ZachXBT joins cases against crypto thieves in France
ZachXBT announced his involvement in a crypto kidnapping case. The on-chain researcher assisted French authorities and helped intercept some of the funds via Binance.
ZachXBT announced he worked on the case of the streamer TeufeurS in 2023. The case was part of the wave of crypto kidnapping in France. TeufeurS was extorted for a ransom after a family member was kidnapped in France. Later, TeufeurS announced he had abandoned crypto and left France for the safety of his family.
The streamer ended up paying a $2M ransom, of which $800K was traced and frozen in partnership with the Binance Security team.
ZachXBT noted the case was sensitive, and he kept the assistance confidential. Six suspects related to the incident were later arrested.
ZachXBT has been known for tracing funds and helping retail holders. He has taken up cases of hacks or entirely on-chain scams. He has also assisted authorities in several recent crypto theft cases in France.
ZachXBT has specialized in asset freezes and, where possible, in identifying wallet holders. He advises crypto owners to report losses as soon as possible to increase the chance of intercepting some of the funds.
‘I prioritize these types of cases as they have grown more frequent amidst this disturbing trend,’ wrote ZachXBT in a post on X.
As Cryptopolitan reported earlier, a fast reaction may be the key to salvaging some of the stolen crypto. In the past year, stolen coins or tokens moved even faster, challenging investigators to move fast and call for freezes where possible.
Freezing funds was also one of the decisions in the recent Kelp DAO hack. Funds from personal kidnappings may be easily intercepted, as the initial wallets are well known.
France is seeing an increase in physical attacks to steal crypto
French authorities reported 41 kidnappings or physical attacks linked to crypto ownership since January.
The latest attack happened on April 21, when police impersonators extorted a family for nearly $1M in BTC.
🚨🇫🇷 New crypto robbery in France: a family held captive for three hours in Ploudalmézeau (Finistère), €700,000 extorted in cryptocurrencies.
This Monday, April 20, 2026, shortly before 9 a.m., 2 individuals, hooded and armed with an automatic pistol, broke into a house in the… https://t.co/mwvmdiX2NA pic.twitter.com/cEh7Q7E6B7
— France Cryptos 🔗 (@FranceCryptos) April 22, 2026
The robbers held the family hostage until they agreed to transfer the funds. France uses Euro area rules on crypto ownership, under which wallet holders must declare their main address on all exchange or brokerage platforms.
Any data leak may allow attackers to dox owners and discover their real-world location. Based on Triple A data, around 5% of French citizens own crypto assets. Surveys have shown that up to 23% of the population may own crypto, based on Coinmarketcap data. France also ranks in the 22nd spot based on global crypto adoption, slightly above the average for the EU.
France’s crypto adoption is growing, but it has led to an increase in physical attacks. | Source: Chainalysis
French tax law may be the other culprit, as citizens must declare digital asset accounts, even if the crypto was acquired abroad. Wallets are tracked and subjected to self-reporting on capital gains.
Citizens must also report self-hosted wallets and link them to their identity. At least one case of leaked tax data has been connected to crypto kidnappings.
Jumper Integrates TRON Network, Enabling Cross-Chain Transfers via a Single Transaction
Road Town, British Virgin Islands – April 22, 2026 – Jumper, a DeFi aggregator unifying swaps, cross-chain transfers, and earning across 63 blockchains, today announced full integration with the TRON network, enabling users to bridge assets to and from TRON in a single transaction across 14 initially supported blockchains. Jumper’s aggregation engine compares routes across 29 integrated bridging protocols, identifies the fastest and most cost-effective path, and executes the transfer—delivering optimal rates to users without the need for centralized exchange withdrawals, manual bridge selection, or multi-step workarounds.
At launch, users can bridge USDT, USDC, and other supported assets into TRON’s ecosystem, plus complete stablecoin swaps within TRON. The integration expands Jumper’s multichain footprint to over 63 supported blockchains and fills a previous gap for stablecoin users seeking a streamlined, non-custodial on-ramp to TRON’s deep stablecoin liquidity and robust DeFi ecosystem.
TRON has established itself as the world’s largest settlement layer for stablecoin transactions, having settled $7.9 trillion in USDT transfer volume in 2025 alone. The network processes approximately $21.8 billion in average daily transfer volume, with a capacity of up to 2,000 TPS via Delegated Proof of Stake consensus. Typical USDT transfer fees generally remain under $1, supporting its widespread use for cross-border payments across Southeast Asia, Latin America, and Africa. Moving assets from other chains previously required navigating fragmented processes involving centralized exchanges and withdrawal fees. Jumper’s integration eliminates that friction, compressing a multistep process into a single onchain transaction.
“This is the integration we’ve been waiting for,” said Jordan Neary, marketing lead at Jumper. “TRON processes more daily stablecoin volume than nearly any other network, bringing that power into Jumper is huge and I’m thrilled to see it live.”
Users can also perform stablecoin swaps directly within TRON. Converting between USDT and other digital assets can be done natively on TRON, without leaving the Jumper interface or navigating a separate DEX. The entire flow, whether bridging from an external chain or swapping within TRON, executes in a single transaction with full non-custodial security.
Beyond stablecoin transfers, the integration expands access to TRON’s growing ecosystem. Protocols such as JustLend and SunSwap handle billions in volume, and TRON’s stablecoin liquidity pools enable stablecoin swaps with near-zero slippage. Jumper’s support for these swaps allows users to optimize their stablecoin positions across TRON without switching platforms, reinforcing TRON’s role as foundational infrastructure for global digital payments and DeFi activity.
“Jumper’s bridge aggregation brings a new level of accessibility to TRON’s stablecoin and DeFi ecosystem,” said Sam Elfarra, Community Spokesperson for the TRON DAO. “As cross-chain connectivity becomes essential to how users interact with decentralized finance, integrations like Jumper strengthen TRON’s position as a leading destination for global stablecoin activity and expand the pathways through which the multichain ecosystem can tap into TRON’s speed, scale, and liquidity.”
The collaboration between Jumper and TRON DAO reflects a broader industry shift toward aggregated, user-centric cross-chain infrastructure. As stablecoin adoption continues to accelerate across global markets, the ability to move assets seamlessly without relying on centralized intermediaries becomes increasingly critical. With TRON now live on Jumper, users worldwide gain direct, non-custodial access to one of the most actively used blockchain ecosystems through a single, optimized transaction.
About Jumper
Jumper (jumper.xyz) is a smart money app to move, deploy, and manage capital. It aggregates 29 bridges and 33 DEXs across 63 chains alongside 110+ earning opportunities from over 20 top DeFi protocols in a single interface. Jumper has processed over $35 billion in cumulative volume for more than 2 million wallets. Learn more at jumper.xyz.
Media Contact
Jordan Neary jordan@jumper.xyz
About TRON DAO
TRON DAO is a community-governed DAO dedicated to accelerating the decentralization of the internet via blockchain technology and dApps.
Founded in September 2017 by H.E. Justin Sun, the TRON blockchain has experienced significant growth since its MainNet launch in May 2018. Until recently, TRON hosted the largest circulating supply of USD Tether (USDT) stablecoin, which currently exceeds $86 billion. As of April 2026, the TRON blockchain has recorded over 377 million in total user accounts, more than 13 billion in total transactions, and over $27 billion in total value locked (TVL), based on TRONSCAN. Recognized as the global settlement layer for stablecoin transactions and everyday purchases with proven success, TRON is “Moving Trillions, Empowering Billions.”
$200K to $3B: Cursor deal fuels Sam Bankman-Fried’s argument against FTX liquidation
Sam Bankman-Fried (SBF) previously argued that FTX could have recovered value if assets were given time to recover, and now he has received fresh proof of that claim in the form of SpaceX’s multi-billion-dollar deal with Cursor.
A 5% stake in the AI startup Cursor cost $200,000 in 2023, but now, following a new $60 billion deal with SpaceX, the same 5% stake is worth $3 billion.
How much did FTX sell its Cursor stake for?
In April 2022, Alameda Research, the trading firm founded by Sam Bankman-Fried (SBF), invested $200,000 in Anysphere, the company behind the AI coding tool Cursor. That investment bought them about 5% of the company.
Fast forward one year, and FTX had collapsed, and the bankruptcy court was in control of the company. In April 2023, the FTX bankruptcy estate sold that 5% stake for the same amount Alameda had paid a year earlier: $200,000.
However, SpaceX announced a major partnership with Cursor today. Under the deal, SpaceX has an option to buy the entire company for $60 billion; if they choose not to, they will pay $10 billion for the partnership.
Based on that $60 billion valuation, the 5% stake that FTX sold for $200,000 would now be worth about $3 billion, representing a 15,000x return.
Why does this matter for the incarcerated SBF?
Sam Bankman-Fried is currently in prison but remains active on social media. He has been fighting for a pardon, arguing that FTX was not truly insolvent and that the bankruptcy lawyers destroyed value by selling assets too quickly.
In February 2026, SBF shared a chart suggesting FTX could have reached a net asset value of $78 billion after asset prices recovered if the company had not been forced into bankruptcy.
Crypto lawyer John Deaton dismissed those claims at the time, saying projected values do not change the fact that customers lost money, and that the court had already ruled on the case.
Now, with the Cursor deal, it is hard to agree that the lawyers maximized value three years ago.
SBF’s parents have also been active in pushing for a pardon, appearing on CNN earlier this year in March to argue that FTX customers got their money back.
Creditors pointed out that the repayments are based on 2022 prices, not current market values. A customer who had one Bitcoin got paid based on Bitcoin’s $16,800 price in November 2022.
Odds of a pardon for SBF have dropped to 5% on Polymarket. Source: Polymarket
President Trump has said he will not pardon SBF, and prediction markets currently put the chance of a 2026 pardon at only 5%, but SBF seems determined to keep pushing his version of events regardless.
Aave loses $15B in days as KelpDAO exploit triggers DeFi exodus
Aave saw outflows of $15.1 billion over just three-and-a-half days following the KelpDAO rsETH scandal. Deposits on the top lending platform fell to $30.7 billion from $48.5 billion ahead of the scandal on April 18, down by about one-third from their previous level.
Aave and Morpho lost significant deposits, while SparkLend by MakerDAO saw inflows worth over $1.3 billion. Users shifted funds to more secure platforms due to the risk-control measures they adopted.
All roads lead back to the KelpDAO rsETH Exploit
This vulnerability stems from a complex exploit in the bridge of KelpDAO’s LayerZero V2 implementation of rsETH. This exploit involved the minting of roughly 116,500 uncollateralized rsETH tokens worth about $293 million on April 18, 2026.
As reported by Cryptopolitan, Tron’s Justin Sun has publicly appealed to the hacker behind the KelpDAO hack to return the funds. “You can’t spend $300 million anyway,” Sun noted.
As it stands, the hackers have not heeded that plea. Cryptopolitan reports that these hackers have made heavy Bitcoin purchases, pushing BTC over $78,000.
As per the official report by Aave in collaboration with LlamaRisk, which was published on April 20, the possible losses may vary anywhere between $123.7 million, in case KelpDAO decides to socialize the losses equally among all the holders of rsETH through a loss of around 15 percent, to as much as $230.1 million.
The $181 million Aave Treasury acts as a cushion, while the DAO has obtained indicative commitments from its ecosystem partners to cushion any shortfall. Nevertheless, the incident reveals that Aave heavily depends on liquid staking derivatives provided by third parties.
Outflows hit Aave while Spark gains ground
The fallout created one of the fastest liquidity outflows in DeFi. The on-chain evidence showed that stablecoins and ETH were being withdrawn from Aave on a large scale as the use rates increased across multiple protocols. This is due to concerns about socialization or freeze events.
Additionally, the total deposit balance in the rival lending protocol, Morpho, fell to $10.2 billion from $11.7 billion prior to the event.
Aave market withdrawals. Source: Aavescan.com
On the other hand, SparkLend, which functions within the MakerDAO ecosystem, became one of the main beneficiaries. The TVL grew from $1.9 billion to $3.2 billion, with around $1.3 billion in investments over the period.
Big moves, such as the shift of large wallets belonging to major investors from Aave to Spark, contributed to the migration trend. It is argued that Spark, owing to its supply caps and price feeds from multiple oracles, offers greater safety compared to some restaking assets.
Inflows spike on Spark. Source: Sparklend
The inflow and outflow rotation affects the broader DeFi dynamic. Aave’s deposits, once a benchmark for institutional and retail liquidity, now face real-world usage pressures that could compress yields and slow recovery.
Aave’s sharp sell-off to a tentative stabilization
AAVE’s price was hardest hit by market sentiment, dropping by more than 20% in the days following the hack. The price fell from levels around $115 to as low as $90-$92. There is evidence of whale dumping on the chain, indicating that more than $6 million in tokens were sold off by whales.
Aave’s price. Source: TradingView
As of April 22, AAVE’s price is $94, suggesting initial signs of consolidation. From a technical perspective, the drop might have been exaggerated, with the 14-day RSI index approaching neutral territory despite its recent excursion into oversold territory.
Also, support around the $90 mark has remained intact, given the lack of selling interest. Conversely, a move above $96 would signal relief for the bulls towards $102-$105, barring any additional negative news from KelpDAO’s loss-allocation exercise.
Société Générale expands crypto push as SG-FORGE signs 15 clients under EU rules
Société Générale (GLE)’s SG-FORGE has signed up 15 crypto clients as more regulated companies in Europe look for bank access after the EU’s new crypto rules took effect last year.
Jean-Marc Stenger, the CEO of SG-FORGE, reportedly said that the client base includes crypto exchanges, brokers, and wallet providers.
According to him, “more and more we see the connections we have established with crypto native companies through Société Générale-Forge as a good way to deliver just traditional banking services to this entity.”
Jean-Marc also said the links built with crypto-native companies are now helping the bank offer regular banking services to those businesses.
SocGen pushes banking services deeper into crypto companies
SocGen launched a euro-pegged stablecoin in 2023 and a dollar-pegged stablecoin in 2025. Other banks have taken a slower route. Some are working together to test the technology. Others are still waiting for stronger client demand before they go further.
Jean-Marc said SocGen is not part of the group of 10 European banks preparing to launch a euro stablecoin later this year. That group includes ING, UniCredit, and BNP Paribas. Even so, he said SocGen is holding bilateral talks with some of the banks involved.
The bank’s own tokens are regulated under the EU’s crypto framework, but usage is still small. SocGen’s euro stablecoin has just 105 million euros in circulation. That is tiny next to Tether and Circle’s USDC. Tether, based in El Salvador, says it has $187 billion of dollar-pegged tokens in circulation. USDC, issued by Circle in the United States, says it has $78.6 billion.
Jean-Marc said the gap could narrow if more crypto companies need euro stablecoins for retail customers in Europe and start looking for local alternatives instead of sticking with the current giants. He also said companies could end up using stablecoins to manage cash and collateral, though that use case is still more theory than fact.
RBC Capital Markets said last week that banks it surveyed saw stablecoins’ effect on liquidity and treasury management as “negligible.”
Exchanges chase new crypto markets as chain competition heats up
That slow take-up is landing in a much bigger fight over where financial activity will live in the next phase of crypto. The chief executive of VanEck said recently, “I think 2026, this is our thesis a little bit, is the year of the corporate chain wars.”
He then broke down what he meant: “Blockchains are shortened to chain. And it used to be okay. What am I going to use as the transaction mechanism for Wall Street in the future? Is it going to be Ethereum? Is it going to be Solana? And then a lot of people were starting their own chains.”
That question is now sitting before enterprises, financial institutions, and sovereign-adjacent players. They have to decide whether to build on a public chain, fork one, or launch their own. The choice could shape who keeps an edge for years.
Another race is underway to build perpetual crypto futures in the United States. Global crypto exchanges are trying to get ahead of an expected move by the U.S. Commodity Futures Trading Commission to allow trading in the product, which is popular, risky, and mostly kept offshore so far.
Kraken’s parent said on Friday it would buy Bitnomial for up to $550 million, giving it a path into Bitnomial’s perpetual futures business.
Coinbase (COIN) has already launched long-dated futures contracts built to look like perpetuals. Robinhood (HOOD) has said it is exploring similar products in the United States.
Perpetual futures trading volume hit $61.7 trillion in 2025, up 29% from 2024, data from CryptoQuant showed.
A big share of that perpetual activity has happened on Hyperliquid, an offshore blockchain-based crypto exchange that has become a major venue for the contracts and lists products tied to different tokens.
Volo Protocol freezes stolen funds after $3.5M DeFi exploit on Sui
Volo Protocol, the operator of vaults that allow users to earn yields on their assets on Sui, announced that it has started to freeze part of the $3.5 million that hackers stole in an April 21 exploit, in what has become the latest case in a historically bad month of security breaches for DeFi protocols.
Volo Protocol first reported the $3.5 million hack on its official channels the same day the exploit occurred, after discovering that hackers had looted WBTC, XAUm, and USDG from its Volo Vaults.
Suilend quickly updated that none of its markets were affected by the incident and that user funds are safe, with deposits, borrowing, and withdrawals functioning as usual. For now, it said it will continue to monitor things, as this episode did not need the kind of preemptive halting of operations it initiated after the rsETH incident on KelpDAO.
The initial $3.5 million loss that Volo reported is the latest million-dollar DeFi exploit in April, a month that has seen protocols lose almost 4X the combined total for the first three months of 2026.
Volo has started to freeze hacker bounty
It has not been all bad news for Volo Protocol as the project’s latest updates claim it has “successfully intercepted and blocked” attempts to swap 19.6 WBTC into unrecoverable assets.
The Wrapped Bitcoin (WBTC) that Volo intercepted is worth about $1.5 million based on Bitcoin’s current price, as these assets are meant to maintain a 1:1 peg to the original asset they wrap.
It is standard practice for hackers to quickly swap assets native to the protocols they attack into unrecoverable ones, such as ETH and BTC, to avoid freezes and clawbacks. As Cryptopolitan reported, KelpDAO hackers have already begun swapping their loot into BTC via Thorchain to avoid a repeat of the $71 million asset freeze on Arbitrum.
The 19.6 WBTC seizure followed an earlier $500,000 freeze that it initiated “working closely with ecosystem partners.”
The protocol assured that it is working with those ecosystem partners to plan how to recover the frozen tokens. The freezes and potential recoveries are being regarded as positive steps toward the project’s commitment to absorb losses in its initial message to users.
Is Sui safe after the Volo hack?
Citing sources, Cryptopolitan reported that the KelpDAO hack was an Ethereum L2 problem, with almost no impact on the mainnet. However, the DeFi contagion continues to spread across protocols with exposure to the rsETH token that was stolen in the exploit.
Similar questions have been raised about the Sui ecosystem by users of Volo Protocol and others with exposure to its vaults.
Volo already assured that the approximately $28 million in TVL secured in its vaults is safe, as the exploit affected only three vaults. It also said that its other vaults are not susceptible to the specific attack vector that caused this episode, which appears to be an admin key compromise.
As a precautionary measure, Volo also said it had frozen all its vaults at least until it could provide a full picture of the incident, along with a plan to make users whole.
Suilend backed up its zero-contagion claims in its own post.
SUI is trading at $0.97 as of writing time, up about 2.72% over the past day, riding the positive momentum wave led by Bitcoin in response to positive news on the Iran conflict, which has rocked Middle Eastern geopolitics and global markets.
SUI price remains up despite a dip in DeFi TVL over the last 24 hours. Source: CoinMarketCap
Total value locked on the network is down about 3.4% over the past day, dropping about $20 million during that period.
S&P 500 now 45% AI-driven as megacap tech dominance raises market risks
AI stocks are dominating the S&P 500, with the AI boom now pushing their weight to nearly 45% of the index’s total market capitalization. The dominance of this “AI backbone” is primarily driven by a handful of megacap leaders and a surge in infrastructure spending.
AI stocks tied to data center, semiconductor, and energy firms now account for over 40% of the S&P 500’s total value. The high concentration in a few names increases risk if AI revenue monetization fails to meet expectations.
Goldman Sachs estimates that AI infrastructure investments will account for approximately 40% of all S&P 500 earnings growth in 2026. Data center construction and AI capital expenditure have reached a structural scale, on track to hit 2% of U.S. GDP by late 2026. Analysts from Capital Economics suggest that the S&P 500 would be trading roughly 25% lower without the AI boost.
NVIDIA becomes the single most influential AI stock in early 2026
According to S&P 500 data, Nvidia is the most influential stock, with a 7% weight in the index as of March 30, 2026. NVIDIA’s stock has surpassed Apple (6.3%), Microsoft (4.6%), and Amazon (3.7%) in index influence. The top five AI companies now hold roughly 30% of the S&P 500, the highest concentration in half a century, effectively transforming the broad benchmark into a mega-cap tech fund.
The top 20 AI-related stocks account for nearly half of the index’s weight, a level that surpasses the peak of the 2000 Dot-com bubble. Investors have rotated so heavily into AI infrastructure and semiconductors that other industries, like cybersecurity and enterprise software, were sidelined for much of early 2026. The narrative has shifted from growth potential to tangible monetization, meaning that a correction in just 3-4 AI mega-caps could trigger a systemic deleveraging that the other 480 stocks in the S&P 500 index would be unable to offset.
Hyperscalers’ capital expenditure cements their roles as growth drivers
Beyond chips, massive capital expenditure (CapEx) from hyperscalers like Microsoft and Alphabet (projected to spend nearly $700B collectively on AI in 2026) has cemented their roles as the market’s primary drivers of growth. AI-related firms have seen total gains of 200% since ChatGPT’s launch in 2022, while the remaining ~459 companies in the S&P averaged just 27%. That means any slowdown in AI CapEx could trigger a broad market repricing.
The “Big Four” (Amazon, Alphabet, Meta, and Microsoft) are expected to spend approximately $645-700 billion on AI infrastructure in 2026 alone, a 50-60% increase from 2025. However, achieving true portfolio diversification has become increasingly difficult as themes across industrials, energy, and technology are now all correlated to the data center buildout.
The high concentration of AI stocks has made the S&P 500 index “brittle,” even as the market shifts from blind trust to demanding proof. Investors are now scrutinizing whether this massive AI spending is translating into measurable revenue growth and margin expansion because many are “long” on AI.
There are rising fears that the obsession with AI is sidelining other industries as capital and focus are sucked away from sectors like traditional retail or healthcare. Even minor negative news can trigger outsized market drops. Analysts from Morgan Stanley and Goldman Sachs recommend shifting the focus from broad tech exposure to specific AI adopters with pricing power and infrastructure plays that bridge into the real economy, such as manufacturing and energy.
In 2025 and early 2026, top performers driving this AI trend included GE Vernova, Seagate Technology, Palantir Technologies, and Super Micro Computer. The focus has recently shifted toward companies building physical AI infrastructure, such as Lumentum, Vertiv Holdings, and Coherent, which were added to the S&P 500 on March 3, 2026. The infrastructure boom is also heavily reliant on energy, with companies like GE Vernova and NRG Energy benefiting from the demand for power in data centers.
Robinhood opens public trading route to OpenAI with $75M venture fund stake
Robinhood (NASDAQ: HOOD) said on Wednesday that one of its funds has bought a small $75 million stake in OpenAI, with the purpose of giving retail investors another way into a private, unlisted tech company that cannot yet be touched directly.
According to Robinhood, there are currently more than 6.5 times as many private companies as public and the estimated value of these firms in the US surpassed $10 trillion in the first quarter of 2025.
The deal came through Robinhood Ventures Fund I, or RVI, which only recently began trading on the New York Stock Exchange in March, which means Robinhood now has a listed vehicle tied to private growth companies.
Sarah Pinto, president of Robinhood Ventures Fund I, said in a statement, “OpenAI is one of the frontier artificial intelligence companies, and we are incredibly proud to add them to the Fund.”
“The number of publicly traded companies in the US has fallen from about 7,000 in the year 2000 to about 4,000 in 2025. At the same time, companies are staying private longer and growing in both number and value,” said Robinhood.
Robinhood’s decision comes after last summer’s token fight in Europe
Robinhood and OpenAI were in a public argument last summer, which started after Robinhood began offering tokenized shares tied to OpenAI and SpaceX to users in Europe, but Sam Altman pushed back against that and blocked it, saying those stock tokens did not represent actual equity in the company.
Meanwhile, retail investors have been looking for ways to get close to companies like OpenAI, Anthropic, and xAI as the AI trade keeps pulling money and attention across markets, a demand that has also been fed by a broader trend in tech.
Many high-growth companies are staying private for longer. They delay IPOs, raise huge private rounds, keep tighter control, and keep growing without the day-to-day pressure that comes with public markets. For smaller investors, that has made early access much more valuable.
At around $86 a share, the pricing picture of the Robinhood stock is not simple, though it is up 9.3% over the last 7 days and up 21.9% over the last 30 days.
At the same time, it is down 25.0% for the year so far, while still up 105.3% over the last year. Those numbers leave plenty of room for both bullish and cautious takes. Even after the strong one-year gain, Robinhood Markets still has a valuation score of 1 out of 6.
Regardless though, on Wednesday, crypto-linked stocks were among the strongest premarket names in the S&P 500 after President Donald Trump extended a U.S. cease-fire with Iran and Bitcoin kept climbing. Strategy, the biggest corporate holder of Bitcoin, rose 2.2% before the opening bell. Robinhood gained 1.6%. Coinbase added 1.8%.
Iliya Kalchev, an analyst at Nexo, said that the gains in crypto-linked stocks were “all down to Bitcoin.”
IREN rides Bitcoin mining-era power infrastructure to lead AI data center race
IREN may win the data center game, based on its available energy contracts from the era of Bitcoin mining. The company has a head start in building data centers, where access to reliable energy is turning into a key bottleneck.
Iren Limited (Nasdaq:IREN) recently drew attention to BTC mining stocks and may signal a shift in general sentiment for mining companies. Traditionally, IREN has tracked the price of BTC and the overall crypto sentiment.
As of April 2026, IREN has entered a key pivot stage, when the stock may start to reflect the AI narrative, while depending less on tracking the crypto market. IREN traded at around $45.12, bouncing from the year’s lows at $31.62.
IREN recovered in April, drawing attention to its significant energy contract portfolio. | Source: Google Finance
IREN is closely watched as the most active Bitcoin mining stock, which may lead to recoveries in other assets. Most of the leading Bitcoin mining stocks are in the green for the year to date, based on recent market performance data.
IREN still attracts short open interest
IREN has seen regular spikes in short open interest. As of April 22, short open interest is at 18.42% of the stock’s free float.
IREN short positions are still small compared to the short open interest for Mara Holdings (Nasdaq: MARA) at up to 30%, as well as CleanSpark (Nasdaq: CLSK). Despite this, traders aim to grab the opportunity for shorting IREN, benefiting from daily swings.
Bitcoin mining stocks are shorted in expectation of a diminishing role for miners. Yet miners may still retain earnings from their BTC operations, sit on significant reserves, and retain some of their self-mining activity.
IREN may avoid the main bottleneck for US-based AI data centers
IREN is one of the largest holders of power access in the Bitcoin mining space. The company owns land and its own substations.
The company has built a portfolio of locations using secure supply in Texas, with a 1.4 GW facility in Sweetwater and a total of 2.75 GW signed for all Texas campuses. The Sweetwater 1 facility is expected to launch by the end of April with 1.4 GW of energy.
The company will keep adding access, with another center expected to access 750 MW.
IREN is positioned with a significant advantage, as US-based data centers are scrambling for reliable energy supply. Previously, data centers faced smaller bottlenecks in securing GPUs, RAM, or other technical elements.
However, infrastructure and access to reliable energy were the key factors in data center creation. Data centers drove up to 50% of new electricity demand in the USA, creating heated competition for access to the grid.
IREN has already secured access, which may take years for companies just starting out with data facilities. Access to substations and contracts faces significant bottlenecks, leading to the delay or cancellation of 50% of AI data center investments, with another 17% of projects facing uncertainty, according to a recent Bloomberg report.
Under those conditions, Bitcoin mining companies may have a comparative advantage, allowing them to pivot to AI with less pain and fewer delays.
North Korea’s Lazarus Group launches new malware kit targeting macOS users in crypto, fintech
North Korea’s Lazarus Group has launched advanced malware targeting macOS devices. Mach-O Man, as it is called, is designed to target crypto companies, fintech organizations, and key execs using Macs for financial transactions.
The attack was first identified in the middle of April 2026. It uses popular workplace apps such as Zoom, Microsoft Teams, and Google Meet to launch social engineering attacks.
North Korea’s hackers go after Mac users
As reported, this attack leverages the trust employees have placed in their regular communication tools, such as Zoom, Microsoft Teams, and Google Meet. This has turned everyday collaboration into an avenue for system-level attacks.
The first step is a carefully crafted social engineering lure through Telegram. The victims (developers, executives, and decision makers in the fintech and crypto space) receive an urgent meeting invite from a compromised colleague’s account.
Clicking the link leads to a seemingly authentic webpage that simulates an error message when trying to connect to Zoom, Teams, or Meet. The website then asks the victim to copy and paste a seemingly harmless line of code into the Mac’s Terminal to “solve” the problem.
In doing so, the victim circumvents macOS security mechanisms, such as Gatekeeper, since the attack originates from the victim themselves.
Upon execution, the code installs a binary named teamsSDK.bin.
The stager downloads the fake macOS app bundle and digitally signs it with the native codesign tool using an ad hoc signature. It then repeatedly asks the victim for their password, displaying poorly translated messages that appear authentic.
Mach-O man malware installation on fake apps. Source: AnyRun
After completing the fake installation process, the stealer starts system fingerprinting, persistence configuration, and payload installation.
Unlike other techniques, this one involves no complex exploits. This makes it very effective on valuable targets who could be managing several simultaneous calls while copying commands without verifying them.
Inside the Mach-O Man malware
The “Mach-O Man” malware uses multiple stages, each with Go-compiled Mach-O binaries. The malware contains a profiler module that collects system information, including the hostname, UUID, CPU information, network configuration, and running processes.
It has extensions for Chrome, Firefox, Safari, Brave, Opera, and Vivaldi browsers. The information is transmitted to the command-and-control server via simple curl POST requests on ports 8888 and 9999.
The persistent module minst2.bin drops a LaunchAgent plist file (com.onedrive.launcher.plist), which ensures the malware launches each time the user logs in by posing as a legitimate process called “OneDrive” or “Antivirus Service.”
Macrasv2, the last payload responsible for stealing data from the system, collects information from browser login details and cookies found in SQLite databases as well as sensitive Keychain entries. All the collected data is then zipped up and sent out via the Telegram bot API, whose token was exposed on the surface.
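A defender can turn the persistence and exfiltration details above into a triage check. The following is an added example, not code from AnyRun or the article: it audits LaunchAgent plists for the reported file name and for agents that pose as “OneDrive” or “Antivirus” while running from an unexpected path, and it flags curl POSTs to ports 8888 or 9999. The trusted install roots, the sample plists, and the address 203.0.113.7 are assumptions constructed for the demonstration.

```python
import plistlib
import shlex
from pathlib import Path
from urllib.parse import urlsplit

# Taken from the article: LaunchAgent file name, posed-as names, C2 ports.
REPORTED_PLIST_NAME = "com.onedrive.launcher.plist"
MASQUERADE_WORDS = ("onedrive", "antivirus")
REPORTED_PORTS = {8888, 9999}

# Assumptions (not from the article): where genuine vendor agents normally
# live, and which locations are unusual for a login-time executable.
TRUSTED_ROOTS = ("/Applications/", "/Library/", "/System/", "/usr/")
TEMP_ROOTS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")
POST_FLAGS = {"-d", "--data", "--data-binary", "--data-raw",
              "--data-urlencode", "-F", "--form"}


def agent_executable(job):
    """Return the path launchd would execute for this job, or None."""
    program = job.get("Program")
    if isinstance(program, str):
        return program
    args = job.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        return args[0]
    return None


def audit_launch_agent(filename, raw):
    """Return a list of findings for one LaunchAgent plist given as bytes."""
    try:
        job = plistlib.loads(raw)
    except Exception:
        return ["unparseable plist"]
    if not isinstance(job, dict):
        return ["plist root is not a dictionary"]
    findings = []
    if filename.lower() == REPORTED_PLIST_NAME:
        findings.append("file name matches the reported persistence artifact")
    exe = agent_executable(job)
    if exe is None:
        return findings + ["no Program or ProgramArguments entry"]
    # A brand name in the file name or Label, paired with a binary outside
    # the usual install roots, is the masquerade pattern described above.
    identity = f"{filename} {job.get('Label', '')}".lower()
    claimed = [w for w in MASQUERADE_WORDS if w in identity]
    if claimed and not exe.startswith(TRUSTED_ROOTS):
        findings.append(f"poses as {claimed[0]!r} but runs {exe} outside trusted roots")
    hidden = any(part.startswith(".") for part in exe.split("/"))
    if hidden or exe.startswith(TEMP_ROOTS):
        findings.append(f"executable in a hidden or temporary path: {exe}")
    return findings


def curl_post_to_reported_port(cmdline):
    """True if a logged command line is a curl POST to port 8888 or 9999.

    These ports are also common for development servers, so a hit is a
    lead to investigate, not a verdict.
    """
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes in the logged command line
        return False
    if not argv or Path(argv[0]).name != "curl":
        return False
    args = argv[1:]
    is_post = any(a in POST_FLAGS or a.upper() == "-XPOST" for a in args)
    for flag, value in zip(args, args[1:]):
        if flag in ("-X", "--request") and value.upper() == "POST":
            is_post = True
    for a in args:
        if "://" not in a:
            continue
        try:
            port = urlsplit(a).port
        except ValueError:  # malformed port in the URL
            continue
        if is_post and port in REPORTED_PORTS:
            return True
    return False


# Constructed samples: the Label and executable paths are invented.
SUSPICIOUS = plistlib.dumps({
    "Label": "com.onedrive.launcher",
    "ProgramArguments": ["/Users/alice/Library/.cache/OneDrive"],
    "RunAtLoad": True,
})
INSTALLED_APP = plistlib.dumps({
    "Label": "com.example.onedrive.helper",
    "ProgramArguments": ["/Applications/OneDrive.app/Contents/MacOS/OneDrive"],
    "RunAtLoad": True,
})

if __name__ == "__main__":
    # On a Mac, audit the current user's real LaunchAgents directory.
    agents = Path.home() / "Library" / "LaunchAgents"
    for path in sorted(agents.glob("*.plist")):
        for finding in audit_launch_agent(path.name, path.read_bytes()):
            print(f"{path}: {finding}")
```
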
Lazarus Group’s devastating legacy in crypto and US tech
The launch of “Mach-O Man” is in line with Lazarus Group’s long-term efforts to carry out cyberattacks for financial gain. These attacks have resulted in huge losses for the crypto world, especially for those based in the United States.
This group has been identified as involved in some of the biggest thefts in crypto history, such as the $625 million theft from Ronin Network (Axie Infinity), the $1.5 billion theft from Bybit, the $308 million theft from DMM Bitcoin, the $292 million theft from KelpDAO, the $285 million theft from Drift, and $235 million from WazirX.
Law firm launches class action against AI16Z, ELIZAOS operators over fake AI crypto project
A class-action lawsuit has brought one of the most controversial AI-themed token projects back into the spotlight. Burwick Law accused the creators of the AI16Z and ELIZAOS project of running a massive fraud in the crypto market.
The crucial lawsuit comes as the global crypto market reports some fresh recovery rallies. Bitcoin price surged past the $78,000 mark. AI-linked cryptos also printed green indexes. Their market cap jumped by around 2% in the last 24 hours to hit $18.3 billion.
AI16Z fake AI claims head to court
The case presents a very simple allegation that the project looked real, but wasn’t. The complaint suggests that the defendants allegedly raised what appeared to be a proper AI startup. It was launched with a polished website, developer documentation, GitHub repositories, and more.
The branding was done heavily on links to Andreessen Horowitz. It even used the “ai16z” name and an AI agent styled as “Marc Andreessen.” The lawsuit claims that the association was entirely manufactured.
We filed a federal class action in SDNY on behalf of our client against the creators of AI16Z and ELIZAOS, alleging consumer protection claims.
Case 1:26-cv-3238 SDNY
— Burwick Law (@BurwickLaw) April 21, 2026
The token launched on October 24, 2024, and was deployed on the Solana blockchain. The project bagged some traction after a mention from Marc Andreessen on social media. Soon, its market cap surged to $80 million.
The complaint mentioned that the token reached a peak valuation of over $2.6 billion by January 2025. Data shows that AI16Z is trading at an average price of $0.00055 at press time. Its price jumped by around 9% in the last 24 hours. Meanwhile, it is trading down by 99.9% from its all-time high of $2.48, recorded on January 2, 2025.
The lawsuit argues that the core technology never existed in the way it was presented to the public. The AI agent was marketed as an autonomous investment system. However, it was allegedly operated manually. The open-source framework generated no revenue. It added that the project itself produced no income during the entire period in question.
3,945 wallets hit in AI16Z collapse
Plaintiffs claim the token’s rise was driven by a carefully engineered narrative. It never spiked on fundamentals. As soon as the token went on to hit its ATH, large holders began offloading millions of dollars’ worth of tokens.
One wallet sold $2.52 million, another $2.49 million. Another wallet sold $4.77 million. On January 11, the most profitable trader realized $39 million in profit while public purchasers booked the losses.
The complaint added that Andreessen Horowitz demanded that defendants stop using the a16z name. However, the defendants did not wind down and rebranded it to ELIZAOS. It was followed by a token migration. Almost 40% of the new allocation was directed to insiders. This includes undisclosed private investors and team members.
A bit late, but the regulated market responds. South Korean exchanges under DAXA flagged the token with a trading warning. On the other side, Coinbase suspended perpetual contract trading linked to it.
According to the complaint, at least 3,945 wallet addresses suffered losses during the collapse. The lawsuit alleges violations under US consumer protection laws. It mentioned deceptive practices and false advertising statutes in both New York and California.
Plaintiffs are seeking damages and equitable relief on behalf of investors who purchased the token between October 24, 2024, and the filing date of the complaint.
Tesla joins race to lead voice assistant tech in Chinese EV market
Tesla (NASDAQ: TSLA) has filed its voice assistant, which runs on generative AI, with the cyberspace regulator in Shanghai. The feature is now among 158 AI-powered tools that have gone through China’s official registration process.
The Shanghai Cyberspace Administration made the announcement on its official WeChat account.
Musk’s Tesla has been trying hard to push up the leaderboards in China. However, the EV maker’s Full Self Driving feature is still awaiting regulatory approval for launch.
The filing is not that big a China win for Tesla. It was a regulatory requirement. China’s Cyberspace Administration has been strict about AI tools. It requires companies to register generative AI features before they can legally run in the country. Hundreds of AI services had already passed through this process by the end of 2024.
In fact, the announcement sent Tesla’s shares down. While the registration itself is a routine compliance step, investors read it as a red flag for the tightening regulatory environment that global automakers now face when deploying AI features in China.
Still, the timing matters. Tesla is under growing pressure from Chinese rivals like BYD and Geely, which have been building out AI-driven in-car features at a fast pace.
To stay competitive, Tesla is reportedly planning to fold in AI models from Chinese technology companies, DeepSeek for conversation and ByteDance’s Doubao for voice tasks like navigation and controlling the climate system. That marks a notable shift: rather than running a single global AI system, Tesla is now building a separate setup for China, one that works within local rules and connects to local platforms.
Volkswagen and Rivian push deeper into AI
Just a day before Tesla’s filing, Volkswagen also announced AI voice tech in China. The German automaker will be rolling out the feature across all of its cars in China by the second half of 2026.
The system won’t be cloud-dependent as it runs directly on the car using a large language model stored on board. The technology is drawn from Tencent, Alibaba, and Baidu.
Thomas Ulbrich, Volkswagen’s China chief technology officer, said the assistant is designed to read what drivers want before they ask, with a built-in sense of personality.
Volkswagen also unveiled four vehicles at a Beijing media event, including a new model developed with Chinese EV maker Xpeng, a partnership built in just two years. The company also showed its first fully electric car in the FAW-Volkswagen ID. AURA line. Plans call for more than 20 new electric models to launch in China in 2026 alone. A more advanced agentic AI system, one that handles both driving assistance and cockpit controls together, is planned for next year.
As part of the joint venture worth up to $5.8 billion, Rivian and VW have brought in Manasi Vartak as Vice President of AI and Data. She will be focusing on the Rivian Unified Intelligence platform and the Rivian Voice Assistant.
Chief Software Officer Wassym Bensaid had promised delivery of the voice feature in early 2026. However, it was left out of the most recent over-the-air update.
When voice commands go wrong
While EV makers are pushing the voice features, a recent crash in China raises doubts about the complete safety of these systems.
According to reports, a driver told the car, Lynk & Co Z20, to turn off the interior reading lights at night. But the voice feature glitched and turned the headlights off. The driver was also unable to get them back on before hitting a barrier on the road.
On Weibo, the general manager of the car company Mu Jun made an apology and said the software was urgently being fixed. Now, the headlights can only be controlled manually while the car is moving.
Similar problems have been occurring with other brands like Zeekr and Deepal.
Wall Street turns to 'always-on' RWA trading platforms as global conflicts escalate
The ongoing conflict between the U.S. and Iran is accelerating Wall Street’s transition into tokenized real-world assets (RWAs) to allay the risk of geopolitical volatility. The crisis has solidified RWAs as essential “always-on” infrastructure for Wall Street, exposing the limitations of traditional financial markets that close during weekends.
As of April 2026, financial institutions are increasingly adopting blockchain-based tokenized trading to reduce the risks posed by 24/7 geopolitical tensions that traditional markets are ill-equipped to handle.
Closing on weekends when many geopolitical escalations occur has emerged as a critical vulnerability in traditional financial markets. Major attacks, such as the U.S. strikes on Iran in February 2026, have frequently happened during off-market hours.
Accordingly, Wall Street desks now use tokenized assets and perpetual futures on platforms like Hyperliquid as the only open window for pricing gold, oil, and war risk when legacy exchanges are offline. The disruption of physical trade routes, particularly in the Strait of Hormuz, has accelerated the shift toward instant “atomic” settlement.
Tokenized U.S. Treasuries market surges to over $12B in April
The tokenized U.S. Treasuries market has surged to $12.78 billion as of April 2026, as investors seek liquid collateral that can be moved instantly across borders. Tokenized commodities like gold and oil have also seen surging volumes as traders seek around-the-clock hedges against energy supply shocks.
Meanwhile, institutional players are also transitioning from pilot programs to full-scale deployment of tokenized assets. Major firms like BlackRock and Franklin Templeton have integrated tokenized funds into their core offerings to avoid the bottlenecks of the traditional banking system during crises.
These firms provide a digital-native structure that remains operational even as physical infrastructure, like in the Gulf, faces drone threats. As of April 2026, BlackRock has accumulated approximately $1.9 billion in tokenized U.S. Treasuries within its BUIDL fund.
On the other hand, some nations, including Iran, are experimenting with blockchain to exchange value outside the U.S.-dollar-denominated system to bypass sanctions and naval blockades. Crypto-native platforms effectively became “the market” during critical moments, such as the February 2026 airstrikes. Legacy exchanges are now under intense pressure to adopt 24/7 trading models to compete with these digital-native structures, according to media reports.
Consequently, on-chain perpetual futures for commodities like gold and oil now account for more than 67% of builder-deployed contracts on decentralized exchanges, with weekend volumes increasing ninefold since the beginning of 2026. The need for blockchain-based instant settlement has become a structural necessity, providing products that remain liquid even when physical trade routes are disrupted.
IMF chief economist says U.S.-Iran war creates bigger risk than Trump’s tariffs
IMF chief economist Pierre-Olivier Gourinchas has emphasized that the U.S.-Iran conflict creates a far bigger risk to the global economy than President Donald Trump’s initial wave of steep tariffs a year ago.
He further notes that several countries are likely to undergo outright recessions under this scenario, with oil prices averaging $110 per barrel in 2026 and $125 in 2027.
“What’s happening in the Gulf is potentially much, much larger, and that’s what our scenarios are kind of documenting.”
–Pierre-Olivier Gourinchas, Chief Economist at the IMF
Based on these claims, the U.S.-Iran war is prompting investors to turn to tokenized oil and decentralized finance (DeFi) platforms for hedging, with major financial players fast-tracking the launch of tokenized securities platforms. Traders are using 24/7 crypto-native markets to hedge against oil price volatility stemming from the conflict.
The IMF also predicts that global GDP growth could fall to 2.5% under an adverse scenario of a longer conflict that would keep oil prices around $100 per barrel this year. The fund’s worst-case scenario assumes a deepening, prolonged conflict that could drive oil prices higher, prompting major financial market dislocations and tighter financial conditions, slashing global growth to 2%.
Bank of Korea prioritizes CBDCs as Shin launches 2.50% policy cycle
South Korea’s central bank has entered a new monetary phase with digital currencies at the forefront, as newly appointed Bank of Korea governor Shin Hyun-song begins his four-year term with a strong focus on central bank digital currencies (CBDCs) while maintaining the benchmark interest rate at 2.50%.
In his inaugural address, Shin placed CBDCs and bank-issued deposit tokens at the center of the country’s future financial system, signaling a strategic shift toward state-backed digital money as a foundation for payments innovation.
The policy direction comes as the Bank of Korea holds rates steady at 2.50%, extending a cautious monetary cycle amid inflation risks, geopolitical uncertainty, and slowing growth.
Shin asserted that they plan to collaborate on international initiatives, including Project Agora, to boost the Korean won’s standing in global payments. Earlier, before his appointment, he had also advocated for a CBDC-centric ecosystem.
He commented, “Central Bank Digital Currency and commercial bank deposit tokens issued based on it must become the center of the digital currency ecosystem.” Thus, his recent address only formalizes his digital roadmap.
Has Shin adjusted his position on Korean won-pegged stablecoins?
Shin emphasized that a CBDC-led ecosystem, supported by tokenized bank deposits, would play a “central role” in modernizing South Korea’s monetary infrastructure. His remarks highlighted ongoing initiatives such as Project Hangang, which is exploring real-world applications for digital currency and settlement systems.
In his earlier address during his nomination hearing, he mentioned he was in favor of stablecoins, though he cautioned about the need to maintain trust in the currency. He had also acknowledged that private stablecoins could complement official bank tokens, ensuring the digital ecosystem stays diverse and functional.
However, in his recent speech, the new central bank governor did not mention Korean won–pegged stablecoins, raising concerns about his plan for the digital assets.
For some time, South Korean lawmakers, under President Lee Jae-myung’s endorsement, have been pushing to establish regulations for domestic stablecoins under the Digital Asset Basic Act. KRW1 even entered the market in February as the country’s first fully regulated stablecoin, formed through a collaboration between BDACS and Woori Bank.
However, there has been some division between the ruling and opposition parties on parts of stablecoin regulation. Last year, Democratic Party lawmaker Ahn Do-geol proposed a framework to bar interest payments, while the People Power Party’s Kim Eun-hye introduced a rival bill that left out any restriction on interest.
Shin encouraged the central bank to be more prudent and careful in its decisions
Overall, in his first address, Shin advocated a careful, measured approach to monetary policy amid intensifying uncertainties from the Middle East crisis. He recognized that paths for inflation and growth are now significantly blurred, making it nearly impossible to predict future economic conditions.
He added that they will review policy tools to balance the difficult trade-offs between maintaining a stable won and supporting a cooling economy. He explained, “It has become increasingly difficult to fully identify and respond to risks in the financial system only using existing frameworks.”
Furthermore, he called for greater use of market price movements as a high-frequency early warning system to capture systemic shifts in a world where banks and non-banks are increasingly interconnected.
More recently, policymakers chose to maintain rates at 2.5% again following the fallout from the late February strikes on Iran, which have since mushroomed into a full-scale regional crisis. Their decision marks the seventh consecutive meeting in which they have held rates, effectively freezing any plans to lower borrowing costs as regional war risks take priority.
Shin had previously called for the same, saying that patience is the most powerful tool the BOK has at the moment. In his latest address, he reiterated his goal of maintaining financial stability and protecting trust in money and payments.
SpaceX strikes $60B Cursor agreement, united by a common adversary
SpaceX has struck a deal giving it the right to buy AI coding startup Cursor for $60 billion later this year, or settle for a $10 billion working partnership, as Elon Musk’s company tries to close the gap with rivals in one of the fastest-moving corners of the technology industry.
The announcement, made Tuesday in a post on X, puts one of Silicon Valley’s most talked-about startups squarely inside Musk’s expanding orbit, just months before SpaceX is expected to go public in what could be the largest stock market debut in history.
Cursor, owned by parent company Anysphere and co-founded in early 2022 by four MIT students, Michael Truell, Aman Sanger, Sualeh Asif, and Arvid Lunnemark, builds tools that use artificial intelligence to help software developers write code faster.
The company released its first product in March 2023, and within months, it had spread rapidly through the developer community. By November 2023, it had cataloged 150,000 codebases. In June 2024, it raised $60 million in Series A funding led by Andreessen Horowitz.
From zero to $2 billion in three years
What followed was a funding streak rarely seen in enterprise software. Through 2025, Cursor raised three additional rounds totalling $3.3 billion. Its valuation opened 2025 at $2.5 billion and closed the year at $29.3 billion after a $2.3 billion Series D in November. Before that came a $900 million round in June 2025 when it was valued at $9.9 billion. The company is now in talks to raise another $2 billion at a valuation above $50 billion, with Andreessen Horowitz and Thrive Capital expected to co-lead, joined by Nvidia and Battery Ventures.
“If you subtract out the dollars invested, it’s the fastest-growing company we’ve ever seen,” said Martin Casado, Andreessen Horowitz general partner and Cursor board member.
Revenue has grown at a similar pace. Annualized revenue hit $500 million in May 2025, doubled to $1 billion by October, and crossed $2 billion in February 2026.
Cursor says its tools are now used by 67% of the Fortune 500, including Uber and Adobe, and generate 150 million lines of enterprise code every day. Jensen Huang, CEO of Nvidia, an investor and partner, told CNBC in October: “My favorite enterprise AI service is Cursor. Every one of our engineers, 100 percent, is now assisted by AI coders, and our productivity has gone up incredibly.”
A fast rise now under pressure
Yet the company’s quick growth has landed it in a difficult position. Anthropic launched Claude Code as a research preview in February 2025, and it caught on fast. By early 2026, Claude Code had a $2.5 billion annual run rate and more than 300,000 business customers. The difference between the two products is significant: Cursor helps developers write code faster, while Claude Code writes entire chunks of code on its own. “We invented agentic coding as a thing,” said Boris Cherny, Anthropic’s head of Claude Code.
Social media has begun buzzing with the idea that Cursor is in trouble. One startup, Valon, publicly said in February it was moving off Cursor, setting off a wave of “Cursor is dead” commentary online. Some investors have noticed clients pulling back. Two of Cursor’s own engineers, Andrew Milich and Jason Ginsberg, left in March to join SpaceX and xAI.
There is also a pricing problem. Cursor pays open-market rates to access AI models from Anthropic and OpenAI, the same companies competing directly against it. “Anthropic is trying to drown out Cursor,” one venture capitalist told Fortune.
To reduce that reliance, Cursor has been developing its own model, called Composer, since 2025. Composer has outperformed Anthropic’s Opus 4.6 on some benchmarks, though Composer 2 came in behind OpenAI’s GPT 5.4. A Cursor blog post on Tuesday said model training had been “bottlenecked by compute” and that the SpaceX deal would let it “dramatically scale up” its models using xAI’s Colossus supercomputer cluster in Memphis.
SpaceX, for its part, has its own reasons to move fast. The company filed IPO paperwork with the SEC in early April and plans a roadshow in early June. It merged with xAI in February in a deal valued at $1.25 trillion and is now seeking a $1.75 trillion valuation, which would make it the biggest IPO ever. It ended 2025 with $24.7 billion in cash.
Cursor CEO Michael Truell, 25, said the deal was “a meaningful step on our path to build the best place to code with AI.” Whether SpaceX eventually buys the company or not, Truell has said he wants to build something that lasts. In an industry where everything changes every six months, that is a harder task than it sounds.
The effects of the KelpDAO attackers go deeper, this time affecting even BTC trading. Some of the funds from the exploit were moved through ThorChain and swapped into BTC.
The KelpDAO hack has wider effects on the crypto ecosystem, as the hackers attempt to swap and mix their holdings. The latest move showed the funds moved through ThorChain and were swapped into BTC.
The hack brought another $211M in spot buying to BTC, and was one of the factors that sent BTC above $78,000. BTC rallied within hours, launching from its lower range of $75,000. For now, BTC rejected the $78,000 level, but the hackers indicated that the market would react to an inflow of buyers.
KelpDAO boosted ThorChain volume
ThorChain has been one of the platforms widely used to swap funds in a totally permissionless environment. In previous hacks reported by Cryptopolitan, ThorChain’s team has not cooperated to intercept the funds during bridging or other visible operations. The chain has not even set up a mechanism to intercept funds, as all transactions depend on 95 permissionless nodes.
THORChain was modelled after Bitcoin, to be permissionless and censorship resistant.
There’s no single person or entity in control of the protocol. There’s no admin key. There’s no 2-of-3 multisig. Currently, there’s 95 nodes spread globally that control the network. For the…
— THORChain (@THORChain) April 21, 2026
During previous incidents, ThorChain has allowed funds to be mixed and disguised, citing its main goal of not interfering. Yet after Web3 hacks accelerated in the past month, all participants reconsidered the need to freeze funds and diminish the losses.
The KelpDAO attackers moved funds just three hours after Arbitrum froze around 25% of their haul on the network. One of the identified wallets was used to move and swap ETH, based on Arkham Intelligence tracking.
The hacker’s activity boosted ThorChain activity to 10 times its normal daily volume, ending up with 442 BTC moved to 400 addresses. On-chain researchers have pinpointed some of the key addresses with the biggest holdings. The coins can be mixed further or swapped into privacy coins to disguise their origin.
ThorChain posted its biggest daily fees after the KelpDAO attackers used the protocol to swap ETH for BTC. | Source: DeFiLlama.
Following the attack, ThorChain recorded its highest daily fee volume for the year to date. The network helped the hackers perform on average 146 transactions an hour.
KelpDAO attackers moved funds to the Bitcoin chain
Additional on-chain research shows the funds from the KelpDAO hack were mixed with proceeds from other incidents, including the BTC Turk and Bybit attacks from 2025. ThorChain also refused to assist with the Bybit hack, though other ecosystem participants were ready to freeze funds where possible.
The latest laundering episode shows the TraderTraitor group and other DPRK hackers were an increasing threat to Web3. The ability to launder funds is adding more risk, as hackers have evolved their techniques for faster and untraceable laundering. After using ThorChain, the hackers moved all BTC on the main network, where the coins could be traced, but not frozen.
The KelpDAO exploit also affected other networks, creating significant outflows. Ethereum lost 17.73% of its total value locked, 17.68% flowed out of Hyperliquid, Arbitrum lost 13.65% of its liquidity, and Solana saw 6.14% in outflows. The lost funds may have wide repercussions on Web3, due to the composability of DeFi lending and reusing some coins for collateral on other protocols. The final estimate is that the hack led to around 177M in bad debt on Aave.
Justin Sun pulls Trump-backed WLFI into federal scrutiny
Billionaire crypto investor Justin Sun has sued President Donald Trump-backed World Liberty Financial for allegedly freezing his WLFI tokens without cause, dragging WLFI into the federal spotlight. The case exposes a growing rift between Trump-aligned crypto supporters and the project’s leaders, whom Sun accuses of betraying crypto’s decentralization ethos.
On April 2, 2026, Tron founder Justin Sun filed a lawsuit in a California federal court against WLFI for wrongfully freezing all of his WLFI holdings worth at least $75 million. The complaint alleges that the project’s team is threatening to permanently burn his tokens, depriving him of his voting rights on governance proposals. Sun is seeking a jury trial to force WLFI to unfreeze his tokens, as well as monetary damages and injunctive relief to prevent the destruction of his assets.
Meanwhile, Sun’s filing characterizes WLFI as being “on the verge of collapse,” accusing the company of an illegal scheme involving extortion. The complaint includes causes of action for fraud in the inducement, unjust enrichment, conversion, and breach of contract. Sun claims the project used a hidden backdoor in its smart contracts to unilaterally freeze his holdings, highlighting a growing tension between the project’s decentralized marketing and its leadership’s centralized control.
Core rift exists between WLFI’s branding and technical reality
According to Sun’s complaint, a core rift exists between WLFI’s branding as a tool for financial freedom and the technical reality of its smart contracts. The billionaire crypto investor alleges that the project covertly installed a blacklist function that allows a single anonymous account to freeze any holder’s assets at will.
Meanwhile, this discovery has led supporters to argue that the project functions more like a traditional bank than a decentralized finance (DeFi) protocol, contradicting the industry’s values. Sun has further characterized WLFI’s governance as “theater,” asserting that voting power is heavily concentrated among a few team-linked wallets.
Specifically, on-chain data suggests that a small cluster of wallets controls roughly 60% of the voting power, effectively watering down community votes. Sun points to recent punitive proposals that include locking early investors’ tokens until 2030 and potentially permanently freezing the assets of those who vote against the team’s agenda.
“This proposal is bad for the community, but because World Liberty has frozen my early investor tokens, I cannot vote for or against the proposal.”
–Justin Sun, Founder of Tron DAO
On the other hand, the project’s “Gold Paper” reveals that nearly 75% of net income is allocated to Trump-linked entities, while ordinary token holders receive no share of protocol revenue. Investors like Sun and critics accuse the project leaders of treating the WLFI community as a “personal ATM.” The leadership reportedly used billions of WLFI tokens to collateralize a $75 million stablecoin loan for their own use, a move that critics say risks further crashing WLFI’s value.
The case filed by Sun has created a unique fracture among Trump-aligned supporters who argue that the project’s managers are contradicting Trump’s values. Sun and other critics also argue that the President would not tolerate WLFI’s current mode of operation if he were fully aware of it.
WLFI fights back at Sun’s lawsuit, dismisses it as baseless
WLFI is countering Sun’s lawsuit by dismissing it as baseless, further characterizing his claims as an attempt to distract from his own alleged misconduct. The WLFI team claims that Sun’s tokens were not frozen due to a “hidden backdoor,” but rather as a reactive measure to his specific misconduct.
Specifically, WLFI claims that Sun used his HTX exchange to offload WLFI tokens while simultaneously encouraging retail investors to lock their own holdings for yield. WLFI’s risk disclosures state that the company can block and freeze wallet addresses and associated tokens it determines are linked to illegal activities or violations of its terms.
The project also contends that Sun’s strategy was to exit his position early by using users’ locked tokens as liquidity on his exchange, with plans to use future token vestings to fill those balances. In this case, WLFI argues that Sun breached his investor agreement, justifying the freeze of nearly 595 million tokens. The project’s leadership maintains that blacklisting addresses is a legitimate security and compliance measure rather than a secret tool for censorship.
However, Senator Elizabeth Warren and other Democratic lawmakers have used the feud to highlight what they call “presidential crypto corruption.” They further claim that the Trump administration is favoring “billionaire buddies,” while ordinary retail investors suffer from the token’s 90%+ price decline.
Huobi founder Li Lin taps Bitfire to recover $760M in disputed Bitcoin
Bitfire is where Li Lin is placing his next crypto bet in Hong Kong. Li is taking the trading team and trading setup from Avenir Group, his family office, and putting them into Bitfire Group, the Hong Kong-listed company where he is the biggest shareholder.
Bitfire, which works in wealth management, said on Wednesday that it agreed to buy Avenir’s investment team and trading systems for $1.6 million.
Li first made his name through Huobi, the exchange now called HTX. Mainland China has banned cryptocurrency trading since 2021, but Hong Kong is trying to build itself into a virtual asset center. Li sold a controlling stake in Huobi for about $1 billion to Justin Sun in 2022. After that, he turned his attention to Avenir.
Bitfire brings Li’s trading team into Hong Kong to raise outside Bitcoin money
With the Avenir deal in place, Bitfire wants to raise outside capital for a regulated bitcoin-denominated asset management product called Alpha BTC.
Livio Weng, chief executive of Bitfire, said the company wants to attract investment equal to more than 10,000 Bitcoins within a year. At the value cited in the source material, that is about $760 million.
Livio said, “Market demand for such products is huge,” as more local companies hold Bitcoin but still do not have an easy way to earn returns from it.
He said the Alpha BTC strategy plans to generate profit through derivatives trading, including options, using either bitcoin or the IBIT ETF as the underlying asset. The target clients are both crypto-native investors and Hong Kong-based companies.
That target list matters because Bitfire estimates that at least 40 Hong Kong-listed companies already hold bitcoin.
So the company is going after a market where companies already have crypto on their books and may now want a regulated way to try to earn more from those holdings.
Hong Kong builds crypto rules while US lawmakers stay stuck over stablecoin and market bills
Meanwhile, at one of the city’s biggest Web3 events, officials and lawmakers talked openly about taking Hong Kong’s crypto push beyond the local market.
Eric Yip Chee-hang, executive director of intermediaries at the Securities and Futures Commission, said, “We can be a little bit more aspirational now that we have a strong hold locally. We should also expand our influence by [increasing] exposure internationally.”
Eric added that Hong Kong had been “in the spotlight” at international conferences because it had “achieved so much.”
Earlier this month, the city gave out its first two licenses for stablecoin issuers. It is also pushing ahead with rules for crypto dealers and custodians.
Duncan Chiu Tat-kun, a member of the Legislative Council for the Technology and Innovation constituency, said on Monday that there had been “a lot of advancement” in the United States. He said Hong Kong was paying close attention to US bills including the Genius Act, which deals with stablecoins, and the Clarity Act, which is meant to set rules for crypto market structure.
But Duncan also said the Clarity Act has stalled because the Senate is still dealing with a fight over stablecoin yield between banks and crypto companies. He said Hong Kong needs to keep watching what happens next in Washington.
If the bill does not pass this month, he said it could slide to the end of 2027. He added that such a delay would slow a lot of the legislative work in the US, especially with uncertainty around the midterm elections in November.
Duncan said, “I think they’ve written a very good bill, but the political situation will not give clarity [for] some time to the development of the market.”
He then pointed to Hong Kong’s “steady progressive build-up” in digital asset regulation compared with the changing ground in the US before Donald Trump took office in January 2025 and after the Biden administration had taken a hard line against crypto companies.