Skip to main content

7 posts tagged with "crypto"

View All Tags

Momentary Custody, Long-Term Compliance: A Playbook for Crypto-Payment Founders

· 6 min read
Dora Noda
Software Engineer

If you’re building a crypto payments platform, you might have told yourself, “My platform only touches customer funds for a few seconds. That doesn’t really count as custody, right?”

This is a dangerous assumption. To financial regulators worldwide, even momentary control over customer funds makes you a financial intermediary. That brief touch—even for a few seconds—triggers a long-term compliance burden. For founders, understanding the substance of regulation, not just the technical implementation of your code, is critical for survival.

This playbook offers a clear guide to help you make smart, strategic decisions in a complex regulatory landscape.

1. Why “Just a Few Seconds” Still Triggers Money-Transmission Rules

The core of the issue is how regulators define control. The U.S. Financial Crimes Enforcement Network (FinCEN) is unequivocal: anyone who “accepts and transmits convertible virtual currency” is classified as a money transmitter, regardless of how long the funds are held.

This standard was reaffirmed in FinCEN’s 2019 CVC guidance and again in the 2023 DeFi risk assessment.

Once your platform meets this definition, you face a host of demanding requirements, including:

  • Federal MSB registration: Registering as a Money Services Business with the U.S. Department of the Treasury.
  • A written AML program: Establishing and maintaining a comprehensive Anti-Money Laundering program.
  • CTR/SAR filing: Filing Currency Transaction Reports (CTRs) and Suspicious Activity Reports (SARs).
  • Travel-Rule data exchange: Exchanging originator and beneficiary information for certain transfers.
  • Ongoing OFAC screening: Continuously screening users against sanctions lists.

2. Smart Contracts ≠ Immunity

Many founders believe that automating processes with smart contracts provides a safe harbor from custodial obligations. However, regulators apply a functional test: they judge based on who has effective control, not how the code is written.

The Financial Action Task Force (FATF) made this clear in its 2023 targeted update, stating that “marketing terms or self-identification as DeFi is not determinative” of regulatory status.

If you (or a multisig you control) can perform any of the following actions, you are the custodian:

  • Upgrade a contract via an admin key.
  • Pause or freeze funds.
  • Sweep funds through a batch-settlement contract.

Only contracts with no admin key and direct user-signed settlement may avoid the Virtual Asset Service Provider (VASP) label—and even then, you still need to integrate sanctions screening at the UI layer.

3. The Licensing Map at a Glance

The path to compliance varies dramatically across jurisdictions. Here is a simplified overview of the global licensing landscape.

RegionCurrent GatekeeperPractical Hurdle
U.S.FinCEN + State MTMA licencesDual layer, costly surety bonds, and audits. 31 states have adopted the Money Transmission Modernization Act (MTMA) so far.
EU (today)National VASP registersMinimal capital requirements, but passporting rights are limited until MiCA is fully implemented.
EU (2026)MiCA CASP licence€125k–€150k capital requirement, but offers a single-passport regime for all 27 EU markets.
UKFCA crypto-asset registerRequires a full AML program and a Travel Rule-compliant interface.
SG / HKPSA (MAS) / VASP OrdinanceMandates custody segregation and a 90% cold-wallet rule for customer assets.

4. Case Study: BoomFi’s Poland VASP Route

BoomFi’s strategy provides an excellent model for startups targeting the EU. The company registered with the Polish Ministry of Finance in November 2023, securing a VASP registration.

Why it works:

  • Fast and low-cost: The approval process took less than 60 days and had no hard capital floor.
  • Builds credibility: The registration signals compliance and is a key requirement for EU merchants who need to work with a VASP-of-record.
  • Smooth path to MiCA: This VASP registration can be upgraded to a full MiCA CASP license in-place, preserving the existing customer base.

This lightweight approach allowed BoomFi to gain early market access and validate its product while preparing for the more rigorous MiCA framework and a future U.S. rollout.

5. De-risking Patterns for Builders

Compliance shouldn’t be an afterthought. It must be woven into your product design from day one. Here are several patterns that can minimize your licensing exposure.

Wallet Architecture

  • User-signed, contract-forwarding flows: Use patterns like ERC-4337 Paymasters or Permit2 to ensure all fund movements are explicitly signed and initiated by the user.
  • Time-lock self-destruct of admin keys: After the contract is audited and deployed, use a time-lock to permanently renounce admin privileges, proving you no longer have control.
  • Shard custody with licensed partners: For batch settlements, partner with a licensed custodian to handle the aggregation and disbursement of funds.

Operational Stack

  • Pre-transaction screening: Use an API gateway that injects OFAC and chain-analysis scores to vet addresses before a transaction is ever processed.
  • Travel Rule messenger: For cross-VASP transfers of $1,000 or more, integrate a solution like TRP or Notabene to handle required data exchange.
  • KYB first, then KYC: Vet the merchant (Know Your Business) before you onboard their users (Know Your Customer).

Expansion Sequencing

  1. Europe via VASP: Start in Europe with a national VASP registration (e.g., Poland) or a UK FCA registration to prove product-market fit.
  2. U.S. via partners: While state licenses are pending, enter the U.S. market by partnering with a licensed sponsor bank or custodial institution.
  3. MiCA CASP: Upgrade to a MiCA CASP license to lock in the EU passport for 27 markets.
  4. Asia-Pac: Pursue a license in Singapore (MAS) or Hong Kong (VASP Ordinance) if volume and strategic goals justify the additional capital outlay.

Key Takeaways

For every founder in the crypto-payments space, remember these core principles:

  1. Control trumps code: Regulators look at who can move money, not how the code is structured.
  2. Licensing is strategy: A lightweight EU VASP can open doors while you prepare for more capital-intensive jurisdictions.
  3. Design for compliance early: Admin-free contracts and sanction-aware APIs buy you runway and investor confidence.

Build like you will one day be inspected—because if you move customer funds, you will.

The Copy-Paste Crime: How a Simple Habit is Draining Millions from Crypto Wallets

· 5 min read
Dora Noda
Software Engineer

When you send crypto, what’s your routine? For most of us, it involves copying the recipient's address from our transaction history. After all, nobody can memorize a 40-character string like 0x1A2b...8f9E. It's a convenient shortcut we all use.

But what if that convenience is a carefully laid trap?

A devastatingly effective scam called Blockchain Address Poisoning is exploiting this exact habit. Recent research from Carnegie Mellon University has uncovered the shocking scale of this threat. In just two years, on the Ethereum and Binance Smart Chain (BSC) networks alone, scammers have made over 270 million attack attempts, targeting 17 million victims and successfully stealing at least $83.8 million.

This isn't a niche threat; it's one of the largest and most successful crypto phishing schemes operating today. Here’s how it works and what you can do to protect yourself.


How the Deception Works 🤔

Address poisoning is a game of visual trickery. The attacker’s strategy is simple but brilliant:

  1. Generate a Lookalike Address: The attacker identifies a frequent address you send funds to. They then use powerful computers to generate a new crypto address that has the exact same starting and ending characters. Since most wallets and block explorers shorten addresses for display (e.g., 0x1A2b...8f9E), their fraudulent address looks identical to the real one at a glance.

  2. "Poison" Your Transaction History: Next, the attacker needs to get their lookalike address into your wallet's history. They do this by sending a "poison" transaction. This can be:

    • A Tiny Transfer: They send you a minuscule amount of crypto (like $0.001) from their lookalike address. It now appears in your list of recent transactions.
    • A Zero-Value Transfer: In a more cunning move, they exploit a feature in many token contracts to create a fake, zero-dollar transfer that looks like it came from you to their lookalike address. This makes the fake address seem even more legitimate, as it appears you've sent funds there before.
    • A Counterfeit Token Transfer: They create a worthless, fake token (e.g., "USDTT" instead of USDT) and fake a transaction to their lookalike address, often mimicking the amount of a previous real transaction you made.
  3. Wait for the Mistake: The trap is now set. The next time you go to pay a legitimate contact, you scan your transaction history, see what you believe is the correct address, copy it, and hit send. By the time you realize your mistake, the funds are gone. And thanks to the irreversible nature of blockchain, there's no bank to call and no way to get them back.


A Glimpse into a Criminal Enterprise 🕵️‍♂️

This isn't the work of lone hackers. The research reveals that these attacks are carried out by large, organized, and highly profitable criminal groups.

Who They Target

Attackers don't waste their time on small accounts. They systematically target users who are:

  • Wealthy: Holding significant balances in stablecoins.
  • Active: Conducting frequent transactions.
  • High-Value Transactors: Moving large sums of money.

A Hardware Arms Race

Generating a lookalike address is a brute-force computational task. The more characters you want to match, the exponentially harder it gets. Researchers found that while most attackers use standard CPUs to create moderately convincing fakes, the most sophisticated criminal group has taken it to another level.

This top-tier group has managed to generate addresses that match up to 20 characters of a target's address. This feat is nearly impossible with standard computers, leading researchers to conclude they are using massive GPU farms—the same kind of powerful hardware used for high-end gaming or AI research. This shows a significant financial investment, which they easily recoup from their victims. These organized groups are running a business, and business is unfortunately booming.


How to Protect Your Funds 🛡️

While the threat is sophisticated, the defenses are straightforward. It all comes down to breaking bad habits and adopting a more vigilant mindset.

  1. For Every User (This is the most important part):

    • VERIFY THE FULL ADDRESS. Before you click "Confirm," take five extra seconds to manually check the entire address, character by character. Do not just glance at the first and last few digits.
    • USE AN ADDRESS BOOK. Save trusted, verified addresses to your wallet's address book or contact list. When sending funds, always select the recipient from this saved list, not from your dynamic transaction history.
    • SEND A TEST TRANSACTION. For large or important payments, send a tiny amount first. Confirm with the recipient that they have received it before sending the full sum.
  2. A Call for Better Wallets:

    • Wallet developers can help by improving user interfaces. This includes displaying more of the address by default or adding strong, explicit warnings when a user is about to send funds to an address they've only interacted with via a tiny or zero-value transfer.
  3. The Long-Term Fix:

    • Systems like the Ethereum Name Service (ENS), which allow you to map a human-readable name like yourname.eth to your address, can eliminate this problem entirely. Broader adoption is key.

In the decentralized world, you are your own bank, which also means you are your own head of security. Address poisoning is a silent but powerful threat that preys on convenience and inattention. By being deliberate and double-checking your work, you can ensure your hard-earned assets don't end up in a scammer's trap.

The Great Crypto Checkout Gap: Why Accepting Bitcoin on Shopify Is Still a Pain

· 9 min read
Dora Noda
Software Engineer

The gap between the promise of crypto payments and the reality for e-commerce merchants remains surprisingly wide. Here's why—and where the opportunities lie for founders and builders.

Despite cryptocurrency's rise in mainstream awareness, accepting crypto payments on leading e-commerce platforms like Shopify remains far more complicated than it should be. The experience is fragmented for merchants, confusing for customers, and limiting for developers—even as demand for crypto payment options continues to grow.

After speaking with merchants, analyzing user flows, and reviewing the current plugin ecosystem, I've mapped the problem space to identify where entrepreneurial opportunities exist. The punchline? The current solutions leave much to be desired, and the startup that solves these pain points could capture significant value in the emerging crypto-commerce landscape.

The Merchant's Dilemma: Too Many Hoops, Too Little Integration

For Shopify merchants, accepting crypto presents an immediate set of challenges:

Restrictive Integration Options — Unless you've upgraded to Shopify Plus (starting at $2,000/month), you cannot add custom payment gateways directly. You're limited to the few crypto payment providers Shopify has formally approved, which may not support the currencies or features you want.

The Third-Party "Tax" — Shopify charges an additional 0.5% to 2% fee on transactions processed through external payment gateways—effectively penalizing merchants for accepting crypto. This fee structure actively discourages adoption, especially for small merchants with tight margins.

The Multi-Platform Headache — Setting up crypto payments means juggling multiple accounts. You'll need to create an account with the payment provider, complete their business verification process, configure API keys, and then connect everything to Shopify. Each provider has its own dashboard, reporting, and settlement schedule, creating an administrative maze.

Refund Purgatory — Perhaps the most glaring issue: Shopify does not support automatic refunds for cryptocurrency payments. While credit card refunds can be issued with a click, crypto refunds require merchants to manually arrange payments through the gateway or send crypto back to the customer's wallet. This error-prone process creates friction in a critical part of the customer relationship.

A merchant I spoke with put it bluntly: "I was excited to accept Bitcoin, but after going through the setup and handling my first refund request, I almost turned it off. The only reason I kept it was that a handful of my best customers prefer paying this way."

The Customer Experience Is Still Web1 in a Web3 World

When customers attempt to pay with crypto on Shopify stores, they encounter a user experience that feels distinctly behind the times:

The Redirect Shuffle — Unlike the seamless in-line credit card forms or one-click wallets like Shop Pay, selecting crypto payment typically redirects customers to an external checkout page. This jarring transition breaks the flow, creates trust issues, and increases abandonment rates.

The Countdown Timer of Doom — After selecting a cryptocurrency, customers are presented with a payment address and a ticking clock (typically 15 minutes) to complete the transaction before the payment window expires. This pressure-inducing timer exists because of price volatility, but it creates anxiety and frustration, especially for crypto newcomers.

The Mobile Maze — Making crypto payments on mobile devices is particularly cumbersome. If a customer needs to scan a QR code displayed on their phone with their wallet app (which is also on their phone), they're stuck in an impossible situation. Some integrations offer workarounds, but they're rarely intuitive.

The "Where's My Order?" Moment — After sending crypto, customers often face an uncertain wait. Unlike credit card transactions that confirm instantly, blockchain confirmations can take minutes (or longer). This leaves customers wondering if their order went through or if they need to try again—a recipe for support tickets and abandoned carts.

The Developer's Straitjacket

Developers hoping to improve this situation face their own set of constraints:

Shopify's Walled Garden — Unlike open platforms like WooCommerce or Magento where developers can freely create payment plugins, Shopify tightly controls who can integrate with their checkout. This limitation stifles innovation and keeps promising solutions off the platform.

Limited Checkout Customization — On standard Shopify plans, developers cannot modify the checkout UI to make crypto payments more intuitive. There's no way to add explainer text, custom buttons, or Web3 wallet connection interfaces within the checkout flow.

The Compatibility Treadmill — When Shopify updates its checkout or payment APIs, third-party integrations must adapt quickly. In 2022, a platform change forced several crypto payment providers to rebuild their integrations, leaving merchants scrambling when their payment options suddenly stopped working.

A developer I interviewed who built crypto payment solutions for both WooCommerce and Shopify noted: "On WooCommerce, I can build exactly what merchants need. On Shopify, I'm constantly fighting the platform limitations—and that's before we even get to the technical challenges of blockchain integration."

Current Solutions: A Fragmented Landscape

Shopify currently supports several crypto payment providers, each with their own limitations:

BitPay offers automatic conversion to fiat and supports about 14 cryptocurrencies, but charges a 1% processing fee and has its own KYC requirements for merchants.

Coinbase Commerce allows merchants to accept major cryptocurrencies, but doesn't automatically convert to fiat, leaving merchants to manage volatility. Refunds must be handled manually outside their dashboard.

Crypto.com Pay advertises zero transaction fees and supports 20+ cryptocurrencies, but works best for customers already in the Crypto.com ecosystem.

DePay takes a Web3 approach, allowing customers to pay with any token that has DEX liquidity, but requires customers to use Web3 wallets like MetaMask—a significant barrier for mainstream shoppers.

Other options include specialty providers like OpenNode (Bitcoin and Lightning), Strike (Lightning for US merchants), and Lunu (focused on European luxury retail).

The common thread? No single provider offers a comprehensive solution that delivers the simplicity, flexibility, and user experience that merchants and customers expect in 2025.

Where the Opportunities Lie

These gaps in the market create several promising opportunities for founders and builders:

1. The Universal Crypto Checkout

There's room for a "meta-gateway" that aggregates multiple payment providers under a single, cohesive interface. This would give merchants one integration point while offering customers their choice of cryptocurrency, with the system intelligently routing payments through the optimal provider. By abstracting the complexity, such a solution could dramatically simplify the merchant experience while improving conversion rates.

2. The Seamless Wallet Integration

The current disconnected experience—where customers are redirected to external pages—is ripe for disruption. A solution that enables in-checkout crypto payments via WalletConnect or browser wallet integration could eliminate redirects entirely. Imagine clicking "Pay with Crypto" and having your browser wallet pop up directly, or scanning a QR code that immediately connects to your mobile wallet without leaving the checkout page.

3. The Instant Confirmation Service

The lag between payment submission and blockchain confirmation is a major friction point. An innovative approach would be a payment guarantee service that fronts the payment to the merchant instantly (allowing immediate order processing) while handling blockchain confirmation in the background. By taking on settlement risk for a small fee, such a service could make crypto payments feel as immediate as credit cards.

4. The Refund Resolver

The lack of automated refunds is perhaps the most glaring gap in the current ecosystem. A platform that simplifies crypto refunds—perhaps through a combination of smart contracts, escrow systems, and user-friendly interfaces—could remove a major pain point for merchants. Ideally, it would enable one-click refunds that handle all the complexity of sending crypto back to customers.

5. The Crypto Accountant

Tax and accounting complexity remains a significant barrier for merchants accepting crypto. A specialized solution that integrates with Shopify and crypto wallets to automatically track payment values, calculate gains/losses, and generate tax reports could transform a headache into a selling point. By making compliance simple, such a tool could encourage more merchants to accept crypto.

The Big Picture: Beyond Payments

Looking ahead, the real opportunity may extend beyond simply fixing the current checkout experience. The most successful solutions will likely leverage crypto's unique properties to offer capabilities that traditional payment methods cannot match:

Borderless Commerce — True global reach without currency exchange complications, enabling merchants to sell to underbanked regions or countries with unstable currencies.

Programmable Loyalty — NFT-based loyalty programs that provide special benefits to repeat customers who pay in crypto, creating stickier customer relationships.

Decentralized Escrow — Smart contracts that hold funds until delivery is confirmed, balancing the interests of both merchants and customers without requiring a trusted third party.

Token-Gated Exclusivity — Special products or early access for customers who hold specific tokens, creating new business models for premium merchants.

The Bottom Line

The current state of crypto checkout on Shopify reveals a striking gap between the promise of digital currency and its practical implementation in e-commerce. Despite mainstream interest in cryptocurrencies, the experience of using them for everyday purchases remains needlessly complex.

For entrepreneurs, this gap represents a significant opportunity. The startup that can deliver a truly seamless crypto payment experience—one that feels as easy as credit cards for both merchants and customers—stands to capture substantial value as digital currency adoption continues to grow.

The blueprint is clear: abstract away the complexity, eliminate redirects, solve the confirmation lag, simplify refunds, and integrate natively with the platforms merchants already use. Execution remains challenging due to technical complexity and platform limitations, but the prize for getting it right is a central position in the future of digital commerce.

In a world where money is increasingly digital, the checkout experience should reflect that reality. We're not there yet—but we're getting closer.


What crypto payment experiences have you encountered as a merchant or customer? Have you tried implementing crypto payments on your Shopify store? Share your experiences in the comments below.

The Wallet Revolution: Navigating the Three Paths of Account Abstraction

· 6 min read
Dora Noda
Software Engineer

For years, the crypto world has been hampered by a critical usability problem: the wallet. Traditional wallets, known as Externally Owned Accounts (EOAs), are unforgiving. A single lost seed phrase means your funds are gone forever. Every action requires a signature, and gas fees must be paid in the chain's native token. This clunky, high-stakes experience is a major barrier to mainstream adoption.

Enter Account Abstraction (AA), a paradigm shift set to redefine how we interact with the blockchain. At its core, AA transforms a user's account into a programmable smart contract, unlocking features like social recovery, one-click transactions, and flexible gas payments.

The journey toward this smarter future is unfolding along three distinct paths: the battle-tested ERC-4337, the efficient Native AA, and the highly anticipated EIP-7702. Let's break down what each approach means for developers and users.


💡 Path 1: The Pioneer — ERC-4337

ERC-4337 was the breakthrough that brought account abstraction to Ethereum and EVM chains without changing the core protocol. Think of it as adding a smart layer on top of the existing system.

It introduces a new transaction flow involving:

  • UserOperations: A new object that represents a user's intent (e.g., "swap 100 USDC for ETH").
  • Bundlers: Off-chain actors that pick up UserOperations, bundle them together, and submit them to the network.
  • EntryPoint: A global smart contract that validates and executes the bundled operations.

The Good:

  • Universal Compatibility: It can be deployed on any EVM chain.
  • Flexibility: Enables rich features like session keys for gaming, multi-signature security, and gas sponsorship via Paymasters.

The Trade-off:

  • Complexity & Cost: It introduces significant infrastructure overhead (running Bundlers) and has the highest gas costs of the three approaches, as every operation goes through the extra EntryPoint logic. Because of this, its adoption has flourished primarily on gas-friendly L2s like Base and Polygon.

ERC-4337 walked so that other AA solutions could run. It proved the demand and laid the groundwork for a more intuitive Web3 experience.


🚀 Path 2: The Integrated Ideal — Native Account Abstraction

If ERC-4337 is an add-on, Native AA is building smart features directly into the blockchain's foundation. Chains like zkSync Era and Starknet were designed from the ground up with AA as a core principle. On these networks, every account is a smart contract.

The Good:

  • Efficiency: By integrating AA logic into the protocol, it strips away the extra layers, leading to significantly lower gas costs compared to ERC-4337.
  • Simplicity for Devs: Developers don't need to manage Bundlers or a separate mempool. The transaction flow feels much more like a standard one.

The Trade-off:

  • Ecosystem Fragmentation: Native AA is chain-specific. An account on zkSync is different from an account on Starknet, and neither is native to Ethereum mainnet. This creates a fragmented experience for users and developers working across multiple chains.

Native AA shows us the "endgame" for efficiency, but its adoption is tied to the growth of its host ecosystems.


🌉 Path 3: The Pragmatic Bridge — EIP-7702

Set to be included in Ethereum's 2025 "Pectra" upgrade, EIP-7702 is a game-changer designed to bring AA features to the masses of existing EOA users. It takes a hybrid approach: it allows an EOA to temporarily delegate its authority to a smart contract for a single transaction.

Think of it as giving your EOA temporary superpowers. You don't need to migrate your funds or change your address. Your wallet can simply add an authorization to a transaction, allowing it to perform batched operations (e.g., approve + swap in one click) or have its gas sponsored.

The Good:

  • Backward Compatibility: It works with the billions of dollars secured by existing EOAs. No migration needed.
  • Low Complexity: It uses the standard transaction pool, eliminating the need for Bundlers and drastically simplifying infrastructure.
  • Mass Adoption Catalyst: By making smart features accessible to every Ethereum user overnight, it could rapidly accelerate the adoption of better UX patterns.

The Trade-off:

  • Not "Full" AA: EIP-7702 doesn't solve key management for the EOA itself. If you lose your private key, you're still out of luck. It's more about enhancing transaction capabilities than overhauling account security.

Head-to-Head: A Clear Comparison

FeatureERC-4337 (The Pioneer)Native AA (The Ideal)EIP-7702 (The Bridge)
Core IdeaExternal smart contract system via BundlersProtocol-level smart accountsEOA temporarily delegates to a smart contract
Gas CostHighest (due to EntryPoint overhead)Low (protocol-optimized)Moderate (small overhead on one transaction for batching)
InfrastructureHigh (Requires Bundlers, Paymasters)Low (Handled by the chain's validators)Minimal (Uses existing transaction infrastructure)
Key Use CaseFlexible AA on any EVM chain, especially L2s.Highly efficient AA on purpose-built L2s.Upgrading all existing EOAs with smart features.
Best For...Gaming wallets, dApps needing gasless onboarding now.Projects building exclusively on chains like zkSync/Starknet.Bringing batching & gas sponsorship to mainstream users.

The Future is Convergent and User-Centric

These three paths aren't mutually exclusive; they are converging toward a future where the wallet is no longer a point of friction.

  1. Social Recovery Becomes Standard 🛡️: The era of "lost keys, lost funds" is ending. AA enables guardian-based recovery, making self-custody as safe and forgiving as a traditional bank account.
  2. Gaming UX Reimagined 🎮: Session keys will allow for seamless gameplay without constant "approve transaction" pop-ups, finally making Web3 gaming feel like Web2 gaming.
  3. Wallets as Programmable Platforms: Wallets will become modular. Users might add a "DeFi module" for automated yield farming or a "security module" that requires 2FA for large transfers.

For developers and infrastructure providers like Blockeden.xyz, this evolution is incredibly exciting. The complexity of Bundlers, Paymasters, and various AA standards creates a massive opportunity to provide robust, reliable, and abstracted infrastructure. The goal is a unified experience where a developer can easily integrate AA features, and the wallet intelligently uses ERC-4337, Native AA, or EIP-7702 under the hood, depending on what the chain supports.

The wallet is finally getting the upgrade it deserves. The transition from static EOAs to dynamic, programmable smart accounts is not just an improvement—it's the revolution that will make Web3 accessible and safe for the next billion users.

Dubai's Crypto Ambitions: How DMCC is Building the Middle East's Largest Web3 Hub

· 4 min read

While much of the world still grapples with how to regulate cryptocurrencies, Dubai has quietly been building the infrastructure to become a global crypto hub. At the center of this transformation is the Dubai Multi Commodities Centre (DMCC) Crypto Centre, which has emerged as the largest concentration of crypto and web3 firms in the Middle East with over 600 members.

Dubai's Crypto Ambitions

The Strategic Play

What makes DMCC's approach interesting isn't just its size – it's the comprehensive ecosystem they've built. Rather than simply offering companies a place to register, DMCC has created a full-stack environment that addresses the three critical challenges crypto companies typically face: regulatory clarity, access to capital, and talent acquisition.

Regulatory Innovation

The regulatory framework is particularly noteworthy. DMCC offers 15 different types of crypto licenses, creating what might be the most granular regulatory structure in the industry. This isn't just bureaucratic complexity – it's a feature. By creating specific licenses for different activities, DMCC can provide clarity while maintaining appropriate oversight. This stands in stark contrast to jurisdictions that either lack clear regulations or apply one-size-fits-all approaches.

The Capital Advantage

But perhaps the most compelling aspect of DMCC's offering is its approach to capital access. Through strategic partnerships with Brinc Accelerator and various VC firms, DMCC has created a funding ecosystem with access to over $150 million in venture capital. This isn't just about money – it's about creating a self-sustaining ecosystem where success breeds success.

Why This Matters

The implications extend beyond Dubai. DMCC's model offers a blueprint for how emerging tech hubs can compete with traditional centers of innovation. By combining regulatory clarity, capital access, and ecosystem building, they've created a compelling alternative to traditional tech hubs.

Some key metrics that illustrate the scale:

  • 600+ crypto and web3 firms (the largest concentration in the region)
  • Access to $150M+ in venture capital
  • 15 different license types
  • 8+ ecosystem partners
  • Network of 25,000+ potential collaborators across sectors

Leadership and Vision

The vision behind this transformation comes from two key figures:

Ahmed Bin Sulayem, DMCC's Executive Chairman and CEO, has overseen the organization's growth from 28 member companies in 2003 to over 25,000 in 2024. This track record suggests the crypto initiative isn't just a trend-chasing move, but part of a longer-term strategy to position Dubai as a global business hub.

Belal Jassoma, Director of Ecosystems, brings crucial expertise in scaling up DMCC's commercial offerings. His focus on strategic relationships and ecosystem development across verticals like crypto, gaming, AI, and financial services suggests a sophisticated understanding of how different tech sectors can cross-pollinate.

The Road Ahead

While DMCC's progress is impressive, several questions remain:

  1. Regulatory Evolution: How will DMCC's regulatory framework evolve as the crypto industry matures? The current granular approach provides clarity, but maintaining this as the industry evolves will be challenging.

  2. Sustainable Growth: Can DMCC maintain its growth trajectory? While 600+ crypto firms is impressive, the real test will be how many of these companies achieve significant scale.

  3. Global Competition: As other jurisdictions develop their crypto regulations and ecosystems, can DMCC maintain its competitive advantage?

Looking Forward

DMCC's approach offers valuable lessons for other aspiring tech hubs. Their success suggests that the key to attracting innovative companies isn't just about offering tax benefits or light-touch regulation – it's about building a comprehensive ecosystem that addresses multiple business needs simultaneously.

For crypto entrepreneurs and investors, DMCC's initiative represents an interesting alternative to traditional tech hubs. While it's too early to declare it a definitive success, the early results suggest they're building something worth watching.

The most interesting aspect might be what this tells us about the future of innovation hubs. In a world where talent and capital are increasingly mobile, DMCC's model suggests that new tech centers can emerge rapidly when they offer the right combination of regulatory clarity, capital access, and ecosystem support.

For those watching the evolution of global tech hubs, Dubai's experiment with DMCC offers valuable insights into how emerging markets can position themselves in the global tech landscape. Whether this model can be replicated elsewhere remains to be seen, but it's certainly providing a compelling blueprint for others to study.

A16Z’s Crypto 2025 Outlook: Twelve Ideas That Might Reshape the Next Internet

· 8 min read

Every year, a16z publishes sweeping predictions on the technologies that will define our future. This time, their crypto team has painted a vivid picture of a 2025 where blockchains, AI, and advanced governance experiments collide.

I’ve summarized and commented on their key insights below, focusing on what I see as the big levers for change — and possible stumbling blocks. If you’re a tech builder, investor, or simply curious about the next wave of the internet, this piece is for you.

1. AI Meets Crypto Wallets

Key Insight: AI models are moving from “NPCs” in the background to “main characters,” acting independently in online (and potentially physical) economies. That means they’ll need crypto wallets of their own.

  • What It Means: Instead of an AI just spitting out answers, it might hold, spend, or invest digital assets — transacting on behalf of its human owner or purely on its own.
  • Potential Payoff: Higher-efficiency “agentic AIs” could help businesses with supply chain coordination, data management, or automated trading.
  • Watch Out For: How do we ensure an AI is truly autonomous, not just secretly manipulated by humans? Trusted execution environments (TEEs) can provide technical guarantees, but establishing trust in a “robot with a wallet” won’t happen overnight.

2. Rise of the DAC (Decentralized Autonomous Chatbot)

Key Insight: A chatbot running autonomously in a TEE can manage its own keys, post content on social media, gather followers, and even generate revenue — all without direct human control.

  • What It Means: Think of an AI influencer that can’t be silenced by any one person because it literally controls itself.
  • Potential Payoff: A glimpse of a world where content creators aren’t individuals but self-governing algorithms with million-dollar (or billion-dollar) valuations.
  • Watch Out For: If an AI breaks laws, who’s liable? Regulatory guardrails will be tricky when the “entity” is a set of code housed on distributed servers.

3. Proof of Personhood Becomes Essential

Key Insight: With AI lowering the cost of generating hyper-realistic fakes, we need better ways to verify that we’re interacting with real humans online. Enter privacy-preserving unique IDs.

  • What It Means: Every user might eventually have a certified “human stamp” — hopefully without sacrificing personal data.
  • Potential Payoff: This could drastically reduce spam, scams, and bot armies. It also lays the groundwork for more trustworthy social networks and community platforms.
  • Watch Out For: Adoption is the main barrier. Even the best proof-of-personhood solutions need broad acceptance before malicious actors outpace them.

4. From Prediction Markets to Broader Information Aggregation

Key Insight: 2024’s election-driven prediction markets grabbed headlines, but a16z sees a bigger trend: using blockchain to design new ways of revealing and aggregating truths — be it in governance, finance, or community decisions.

  • What It Means: Distributed incentive mechanisms can reward people for honest input or data. We might see specialized “truth markets” for everything from local sensor networks to global supply chains.
  • Potential Payoff: A more transparent, less gameable data layer for society.
  • Watch Out For: Sufficient liquidity and user participation remain challenging. For niche questions, “prediction pools” can be too small to yield meaningful signals.

5. Stablecoins Go Enterprise

Key Insight: Stablecoins are already the cheapest way to move digital dollars, but large companies haven’t embraced them — yet.

  • What It Means: SMBs and high-transaction merchants might wake up to the idea that they can save hefty credit-card fees by adopting stablecoins. Enterprises that process billions in annual revenue could do the same, potentially adding 2% to their bottom lines.
  • Potential Payoff: Faster, cheaper global payments, plus a new wave of stablecoin-based financial products.
  • Watch Out For: Companies will need new ways to manage fraud protection, identity verification, and refunds — previously handled by credit-card providers.

6. Government Bonds on the Blockchain

Key Insight: Governments exploring on-chain bonds could create interest-bearing digital assets that function without the privacy issues of a central bank digital currency.

  • What It Means: On-chain bonds could serve as high-quality collateral in DeFi, letting sovereign debt seamlessly integrate with decentralized lending protocols.
  • Potential Payoff: Greater transparency, potentially lower issuance costs, and a more democratized bond market.
  • Watch Out For: Skeptical regulators and potential inertia in big institutions. Legacy clearing systems won’t disappear easily.

Key Insight: Wyoming introduced a new category called the “decentralized unincorporated nonprofit association” (DUNA), meant to give DAOs legal standing in the U.S.

  • What It Means: DAOs can now hold property, sign contracts, and limit the liability of token holders. This opens the door for more mainstream usage and real commercial activity.
  • Potential Payoff: If other states follow Wyoming’s lead (as they did with LLCs), DAOs will become normal business entities.
  • Watch Out For: Public perception is still fuzzy on what DAOs do. They’ll need a track record of successful projects that translate to real-world benefits.

8. Liquid Democracy in the Physical World

Key Insight: Blockchain-based governance experiments might extend from online DAO communities to local-level elections. Voters could delegate their votes or vote directly — “liquid democracy.”

  • What It Means: More flexible representation. You can choose to vote on specific issues or hand that responsibility to someone you trust.
  • Potential Payoff: Potentially more engaged citizens and dynamic policymaking.
  • Watch Out For: Security concerns, technical literacy, and general skepticism around mixing blockchain with official elections.

9. Building on Existing Infrastructure (Instead of Reinventing It)

Key Insight: Startups often spend time reinventing base-layer technology (consensus protocols, programming languages) rather than focusing on product-market fit. In 2025, they’ll pick off-the-shelf components more often.

  • What It Means: Faster speed to market, more reliable systems, and greater composability.
  • Potential Payoff: Less time wasted building a new blockchain from scratch; more time spent on the user problem you’re solving.
  • Watch Out For: It’s tempting to over-specialize for performance gains. But specialized languages or consensus layers can create higher overhead for developers.

10. User Experience First, Infrastructure Second

Key Insight: Crypto needs to “hide the wires.” We don’t make consumers learn SMTP to send email — so why force them to learn “EIPs” or “rollups”?

  • What It Means: Product teams will choose the technical underpinnings that serve a great user experience, not vice versa.
  • Potential Payoff: A big leap in user onboarding, reducing friction and jargon.
  • Watch Out For: “Build it and they will come” only works if you truly nail the experience. Marketing lingo about “easy crypto UX” means nothing if people are still forced to wrangle private keys or memorize arcane acronyms.

11. Crypto’s Own App Stores Emerge

Key Insight: From Worldcoin’s World App marketplace to Solana’s dApp Store, crypto-friendly platforms provide distribution and discovery free from Apple or Google’s gatekeeping.

  • What It Means: If you’re building a decentralized application, you can reach users without fear of sudden deplatforming.
  • Potential Payoff: Tens (or hundreds) of thousands of new users discovering your dApp in days, instead of being lost in the sea of centralized app stores.
  • Watch Out For: These stores need enough user base and momentum to compete with Apple and Google. That’s a big hurdle. Hardware tie-ins (like specialized crypto phones) might help.

12. Tokenizing ‘Unconventional’ Assets

Key Insight: As blockchain infrastructure matures and fees drop, tokenizing everything from biometric data to real-world curiosities becomes more feasible.

  • What It Means: A “long tail” of unique assets can be fractionalized and traded globally. People could even monetize personal data in a controlled, consent-based way.
  • Potential Payoff: Massive new markets for otherwise “locked up” assets, plus interesting new data pools for AI to consume.
  • Watch Out For: Privacy pitfalls and ethical landmines. Just because you can tokenize something doesn’t mean you should.

A16Z’s 2025 outlook shows a crypto sector that’s reaching for broader adoption, more responsible governance, and deeper integration with AI. Where previous cycles dwelled on speculation or hype, this vision revolves around utility: stablecoins saving merchants 2% on every latte, AI chatbots operating their own businesses, local governments experimenting with liquid democracy.

Yet execution risk looms. Regulators worldwide remain skittish, and user experience is still too messy for the mainstream. 2025 might be the year that crypto and AI finally “grow up,” or it might be a halfway step — it all depends on whether teams can ship real products people love, not just protocols for the cognoscenti.

The Radiant Capital Hack: How North Korean Hackers Used a Single PDF to Steal Hundreds of Millions

· 4 min read

In one of the most sophisticated cyber attacks of 2023, Radiant Capital, a decentralized cross-chain lending protocol built on LayerZero, lost approximately $50 million to hackers. The complexity and precision of this attack revealed the advanced capabilities of state-sponsored North Korean hackers, pushing the boundaries of what many thought possible in crypto security breaches.

The Radiant Capital Hack: How North Korean Hackers Used a Single PDF to Steal Hundreds of Millions

The Perfect Social Engineering Attack

On September 11, 2023, a Radiant Capital developer received what seemed like an innocent Telegram message. The sender posed as a former contractor, claiming they had switched careers to smart contract auditing and wanted feedback on a project report. This type of request is commonplace in the remote-work culture of crypto development, making it particularly effective as a social engineering tactic.

The attackers went the extra mile by creating a fake website that closely mimicked the supposed contractor's legitimate domain, adding another layer of authenticity to their deception.

The Trojan Horse

When the developer downloaded and unzipped the file, it appeared to be a standard PDF document. However, the file was actually a malicious executable called INLETDRIFT disguised with a PDF icon. Once opened, it silently installed a backdoor on the macOS system and established communication with the attackers' command server (atokyonews[.]com).

The situation worsened when the infected developer, seeking feedback, shared the malicious file with other team members, inadvertently spreading the malware within the organization.

The Sophisticated Man-in-the-Middle Attack

With the malware in place, the hackers executed a precisely targeted "bait-and-switch" attack. They intercepted transaction data when team members were operating their Gnosis Safe multi-signature wallet. While the transaction appeared normal on the web interface, the malware replaced the transaction content when it reached the Ledger hardware wallet for signing.

Due to the blind signing mechanism used in Safe multi-sig transactions, team members couldn't detect that they were actually signing a transferOwnership() function call, which handed control of the lending pools to the attackers. This allowed the hackers to drain user funds that had been authorized to the protocol's contracts.

The Swift Cleanup

Following the theft, the attackers demonstrated remarkable operational security. Within just three minutes, they removed all traces of the backdoor and browser extensions, effectively covering their tracks.

Key Lessons for the Industry

  1. Never Trust File Downloads: Teams should standardize on online document tools like Google Docs or Notion instead of downloading files. For example, OneKey's recruitment process only accepts Google Docs links, explicitly refusing to open any other files or links.

  2. Frontend Security is Critical: The incident highlights how easily attackers can spoof transaction information on the frontend, making users unknowingly sign malicious transactions.

  3. Blind Signing Risks: Hardware wallets often display oversimplified transaction summaries, making it difficult to verify the true nature of complex smart contract interactions.

  4. DeFi Protocol Safety: Projects handling large amounts of capital should implement timelock mechanisms and robust governance processes. This creates a buffer period for detecting and responding to suspicious activities before funds can be moved.

The Radiant Capital hack serves as a sobering reminder that even with hardware wallets, transaction simulation tools, and industry best practices, sophisticated attackers can still find ways to compromise security. It underscores the need for constant vigilance and evolution in crypto security measures.

As the industry matures, we must learn from these incidents to build more robust security frameworks that can withstand increasingly sophisticated attack vectors. The future of DeFi depends on it.