Fintech Daily Digest

European Central Bank (ECB) President Christine LaGarde signaled an acceleration of the pace of its digital euro project. She also gave an October 2025 deadline to "put to reality this digital euro" after "campaigning enough with all the stakeholders - meaning the European Parliament, European Council, European Commission [to] complete the legislative process, without which we will not be able to move. The crypto press has taken October 2025 to be a prospective digital euro launch date, but that seems very unlikely to me. Surely "put to reality" means something more like preparing to pilot the new central bank digital currency (CBDC)?

"I cannot figure out why the Safe cold wallet, even though it is a web based application connecting to the internet, qualifies as a cold wallet. Bybit used a Safe wallet. Safe is an Orwellian term, like Liberty, Patriot, Truth. The wallet UI was hosted on a AWS S3 bucket a database in the Amazon cloud. All the postmortems point to the hacking of this UI with stolen Safe S3 credentials, leaked many months ago. Cold wallets are not for timely transactions as it takes a while for such multisig wallets to bridge between a disconnected wallet and the internet. Cold wallets can be as simple as a piece of paper with your private key or hardware cold wallets. Of course the bridging point is where it is most vulnerable. Maybe Safe was used because for people on the move like the Bybit CEO and his two co-signers, a wallet such as Safe is convenient. Calling it cold is a stretch."

Crypto agility describes the capabilities needed to replace and adapt cryptographic algorithms for protocols, applications, software, hardware, and infrastructures without interrupting the flow of a running system to achieve resiliency. This draft NIST Cybersecurity White Paper (CSWP) provides an in-depth survey of current approaches and considerations to achieving crypto agility. It discusses challenges, trade-offs, and some approaches to providing operational mechanisms for achieving crypto agility while maintaining interoperability. It also highlights some critical working areas that require additional discussion.

Multi-signature wallet provider Safe said that February 2025's $1.4 billion Ethereum heist from Dubai-based centralized exchange Bybit stemmed from a compromised developer laptop. The investigation's key findings highlighted a high-level Safe developer's workstation being compromised on February 4 when it interacted with a malicious docker project, or lightweight application. From there, the hackers were able to bypass multi-factor authentication on Safe's Amazon Web Services account, "hijacking" active AWS session tokens to do so. A Wayback Machine snapshot shows that two weeks after the initial compromise, malicious JavaScript was inserted on the Safe website, leading to the Bybit exploit on February 21.

Congressman and Majority Whip Tom Emmer reintroduced his Anti-CBDC Surveillance State Act, to prevent the Federal Reserve from issuing a retail central bank digital currency (CBDC), unless it is issued on an open, permissionless, and private network.

Magyar Nemzeti Bank (MNB) published a white paper on its Student Safe central bank digital currency (CBDC) pilot project, which was launched in ... and phased out in February 2025. The aim was to create a CBDC environment that is not only secure and regulated, but also flexible and user-friendly. The Student Safe offered free of charge and secure digital payment solutions to support the financial inclusion of 8-14 year olds. It provided users with the opportunity to learn the theory and practice of digital finance basics through a combination of quizzes and mobile banking functions. Going forward, the MNB will examine possible motivations and emerging use cases that could be relevant to the Student Safe user base or to another group of consumers.

The National Bank of Hungary (MNB), working with eight Hungarian banks and eleven insurers, developed a distributed ledger technology (DLT) based home insurance scheme, to coordinate data sharing about mortgage insurance policies. The paperless and transparent data transfer will reduce administrative work and reconciliations. Data sharing will be General Data Protection Regulation (GDPR) compliant, so the homeowners will have to provide consent, and only the insurer and the bank will have the right to see the data, and not the central bank. https://www.mnb.hu/sajtoszoba/sajtokozlemenyek/2025-evi-sajtokozlemenyek/blokklanc-alapu-digitalis-csatorna-a-bankok-lakasbiztositok-kozt-csokkennek-az-ugyfelterhek

The Bank of Israel (BOI) published a paper on its preliminary digital shekel (DS) ecosystem design thinking for public and professional community feedback. It covers the basic and advanced user journey, architecture and technical issues, and various aspects of policy, rules, and regulation. A prospective DS will be a universal means of payment that would be free for private users (for businesses, the costs of using it are expected to be significantly lower than existing digital payments). The DS will support offline payments, allowing payments even in situations without network connectivity. Anonymous payments would be possible but in limited amounts. Access to personal identifiable information about user DS balances and activities will not be available to the BOI, but they will be to payment service providers, like with existing digital payment methods.

"The GENIUS Act tries to mitigate credit risk on stablecoins by declaring their property of the investor vis-a-vis custodians, and prioritizing the investors' claims vis-a-vis creditors of the issuer. But neither is really a fix, and the truth is that absent a government guaranty, there's no way around this problem. No matter how much stablecoins are prioritized in bankruptcy, bankruptcy is a slow process, and time is money. And there are limits to how far stablecoins can be prioritized in bankruptcy without rendering the bankruptcy system unworkable. (Making stablecoins the property of the investors is no help in an issuer bankruptcy because all the investor gets is a digital token that is worthless without the redemption right, and that's just a bankruptcy claim; this is different than in the custodian bankruptcy scenario.) The only real way to ensure 100% timely repayment is a government backstop, but that's not something the industry wants (because it goes with regulation)." (Adam Levitin)

U.S. President Donald Trump named Bitcoin (BTC), Ethereum (ETH), XRP, Solana (SOL) and Cardano (ADA) as five assets to be included in a U.S. strategic crypto reserve. The initial announcement made on Truth Social excluded BTC and ETH ("A U.S. Crypto Reserve will elevate this critical industry... which is why my Executive Order on Digital Assets directed the Presidential Working Group to move forward on a Crypto Strategic Reserve that includes XRP, SOL, and ADA. I will make sure the U.S. is the Crypto Capital of the World. We are MAKING AMERICA GREAT AGAIN!). However, in a later post they were added ("I also love Bitcoin and Ethereum!"). https://truthsocial.com/@realDonaldTrump/posts/114093946326587357

The Bank of Ghana (BOG) expects to launch its retail central bank digital currency (CBDC) in 2025 (contingent on an act of parliament), with offline payments a key function the central bank is confident in delivering. Kwame Oppong, head of fintech and innovation, pointed out that the "technology for offline payments has been around since the 1990s, but the challenge was to ensure that the requirement of frequent reconnection and re-syncing was not obstructive. That means the experience is not truly like offline payments. We wanted to create an instrument that allows people to live off-grid and use it as they would use cash."

I report this Iraqi News story about the Iraqi central bank issuing CBDC just for the record because it's second-hand information (not directly from the Iraqi central bank) and it's odd in that it describes the CBDC replacing paper notes in transactions with central banks. Prior to this, the only evidence I have ever found of Iraq researching CBDC was a 2022 Arab Monetary Fund (AMF) report.

The Bybit security breach is turning out to had been a supply-chain attack, which is way worse than initially anticipated. While most crypto hacks exploit phishing or hacked workstations, this attack was executed directly through a supply chain compromise of Safe {Wallet}'s UI infrastructure, enabling attackers to manipulate transactions at the source. The attackers breached Safe{Wallet}'s AWS S3 storage and injected malicious JavaScript directly into its UI. This means _every_ Safe user could had been affected. https://docsend.com/view/s/rmdi832mpt8u93s7

Meme coins typically are purchased for entertainment, social interaction, and cultural purposes, and their value is driven primarily by market demand and speculation. In this regard, meme coins are akin to collectibles. Meme coins also typically have limited or no use or functionality. Given the speculative nature of meme coins, they tend to experience significant market price volatility, and often are accompanied by statements regarding their risks and lack of utility, other than for entertainment or other non-functional purposes. It is the [U.S. SEC Division of Corporate Finance] view that transactions in the types of meme coins described in this statement, do not involve the offer and sale of securities under the federal securities laws.

"The US Securities and Exchange Commission has agreed in principle to drop its lawsuit against crypto firm Consensys. The suit claimed that aspects of MetaMask violated securities laws. According to Ethereum co-founder and Conensys founder Joseph Lubin, the SEC has agreed to file a motion effectively ending the case, and the conclusion of the litigation is still subject to final approval from the commission."

The Central Bank of the Russia has postponed the launch of the digital ruble from July 2025 to a later date to be determined. According to Governor Elvira Nabiullina the central bank needs more time to work out all the details in the pilot and hold all consultations with banks on the economic model that is most attractive to customers. 15 banks, 1,700 citizens and about 30 companies have taken part in the pilot that started in August 2023.

Bybit was largely following best practices by storing only as much currency as needed for day-to-day activity in warm and hot wallets, and keeping the rest in the multisig cold wallets. Transferring funds out of cold wallets required coordinated approval from multiple high-level employees of the exchange. But no matter how strong your smart contract logic or multisig protections are, the human element remains the weakest link. This attack proves that UI manipulation and social engineering can bypass even the most secure wallets.

Banco Central do Brasil (BCB) published a technical report on the first phase of the Drex wholesale central bank digital currency (CBDC) pilot that focused on testing the use of tokenized deposits. The platform used was a private, permissioned version of the Ethereum blockchain. The pilot involved the participation of 16 financial institutions, which were selected from a pool of 36 candidates. The pilot tested a range of use cases, including the issuance and transfer of tokenized deposits, as well as the settlement of transactions involving tokenized government bonds. BCB found a tough "trilemma" between privacy, programmability, and oversight. Advanced cryptography (like zero-knowledge proofs) can hide transaction details to protect user privacy, but this also makes it hard for regulators to monitor illicit activity or even for the system to run complex smart contracts. The next phase of the pilot program will focus on advancing privacy while allowing pilot participants to suggest more use cases.

The U.S. Securities and Exchange Commission (SEC) has closed its investigation into crypto exchange Gemini, adding to a growing list of firms that have escaped the regulator's scrutiny for now. In a February 26, 2025 notice shared by Gemini co-founder and president Cameron Winklevoss, the SEC said it had concluded its investigation and "based on the information we have as of this date," the regulator will not recommend an enforcement action. The SEC charged crypto lending firm Genesis Global Capital and crypto exchange Gemini with offering unregistered securities through Gemini's "Earn" program on January 12, 2023.

"Lazarus Group isn't an occasional player in the hacking world; it is frequently the prime suspect in major crypto heists. The North Korean state-backed group has siphoned billions from exchanges, tricked developers, and bypassed even the industry's most sophisticated security measures."