GCP Exclusive Reporting

10/cate3/GCP Exclusive Reporting

Featured Startups

5/cate1/icos

exchanges

6/cate2/exchanges

videos

6/cate3/videos

regulations

5/cate1/regulations

Now Playing:

3/cate6/videos

Recent post

Ethical Hackers Found a Way to Break a $70 Billion Blockchain - With a $3,000 Budget...

Turns out you don't need a nation-state budget to threaten a multi-billion dollar blockchain. You need about $3,000 and a very good weekend.

That is the uncomfortable lesson from a disclosure that went public on July 4, when security firm Hexens revealed a critical flaw it found in Aptos back in February. The bug lived inside the Move virtual machine, the engine that runs every smart contract on the chain, and it was serious enough that Hexens put the first-order systemic risk at roughly $70 billion. For a network that markets itself on speed and safety, that is not a number anyone wants attached to their name. The good news, which we will get to, is that no funds were ever lost. The bad news is how little it would have taken to change that.

The story matters because Aptos is not some abandoned testnet. It is a top-tier layer-1 with real stablecoins, real bridges, and real money parked in its ecosystem. When a researcher tells you a flaw could have reached that much value, they are not just talking about tokens sitting in wallets. They are talking about the plumbing that connects Aptos to the rest of crypto. And the people who found this did it on a budget that would not cover a decent gaming PC.

What they actually found

Hexens described the issue as a "stale-cache bug" that led to a type-confusion vulnerability. In plain terms, that means the software could be tricked into treating one kind of on-chain resource as if it were a completely different one. If you have ever handed someone the wrong key and watched them open a door they were never supposed to touch, you get the general idea. According to the firm, the flaw let an attacker potentially hijack on-chain structs and authority resources, which are the core data structures that decide who owns what and who is allowed to do what. Mess with those, and the normal rules about ownership stop meaning very much.

Type confusion is one of those bug classes that sounds academic until it is pointed at real money. It has haunted traditional software for decades, and the Move language was specifically designed to make this sort of thing hard to pull off. That is part of why this disclosure stings a little. The whole selling point of Move is that it treats digital assets as a special resource the compiler guards closely, so seeing a type-confusion flaw surface in Aptos is a bit like finding a leak in the one boat everyone promised was unsinkable.

The scary part: It took $3,000 to make it happen

Plenty of blockchain exploits require deep pockets, insider access, or control of a big chunk of the network. This one, allegedly, did not. Hexens says it simulated the attack under real network conditions with a success rate above 90 percent, using a server setup that cost around $3,000 and stood in for roughly a third of the validator set. No special permissions, no insider help, no cooperation from anyone already inside the system. That combination is what turns a technical curiosity into a genuine emergency, because it means the barrier to entry was almost nothing. When the cost of breaking something is measured in hundreds or low thousands of dollars and the prize is measured in billions, you are relying entirely on nobody else noticing first.

Where the $70 billion number comes from

A $70 billion figure sounds almost cartoonish for a chain whose own token market cap is a fraction of that, so it is worth explaining. Hexens was not claiming $70 billion sits directly on Aptos. The estimate covers everything the flaw could have reached through the connections crypto has quietly built over the last few years. That includes value moving across bridges, cross-chain messaging systems, stablecoin administration flows, and assets custodied by centralized exchanges that touch the network. Modern crypto is stitched together, and a hole in one important chain does not stay politely contained to that chain. That is the real warning here, and it applies to a lot more than just Aptos.

The quiet fix nobody heard about until now

Here is the part that keeps this from being a horror story. Hexens reported the flaw through Aptos Labs' bug bounty program on February 25, and the team says a fix was developed, tested, and pushed to mainnet within hours of discovery. An Aptos spokesperson told CoinDesk that no users or funds were impacted at any point, and the details were only made public months later, which is exactly how responsible disclosure is supposed to work. The researchers got paid, the hole got patched before anyone with bad intentions found it, and the wider world found out once it was safe to talk about.

Still, it is worth sitting with what almost happened. A flaw that could have rippled across $70 billion in connected value was closed off by a bug bounty and a fast engineering response, not by luck at the moment of attack. If white-hat researchers had not gotten there first, this would read very differently. The lesson for anyone holding crypto is not to panic about Aptos specifically, which is now patched, but to notice how much of this industry's safety still depends on a small group of ethical hackers choosing to send an email instead of draining a wallet. That is a thin line to be standing on, and it is worth remembering the next time a chain tells you it is unbreakable.

---------------

Author: Dorian Fenwick
Silicon Valley Newsroom
Breaking Crypto News

236,000 Crypto Scam Sites Trace Back to a Single Chinese App Builder...

Crypto scam network glow

A new investigation just put a number on something every crypto user should be worried about.

Threat intel firm Infoblox identified 236,493 distinct second-level domains that are all built on the same Chinese open-source app framework, DCloud Uni-App, and a huge portion of them exist for one purpose, which is to drain crypto wallets and run fake exchanges. The framework itself is perfectly legitimate, used by real developers around the world to ship apps to iOS, Android, and the web from a single codebase. That same convenience is what makes it so attractive to fraud crews. They get a polished, mobile-friendly fake exchange or fake investment dashboard in days instead of months, and the underlying code looks indistinguishable from a thousand actual startups.

Why This Is Worse Than the Usual Scam Site Sprawl

The numbers tell their own story about how quickly this got out of hand. Before October 2024, Infoblox was seeing a few thousand new DCloud-fingerprinted scam sites appear each month, which already would be a lot. After the RainbowEx scandal broke into international headlines that fall, the rate ballooned to roughly 15,000 newly observed sites per month at peak. Scammers apparently looked at the press coverage and decided the playbook was worth copying at scale, not abandoning. The sites target speakers of at least eight languages and span every continent, posing as everything from major stock exchanges to retail giants to messaging platforms. Most of them are hosted on Cloudflare, AWS, Alibaba Cloud, and Tencent Cloud, which lets them blend in with real businesses and makes simple IP blocklists basically useless.

Few RainbowEx and the Argentine Town That Got Wiped Out

If you want a sense of what victims actually experience, the RainbowEx case is the textbook example. In 2024, residents of San Pedro, Argentina poured money into what looked like a slick cryptocurrency exchange. The dashboard showed live trades, balances climbed steadily, and stablecoin deposits flowed in without issue. Then withdrawals stopped working. Thousands of people in a single small town discovered the trades had been fabricated, the balances were synthetic, and the operators were gone. Argentine authorities later arrested seven people allegedly tied to the operation, but most of the money is gone, and the exact same template, with cosmetic branding changes, is now running on a measurable percentage of those 236,000 domains.

What an Average Trader Should Actually Do About It

There is no clean solution here, because the underlying framework is legitimate software and the hosts are mainstream cloud providers who cannot deplatform their entire customer base. About 6% of confirmed scam domains were found running on bulletproof hosts like CTG Server Limited, which has been flagged for malicious activity before, so at least those have a clear villain. The rest hide in normal traffic. Anyone evaluating a new exchange, airdrop site, or investment opportunity found through a Telegram group, WhatsApp chat, or Twitter DM should treat the polish of the website as evidence of nothing at all. Check whether the company is registered anywhere real, whether withdrawals actually work for small amounts before sending large ones, and whether the domain was registered in the last few months. If the answer to any of those raises a flag, walk away. The Hacker News has additional technical detail for anyone who wants to dig deeper.

The takeaway from this count is uncomfortable but useful. The crypto scam economy is no longer a scattered collection of one-off sites built by individual scammers working in their basements. It is an industrial production line running on shared tooling, mainstream hosting, and proven playbooks, and 236,000 storefronts is just what was visible enough to count. Treat every unfamiliar exchange link the way you would treat an unsolicited email asking for your password, because at this scale, the odds are not in your favor.

---------------

Author: Ren Nakamura
Asia Newsroom
Breaking Crypto News

Ripple Beats Europe's Crypto Deadline by 8 Days - Most Competitors Won't Make It

Eight days. That is all that stood between Ripple and a regulatory wall most of its competitors are about to slam into.

The payments company announced Tuesday that Luxembourg's financial regulator, the Commission de Surveillance du Secteur Financier, has issued it a preliminary "Green Light Letter" for a Crypto Asset Service Provider license under the EU's Markets in Crypto Assets framework. The timing is no accident. On July 1, MiCA's hard deadline kicks in, and any crypto firm still operating in Europe without authorization is suddenly, technically, in breach of the law. Ripple cleared the bar with a week to spare. By the latest count from industry trackers, only around 210 firms can say the same.

That second number is the one worth sitting with for a moment. By mid-2026, roughly 83 percent of crypto firms doing business in the EU had not secured a MiCA license. Some are still in line at national regulators. Some never bothered to apply. Either way, after next Tuesday, they are either pulling out of the bloc, scrambling for a stopgap, or quietly hoping nobody notices. Luxembourg, meanwhile, has positioned itself as the go-to passporting hub for firms that want one approval to cover the entire region.

Why this license is worth more than it looks on paper

The Green Light Letter is, on its own, just a step. The CSSF still has to finalize conditions before the license becomes fully effective. But the way MiCA is structured, that single Luxembourg authorization will work as a passport across all 30 countries in the European Economic Area. No more country by country applications, no patchwork of approvals, no juggling 27 different sets of forms in 24 different languages. One license, thirty markets, and roughly 450 million potential customers, give or take.

For Ripple specifically, the CASP license slots on top of an EU Electronic Money Institution license the company already holds. That combination is the part the company is most eager to talk about. The EMI piece handles the fiat side, with euros in and euros out, regulated as proper electronic money. The CASP piece handles the crypto side, including custody, exchange, transfers, and RLUSD stablecoin operations. Stitch them together, and a European bank or fintech can move both traditional cash and digital assets through one Ripple integration. Until now, that kind of full stack setup almost always required juggling separate providers and separate compliance teams.

The MiCA bottleneck nobody planned for

When MiCA was drafted, the assumption was that crypto firms would queue up at the various national regulators across the EU and shuffle through the process in an orderly fashion. That is not what happened. Regulators in larger markets like Germany and France got buried under applications. Some firms decided the cost of compliance simply was not worth the European revenue. Others held out hoping the deadline might slip again. It will not. The European Securities and Markets Authority has been signaling for months that July 1 is firm, and member states have been quietly preparing enforcement plans.

The companies that did move early, like Coinbase, Kraken, OKX, and Bitstamp, picked their jurisdictions carefully. Some went to Ireland for the regulatory familiarity. Others picked the Netherlands or Malta. Luxembourg has emerged as a quiet favorite for institutional payments players because the CSSF is considered fast and technically literate, and used to dealing with cross-border financial firms. Ripple's choice fits that pattern. The company has been talking about Luxembourg as its European base for years, and its existing EMI license was also issued there.

What it changes for Ripple's European push

Ripple's executives have been telegraphing an aggressive European strategy for at least a year. The company sees Europe as the place where regulated stablecoins and institutional crypto payments could move from pilot projects to actual rails. RLUSD, the company's dollar-backed stablecoin, is part of that pitch. So is the cross-border payments business that has long been Ripple's bread and butter. The CASP authorization, once finalized, means Ripple can pitch banks and corporates a regulated stack that competitors without a license cannot legally match.

It also matters for XRP, even if Ripple is careful about the framing. Wider availability of regulated services tied to Ripple's infrastructure tends to translate into more institutional touchpoints for the token over time, even though the CASP license itself is about service provision rather than the asset. Traders noticed regardless, and the licensing news has been one of the bigger talking points in European crypto markets this week. Volume on regulated European venues ticked up after the announcement, which is the kind of reaction Ripple was probably hoping for.

The bigger picture for everyone else

The Ripple announcement is, in its own way, a status report on the entire European crypto industry. Less than two weeks from the deadline, the licensed group is small, the unlicensed group is large, and the gap is not going to close in time. Expect a wave of withdrawals, partnerships, and quiet pause announcements over the next month. Expect the licensed firms to use that period to grab market share. And expect regulators to get visibly active fairly quickly, if only to make the point that the deadline was real.

For traders and institutions in Europe, the practical message is to check whether the platforms they use are on the right side of the line. After July 1, the cost of being on the wrong side is no longer theoretical. Customer funds could end up frozen at a venue forced to wind down, payment flows could get interrupted, and any platform without a license will face escalating enforcement risk. That is not a comfortable position to be in, and it is one a lot of crypto companies are about to occupy.

---------------

Author: Sebastian Marrow
European Newsroom
Breaking Crypto News

Pump.fun's New 'Pay Anyone to Do Anything' Platform Is Already Drawing 'Black Mirror' Comparisons - and a NY Governor Wants It Banned

Pump.fun has been the engine room for Solana's memecoin chaos for two years, but its latest experiment is something different.

The platform rolled out a feature called "GO" earlier this month, and it operates on a slogan that sounds more like a dare than a product description: "Pay ANYONE to do ANYTHING." Anyone with a connected wallet and an X account can post a bounty, lock crypto in escrow, and let strangers race to claim it by performing whatever task the buyer dreamt up. Within hours of going live, the board filled with the kind of listings that make moderators reach for the off switch, and the platform has been doing damage control ever since. Now a sitting U.S. governor is publicly calling for legislation to shut it down.

The mechanics are straightforward in a way that is part of the problem. A creator writes a description, sets a deliverable, picks a timeframe, and funds the bounty starting at $5. The money cannot be pulled back once it is posted, so refunds only happen if the bounty expires unclaimed and a short dispute window passes. Pump.fun reserves "sole authority" to approve, reject, modify, or cancel any submission, which is the only thing standing between the marketplace and total free for all. In practice that gatekeeping function is being tested constantly, and the test cases are getting darker by the day.

The Bounties That Are Making People Uncomfortable

The headline numbers are catnip for clicks, and Pump.fun seems to know it. One advertised reward sits at roughly $50,000 for a volunteer willing to skydive into a World Cup match wearing a full body memecoin mascot costume, with live video as proof. A separate $23,525 listing asks for a two minute video interview with the family of a convicted murderer or the officer who put the murderer away. Smaller bounties offer cash for getting a token ticker tattooed on the forehead, streaking an NBA Finals game, or breaking a running world record on camera. The dashboard shows hundreds of active listings and almost $144,000 sitting in unclaimed rewards, which is a lot of dangling cash for whatever idea catches a poster's attention next.

Then there is the one nobody can ignore. A 10,000 SOL bounty, worth roughly $690,000 at current prices, surfaced tied to a self harm related act, and the screenshots spread faster than the platform could pull the listing. Critics argue that this is exactly the predictable outcome of an open bounty board with crypto payouts, because the people most likely to take a horrific dare are the ones who need the money the most. The marketplace amplifies that pressure rather than dampening it. Pump.fun has not issued a detailed moderation policy in response, which is doing nothing to quiet the criticism. A statement may eventually come, but for now the silence is the story.

A Governor, a Ban, and a Black Mirror Episode

New York Governor Kathy Hochul called the feature a "dystopian nightmare" and said she would back legislation to ban GO outright. The comparison everyone keeps reaching for is the Black Mirror episode "Common People," in which a desperate man performs increasingly degrading stunts on a livestream platform to fund his wife's medical care. The reference is so unavoidable that it is now baked into nearly every headline written about the launch. For a project that spent the past year trying to rehabilitate its image after a string of memecoin scandals, this is a notable own goal.

The economic story is almost as strange as the optics. While the dashboard advertises six figure pools, the largest single payout that has actually been recorded sits at $686.44, with the next two at $596.51 and $487.11. That gap between the eye popping listings and the modest real world payouts is a strong hint that most of these bounties are PR stunts, token pumping schemes, or jokes that will quietly expire. The token itself, $PUMP, briefly rallied roughly 3% on the launch news before settling back down. Whether the platform survives the regulatory attention is a separate question, and one that may get answered before the skydive ever happens.

Closing thoughts

The deeper issue is not that someone built a crypto bounty board, because that has existed in various forms for years. It is that Pump.fun built one with no real onboarding friction, an audience already conditioned to chase viral attention, and an escrow system that makes the money feel guaranteed even when most of it is sitting in publicity stunts that will never pay out. The mismatch between the marketing and the actual payouts is doing a lot of work to keep people posting, and that is exactly the dynamic regulators are now zeroing in on. If a state attorney general or the SEC decides this looks like a structured incentive to cause harm, the legal exposure goes from theoretical to immediate very quickly.

For traders watching from the sidelines, the takeaway is simpler. Pump.fun has built a real business on volatility and outrage, and GO is the logical extension of that strategy rather than a departure from it. The platform's track record suggests the team will iterate, throttle the worst listings, and keep the marketplace alive in some form. But the political temperature around crypto incentives just went up several degrees, and the next regulatory response is unlikely to be friendly. If anyone needed a reminder that the memecoin economy operates on different rules than the rest of crypto, this week delivered it.

---------------

Author: Cedric Holloway
New York Newsroom
Breaking Crypto News

Zuckerberg Takes on Polymarket and Kalshi... Or Are They? Meta IS Building a Prediction Market - but it "Won't Use Cash Or Crypto"...

Mark Zuckerberg has reportedly told a small group inside Meta to start building a prediction market app, and it sounds a lot like Polymarket with the engine swapped out.

The New York Times broke the story on Monday, reporting that Zuckerberg directed an internal team at Meta to develop a standalone smartphone app referred to internally as "Arena." It would let users weigh in on the outcome of sporting events, elections, market moves, pop culture moments, and anything else worth wagering an opinion on. For now, users would not be wagering money. Arena is being built around a points system the report compares to a video game, which is a meaningful departure from how Polymarket and Kalshi actually became billion-dollar businesses. Meta has not ruled out adding real-money trading later, which is the kind of phrasing that usually means it is going to add real-money trading later. The app would live outside of Facebook, Instagram, WhatsApp, and Messenger, in its own silo.

Why Now? Because the Sector Just Crossed $130 Billion

Prediction markets used to be a niche curiosity for the politics-and-poker crowd. That changed when Polymarket and Kalshi turned the 2024 US election into a referendum on whether on-chain odds were a better signal than traditional polling. Combined trading volume on the two platforms hit roughly $50 billion in 2025, and it has already cleared $130 billion so far in 2026. Bernstein analysts have floated an estimate that the category could push $1 trillion in annual volume by 2030, which is the kind of number that gets the CEO of a 3-billion-user social network to suddenly clear his afternoon. Zuckerberg's team has described the Arena push as "experimental" but also a "top priority," which in Silicon Valley translation usually means he has been pinging the project lead on weekends.

The BIG Difference - No Cash, No Crypto... For Now

This is where the story gets interesting for anyone who follows crypto. Polymarket runs on Polygon and settles markets in USDC. Kalshi is CFTC-regulated and uses cash. Both made it past the regulatory minefield in different ways, one by being a non-US protocol that lets users trade with stablecoins, the other by becoming a registered designated contract market. Meta's points approach skips both of those battles and lands the app in what is essentially a casual gaming bucket. That gets Arena to market faster, but it also means launch-day users will not be doing the thing that made Polymarket fascinating in the first place, which is putting real skin in the game on the question of who is going to win Iowa. The plan, according to the reporting, is to allow money trading eventually. Whether eventually means months or years is anyone's guess.

Meta's Crypto Track Record Is, How To Put This, Uneven

This is not Meta's first attempt to plant a flag in financial infrastructure. The Libra project, later rebranded Diem, was supposed to be a global stablecoin run by a Switzerland-based consortium. Regulators across half the world made it very clear they would rather chew glass than approve it, and the project was eventually sold off and quietly buried. The company is currently making another attempt at stablecoins, with a reported plan to enter the dollar-pegged token space later this year via a third-party integration, and a USDC creator-payout pilot already running in Colombia and the Philippines. Arena is launching alongside that effort, which means Meta will be juggling a points-based prediction market in one hand and a stablecoin payments rail in the other. If both ship, the integration question gets very interesting very quickly.

Polymarket and Kalshi Investors Did Not Take the News Well

The reaction to the NYT scoop was immediate. DraftKings ended the day off more than 2 percent, FanDuel parent Flutter Entertainment dipped nearly 2 percent before recovering slightly, and Robinhood (which offers prediction market contracts from Kalshi) fell on the same logic. The sell-off was driven by the very simple math that a Meta clone with 3 billion built-in users is the kind of competitor that turns a high-growth category into a brutal one. Polymarket itself remains private and just took a significant funding round at a multibillion-dollar valuation. Kalshi has been on a tear with sports event contracts and political markets. Neither of them needs an existential threat right now, and neither of them gets a vote.

How will this effect the broader market?

That depends on what Zuck's end game is. If Arena launches and becomes a platform using real-money, then all the companies mentioned above will have to deal with the strange scenario where the 'new competition' is starting off with 3 billion users.  But until then, existing markets won't be losing any users to a 'points-only' market - their users are there to play for cash.

For now, the only thing confirmed is that a small team inside Meta has been told to build it. The rest is going to play out one product leak at a time.

---------------

Author: Cedric Holloway
New York Newsroom
Breaking Crypto News

Ethereum's Most Notorious Front Running Bot's Own Greed Gets Used Against It - Tricked Into Giving Up MILLIONS worth of ETH...

The hunter became the hunted, and the hunter was holding a fortune in stolen ETH when it happened.

JaredFromSubway.eth, the most active and most hated MEV or 'front running' bot on Ethereum - it works by spotting places where it can insert itself ahead of a pending trade, cuts in line ahead by paying higher gas fees, buying the tokens that otherwise should have gone to you, instead forcing your order to be filled with higher priced tokens. Then, once you've overpaid for your coins, it will immediately sell the ones they bought at the new higher price. While the amount earned each time is often small, multiply that by hundreds of transactions every hour and this practice adds millions in additional costs to traders every year. 

But it was the front runners who took a hit over the weekend by an attacker built an elaborate honeypot designed to look exactly like the kind of profit opportunity the bot is wired to chase. Security firm Blockaid disclosed the exploit on Saturday, and the on-chain trail tells a story that has the entire crypto community grinning ear to ear. The bot did what it was built to do. The attacker just made sure it did it on the wrong contracts. For anyone who has ever lost a few cents to a sandwich attack while trying to swap on Uniswap, this might be the most satisfying news of the year.

There is no comment from the operator beyond the bounty offer, and there is unlikely to be one any time soon.

How a Hunter Built a Better Trap

The attacker deployed 66 fake token contracts, each one mimicking the look and interface of real assets like WETH, USDC, and USDT, and paired each one with a sham liquidity pool. The routes were carefully designed so that the bot's automated decision logic would flag the contracts as a legitimate sandwich opportunity. The first few baits worked exactly the way a normal MEV trade would. Small approvals went in, the swap closed cleanly, and the approvals were consumed by the trade. The bot's risk model had no reason to flinch.

Then the trap snapped. On the larger bait transactions, the attacker had structured the swaps so that the approvals stayed open instead of being spent on a real trade. By the time anyone was watching, JaredFromSubway had quietly granted token-spending permissions on USDC, USDT, and WETH to a series of attacker-controlled helper contracts. The bot was not hacked in the traditional sense. There was no smart contract bug, no compromised private key, no leaked seed phrase. The exploit was a behavioral one, and the bot was tricked into giving permission the same way it gives permission every day, just to the wrong wallet.

Somewhere Between $7 and $15 Million in ETH, gone

Once the approvals were in place, the attacker drained the bot's working capital and swapped most of it into roughly 4,427 ETH, worth about $7.7 million at the time of the move. On-chain analysts at HTX and other tracking firms watched as 1,000 ETH of those funds were immediately routed into Tornado Cash, the mixer that was sanctioned by the US Treasury before being delisted from the sanctions list earlier this year. The rest of the funds are still being tracked across wallets, with several exchanges already flagging deposit addresses linked to the attacker. Some reports place the final loss higher, with BleepingComputer putting the figure closer to $15 million once every approval is added up.

JaredFromSubway's operator, who has never publicly identified themselves, did not stay quiet. Within hours of the drain, they used an on-chain input data message to offer the attacker a bounty of 2,150 ETH, close to half of the stolen funds, for the return of the rest within 48 hours. The operator said no further action would be taken if the funds came back. The clock started ticking and as of this writing nothing had been returned. Whatever the final number, this is the largest single loss for a private MEV operation in Ethereum's history, and the bounty offer is the first time the JaredFromSubway team has spoken publicly through anything other than block transactions.

The Cosmic Joke Nobody Misses

There is no easy way to feel sorry for the operator of a bot that has spent years skimming value out of every retail user dumb enough to swap with default slippage. The accused attacker has effectively run a counter-MEV operation, a tactic that has been theorized in academic papers for years but rarely executed at this scale. By engineering opportunities that looked profitable but were actually designed to bait approvals, the attacker turned the bot's strongest features, speed and aggression, into its biggest vulnerability. It is the closest thing crypto has had to poetic justice this year, and one of the cleanest examples of the predator becoming the prey since the genre was invented.

The bigger lesson, for any sandwich operator or other automated arbitrage system on Ethereum, is that the meta is shifting. Counter-MEV is no longer just research, and the approvals logic that every bot uses to interact with new contracts has become part of the attack surface. Operators who spent years optimizing for raw speed and gas now also have to optimize for trust. JaredFromSubway has been quiet on chain since the drain, the bounty clock is still running, and the community is still laughing. Somewhere out there a very patient honeypot designer is watching $7.7 million in fresh wallets settle in. Whether the bounty gets accepted or not, the message has already been delivered to every other MEV bot operator on the network. Greed has a price, and it is finally being paid in the same currency it was used to extract.

---------------

Author: Cedric Holloway
New York Newsroom
Breaking Crypto News

Bank of England Just Killed It's Own Stablecoin Restrictions, Admits They Were 'Excessively Conservative'...

A central bank does not usually publicly trash its own homework, but the Bank of England did exactly that on Monday.

The Bank spent the better part of a year telling everyone that if you wanted to hold a sterling stablecoin, you would be capped at 20,000 pounds per individual. Businesses got their own 10 million pound ceiling. The reasoning was that if too many deposits flowed out of high street banks and into digital tokens, the lending plumbing that keeps mortgages and overdrafts cheap could spring a leak. That was the official line in the November 2025 consultation, and the industry hated every word of it. Coinbase, Circle, and every UK-based fintech with a stablecoin ambition spent the last six months explaining, loudly, that those caps would push the entire business overseas before it even launched.

On Monday morning, the Bank scrapped the whole concept of personal holding caps. Everyday users and large businesses will no longer face restrictions on how much, how often, or what type of sterling stablecoin they can move. Deputy Governor Sarah Breeden, who has spent the last few months telegraphing this change in interviews and committee appearances, was unusually blunt about why: the original plan was "excessively conservative" and "cumbersome operationally for a temporary measure." When the regulator writing your rulebook publicly calls its own draft cumbersome, the rewrite is just a matter of time. The interesting question is what was supposed to replace the caps, and the answer is more clever than expected.

What replaces the 20,000 pound personal cap

Instead of policing how much retail wallets can hold, the Bank is putting a ceiling on the issuers themselves. Each systemic sterling stablecoin will be allowed up to 40 billion pounds in total circulation, a temporary guardrail the Bank says it will phase out as the market matures. That figure works out to roughly 50 billion dollars at current rates, and it applies per coin rather than across the whole market. So if three different issuers wanted to compete, each could grow to that ceiling without crowding the others out. The Bank also softened the reserve rules, letting issuers park up to 70 percent of backing assets in short-term UK government debt rather than the original 60 percent, with the rest sitting at the central bank. Interest payments to coin holders remain banned, which keeps these tokens from looking too much like savings accounts in disguise.

Why the Bank backed down

Six months of relentless industry pushback and a sharp House of Lords committee report did most of the work. Coinbase's head of policy for Europe, Katie Harries, told reporters that "a cap on stablecoin holdings is a cap on innovation, with real and significant risks for UK competitiveness." Issuers warned they would not bother with the UK market if every retail user had to be screened against an arbitrary holding ceiling, especially when the EU, Singapore, and Hong Kong are all moving toward friendlier frameworks. The threat of London quietly ceding the next decade of fintech building to other capitals seems to have landed at Threadneedle Street. Harries did add that aggregate issuance caps are still unusual globally, and that no other major jurisdiction has made them a baseline requirement, so the new framework is not exactly a victory lap for the industry either.

What this means for users and the next 12 months

The consultation on the new framework is open until 22 September 2026, with the final Code of Practice expected by year end and operational UK-regulated stablecoins targeted for 2027. For UK readers, the practical takeaway is straightforward: if a sterling stablecoin from a regulated issuer launches next year, you will not be told you have hit a personal limit at 20,000 pounds. For the broader industry, this is one of those rare cases where a major central bank publicly walks a position back because the market and lawmakers refused to play along. The Bank still gets its safety mechanism through the issuer-level cap, just without the heavy-handed retail version that nobody wanted to police. Whether 40 billion pounds per coin proves generous or stifling depends on how quickly demand actually shows up, but for now the regulator has chosen to let the market exist rather than fence it off.

---------------

Author: Sebastian Marrow
European Newsroom
Breaking Crypto News

How a $4.67 Million Crypto Hack took a FULL WEEK For Anyone to Notice...

It took seven full days for anyone to realize $4.67 million had walked out of the Axelar to Secret Network bridge.

The drain happened on June 10, and nobody on either side noticed until June 17, when a routine cross-chain transfer failed and someone went to check the escrow balance on the Axelar side. The account was empty. Because Secret Network is built around a privacy-by-default design where contract state and transaction details are shielded from public view, the on-chain footprints that usually tip off security researchers within minutes were simply invisible.

That gave the attacker an entire week of breathing room while the funds were quietly moved off. Axelar's emergency committee has since disabled the Secret and Secret-SNIP connections, but the money is already gone.

An infinite-mint bug, wrapped in a custom contract

The vulnerability lived in a modified CW20-ICS20 contract on the Secret side of the bridge, which is the piece of code that handles inbound assets arriving over Cosmos IBC and mints Secret-wrapped versions of them. Those wrapped versions are the saTokens that DeFi users on Secret actually hold and trade. The attacker is accused of doing something elegantly simple: spinning up their own single-validator Cosmos chain, opening a brand new IBC channel directly to the Secret bridge contract, then self-relaying forged packets that carried token denominations matching the contract's allow-list. The contract checked which denomination was coming in. It did not check which channel that denomination was supposed to be coming from.

That single missing check is the entire story. Because the saToken contract trusted any properly-formatted IBC packet carrying a known denomination, the attacker was free to mint fully-backed-looking saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB and sawstETH out of thin air. Those freshly minted saTokens were then redeemed back over the legitimate Axelar IBC channel, which dutifully released the real escrowed assets sitting on the Axelar side. The Secret chain saw nothing unusual because the minting was technically valid. The Axelar chain saw nothing unusual because the redemptions were technically valid. Only the math on the escrow account disagreed, and nobody was looking at it.

A custom rework that never got externally audited

Investigators on the Secret side say the bridge contract had been adapted from a standard escrow model to a mint model when the Axelar integration was put together, and during that rework two validation functions that would have caught exactly this kind of forged-channel attack were removed from the code. Axelar reportedly never requested an external audit before flipping the connection live. Custom bridge code with its safety checks taken out, deployed without a fresh audit on a chain where outside parties cannot easily watch contract state from the outside. That is roughly the worst combination of factors a security researcher could draw up. The exploit itself was almost mundane once you understand how the contract was wired. The fact that nobody caught it for a week is the part that should worry every team running a CW20-ICS20 fork.

AXL up 5%, Secret holders less amused

Axelar's emergency committee has confirmed that the rest of the Axelar network is functioning normally and that the attack was isolated to the Secret connection. Exchanges and law enforcement have reportedly been notified, and the investigation is still open as of this week. Somewhat strangely, AXL has actually traded up around 5% since the news broke, possibly because the market read the quick shutdown as evidence the emergency procedures work the way they were advertised. Secret Network's SCRT, on the other hand, is having a less celebratory week. Holders who used the bridge are now waiting to see whether the Secret community decides to socialize the loss across treasury or staker funds, and whether the Axelar side chips in any of the recovery.

Bridges keep failing the same way

If you have followed crypto security for any length of time you have seen this exact movie before, a custom fork of a standard contract with a couple of safety checks quietly removed, no external audit, and a clever attacker who reads contract code faster than the deployers ever did. What is genuinely new here is the role privacy played in the timeline. The same on-chain opacity that makes Secret Network appealing to users who want shielded balances also blinded the wider security community to the fact that a drain was already in progress for a full week. There is a real conversation to be had about how privacy chains build out-of-band monitoring so the next incident gets caught in hours rather than days. For now, bridge users are out roughly four and a half million dollars, and another integration is being unwound on the fly.

---------------

Author: Dorian Fenwick
Silicon Valley Newsroom
Breaking Crypto News