Bridge or Breach: unpacking TradFi/ DeFi collaboration risk

11 December 2025

Ashurst’s Simon Williams returns and is joined by Meredith Fitzpatrick. As a former FBI Special Agent, and now Forensic Risk's Director of Cryptocurrency Investigations, Meredith brings unique insight into digital assets risk.

To listen to this episode and subscribe to future episodes, search for ‘Ashurst Legal Outlook’ on Apple Podcasts, Spotify or wherever you get your podcasts. To find out more about the full range of Ashurst podcasts, visit www.ashurst.com/podcasts.

For more Digital Assets thought leadership from Ashurst visit www.ashurst.com/digitalassets

The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to. Listeners should take legal advice before applying it to specific issues or transactions.

Transcript

Simon Williams:

Hello and welcome to Ashurst Legal Outlook. This is episode two and we are continuing our podcast on operationalizing DLT. Today we are talking about some of the material risks of operationalizing DLT and some ways to mitigate and address those risks.

I am Simon Williams, Counsel in Ashurst's Digital Assets and Financial Innovation team. Ashurst is a global law firm with genuine world-first global experience and expertise in the digital assets space, as well as a deep involvement in digital assets' future development and regulation.

In episode one, as a very brief overview, we talked about what we are seeing with traditional finance and digital natives operationalizing distributed ledger technology, including by collaborations. We also gave a very quick overview of the DLT universe. Episode two may make more sense if you've listened to episode one. And there's a link in the description.

To help talk through this topic, I'm joined by Meredith Fitzpatrick from Forensic Risk. Welcome, Meredith.

Meredith Fitzpatrick:

Hi, Simon. Thank you so much for having me on.

Simon Williams:

In episode one, we spoke to your colleague, Thomas Hyun.

Before we dive in, Meredith could you tell us a little about your role at Forensic Risk and your expertise in the DLT world?

Meredith Fitzpatrick:

Sure. So first off, very happy that you were able to speak with Tom. He's been in the industry for a long time and has a wealth of knowledge as far as how DLT technology has entered into the traditional financial space.

I'm FRA's Director of Cryptocurrency Investigations, and I lead FRA's cryptocurrency practice. So to think about the differentiation between the practice that Tom leads and the practice that I lead. Really anything that comes with crypto financial compliance, crypto AML compliance, that's going to be handled by Tom's group. What I do is, and my background, it's really anything that involves on-chain tracing. So using on-chain tracing to either conduct investigations to figure out where money came from or to figure out where money is going to. Or to use on-chain information to do a risk assessment, so looking at an entity's on-chain risk profile.

So I've been at FRA for about two years. Prior to joining FRA, I was a Special Agent in the FBI for seven years. And during that entire time, I focused exclusively on one computer intrusion investigation, so financially motivated computer intrusions. And then the back half of my career, I switched over to the national security side of the house where I was focusing on Russian state-sponsored computer intrusions. And then I also worked cryptocurrency money laundering. So back in 2017, when I started my career at the Bureau, crypto, it was still fringe and it was still on the outskirts as far as investigations, but it was starting to come up more and more in the criminal cyber sense.

And in 2017, it was a really interesting and groundbreaking time where you weren't the guinea pig that was writing the affidavit for the first time. We had already had the Silk Road case. There was an established precedent in court as far as submitting blockchain analytics to support that a party had either financially benefited from a certain activity or that a party was the financial sponsor of a certain activity, and that the way in which that was happening, it was cryptocurrency. And the investigative method, it was looking at funds that were moving on the blockchain. So it was really interesting in the sense that bad guys still thought that it was anonymous, which as Tom discussed, and I think what's very well known in the industry now, is that it is anything but anonymous. So back then, it was a really interesting time where bad guys still thought that this was totally anonymous. However, the FBI, DEA, Secret Service, the NCA in the UK, other law enforcement agencies throughout the world, we now have some muscle memory as far as how you actually use blockchain analytics to further your investigation. There's a lot of really interesting cases that happened at that time.

So at that, I've worked cryptocurrency investment fraud, ransomware, bad actors using cryptocurrency as a means to buy and sell illicit goods online. And then over on the nation state side of the house, looking at how different adversarial intelligence agencies throughout the globe - so Russia, North Korea, some other ones - looking at how they were using it to purchase servers. So infrastructure that they would then use for cyber attacks.

I was also an early member of the FBI's virtual currency response team. So back when I first started, it was just a small group of agents and intelligence analysts and forensic accountants that had gained expertise just through experience. And then by the time that I left, the FBI had the Virtual Assets Unit.

Simon Williams:

Thanks, Meredith. That segues really well into the first point. So let's talk about cyber risk.

Meredith Fitzpatrick:

Sure. So I think in the crypto context, cyber risk and cybersecurity is especially important. So these are financial assets that live online. And in the context of a hack and cryptoasset theft, if we think about how this happens, it's really a cybersecurity attack. So that's what I mean when I say that in cryptoasset security, you need to think of it as cybersecurity. Because of the irreversible nature of the blockchain, if somebody hacks into a personal computer of a high net worth individual or an exchange or another type of cryptocurrency platform, and if they are able to exfiltrate funds from the wallet, because of the irreversible nature of the blockchain, I mean, they're gone. There isn't a help desk at a corresponding bank that you can call to try and freeze the funds and get them back.

There is a bit of nuance to what I just said. So if it is going from a centralised cryptocurrency exchange to another centralised cryptocurrency exchange, that is a specific scenario where maybe there is that help desk type of situation. But for the most part, I mean, that still requires the funds being sent back - once they are sent out, the blockchain, it is irreversible. So that's what I mean when I say that when you think about securing these assets, it's really your cybersecurity posture. So what is your two-factor authentication? How do you think about your hot storage versus your cold storage? Things of that nature. So really thinking about your cyber hygiene.

And then throughout time, we have seen these cyber attacks get more and more complicated. So I would say, in the early days, and what I was seeing back when I was in the government, is that it was more of just like an old school account takeover or an actor group compromising a centralised cryptocurrency exchange. I think what we're seeing now, and then especially in the context of North Korea and how they are using crypto thefts to fund their nuclear regime, these cyber attacks are getting much more complicated. And then they're really starting to blend in with traditional supply chain hacks that we see more in the cyber sense.

So for example, in February 2025, Bybit suffered a very large hack. There's a lot of open source information out there saying that North Korea was the perpetrator of this hack. And what ultimately happened is that Bybit lost almost $1.2 billion as a result of this theft. However, if we take a step back, it's a little bit misleading to say that Bybit got hacked, and that that's the sole reason for this hack. What actually happened, if you were to really dig under the hood, is that a wallet provider that they had used - Safe Wallet - they were actually the ones hacked. So Bybit used Safe Wallet as a technology provider to custody their funds. And what happened was that DPRK essentially injected malicious code into Safe Wallet that was designed to only turn on when it was interacting with Bybit's smart contract address. And so when Bybit then interacted with Safe Wallet, this malicious code essentially redirected $1.2 billion. Instead of going to Bybit, it went to wallets controlled by North Korea.

So this was a very, very technically sophisticated attack. Both in the sense that it was a supply chain-like attack - meaning that Bybit was the ultimate target of this attack. But in order to get to Bybit, North Korea hacked one of the technology providers that they used. And then that it was also very technologically sophisticated in the sense that this malicious code that they injected, it was only meant to essentially activate when it was interacting with Bybit. So it could kind of run silently in the background. And then once the ultimate end target interacted with Safe Wallet, then it would only turn on.

Simon Williams:

That's great. Thanks, Meredith. We're obviously hearing a lot about hacking and the techniques that are in use. Are there any new trends that you're seeing in this space at the moment?

Meredith Fitzpatrick:

I would say - as far as looking at trends - it's a bit of a mix of old and new. So like I just described with North Korea, is that these hacks are just getting a lot more complicated and they're really starting to blend with more of this supply chain family of hacks. So I think - just to back up for listeners that maybe aren't as familiar with supply chain hacks. If your end target is company A. Instead of attacking company A, you're going to maybe attack a component - like company B - that is a supplier or a vendor to company A that legitimately interacts with that other company. So to go back to an old school human intelligence collection situation.

So say if a nation state actor, if they're meaning to target the CEO of a company, and they want to implant a listening device into the CEO of the company's office. Instead of trying to drop in from the ceiling like Tom Cruise and implant a listening device into the CEO's office, they would compromise the cleaning staff of that office and get them to put the listening device in. The cleaning staff has a legitimate relationship with that building. There is a justified reason why they're going into that office every single day, and it is just an easier and more under the radar avenue for compromising your end target. So this is exactly what we're seeing for crypto. So I'd say for companies, it's really important to be doing your vendor due diligence. And when you think about your vendors and your whole supply chain, really looking at their cybersecurity posture and thinking through how they can be an attack vector for your company.

But on the other hand, when I say it's also a little bit of a mix of the old as well, is that social engineering is still the most reliable way. Humans still tend to be the weakest link when it comes into these companies. So going back to this Bybit and Safe Wallet situation, is that the initial attack vector into Safe Wallet - it was actually a social engineering compromise. So this is CEO impersonation, or sending people a very targeted email in order to get them to open up an attachment or click on a hyperlink that they typically wouldn't. When I was in the government, and what I've also seen now, is that job searching is a tried and true method of this. People would email companies saying they're a candidate for this position, and their CV is attached to this email. And then when they open up the attachment to the email, then malicious code gets onto their computer.

So I think the important point to note on that is that even when you think about your most sophisticated cyber actors, like your APT groups, your nation state intelligence agency cyber actor groups, is that they're not going to use a silver bullet if they don't need to. Yes, they do have very technologically sophisticated means for executing cyber attacks, but if they can still get into the network through social engineering, they've still been very successful in using that.

Simon Williams:

Thanks. That's really interesting. And this naturally segues into technology risk - ie, the risk in the technology itself. One issue that we are dealing with a lot at the moment is the private blockchain versus public blockchain issue. So amongst other things, it feeds into regulatory considerations and also the logistics of operationalizing DLT such as interoperability. What is Forensic Risk seeing in the technology risk space Meredith?

Meredith Fitzpatrick:

Most of the customers and clients that we are dealing with, it's primarily public blockchains. It's a mix of public and private blockchains. I'm thinking more about centralised exchanges where they have wallets that are on Bitcoin, Ethereum, Tron - your well-known public blockchains. And then they're using private blockchains for internal order book management or internal book transfers. There are different technological risks to both. I would say from a cybersecurity perspective for public blockchains, because it's distributed, I am not as worried about the actual blockchain getting hacked. I would think more about that cryptocurrency platform needing to just have really robust cybersecurity when it comes to their hot wallets.

And then on the flip side, when it comes to private blockchains, that's when different types of threats come in. So insider threats. Or the fact that because there isn't as much computing power behind it, the risk of somebody wanting to do a 51% attack and then rolling back the blockchain so it is then having a different ledger take over. It's really up to the companies to do a risk assessment as far as the business need for the private blockchain. So doing a risk assessment of why they are going to be doing that, and then what security protocols they're going to have on top.

Simon Williams:

And Meredith, when you mentioned the less severe risks for public blockchain because of the infrastructure, breadth and depth, and then the inability to easily roll back a blockchain, you're talking about how the consensus mechanism works on a public blockchain and its immutability. Just for those less familiar with blockchain concepts, Meredith could you give us a bit more detail on those and how that works?

Meredith Fitzpatrick:

Sure. So for consensus, I mean, blockchain is distributed ledger technology. There are computer nodes all throughout the world, especially for the bigger blockchains like Bitcoin and Ethereum. There are nodes throughout that are coming to a consensus as far as what is the most up-to-date version of this ledger. And there's a number of different mechanisms in which they can do this. So Bitcoin, they use a proof of work model. Ethereum and a number of other ones, use a proof of stake model. But the security in that, is essentially, just the sheer volume of nodes that an attacker would have to take over in order to execute a 51% attack. And then enter in a different version of the ledger. Just at this point with the maturity of these, it's never say never, but it's pretty darn close to impossible.

On the flip side, when it comes to private blockchains, maybe that infrastructure doesn't have the breadth and depth of the various nodes. Maybe volume-wise, it isn't as large. But the companies - certainly they have a lot more control over which systems are going to be supporting this. Who has access to it. What are the sign-off requirements. And things of that nature. So I would say on the whole for both, it's still pretty darn secure. It's just the companies need - especially for internal ones - they just need to put a little bit more thought into identity and access management. Who has access, who has permissions to do what, and things of that nature.

Simon Williams:

Thanks, Meredith. That's really helpful.

From a regulatory point of view, regulators are increasingly taking a tech-neutral approach in terms of private blockchains and public blockchains. Provided that, of course, all the relevant risks are covered off.

I wanted to touch on culture. So for some, there's a perception that digital natives come from a very fast moving tech startup unregulated culture. Whereas some might see traditional finance as much more (small 'c') conservative and slow moving. What is your perception of that and how collaborations could be impacted by those - perhaps - differing cultures coming together?

Meredith Fitzpatrick:

Sure. I think like most things, the truth lies somewhere in the middle. There's certainly stereotypes of the fintech and crypto industry being the Wild West and being a very startup - like growth and revenue first, compliance second. And then there might be perceptions on the other side of traditional finance being these big behemoth bureaucracies where things move very slow. Both in my time in the government, and now at FRA, we've worked with both pretty extensively. And I think there are a lot of misconceptions that the two sides have of the other. And the truth really lies somewhere in the middle. I think if you were to look at the earlier days of crypto, I mean, there certainly is a reason why it has the reputation that it does. But I don't think that's an accurate reflection of the way that things are working now.

Yes, there definitely were lots of examples of startups that exploded in growth. And either had no compliance and no governance functions, or maybe the compliance and governance functions did not mature as fast as they should have compared to the growth of the industry. But I think right now, if you were to look at the small, medium, larger types of cryptocurrency platforms. And I think especially now where a lot of them are trying to either re-enter the U.S., or traditional financial institutions are coming into the mix. I mean, it is the norm - and it is expected now in this industry - that you do have a mature compliance programme. And you do have mature governance structures. And I think a lot of these companies really are trying to do the right thing. I think especially now, where it's just very widely known in the industry, blockchain intelligence companies can look at all of your on-chain behaviour. Law enforcement agencies, they can also look at your on-chain behaviour to see if dirty money is clearly going in and out of your platform.

I think that that is really appreciated in the industry. And then there's not wanting to get away from the goal of all this. Which is to create a safer financial infrastructure.

We've also worked with some crypto platforms that are really on the bleeding edge of technology. Maybe product wants to move faster than governance and compliance does. And I think we've had some really thoughtful conversations and working sessions with companies that are trying to do that - recognising these are their resources. What's the most important compliance changes they can make? Or if this is a limited compliance budget, what are the most impactful things that they can do?

So yes, they do tend to move a lot faster than banks, which can make TradFi players uneasy. But I do think they understand the need to do a risk assessment. They understand, if we're adding in a new product line or significantly changing our technology, that we then need to assess what are the new risks that are going to be entering in. The regulators know that too. And the regulators are going to - I think with the entering of TradFi into this space - the regulators are going to be expecting these crypto companies to really mature to meet the level for the compliance and governance functions of their TradFi counterparts.

Simon Williams:

Thanks, Meredith. That's a really interesting perspective.

Just adding to that in terms of the culture point and regulation. Traditional finance is one of the most highly regulated sectors in the world. In contrast, digital natives have usually been lightly or unregulated. Cryptoasset regulation is fast-changing, and regulation will be a big culture shift for digital natives. So digital natives are becoming part of the highly regulated financial services mainstream. For example, under the UK's proposed regime, cryptoasset activities in the UK will essentially be subject to the same standards as traditional financial services. So firms wishing to carry out regulated cryptoasset activities will be required to obtain UK Financial Conduct Authority - FCA - authorisation.

Traditional finance and digital natives culturally start from very different regulatory places. The regulation of collaboration brings them closely together, and will be a big culture jump for both. Likely more so than direct regulation alone.

Domestic regulation also needs to be considered in the context of international regulation. Each major financial centre aspires to be the digital asset jurisdiction of choice. All of them are at different stages of implementing regulatory regimes. Whilst there's a commonality of approach in some respects, naturally there are many differences too. Regulatory variances can offer jurisdictions a competitive advantage. However, digital assets are 'everywhere and nowhere'. Regulatory divergence penalises globally regulated financial institutions and is also susceptible to regulatory arbitrage.

The FSB and IOSCO have recently published their thematic reviews of digital assets regulation. And this shows that the landscape is still very fragmented with much regulatory work to be done. And regulators themselves are not immune from the international regulatory challenge. For example, the European Commission and the European Central Bank are currently grappling with the potential commercial and systemic risks of a dual EU and non-EU issued fully fungible stablecoin. And this theme has also been flagged by the international regulatory bodies. For example, the recent European Systemic Risk Board report.

So, in time, we expect standards for regulatory equivalence and even passporting. And these will come via international trade agreements and initiatives such as the UK-U.S. Financial Regulatory Working Group.

I think it's also useful to talk about Common Standards. It's widely accepted that common international standards are important for sound, stable, and well-functioning financial systems. Although it's not surprising that common standards are still developing for the nascent DLT sector, Basel's Working Paper 44 illustrates the scale of the problem, whereby even fundamental concepts such as definitions of permissionless/permissioned, and public/private blockchains are still under debate. Industry recognises the problem and is actioning solutions. The compliant setting of universal common DLT standards should be treated as a priority by regulators, trade associations and industry alike.

So, overall, I think that regulation is a game changer for digital natives. For some, it has brought the cryptoasset sector's reputation in from the cold. And at the same time, it has enabled regulators now to contemplate TradFi/ DeFi collaboration.

As with all things DLT, there are so many other things that we could discuss today, but unfortunately we are at time. So that brings us to the end of today's podcast. Thanks very much Meredith for your great insights in this episode two. And of course to your colleague, Tom in episode one.

Thank you to you for listening to our podcast. We hope you found it informative.

If you would like further information on any of the topics raised, please do reach out to your usual Ashurst contact, to me or to any of the other contacts listed in the podcast description. Please also feel free to share the podcast with interested colleagues. As a reminder, if you've not yet caught episode one, there is a link to it in the podcast description.

If this is the first time you've come across Ashurst's podcasts, please take a look on our channel for other podcasts of interest and subscribe for notifications of new content. For other digital assets content, please see www.ashurst.com/digitalassets for our thought leadership. That is ashurst.com/digital assets, all one word. And the link is also in the podcast's description.

And all that remains is for me to say goodbye. Goodbye.
