anything else you want to say about how you feel their strategies or capabilities are evolving.
Starting point is 00:27:59 Like if you feel like they're going in any different direction or if it just seems to be what has always been. I think they are slowly getting more and more advanced targets that we previously thought were impenetrable. They are getting through them. And one interesting thing they're doing now is that they're starting to clean up. In the earlier hacks we saw with Lazarus,
Starting point is 00:28:19 they didn't really care about cleaning up. They got in, they hacked the protocol, and they left. Everyone knew it's Lazarus. It was obvious. It was always how they did it. But with the WazirX case, with the Radiant case, and now with Bybit, they cleaned up. They tried to hide how they did it. They are trying to hide because now they've found a way to do it and they don't want us to know, so we fix it. Luckily, in this case, we figured it out. So we have lessons learned. If we would have figured it out in WazirX case, then this could have been avoided. They covered their traces well in that case. And the entities didn't cooperate, so we didn't learn our lesson. Now, finally, we have learned our lesson, so we will not fall victim, like touch wood, we will not fall victim to this attack vector again. Hopefully, this was the last time we fall victim to this. Okay, so this is just like a slightly different question from everything else, but here we have all these new chains launching, some of them using different languages, and I have had discussions with people about this being a little
Starting point is 00:29:22 bit more possible in Ethereum, I think, than in other languages. Some people have been saying maybe formal verification could solve it. I don't know about that. But, you know, there are other chains that use languages that use formal verification, which is, you could probably explain it better for the audience than me, but it basically, like, checks to make sure that your intention is carried out or something like that. Yeah, for sure. So, I mean, the thing is, like, this was not an EVM or Solidity hack. So it wouldn't have mattered which chain it happened on. It was just a UI compromise.
Starting point is 00:29:57 So Safe contracts, as far as I remember, are formally verified by Certora and they are fine. This was not a Safe contract hack. It was just their UI, which is, like, it's irrelevant which platform, which blockchain you're using, which language you're using.
Starting point is 00:30:12 If your UI is compromised and people are trusting your UI, they will get compromised. So for this case at least, formal verification wouldn't have helped. But yes, in general, formal verification is a great tool for smart contract security. All right, perfect. Well, Mudit, this has been so informative.
Starting point is 00:30:32 Thank you so much for coming on Unchained. No worries. Thank you. Don't forget. Next up is the weekly news recap. Today, presented by Wondercraft AI. Stick around for this week in crypto after this short break. Welcome to this week's Crypto Roundup. In today's recap, the SEC has dismissed multiple
Starting point is 00:30:52 crypto investigations, marking a significant regulatory shift while its crypto task force reviews the Howey test amid ongoing industry discussions. OKX settles DOJ charges, paying over $500 million in penalties, and the Ethereum Foundation sees a leadership shakeup as Aya Miyaguchi steps down as executive director. Meanwhile, Solana futures ETFs appear on the DTCC list, fueling speculation of a spot ETF approval, and FTX's token surges after Sam Bankman-Fried posts from prison as its bankruptcy costs approach $1 billion. OX.FUN faces insolvency concerns while Pump.fun reportedly tests its own AMM, threatening Raydium's market share. Lastly, Bank of America signals readiness
Starting point is 00:31:39 to launch its own stablecoin pending legislative approval. Thanks for tuning in to the weekly news recap, let's begin. SEC dismisses multiple crypto investigations. The US Securities and Exchange Commission, SEC, has dismissed multiple enforcement actions against major cryptocurrency firms, signaling a significant shift in its approach. Over the past week, the regulator has formally closed cases involving Coinbase, Uniswap, Robinhood Crypto, OpenSea, Gemini, and agreed to pause the investigation into Justin Sun's companies. The dismissals began with Coinbase, which announced that the SEC would drop its lawsuit against
Starting point is 00:32:19 the company. The lawsuit, originally filed in June 2023, accused Coinbase of operating as an unregistered securities exchange. Under the agreement, Coinbase will not pay any fines or modify its business practices. The case is set to be dismissed with prejudice, ensuring that it cannot be refiled. The final decision now rests with a vote by SEC commissioners Mark Uyeda, Hester Peirce, and Caroline Crenshaw. Coinbase Chief Legal Officer Paul Grewal described the decision as a necessary correction, stating, they sued us without any basis in law. They sued us without telling us what
Starting point is 00:32:55 the rules were. Grewal also noted that the SEC's approach had imposed significant legal and financial burdens on the industry, calling it a tax on American innovation. Following this decision, the SEC also ended its investigation into Uniswap. The decentralized exchange had been under scrutiny after receiving a Wells notice last year, indicating that enforcement action was being considered. Uniswap confirmed in a statement that the SEC had officially closed the case with no further action, allowing the platform to continue its operations without changes. The SEC also dropped its investigation into Robinhood Crypto, closing the case without pursuing any charges. The inquiry focused on whether Robinhood's crypto trading services constituted
Starting point is 00:33:39 unregistered securities offerings. Robinhood's chief legal officer, Dan Gallagher, strongly criticized the SEC's decision to investigate in the first place, stating, Let me be crystal clear, this investigation never should have been opened. Another major case dismissed by the SEC involved major NFT marketplace OpenSea. The platform had been under investigation over allegations that it was operating as an unregistered securities exchange. OpenSea CEO Devin Finzer welcomed the decision, emphasizing that classifying NFTs as securities would have created legal uncertainties and hindered innovation. On Wednesday, the SEC also closed its case against Gemini, the cryptocurrency exchange co-founded by Cameron and Tyler Winklevoss.
Starting point is 00:34:25 Cameron Winklevoss strongly criticized the agency's handling of the matter. He stated that the prolonged legal battle had cost the company tens of millions of dollars in legal fees and hundreds of millions in lost business opportunities. Winklevoss also argued that the SEC's actions had caused widespread financial damage to the broader industry. In addition to these dismissals, the SEC has requested a 60-day pause in its lawsuit against Justin Sun and his affiliated companies, which include the Tron Foundation and BitTorrent. The lawsuit, filed in March 2023, accused Sun of selling unregistered securities and engaging
Starting point is 00:35:02 in manipulative trading practices. The SEC and Sun jointly requested the pause to allow time for settlement discussions, but the outcome remains uncertain. SEC Task Force considers Howey Test revisions. Following the series of dismissed crypto cases, the SEC's Crypto Task Force is now reviewing whether securities laws have been misapplied to digital assets, Unchained reported. A group of lawyers argued before the task force that the SEC has wrongly expanded its jurisdiction
Starting point is 00:35:32 under former Chairman Gary Gensler, using the Howey Test to regulate staking, airdrops, and NFTs. The task force, launched last month by acting chair Mark Uyeda and led by Commissioner Hester Peirce, is also assessing whether the agency should narrow its definition of brokers and dealers. Lawyer J.W. Verret said the SEC's enforcement tactics had created regulatory confusion, stating, these reforms help the SEC undo the Gordian knot. OKX settles DOJ charges. Not all crypto companies got good news this week. Amid a broader shift in U.S. crypto enforcement,
Starting point is 00:36:08 crypto exchange OKX settled with the U.S. Department of Justice over allegations that it operated as an unlicensed money transmitter and facilitated illicit transactions. The settlement, announced Monday, requires Aux Cayes FinTech Co. Ltd., an OKX affiliate, to pay more than $500 million, including $84 million in penalties and $421 million in forfeited fees earned from U.S. customers. According to DOJ acting U.S. Attorney Matthew Podolsky, OKX enabled over $5 billion in suspicious transactions and criminal proceeds. The agency also alleged that an OKX employee instructed U.S. users to bypass restrictions by entering false information, stating, just put a random country and it should go through. Ethereum Foundation Director steps down.
Starting point is 00:36:57 The Ethereum Foundation is undergoing a major leadership shakeup as Aya Miyaguchi, its executive director since 2018, announced she is stepping down from the role. Miyaguchi will transition to a newly created position as Foundation President, where she will focus on institutional partnerships and Ethereum's cultural vision, she shared in a blog post on Tuesday. Her departure comes as Ethereum faces growing competition from rival blockchains like Solana and mounting criticism over its technical roadmap, marketing strategy, and lack of DeFi support.
Starting point is 00:37:30 Some community members had been calling for leadership changes, pointing to Ethereum's lagging token performance compared to Bitcoin and Solana. Ethereum co-founder Vitalik Buterin will personally select Miyaguchi's replacement, though no successor has been named yet. Some Ethereum supporters remain skeptical of the move, with former core developer Eric Conner posting, no one knows what president is. No one knows the new leadership structure. Solana futures ETFs appear on DTCC list, raising hopes for spot approval. The Depository Trust and Clearing Corporation has listed two Solana futures exchange-traded funds from Volatility Shares, marking the first Solana-based ETFs to appear on its fund list, The Block reported Wednesday.
Starting point is 00:38:15 The two funds, Volatility Shares Solana ETF and Volatility Shares 2X Solana ETF, aim to provide exposure to Solana futures contracts. While a third proposed -1X leveraged ETF was initially filed, it did not appear on DTCC's list. This development could improve the odds of a spot Solana ETF approval. Earlier this month, the SEC acknowledged spot Solana ETF filings from multiple issuers, including 21Shares, Bitwise, Canary, and VanEck. While a DTCC listing does not guarantee immediate trading, past cases, such as VanEck's spot Ethereum ETF, suggest that approval could follow within months.
Starting point is 00:38:55 FTX token surges after Sam Bankman-Fried posts from prison. FTX's native token FTT briefly spiked 40% on Monday after a series of tweets were posted from Sam Bankman-Fried's X account, his first online activity in two years. Bankman-Fried, the former CEO of FTX, is currently serving a 25-year sentence for fraud and conspiracy at the Metropolitan Detention Center in Brooklyn. The tweets, which referenced government layoffs and corporate firings, were posted as Elon Musk's federal workforce efficiency directive made headlines.
Starting point is 00:39:29 Bankman-Fried's account stated, I have a lot of sympathy for gov't employees. I, too, have not checked my email for the past few days. FTT quickly jumped to $2.12 before falling below $1.80 within 30 minutes. While Bankman-Fried does not have direct access to social media, he can communicate through CorrLinks, a prison messaging system. It remains unclear who posted the tweets, but they have reignited speculation around his influence on crypto markets.
Starting point is 00:39:54 In related news, the FTX bankruptcy is on track to become one of the most expensive in U.S. history, with legal and advisory fees reaching $948 million, according to court records reviewed by Bloomberg. Law firm Sullivan & Cromwell has received $248.6 million, while Alvarez & Marsal, a financial consulting firm, has collected $306 million. The total cost still pales in comparison to Lehman Brothers' 2008 bankruptcy, which exceeded $6 billion, but remains staggering for an exchange that held between $10 billion and $50 billion in assets at the time of its collapse. OX.FUN faces insolvency fears. OX.FUN, the crypto exchange launched by Three Arrows Capital founders Su Zhu and Kyle Davies, is nearing insolvency,
Starting point is 00:40:41 with liquid assets dwindling to just $1.7 million, according to on-chain data reviewed by Coinbase head of product Connor Grogan. If pending $1 million USDC withdrawal requests are processed, the exchange's stablecoin reserves could drop to roughly $1,000. The liquidity crisis follows accusations from JefeDAO, an artist collective, that OX.FUN attempted to extort $1 million from them by conditioning fund returns on positive social media promotion. OX.FUN denies the allegations, instead claiming that JefeDAO engaged in an oracle manipulation attack involving Jailstool,
Starting point is 00:41:18 a meme coin linked to Barstool Sports founder Dave Portnoy. Despite the concerns, OX.FUN's pseudonymous head of treasury insists the exchange is not insolvent, but has paused large withdrawals due to market volatility. Pump.fun reportedly testing AMM, threatening Raydium's market share. Pump.fun, the popular Solana-based meme coin launchpad, appears to be developing its own automated market maker, potentially disrupting Raydium, the largest AMM on the blockchain. The discovery was first reported by on-chain analyst Trenchdiver,
Starting point is 00:41:51 who shared a link to a Pump.fun-branded AMM interface currently in beta. If confirmed, this move would bypass Raydium's liquidity pools, where Pump.fun tokens currently migrate after reaching a certain trading threshold. By keeping trading within its own ecosystem, Pump.fun could capture more fees and expand its revenue model, which has already generated over $500 million in fees since early 2024. Speculation around the AMM launch sent Raydium's RAY token down 25 percent on Monday, as investors worried about the potential loss of trading volume. Pump.fun has not officially commented on the development, but blockchain data shows it has already
Starting point is 00:42:29 tested liquidity pools with a trial token called Snowfall. Bank of America signals readiness to launch stablecoin. Bank of America CEO Brian Moynihan said that the bank is prepared to launch its own US dollar-backed stablecoin if Congress legalizes it. Speaking at the Economic Club of Washington, DC on Tuesday, Moynihan stated, if they make that legal, we will go into that business. This comes as Congress pushes to pass stablecoin legislation within the first 100 days of the Trump administration.
Starting point is 00:42:59 Lawmakers, along with White House crypto and AI czar David Sacks, have indicated bipartisan support for regulatory clarity in the sector. Moynihan compared stablecoins to money market funds and bank accounts, emphasizing that legal approval would allow Bank of America to treat them similarly to foreign currencies. And that's all. Thanks so much for joining us today. If you enjoyed this recap, go to unchainedcrypto.com/newsletter, that is unchainedcrypto.com/newsletter, and sign up for our free newsletter so that you can stay up to date with the latest in crypto.
Starting point is 00:43:32 Unchained is produced by Laura Shin with help from Matt Pilhofer, Juan Aranovich, Megan Galloway, Pam Majumdar, and Margaret Curia. The weekly recap was written by Juan Aranovich and edited by Steven Ehrlich. Thanks for listening.