
236,000 Crypto Scam Sites Trace Back to a Single Chinese App Builder...


A new investigation just put a number on something every crypto user should be worried about.

Threat intel firm Infoblox identified 236,493 distinct second-level domains that are all built on the same Chinese open-source app framework, DCloud Uni-App, and a huge portion of them exist for one purpose, which is to drain crypto wallets and run fake exchanges. The framework itself is perfectly legitimate, used by real developers around the world to ship apps to iOS, Android, and the web from a single codebase. That same convenience is what makes it so attractive to fraud crews. They get a polished, mobile-friendly fake exchange or fake investment dashboard in days instead of months, and the underlying code looks indistinguishable from a thousand actual startups.

Why This Is Worse Than the Usual Scam Site Sprawl

The numbers tell their own story about how quickly this got out of hand. Before October 2024, Infoblox was seeing a few thousand new DCloud-fingerprinted scam sites appear each month, which already would be a lot. After the RainbowEx scandal broke into international headlines that fall, the rate ballooned to roughly 15,000 newly observed sites per month at peak. Scammers apparently looked at the press coverage and decided the playbook was worth copying at scale, not abandoning. The sites target speakers of at least eight languages and span every continent, posing as everything from major stock exchanges to retail giants to messaging platforms. Most of them are hosted on Cloudflare, AWS, Alibaba Cloud, and Tencent Cloud, which lets them blend in with real businesses and makes simple IP blocklists basically useless.

RainbowEx and the Argentine Town That Got Wiped Out

If you want a sense of what victims actually experience, the RainbowEx case is the textbook example. In 2024, residents of San Pedro, Argentina poured money into what looked like a slick cryptocurrency exchange. The dashboard showed live trades, balances climbed steadily, and stablecoin deposits flowed in without issue. Then withdrawals stopped working. Thousands of people in a single small town discovered the trades had been fabricated, the balances were synthetic, and the operators were gone. Argentine authorities later arrested seven people allegedly tied to the operation, but most of the money is gone, and the exact same template, with cosmetic branding changes, is now running on a measurable percentage of those 236,000 domains.

What an Average Trader Should Actually Do About It

There is no clean solution here, because the underlying framework is legitimate software and the hosts are mainstream cloud providers who cannot deplatform their entire customer base. About 6% of confirmed scam domains were found running on bulletproof hosts like CTG Server Limited, which has been flagged for malicious activity before, so at least those have a clear villain. The rest hide in normal traffic. Anyone evaluating a new exchange, airdrop site, or investment opportunity found through a Telegram group, WhatsApp chat, or Twitter DM should treat the polish of the website as evidence of nothing at all. Check whether the company is registered anywhere real, whether withdrawals actually work for small amounts before sending large ones, and whether the domain was registered in the last few months. If the answer to any of those raises a flag, walk away. The Hacker News has additional technical detail for anyone who wants to dig deeper.

The takeaway from this count is uncomfortable but useful. The crypto scam economy is no longer a scattered collection of one-off sites built by individual scammers working in their basements. It is an industrial production line running on shared tooling, mainstream hosting, and proven playbooks, and 236,000 storefronts is just what was visible enough to count. Treat every unfamiliar exchange link the way you would treat an unsolicited email asking for your password, because at this scale, the odds are not in your favor.

---------------

Author: Ren Nakamura
Asia Newsroom
Breaking Crypto News

Ripple Beats Europe's Crypto Deadline by 8 Days - Most Competitors Won't Make It

Eight days. That is all that stood between Ripple and a regulatory wall most of its competitors are about to slam into.

The payments company announced Tuesday that Luxembourg's financial regulator, the Commission de Surveillance du Secteur Financier, has issued it a preliminary "Green Light Letter" for a Crypto Asset Service Provider license under the EU's Markets in Crypto Assets framework. The timing is no accident. On July 1, MiCA's hard deadline kicks in, and any crypto firm still operating in Europe without authorization is suddenly, technically, in breach of the law. Ripple cleared the bar with a week to spare. By the latest count from industry trackers, only around 210 firms can say the same.

That second number is the one worth sitting with for a moment. By mid-2026, roughly 83 percent of crypto firms doing business in the EU had not secured a MiCA license. Some are still in line at national regulators. Some never bothered to apply. Either way, after next Tuesday, they are either pulling out of the bloc, scrambling for a stopgap, or quietly hoping nobody notices. Luxembourg, meanwhile, has positioned itself as the go-to passporting hub for firms that want one approval to cover the entire region.

Why this license is worth more than it looks on paper

The Green Light Letter is, on its own, just a step. The CSSF still has to finalize conditions before the license becomes fully effective. But the way MiCA is structured, that single Luxembourg authorization will work as a passport across all 30 countries in the European Economic Area. No more country by country applications, no patchwork of approvals, no juggling 27 different sets of forms in 24 different languages. One license, thirty markets, and roughly 450 million potential customers, give or take.

For Ripple specifically, the CASP license slots on top of an EU Electronic Money Institution license the company already holds. That combination is the part the company is most eager to talk about. The EMI piece handles the fiat side, with euros in and euros out, regulated as proper electronic money. The CASP piece handles the crypto side, including custody, exchange, transfers, and RLUSD stablecoin operations. Stitch them together, and a European bank or fintech can move both traditional cash and digital assets through one Ripple integration. Until now, that kind of full stack setup almost always required juggling separate providers and separate compliance teams.

The MiCA bottleneck nobody planned for

When MiCA was drafted, the assumption was that crypto firms would queue up at the various national regulators across the EU and shuffle through the process in an orderly fashion. That is not what happened. Regulators in larger markets like Germany and France got buried under applications. Some firms decided the cost of compliance simply was not worth the European revenue. Others held out hoping the deadline might slip again. It will not. The European Securities and Markets Authority has been signaling for months that July 1 is firm, and member states have been quietly preparing enforcement plans.

The companies that did move early, like Coinbase, Kraken, OKX, and Bitstamp, picked their jurisdictions carefully. Some went to Ireland for the regulatory familiarity. Others picked the Netherlands or Malta. Luxembourg has emerged as a quiet favorite for institutional payments players because the CSSF is considered fast and technically literate, and used to dealing with cross-border financial firms. Ripple's choice fits that pattern. The company has been talking about Luxembourg as its European base for years, and its existing EMI license was also issued there.

What it changes for Ripple's European push

Ripple's executives have been telegraphing an aggressive European strategy for at least a year. The company sees Europe as the place where regulated stablecoins and institutional crypto payments could move from pilot projects to actual rails. RLUSD, the company's dollar-backed stablecoin, is part of that pitch. So is the cross-border payments business that has long been Ripple's bread and butter. The CASP authorization, once finalized, means Ripple can pitch banks and corporates a regulated stack that competitors without a license cannot legally match.

It also matters for XRP, even if Ripple is careful about the framing. Wider availability of regulated services tied to Ripple's infrastructure tends to translate into more institutional touchpoints for the token over time, even though the CASP license itself is about service provision rather than the asset. Traders noticed regardless, and the licensing news has been one of the bigger talking points in European crypto markets this week. Volume on regulated European venues ticked up after the announcement, which is the kind of reaction Ripple was probably hoping for.

The bigger picture for everyone else

The Ripple announcement is, in its own way, a status report on the entire European crypto industry. Less than two weeks from the deadline, the licensed group is small, the unlicensed group is large, and the gap is not going to close in time. Expect a wave of withdrawals, partnerships, and quiet pause announcements over the next month. Expect the licensed firms to use that period to grab market share. And expect regulators to get visibly active fairly quickly, if only to make the point that the deadline was real.

For traders and institutions in Europe, the practical message is to check whether the platforms they use are on the right side of the line. After July 1, the cost of being on the wrong side is no longer theoretical. Customer funds could end up frozen at a venue forced to wind down, payment flows could get interrupted, and any platform without a license will face escalating enforcement risk. That is not a comfortable position to be in, and it is one a lot of crypto companies are about to occupy.

---------------

Author: Sebastian Marrow
European Newsroom

Pump.fun's New 'Pay Anyone to Do Anything' Platform Is Already Drawing 'Black Mirror' Comparisons - and a NY Governor Wants It Banned

Pump.fun has been the engine room for Solana's memecoin chaos for two years, but its latest experiment is something different.

The platform rolled out a feature called "GO" earlier this month, and it operates on a slogan that sounds more like a dare than a product description: "Pay ANYONE to do ANYTHING." Anyone with a connected wallet and an X account can post a bounty, lock crypto in escrow, and let strangers race to claim it by performing whatever task the buyer dreamt up. Within hours of going live, the board filled with the kind of listings that make moderators reach for the off switch, and the platform has been doing damage control ever since. Now a sitting U.S. governor is publicly calling for legislation to shut it down.

The mechanics are straightforward in a way that is part of the problem. A creator writes a description, sets a deliverable, picks a timeframe, and funds the bounty starting at $5. The money cannot be pulled back once it is posted, so refunds only happen if the bounty expires unclaimed and a short dispute window passes. Pump.fun reserves "sole authority" to approve, reject, modify, or cancel any submission, which is the only thing standing between the marketplace and total free for all. In practice that gatekeeping function is being tested constantly, and the test cases are getting darker by the day.

The Bounties That Are Making People Uncomfortable

The headline numbers are catnip for clicks, and Pump.fun seems to know it. One advertised reward sits at roughly $50,000 for a volunteer willing to skydive into a World Cup match wearing a full body memecoin mascot costume, with live video as proof. A separate $23,525 listing asks for a two minute video interview with the family of a convicted murderer or the officer who put the murderer away. Smaller bounties offer cash for getting a token ticker tattooed on the forehead, streaking an NBA Finals game, or breaking a running world record on camera. The dashboard shows hundreds of active listings and almost $144,000 sitting in unclaimed rewards, which is a lot of dangling cash for whatever idea catches a poster's attention next.

Then there is the one nobody can ignore. A 10,000 SOL bounty, worth roughly $690,000 at current prices, surfaced tied to a self harm related act, and the screenshots spread faster than the platform could pull the listing. Critics argue that this is exactly the predictable outcome of an open bounty board with crypto payouts, because the people most likely to take a horrific dare are the ones who need the money the most. The marketplace amplifies that pressure rather than dampening it. Pump.fun has not issued a detailed moderation policy in response, which is doing nothing to quiet the criticism. A statement may eventually come, but for now the silence is the story.

A Governor, a Ban, and a Black Mirror Episode

New York Governor Kathy Hochul called the feature a "dystopian nightmare" and said she would back legislation to ban GO outright. The comparison everyone keeps reaching for is the Black Mirror episode "Common People," in which a desperate man performs increasingly degrading stunts on a livestream platform to fund his wife's medical care. The reference is so unavoidable that it is now baked into nearly every headline written about the launch. For a project that spent the past year trying to rehabilitate its image after a string of memecoin scandals, this is a notable own goal.

The economic story is almost as strange as the optics. While the dashboard advertises six figure pools, the largest single payout that has actually been recorded sits at $686.44, with the next two at $596.51 and $487.11. That gap between the eye popping listings and the modest real world payouts is a strong hint that most of these bounties are PR stunts, token pumping schemes, or jokes that will quietly expire. The token itself, $PUMP, briefly rallied roughly 3% on the launch news before settling back down. Whether the platform survives the regulatory attention is a separate question, and one that may get answered before the skydive ever happens.

Closing thoughts

The deeper issue is not that someone built a crypto bounty board, because that has existed in various forms for years. It is that Pump.fun built one with no real onboarding friction, an audience already conditioned to chase viral attention, and an escrow system that makes the money feel guaranteed even when most of it is sitting in publicity stunts that will never pay out. The mismatch between the marketing and the actual payouts is doing a lot of work to keep people posting, and that is exactly the dynamic regulators are now zeroing in on. If a state attorney general or the SEC decides this looks like a structured incentive to cause harm, the legal exposure goes from theoretical to immediate very quickly.

For traders watching from the sidelines, the takeaway is simpler. Pump.fun has built a real business on volatility and outrage, and GO is the logical extension of that strategy rather than a departure from it. The platform's track record suggests the team will iterate, throttle the worst listings, and keep the marketplace alive in some form. But the political temperature around crypto incentives just went up several degrees, and the next regulatory response is unlikely to be friendly. If anyone needed a reminder that the memecoin economy operates on different rules than the rest of crypto, this week delivered it.

---------------

Author: Cedric Holloway
New York Newsroom

Zuckerberg Takes on Polymarket and Kalshi... Or Are They? Meta IS Building a Prediction Market - but it "Won't Use Cash Or Crypto"...

Mark Zuckerberg has reportedly told a small group inside Meta to start building a prediction market app, and it sounds a lot like Polymarket with the engine swapped out.

The New York Times broke the story on Monday, reporting that Zuckerberg directed an internal team at Meta to develop a standalone smartphone app referred to internally as "Arena." It would let users weigh in on the outcome of sporting events, elections, market moves, pop culture moments, and anything else worth wagering an opinion on. For now, users would not be wagering money. Arena is being built around a points system the report compares to a video game, which is a meaningful departure from how Polymarket and Kalshi actually became billion-dollar businesses. Meta has not ruled out adding real-money trading later, which is the kind of phrasing that usually means it is going to add real-money trading later. The app would live outside of Facebook, Instagram, WhatsApp, and Messenger, in its own silo.

Why Now? Because the Sector Just Crossed $130 Billion

Prediction markets used to be a niche curiosity for the politics-and-poker crowd. That changed when Polymarket and Kalshi turned the 2024 US election into a referendum on whether on-chain odds were a better signal than traditional polling. Combined trading volume on the two platforms hit roughly $50 billion in 2025, and it has already cleared $130 billion so far in 2026. Bernstein analysts have floated an estimate that the category could push $1 trillion in annual volume by 2030, which is the kind of number that gets the CEO of a 3-billion-user social network to suddenly clear his afternoon. Zuckerberg's team has described the Arena push as "experimental" but also a "top priority," which in Silicon Valley translation usually means he has been pinging the project lead on weekends.

The BIG Difference - No Cash, No Crypto... For Now

This is where the story gets interesting for anyone who follows crypto. Polymarket runs on Polygon and settles markets in USDC. Kalshi is CFTC-regulated and uses cash. Both made it past the regulatory minefield in different ways, one by being a non-US protocol that lets users trade with stablecoins, the other by becoming a registered designated contract market. Meta's points approach skips both of those battles and lands the app in what is essentially a casual gaming bucket. That gets Arena to market faster, but it also means launch-day users will not be doing the thing that made Polymarket fascinating in the first place, which is putting real skin in the game on the question of who is going to win Iowa. The plan, according to the reporting, is to allow money trading eventually. Whether eventually means months or years is anyone's guess.

Meta's Crypto Track Record Is, How To Put This, Uneven

This is not Meta's first attempt to plant a flag in financial infrastructure. The Libra project, later rebranded Diem, was supposed to be a global stablecoin run by a Switzerland-based consortium. Regulators across half the world made it very clear they would rather chew glass than approve it, and the project was eventually sold off and quietly buried. The company is currently making another attempt at stablecoins, with a reported plan to enter the dollar-pegged token space later this year via a third-party integration, and a USDC creator-payout pilot already running in Colombia and the Philippines. Arena is launching alongside that effort, which means Meta will be juggling a points-based prediction market in one hand and a stablecoin payments rail in the other. If both ship, the integration question gets very interesting very quickly.

Polymarket and Kalshi Investors Did Not Take the News Well

The reaction to the NYT scoop was immediate. DraftKings ended the day off more than 2 percent, FanDuel parent Flutter Entertainment dipped nearly 2 percent before recovering slightly, and Robinhood (which offers prediction market contracts from Kalshi) fell on the same logic. The sell-off was driven by the very simple math that a Meta clone with 3 billion built-in users is the kind of competitor that turns a high-growth category into a brutal one. Polymarket itself remains private and just took a significant funding round at a multibillion-dollar valuation. Kalshi has been on a tear with sports event contracts and political markets. Neither of them needs an existential threat right now, and neither of them gets a vote.

How will this affect the broader market?

That depends on what Zuck's end game is. If Arena launches and becomes a platform using real money, then all the companies mentioned above will have to deal with the strange scenario where the 'new competition' is starting off with 3 billion users. But until then, existing markets won't be losing any users to a 'points-only' market - their users are there to play for cash.

For now, the only thing confirmed is that a small team inside Meta has been told to build it. The rest is going to play out one product leak at a time.

---------------

Author: Cedric Holloway
New York Newsroom

Ethereum's Most Notorious Front Running Bot's Own Greed Gets Used Against It - Tricked Into Giving Up MILLIONS worth of ETH...

The hunter became the hunted, and the hunter was holding a fortune in stolen ETH when it happened.

JaredFromSubway.eth is the most active and most hated MEV, or 'front running', bot on Ethereum. It works by spotting a pending trade it can insert itself ahead of, cutting in line by paying higher gas fees, and buying the tokens that otherwise should have gone to you, which forces your order to be filled with higher priced tokens. Then, once you've overpaid for your coins, it immediately sells the tokens it bought at the new higher price. While the amount earned each time is often small, multiply that by hundreds of transactions every hour and this practice adds millions in additional costs to traders every year.

But it was the front runners who took a hit over the weekend, when an attacker built an elaborate honeypot designed to look exactly like the kind of profit opportunity the bot is wired to chase. Security firm Blockaid disclosed the exploit on Saturday, and the on-chain trail tells a story that has the entire crypto community grinning ear to ear. The bot did what it was built to do. The attacker just made sure it did it on the wrong contracts. For anyone who has ever lost a few cents to a sandwich attack while trying to swap on Uniswap, this might be the most satisfying news of the year.

There is no comment from the operator beyond the bounty offer, and there is unlikely to be one any time soon.

How a Hunter Built a Better Trap

The attacker deployed 66 fake token contracts, each one mimicking the look and interface of real assets like WETH, USDC, and USDT, and paired each one with a sham liquidity pool. The routes were carefully designed so that the bot's automated decision logic would flag the contracts as a legitimate sandwich opportunity. The first few baits worked exactly the way a normal MEV trade would. Small approvals went in, the swap closed cleanly, and the approvals were consumed by the trade. The bot's risk model had no reason to flinch.

Then the trap snapped. On the larger bait transactions, the attacker had structured the swaps so that the approvals stayed open instead of being spent on a real trade. By the time anyone was watching, JaredFromSubway had quietly granted token-spending permissions on USDC, USDT, and WETH to a series of attacker-controlled helper contracts. The bot was not hacked in the traditional sense. There was no smart contract bug, no compromised private key, no leaked seed phrase. The exploit was a behavioral one, and the bot was tricked into giving permission the same way it gives permission every day, just to the wrong wallet.
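
One way an automated trader can enforce that approvals are consumed by the trade that needed them, as an added example (not the bot's code or Blockaid's analysis): a dry run over a toy allowance table that refuses any trade leaving a spender with more allowance than it had before. Token symbols follow the article; the spender labels, amounts and the `Step` model are assumptions made for illustration.

```rust
use std::collections::BTreeMap;

// All addresses below are constructed labels, not real contracts.
type Addr = &'static str;

/// Toy ERC-20 style allowance table for one owner (the trading account).
#[derive(Clone, Default)]
pub struct Allowances {
    open: BTreeMap<(Addr, Addr), u128>, // (token, spender) -> remaining allowance
}

/// The allowance-relevant effects of a simulated trade.
pub enum Step {
    /// Owner approves `spender` for `amount` of `token`.
    Approve { token: Addr, spender: Addr, amount: u128 },
    /// `spender` pulls `amount` of `token` from the owner (transferFrom).
    Pull { token: Addr, spender: Addr, amount: u128 },
}

#[derive(Debug, PartialEq)]
pub enum Verdict {
    Execute,
    /// Allowances that would be larger after the trade than before it.
    Reject(Vec<(Addr, Addr, u128)>),
    Reverts(String),
}

impl Allowances {
    pub fn get(&self, token: Addr, spender: Addr) -> u128 {
        self.open.get(&(token, spender)).copied().unwrap_or(0)
    }

    pub fn apply(&mut self, step: &Step) -> Result<(), String> {
        match step {
            Step::Approve { token, spender, amount } => {
                self.open.insert((*token, *spender), *amount);
                Ok(())
            }
            Step::Pull { token, spender, amount } => {
                let left = self.get(*token, *spender);
                if left < *amount {
                    return Err(format!(
                        "{} pulls {} {} but allowance is {}",
                        spender, amount, token, left
                    ));
                }
                self.open.insert((*token, *spender), left - *amount);
                Ok(())
            }
        }
    }
}

/// Dry-run the trade on a copy of the current table. Execute only if no
/// spender ends the trade holding more allowance than it started with.
pub fn pre_trade_check(current: &Allowances, trade: &[Step]) -> Verdict {
    let mut sim = current.clone();
    for step in trade {
        if let Err(why) = sim.apply(step) {
            return Verdict::Reverts(why);
        }
    }
    let leaked: Vec<(Addr, Addr, u128)> = sim
        .open
        .iter()
        .filter(|(key, left)| **left > current.get(key.0, key.1))
        .map(|(key, left)| (key.0, key.1, *left))
        .collect();
    if leaked.is_empty() {
        Verdict::Execute
    } else {
        Verdict::Reject(leaked)
    }
}

/// Constructed trade where the approval is fully spent by the swap.
pub fn clean_trade() -> Vec<Step> {
    vec![
        Step::Approve { token: "WETH", spender: "pool-A", amount: 10 },
        Step::Pull { token: "WETH", spender: "pool-A", amount: 10 },
    ]
}

/// Constructed trade where the approval is granted but never spent.
pub fn bait_trade() -> Vec<Step> {
    vec![Step::Approve { token: "USDC", spender: "helper-B", amount: 1_000_000 }]
}

fn main() {
    let state = Allowances::default();
    println!("clean: {:?}", pre_trade_check(&state, &clean_trade()));
    println!("bait:  {:?}", pre_trade_check(&state, &bait_trade()));
}
```

The same invariant can be checked after execution as well, by revoking any allowance the trade left open.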

Somewhere Between $7 and $15 Million in ETH, gone

Once the approvals were in place, the attacker drained the bot's working capital and swapped most of it into roughly 4,427 ETH, worth about $7.7 million at the time of the move. On-chain analysts at HTX and other tracking firms watched as 1,000 ETH of those funds were immediately routed into Tornado Cash, the mixer that was sanctioned by the US Treasury before being delisted from the sanctions list earlier this year. The rest of the funds are still being tracked across wallets, with several exchanges already flagging deposit addresses linked to the attacker. Some reports place the final loss higher, with BleepingComputer putting the figure closer to $15 million once every approval is added up.

JaredFromSubway's operator, who has never publicly identified themselves, did not stay quiet. Within hours of the drain, they used an on-chain input data message to offer the attacker a bounty of 2,150 ETH, close to half of the stolen funds, for the return of the rest within 48 hours. The operator said no further action would be taken if the funds came back. The clock started ticking and as of this writing nothing had been returned. Whatever the final number, this is the largest single loss for a private MEV operation in Ethereum's history, and the bounty offer is the first time the JaredFromSubway team has spoken publicly through anything other than block transactions.

The Cosmic Joke Nobody Misses

There is no easy way to feel sorry for the operator of a bot that has spent years skimming value out of every retail user dumb enough to swap with default slippage. The accused attacker has effectively run a counter-MEV operation, a tactic that has been theorized in academic papers for years but rarely executed at this scale. By engineering opportunities that looked profitable but were actually designed to bait approvals, the attacker turned the bot's strongest features, speed and aggression, into its biggest vulnerability. It is the closest thing crypto has had to poetic justice this year, and one of the cleanest examples of the predator becoming the prey since the genre was invented.

The bigger lesson, for any sandwich operator or other automated arbitrage system on Ethereum, is that the meta is shifting. Counter-MEV is no longer just research, and the approvals logic that every bot uses to interact with new contracts has become part of the attack surface. Operators who spent years optimizing for raw speed and gas now also have to optimize for trust. JaredFromSubway has been quiet on chain since the drain, the bounty clock is still running, and the community is still laughing. Somewhere out there a very patient honeypot designer is watching $7.7 million in fresh wallets settle in. Whether the bounty gets accepted or not, the message has already been delivered to every other MEV bot operator on the network. Greed has a price, and it is finally being paid in the same currency it was used to extract.

---------------

Author: Cedric Holloway
New York Newsroom

Bank of England Just Killed Its Own Stablecoin Restrictions, Admits They Were 'Excessively Conservative'...

A central bank does not usually publicly trash its own homework, but the Bank of England did exactly that on Monday.

The Bank spent the better part of a year telling everyone that if you wanted to hold a sterling stablecoin, you would be capped at 20,000 pounds per individual. Businesses got their own 10 million pound ceiling. The reasoning was that if too many deposits flowed out of high street banks and into digital tokens, the lending plumbing that keeps mortgages and overdrafts cheap could spring a leak. That was the official line in the November 2025 consultation, and the industry hated every word of it. Coinbase, Circle, and every UK-based fintech with a stablecoin ambition spent the last six months explaining, loudly, that those caps would push the entire business overseas before it even launched.

On Monday morning, the Bank scrapped the whole concept of personal holding caps. Everyday users and large businesses will no longer face restrictions on how much, how often, or what type of sterling stablecoin they can move. Deputy Governor Sarah Breeden, who has spent the last few months telegraphing this change in interviews and committee appearances, was unusually blunt about why: the original plan was "excessively conservative" and "cumbersome operationally for a temporary measure." When the regulator writing your rulebook publicly calls its own draft cumbersome, the rewrite is just a matter of time. The interesting question is what was supposed to replace the caps, and the answer is more clever than expected.

What replaces the 20,000 pound personal cap

Instead of policing how much retail wallets can hold, the Bank is putting a ceiling on the issuers themselves. Each systemic sterling stablecoin will be allowed up to 40 billion pounds in total circulation, a temporary guardrail the Bank says it will phase out as the market matures. That figure works out to roughly 50 billion dollars at current rates, and it applies per coin rather than across the whole market. So if three different issuers wanted to compete, each could grow to that ceiling without crowding the others out. The Bank also softened the reserve rules, letting issuers park up to 70 percent of backing assets in short-term UK government debt rather than the original 60 percent, with the rest sitting at the central bank. Interest payments to coin holders remain banned, which keeps these tokens from looking too much like savings accounts in disguise.

Why the Bank backed down

Six months of relentless industry pushback and a sharp House of Lords committee report did most of the work. Coinbase's head of policy for Europe, Katie Harries, told reporters that "a cap on stablecoin holdings is a cap on innovation, with real and significant risks for UK competitiveness." Issuers warned they would not bother with the UK market if every retail user had to be screened against an arbitrary holding ceiling, especially when the EU, Singapore, and Hong Kong are all moving toward friendlier frameworks. The threat of London quietly ceding the next decade of fintech building to other capitals seems to have landed at Threadneedle Street. Harries did add that aggregate issuance caps are still unusual globally, and that no other major jurisdiction has made them a baseline requirement, so the new framework is not exactly a victory lap for the industry either.

What this means for users and the next 12 months

The consultation on the new framework is open until 22 September 2026, with the final Code of Practice expected by year end and operational UK-regulated stablecoins targeted for 2027. For UK readers, the practical takeaway is straightforward: if a sterling stablecoin from a regulated issuer launches next year, you will not be told you have hit a personal limit at 20,000 pounds. For the broader industry, this is one of those rare cases where a major central bank publicly walks a position back because the market and lawmakers refused to play along. The Bank still gets its safety mechanism through the issuer-level cap, just without the heavy-handed retail version that nobody wanted to police. Whether 40 billion pounds per coin proves generous or stifling depends on how quickly demand actually shows up, but for now the regulator has chosen to let the market exist rather than fence it off.

---------------

Author: Sebastian Marrow
European Newsroom

How a $4.67 Million Crypto Hack took a FULL WEEK For Anyone to Notice...

It took seven full days for anyone to realize $4.67 million had walked out of the Axelar to Secret Network bridge.

The drain happened on June 10, and nobody on either side noticed until June 17, when a routine cross-chain transfer failed and someone went to check the escrow balance on the Axelar side. The account was empty. Because Secret Network is built around a privacy-by-default design where contract state and transaction details are shielded from public view, the on-chain footprints that usually tip off security researchers within minutes were simply invisible.

That gave the attacker an entire week of breathing room while the funds were quietly moved off. Axelar's emergency committee has since disabled the Secret and Secret-SNIP connections, but the money is already gone.

An infinite-mint bug, wrapped in a custom contract

The vulnerability lived in a modified CW20-ICS20 contract on the Secret side of the bridge, which is the piece of code that handles inbound assets arriving over Cosmos IBC and mints Secret-wrapped versions of them. Those wrapped versions are the saTokens that DeFi users on Secret actually hold and trade. The attacker is accused of doing something elegantly simple: spinning up their own single-validator Cosmos chain, opening a brand new IBC channel directly to the Secret bridge contract, then self-relaying forged packets that carried token denominations matching the contract's allow-list. The contract checked which denomination was coming in. It did not check which channel that denomination was supposed to be coming from.

That single missing check is the entire story. Because the saToken contract trusted any properly-formatted IBC packet carrying a known denomination, the attacker was free to mint fully-backed-looking saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB and sawstETH out of thin air. Those freshly minted saTokens were then redeemed back over the legitimate Axelar IBC channel, which dutifully released the real escrowed assets sitting on the Axelar side. The Secret chain saw nothing unusual because the minting was technically valid. The Axelar chain saw nothing unusual because the redemptions were technically valid. Only the math on the escrow account disagreed, and nobody was looking at it.
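The missing check, as an added sketch rather than the bridge's actual contract code: a simplified model of the inbound handler with the denom-only test beside a version that binds each denomination to its channel. The type names, channel IDs and denom are hypothetical, constructed values.

```rust
use std::collections::HashMap;

/// Constructed, simplified stand-in for an inbound ICS-20 transfer packet.
pub struct Packet {
    pub dest_channel: &'static str, // bridge-side channel the packet arrived on
    pub denom: &'static str,
    pub amount: u128,
}

/// Hypothetical bridge state: denom -> the only channel allowed to deliver it.
pub struct Bridge {
    routes: HashMap<&'static str, &'static str>,
    pub minted: HashMap<&'static str, u128>,
}

impl Bridge {
    pub fn new(routes: &[(&'static str, &'static str)]) -> Self {
        Bridge { routes: routes.iter().copied().collect(), minted: HashMap::new() }
    }

    /// The flaw described above: only the denomination is checked.
    pub fn receive_denom_only(&mut self, p: &Packet) -> Result<u128, String> {
        if !self.routes.contains_key(p.denom) {
            return Err(format!("denom {} is not allow-listed", p.denom));
        }
        Ok(self.mint(p))
    }

    /// Hardened: the denomination must arrive on the channel bound to it.
    pub fn receive_channel_bound(&mut self, p: &Packet) -> Result<u128, String> {
        match self.routes.get(p.denom).copied() {
            Some(ch) if ch == p.dest_channel => Ok(self.mint(p)),
            Some(ch) => Err(format!("{} must arrive on {}, not {}", p.denom, ch, p.dest_channel)),
            None => Err(format!("denom {} is not allow-listed", p.denom)),
        }
    }

    fn mint(&mut self, p: &Packet) -> u128 {
        let total = self.minted.entry(p.denom).or_insert(0);
        *total += p.amount;
        *total
    }
}

fn main() { // constructed sample values throughout
    let forged = Packet { dest_channel: "channel-99", denom: "uusdc", amount: 1_000_000 };
    let mut b = Bridge::new(&[("uusdc", "channel-1")]);
    println!("denom-only:    {:?}", b.receive_denom_only(&forged));
    println!("channel-bound: {:?}", b.receive_channel_bound(&forged));
}
```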

A custom rework that never got externally audited

Investigators on the Secret side say the bridge contract had been adapted from a standard escrow model to a mint model when the Axelar integration was put together, and during that rework two validation functions that would have caught exactly this kind of forged-channel attack were removed from the code. Axelar reportedly never requested an external audit before flipping the connection live. Custom bridge code with its safety checks taken out, deployed without a fresh audit on a chain where outside parties cannot easily watch contract state. That is roughly the worst combination of factors a security researcher could draw up. The exploit itself was almost mundane once you understand how the contract was wired. The fact that nobody caught it for a week is the part that should worry every team running a CW20-ICS20 fork.

AXL up 5%, Secret holders less amused

Axelar's emergency committee has confirmed that the rest of the Axelar network is functioning normally and that the attack was isolated to the Secret connection. Exchanges and law enforcement have reportedly been notified, and the investigation is still open as of this week. Somewhat strangely, AXL has actually traded up around 5% since the news broke, possibly because the market read the quick shutdown as evidence the emergency procedures work the way they were advertised. Secret Network's SCRT, on the other hand, is having a less celebratory week. Holders who used the bridge are now waiting to see whether the Secret community decides to socialize the loss across treasury or staker funds, and whether the Axelar side chips in any of the recovery.

Bridges keep failing the same way

If you have followed crypto security for any length of time you have seen this exact movie before: a custom fork of a standard contract with a couple of safety checks quietly removed, no external audit, and a clever attacker who reads contract code faster than the deployers ever did. What is genuinely new here is the role privacy played in the timeline. The same on-chain opacity that makes Secret Network appealing to users who want shielded balances also blinded the wider security community to the fact that a drain was already in progress for a full week. There is a real conversation to be had about how privacy chains build out-of-band monitoring so the next incident gets caught in hours rather than days. For now, bridge users are out roughly four and a half million dollars, and another integration is being unwound on the fly.
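One shape the out-of-band monitoring could take, as an added sketch that is not tooling from either project: replay bridge accounting events and raise an alert at the first event where wrapped supply exceeds the escrow backing it. It assumes the operator can read totals from both sides in a consistent order; the event type, denom and amounts are hypothetical, constructed values.

```rust
use std::collections::HashMap;

/// Bridge accounting events, in the order an operator-run watcher observed them.
#[derive(Clone, Copy)]
pub enum Event {
    Escrowed(&'static str, u128), // source chain locked real assets
    Minted(&'static str, u128),   // wrapped tokens created on the destination
    Burned(&'static str, u128),   // wrapped tokens destroyed for redemption
    Released(&'static str, u128), // source chain paid real assets out
}

#[derive(Debug, PartialEq)]
pub struct Alert { pub index: usize, pub denom: &'static str, pub escrow: u128, pub wrapped: u128 }

/// Replays events and returns the first point where wrapped supply exceeds escrow.
pub fn first_unbacked(events: &[Event]) -> Option<Alert> {
    let mut books: HashMap<&'static str, (u128, u128)> = HashMap::new(); // (escrow, wrapped)
    for (index, ev) in events.iter().enumerate() {
        let denom = match *ev {
            Event::Escrowed(d, a) => { books.entry(d).or_default().0 += a; d }
            Event::Minted(d, a) => { books.entry(d).or_default().1 += a; d }
            Event::Burned(d, a) => { let b = books.entry(d).or_default(); b.1 = b.1.saturating_sub(a); d }
            Event::Released(d, a) => { let b = books.entry(d).or_default(); b.0 = b.0.saturating_sub(a); d }
        };
        let (escrow, wrapped) = books[denom];
        if wrapped > escrow {
            return Some(Alert { index, denom, escrow, wrapped });
        }
    }
    None
}

fn main() {
    // Constructed stream: one honest deposit, then a mint with no escrow behind it.
    let events = [
        Event::Escrowed("uusdc", 500),
        Event::Minted("uusdc", 500),
        Event::Minted("uusdc", 900),
    ];
    println!("{:?}", first_unbacked(&events));
}
```

The alert fires at the unbacked mint itself, before any redemption touches the escrow account.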

---------------

Author: Dorian Fenwick
Silicon Valley Newsroom
Breaking Crypto News

Ethereum Foundation Just Lost Its 10th Senior Leader in 6 Months - Why It's Been a Rough Year...

Hsiao-Wei Wang just stepped down as co-executive director of the Ethereum Foundation, and that makes her the second co-director out in four months.

Wang's exit on June 18 also lands her on a different and less flattering list, as roughly the tenth senior figure to walk away from the organization in under half a year. She did it the polite way, with a thoughtful post on X, gratitude for nearly a decade inside the Foundation, and plans to "spend more time closer to home." The timing matters a lot more than the tone. The Foundation she just left is staring down a $30 million annual funding gap for the people who actually maintain Ethereum's base layer, and the warning bell on that came from one of its own former contributors only days earlier.

Wang is the headline here because of who she is, not just the title she held. She joined EF Research in mid-2017 as a Layer 1 researcher, helped build the early proof-of-concepts for sharding, and worked on the Beacon Chain that carried Ethereum through the Merge. In March 2025 she was promoted to co-executive director alongside Tomasz Stanczak, in what was billed as a stable two-person leadership setup for the post-Vitalik era. Stanczak resigned earlier this year. Now Wang is gone too, which leaves the Foundation without a permanent co-executive director for the second time in 2026, while the wider research team is also visibly thinning out around her.

Eight senior names, five months, and an exit list that hurts

The departures around Wang are not junior researchers nobody outside Ethereum has heard of. Carl Beek, Julian Ma, Barnabe Monnot, Tim Beiko, Alex Stokes, and longtime ecosystem coordinator Trent Van Epps have all left or announced exits in 2026. Five of those happened in May alone. Counting Stanczak and Wang, that is roughly ten senior names off the org chart in under six months, with about 19 layoffs and exits across the Foundation in total this year. Whatever is going on internally at EF, it is not a quiet trickle anymore. The people leaving are mostly the ones who knew where the wires connect, and that knowledge is now walking out the door.

The departures sit on top of a separate and equally awkward problem. Van Epps used his own exit window to publicly flag that the people maintaining Ethereum's base layer could face a real funding shortfall in the next three to nine months. He puts the cost of keeping core development running at roughly $30 million a year. The Foundation has been cutting spending across the board, and the Client Incentive Program that helped pay execution clients wound down in April. The math from there is not friendly, and Van Epps is not exactly a stranger to how this sausage gets made.

The "stake to fund" plan isn't covering it

Earlier this year the Foundation pivoted to a "stake to fund" model, putting around 70,000 ETH (roughly $143 million at the time) into staking to generate yield instead of selling treasury straight into the market. The headline math is straightforward and not great, since staking returns work out to something like $4 to $5 million a year against a $30 million annual need. To cover the difference, the Foundation has been quietly drawing down ETH anyway. About 17,000 ETH was unstaked in April, another 21,270 ETH (around $50 million) was unstaked in May, and at least 15,000 ETH has gone out in OTC sales to BitMine, including a 10,000 ETH deal closed on May 1 for about $22.9 million. The "we will not sell ETH" optics are getting harder to defend with that kind of paper trail.

The strange part is that all of this is happening while the network itself looks fine. On-chain activity is healthy, the post-Merge stack is stable, the validator set is enormous, and Ethereum is still the settlement layer most serious L2s build on. The risk is not the protocol layer, it is the coordination layer around it. If client teams and core researchers cannot be reliably funded, upgrade roadmaps slow down, security work gets thinner, and the people who do that work start fielding offers from L2 foundations and large stakers who can pay. That is not a tomorrow problem; it is a next-year, possibly sooner, problem, which is exactly the window Van Epps was pointing at on his way out.

What ETH holders should actually take from this

None of this means Ethereum is in trouble in the way crypto Twitter would like to dramatize it on a slow Saturday. ETH the asset and ETH the network are not the same thing as the Foundation that helped midwife them, and there are well-funded ecosystem players, including client teams, L2 foundations, and very large stakers, who have every reason to keep the lights on even if EF cannot write the check. But it does mean the institutional center of gravity that used to live inside one organization in Zug is fragmenting in real time. Some of that may be healthy decentralization, since one Swiss nonprofit probably should not be the load-bearing wall for the second largest crypto network. Some of it is normal turnover during a stressful market. And some of it is a $30 million funding hole that someone is going to have to write a check to close before client teams start making different decisions. The next few months will tell us which one of those it actually is, and Wang's exit is a useful marker of how late it is in the day.

---------------

Author: Sebastian Marrow
European Newsroom
Breaking Crypto News