Last week we were in Almaty, Kazakhstan, in a conference room organized under the OSCE’s Economic and Environmental Activities mandate, helping the financial intelligence units and tax authorities of Central Asian states build their digital asset frameworks. The architecture outside the window was Soviet brutalist. The questions in the room were surgical.
Central Asian regulators do not have the spectator option that Brussels and Washington have historically exercised. They watch what the UAE did, what Singapore is doing, and they understand with complete clarity that regulatory frameworks are either destinations or detours for capital. Nobody in that room was debating whether digital assets were real. They were asking how you tax a cross-border transaction that touches three jurisdictions before it reaches a wallet, how you build a crime typology framework for an asset class that moves faster than any legislation that has ever chased it, and what “adequate supervision” means when the underlying infrastructure is borderless by design. These are the right questions. They are also, notably, ahead of what most Western legislative bodies are currently managing to discuss.
I landed home to find the week had kept itself busy without me. Fannie Mae had changed its underwriting standards for the $4.1 trillion U.S. mortgage market. The OCC had published a final rule that every major bank had been staging behind for months. Drift Protocol had lost $285 million on the worst possible calendar day and had to say so publicly. And Anthropic had accidentally published 512,000 lines of source code for its flagship AI coding assistant, at which point someone immediately weaponized the chaos to push a remote access trojan through the npm supply chain.
Four stories. Each one would have been the headline in any previous year of this industry’s existence.
(We published two deep dives in the fortnight since Week 12. The first covered the Resolv Labs exploit in full forensic detail: the 18 audits that never examined the AWS console, the SERVICE_ROLE as an unconstrained single signing key, the TeamPCP supply chain operation running simultaneously, and the Morpho and Fluid contagion cascade. The second covered the Anthropic Claude Code leak and the supply chain attack that used it as cover. If you are building anything that touches off-chain key management, AI agent infrastructure, or developer tooling, both are required reading. Together they describe the attack surface the industry is not yet treating seriously.)
The rest of the world kept building this week. Here is what happened.
Fannie Mae Changed Its Underwriting Standards. When the Government’s Mortgage Arm Moves, the Legitimacy Debate Is Over.
On March 26, Fannie Mae began accepting BTC and USDC as collateral for down payments on conforming mortgages, through a product built with Coinbase and Better Home & Finance. No forced sale. No capital gains trigger. No margin calls. The only liquidation event is 60-day payment delinquency, identical to a standard mortgage.
Fannie Mae backs 25% of all U.S. single-family mortgage debt. That is $4.1 trillion. When Fannie changes its underwriting standards, the entire mortgage industry updates its guidelines within a reporting cycle, because the entire mortgage industry wants to sell loans to Fannie Mae. This is not a fintech experiment. This is the U.S. government’s housing finance infrastructure declaring, in legally binding underwriting policy, that Bitcoin is real collateral.
Fannie Mae does not update its underwriting standards to make a philosophical point. It updates them when the risk model clears. The model cleared. Every wealth manager who spent the last three years explaining to clients why they could not use Bitcoin as collateral for anything has a new answer, and the tax arbitrage alone, keeping the asset, borrowing against it, retaining upside exposure, and avoiding the capital gains event on the way in, is worth the headline. The private-banker playbook has just been extended to anyone who qualifies for a conforming mortgage.
JPMorgan accepted BTC/ETH as institutional loan collateral in October 2025. The CFTC approved crypto as margin collateral in December. Sixteen assets received permanent commodity status on March 17. And on March 26, the entity that underwrites a quarter of American homes said: real collateral. The collateral question is closed. Anyone still treating it as open is working from an outdated document.
The OCC Published Its Final Rule on April 1. The Banks Were Not Scrambling. They Were Ready and Waiting.
On April 1, 2026, the OCC published its final rule permitting all national trust banks to offer crypto custody. Live. Not proposed. Not in comment period. Live.
The interesting thing about April 1 is who looked unsurprised. Citi had confirmed on March 29 that its full-scale Bitcoin custody and wallet infrastructure would embed digital assets into the same institutional framework managing $30 trillion in traditional client assets. BNY Mellon CEO Robin Vince stated the day before that big banks would bridge crypto and traditional finance, leveraging $50 trillion in asset custody scale to capture institutional ETF flows. BNP Paribas launched six MiFID II-compliant crypto ETNs for French retail on March 30, structured as debt instruments specifically to sidestep the PSD2 custody licensing requirement while still capturing retail demand. Regulatory architecture studied carefully enough to find the gap, and the gap used immediately.
Kraken Financial had already received its Federal Reserve master account on March 4: first digital asset bank in U.S. history with direct Fed payment system access. SoFi is the first nationally chartered bank with direct crypto trading and its own fully reserved stablecoin, SoFiUSD. The regional players sprint on retail. The G-SIBs build the custody layer. Neither group waited for a Senate floor vote.
That is the sentence worth sitting with. The regulatory certainty was not the trigger. It was the permission slip for what was already decided. The banks building custody frameworks in March 2026 intend to be the infrastructure when the CLARITY Act formalizes what everyone is already doing. On March 30, the Senate Banking Committee confirmed its bipartisan compromise: passive yield on stablecoins prohibited, activity-based rewards permitted, markup scheduled for late April. The DOL entered the same week with a proposal opening 401(k) plans to crypto investments. The House Financial Services Committee held a dedicated tokenization hearing on March 25, where Nasdaq and DTCC executives testified for continuous, 24/7 blockchain-native settlement. When the clearinghouses testify in Congress in favour of rebuilding themselves on blockchain rails, the question of “if” was resolved some time ago.
Mastercard Sold a $3.2 Billion Mistake at a Loss and Bought the Right Thing Instead.
In 2019, Mastercard paid $3.2 billion for the Nets real-time payments unit. By March 2026 it had engaged bankers to sell it at a projected loss: $370 million in annual revenue, $100 million in EBITDA, a persistent drag on a company running 57.6% operating margins. Nets was the payments equivalent of buying a regional bus company in 2015 on the thesis that local transport was strategic infrastructure. The thesis was defensible. The product stopped being the point.
The same week, Mastercard announced it was acquiring BVNK for up to $1.8 billion, structured as $1.5 billion upfront with a $300 million earnout. BVNK processes an annualized $30 billion in volume, operates across 130 countries, holds 25+ global licenses, and is the connective tissue between stablecoin rails and traditional fiat settlement. Coinbase had reportedly offered $2 billion for BVNK four months prior. Mastercard got it for less. Draw your own conclusions about negotiating position when the strategic buyer is also the only regulated network connecting every major bank.
The contingent structure is the tell. They are not buying the company as it currently exists. They are paying for the roadmap. The lesson from Nets is not that real-time payments were a bad idea. It is that you bought the regional rail when the global highway was being built in the adjacent field. BVNK is the on-ramp to the highway. Mastercard decided it would rather own the on-ramp than spend another decade watching someone else charge the toll.
Mastercard also unveiled “Verifiable Intent” this week, co-developed with Google, backed by IBM and Checkout.com: a cryptographic proof-of-authorization framework for AI agent transactions. Visa is betting on verifying who the agent is. Mastercard is betting on verifying what the consumer intended. McKinsey projects the agentic commerce market at $3 to $5 trillion by 2030. The race to own the trust layer of that market is now a direct competition between the two networks that currently own the trust layer of every other payments market. Choosing the wrong protocol standard at this stage will be expensive. The Betamax comparison is available if you need it.
Anthropic’s Leak Revealed the Blueprint for the Machine Economy. We Covered It. Here Is the One-Paragraph Version.
On March 31, Anthropic accidentally shipped the entire source code for Claude Code via a missing .npmignore entry. Not a hack. A build error. 84,000 GitHub stars and 82,000 forks before the DMCA notices arrived. We published a full deep dive and if you have not read it, read it. The short version for this newsletter: the leak contained KAIROS (Claude transitioning from tool to autonomous background agent), autoDream (memory consolidation running while the user is idle), and ULTRAPLAN (30-minute dedicated Opus 4.6 planning sessions), which together are the most complete public blueprint for production-grade autonomous software agents that exists. It also contained Undercover Mode, which instructs the model to strip all AI attribution from open-source contributions and, in the code’s own words, “not blow your cover.” The open-source community’s response was not charitable. That last line is doing more work than it appears.
The security advisory from the deep dive stands: if you installed or updated Claude Code between 00:21 and 03:29 UTC on March 31, a compromised axios dependency carrying a remote access trojan was in circulation during that window. Rotate your secrets. Audit your environment. The chaos of the leak was the attack window, and the pattern, high-profile noise as cover for supply chain credential harvesting, is the same pattern documented in the Resolv forensics. Both deep dives. Same architecture of failure.
Wall Street Is Rebuilding Itself on New Rails. The Disruption Narrative Got the Destination Right and the Mechanism Wrong.
On March 27, the DTCC, which processed over $3.7 quadrillion in securities transactions in 2024, received SEC approval to launch a production-grade tokenization service for U.S. Treasuries in 2026. The NYSE announced a 24/7 on-chain trading platform for fractional shares and instant settlement in the same week, with BNY Mellon and Citi providing tokenized deposit support.
When the clearinghouses testify in Congress in favour of rebuilding themselves on blockchain infrastructure, the debate has moved from “if” to “who owns the new version.” The answer is: them. The crypto idealists who spent a decade predicting that DeFi would displace the clearinghouses are going to watch the clearinghouses build on the same rails. The chains win the settlement layer. The clearinghouses win the distribution. Both things are simultaneously true.
Franklin Templeton arrived at the same destination by a different route. On April 1, the $1.7 trillion asset manager launched Franklin Crypto, a dedicated division built from its acquisition of 250 Digital (a CoinFund spinoff), explicitly targeting pension funds, endowments, and sovereign wealth. Not retail. Not passive ETF wrappers. Active management of digital assets at institutional scale. ETFs were the entry point. Corporate treasury allocations were the second layer. A dedicated active management division inside a traditional giant is the third, and it is the one that makes digital assets a permanent asset class rather than a line item in an innovation budget.
BlackRock is targeting $500 million in annual digital asset revenue within five years. Its IBIT holds 784,062 BTC. Strategy holds 761,068 BTC. Strategy acquired 40,332 BTC in late March alone. Two entities are racing openly to be the largest Bitcoin holder on the planet, both buying into a geopolitical crisis that is suppressing prices. That is not speculation. That is a supply shock building in slow motion, and the institutions building custody infrastructure are the ones who will service both sides of the trade when it resolves.
VARA Became the First Jurisdiction to License Regulated Retail Crypto Derivatives. This Is What Decisive Regulation Looks Like.
On March 31, VARA enacted Version 2.1 of its Exchange Services Rulebook: regulated crypto derivatives, perpetuals, futures, and options, retail access at 5x maximum leverage, mandatory suitability assessments, margin monitoring, forced liquidation mechanisms, and insurance funds. Real capital requirements. Enforceable consequences.
Dubai is now the first major jurisdiction on earth to explicitly license retail crypto derivatives within a regulated perimeter. The offshore venues offering 50 to 100x leverage are not competing in the same category. They are operating in a universe that is actively contracting as institutional capital migrates toward frameworks with actual rules. VARA has licensed over 85 companies. It suspended KuCoin’s licenses in March for misrepresenting its regulatory status and providing unlicensed services to Dubai residents. That enforcement is the credibility that attracts the capital that builds the ecosystem. Not the press releases. The removal notices.
The UAE’s federal VASP law (Decision No. 4/R.M/2026) went live simultaneously: eight licensed activities, capital floors from AED 500,000 to AED 4 million, explicit bans on privacy tokens and algorithmic stablecoins. One federal perimeter above DIFC, VARA, and ADGM. Dubai moved from 22nd to 7th in the Global Financial Centres Index in three years. Meanwhile, the ECB’s March 23 keynote acknowledged that Europe’s €4 billion in DLT-based fixed income since 2021 is hitting a fragmentation ceiling and that a wholesale digital euro is a prerequisite for scale. The ECB has been studying the digital euro since 2020. VARA wrote a derivatives rulebook in 2026. Infrastructure is built by people who make decisions rather than people who commission consultations about decisions.
SwissBorg Got MiCA Approval. June 30 Is Eleven Weeks Away and It Is Not a Suggestion.
On April 4, SwissBorg received MiCA authorization from France’s AMF: custody, portfolio management, order execution, and transfer services across the EU. Migration from its Estonian entity to the French-regulated structure follows.
This is the first clean approval from the approaching deadline wave and it is showing the industry precisely what preparation looks like in regulatory timelines. The French PSAN transitional period ends June 30, 2026. Luxembourg passed DAC8 implementation unanimously on March 22: from January 1, 2026, all European exchanges must gather detailed user data for sharing with tax authorities, with automatic inter-EU data exchange starting in 2027 on 2026 data. The ESMA and EBA Level 2 Regulatory Technical Standards published in March define the exact capital adequacy, suitability, and operational separation requirements that will determine which applications clear and which return to the back of the queue.
The firms receiving approvals in April had documentation in progress since Q1 2024. The firms filing now have narrow windows. The firms still asking about the process in May will not be licensed in June.
If your MiCA application has not started, we built micahub.net specifically for this moment. It is the fastest structured path to getting your books, governance, and license framework in order before the deadline closes. The SwissBorg approval shows what the prepared application looks like. June 30 is not a soft target, and there will be no extension. Reach out.
Hong Kong Missed Its Own Deadline. The Capital Does Not Wait While You Review Your Review.
Hong Kong committed to issuing its first HKD stablecoin licenses by end of March 2026. On April 1, the HKMA register of licensed stablecoin issuers was blank. HSBC and the Standard Chartered-Animoca Brands joint venture, in sandbox since 2024, ungranted. Officials cited AML/KYC depth, reserve verification, and contingency planning requirements.
These are legitimate concerns. Singapore also has legitimate concerns and managed to launch Project BLOOM, its cross-border stablecoin corridor with Thailand, on March 28, while finalizing its own licensing framework. South Korea ended its nine-year corporate crypto ban, allowing listed companies up to 5% of equity capital in the top 20 cryptocurrencies. Japan’s FSA proposed on April 5 reclassifying crypto under the Financial Instruments and Exchange Act: securities-grade disclosure, insider trading provisions, bank participation under risk conditions. Australia passed its Digital Assets Framework Act on April 1: AFSL licensing equivalence for exchanges and custodians.
The Asian regulatory map moved decisively this fortnight. Hong Kong issued a statement. When HSBC and Standard Chartered have been in sandbox since 2024 and the approval register is blank in April 2026, the question shifts from “when?” to “where is the capital staging in the meantime?” Singapore, Seoul, and Tokyo are answering the question with legislation. The window for regional hub status does not stay open across multiple missed self-imposed deadlines, and the capital already knows where the unlocked doors are.
Drift Said This Is Not an April Fool’s Joke. The Pattern Behind It Is Now Three Incidents Old.
On April 1, 2026, Drift Protocol lost $285 million. The team posted publicly: “This is not an April Fool’s joke. We are experiencing an active attack.” Somewhere, the universe was keeping score.
Not a smart contract exploit. Not a code vulnerability. An attacker socially engineered 2 out of 5 multisig signers into approving transactions they did not understand. Two human beings, with the right credentials and the wrong mental model of what they were signing, were the entire security perimeter between users and nine figures. The DRIFT token fell 25%. Fifth-largest DeFi exploit in history. Worst possible calendar timing.
We published a complete forensic breakdown of Resolv two weeks ago. The Drift architecture is the same failure mode with a human at the centre rather than a cloud credential. In the Resolv case: a single externally owned account, no on-chain mint cap, an AWS KMS environment that existed outside the scope of eighteen security audits, and a credential harvesting operation (TeamPCP’s compromised Trivy supply chain) running in parallel on the same weekend. In the Drift case: a multisig with no signer verification protocol, no transaction simulation requirement, and no anomaly detection on outgoing approvals. In the Claude Code case: a supply chain attack running inside the noise window of the leak, targeting the same category of developer credentials.
Three separate incidents. Three separate vectors. The same architecture of failure: the cryptography is sound, the off-chain infrastructure is the target, and the human beings controlling the keys are the weakest link in a system designed as though they were the strongest. The industry has spent a decade perfecting on-chain security culture. The dominant attack surface has quietly migrated to cloud environments, supply chains, and the humans holding signing authority. In 2025, $3.4 billion was stolen from crypto in total. The consistent cause is not the code.
DeFi does not have a code problem. It has an HR problem, specifically the problem of nine-figure treasury management being governed by a security model that would fail a bank’s entry-level compliance audit. The institutionalization of the asset class will not solve this automatically. It will expose it, expensively, until the industry decides to close the gap on purpose.
What Nobody Is Actually Connecting: The Iran War Is a Direct Threat to AI Chip Production and the Timeline Is Running.
Everyone is covering oil at $100 to $140 per barrel. Nobody is covering the helium.
Qatar’s Ras Laffan Industrial City, disrupted by the conflict in early March, is simultaneously the world’s largest LNG export facility and the source of approximately one-third of global industrial helium supply. Helium is extracted as a byproduct of natural gas processing. That processing is currently disrupted. There is no emergency production ramp: helium is a byproduct, not a primary product, and cannot be synthesized or substituted in the applications that matter.
Those applications include: cooling wafers during the etching process, maintaining the controlled environments required for extreme ultraviolet lithography, and servicing cryogenic systems at 2nm and 3nm fabrication nodes, the nodes that produce Nvidia’s Blackwell and Rubin series and every other GPU currently in structural global shortage. TSMC and Samsung were reported in late March to be holding three to six months of inventory. Liquid helium has a shelf life of 35 to 48 days in specialized containers. It cannot be stockpiled like copper. Do the math on when current inventories run out if the Ras Laffan disruption persists. The answer points toward a hard production ceiling on AI chips sometime between May and June 2026.
The United States entered this conflict with Israel’s strategic priorities providing the map, and is now the country most exposed to both the resulting oil shock and the AI hardware supply chain disruption that war created. For a conflict fought largely on someone else’s behalf, the blowback is landing with impressive precision on American soil.
In an administration where Truth Social posts on oil prices and ceasefire timelines have moved markets faster than official press releases, a supply chain threat that directly impacts Nvidia, TSMC, and Samsung valuations and has not yet reached mainstream financial media is precisely the category of non-public, sector-specific intelligence that the current Washington political economy has demonstrated a particularly refined appetite for. The next wave of interesting trading patterns may not be in oil futures.
South Korea’s HBM situation compounds this. SK Hynix and Samsung produce the High Bandwidth Memory inside every major AI GPU. South Korean industrial electricity prices have risen 39 to 55% year-to-date due to the conflict’s energy market impact. HBM3e was already sold out for the year before March. These cost pressures are now flowing through the supply chain to U.S. tech companies funding data center buildouts on private credit. The Iran war’s impact on Bitcoin mining costs shows up on a spreadsheet this week, specifically mining costs at $88,000 per coin against a sub-$72,000 spot price, with a -7.76% difficulty adjustment on March 28 and the sector announcing over $40 billion in AI infrastructure pivots to compensate. Its potential impact on AI chip production timelines shows up in your infrastructure roadmap assumptions for 2027. The oil chart is the obvious headline. The helium shortage is the one that will matter more at a three-year horizon.
The AI agent payment stack is now at its TCP/IP moment. Eight competing protocols are live: Stripe’s MPP, OpenAI’s ACP, Google’s AP2 and UCP, Visa’s Trusted Agent, Mastercard’s Agent Pay, Coinbase’s x402, and MoonPay’s Open Wallet Standard (MIT-licensed, with PayPal, Ripple, Ethereum Foundation, and Solana Foundation as contributors across eight chain families). Only Stripe spans the payment rail, commerce layer, blockchain infrastructure (Tempo, $500M at $5B valuation), stablecoin acquisition (Bridge, $1.1B), and wallet layer (Privy, 75M wallets) simultaneously. China UnionPay deployed its Smart Agent Payment Protocol on April 3 and completed five production-system validation transactions. The Anthropic Claude Code leak revealed, in documented source form, what the agent architecture looks like at production scale: KAIROS, autoDream, ULTRAPLAN. The blueprint for the machine economy was accidentally published on March 31. USDC settled 98.6% of 140 million AI agent payments over the previous nine months. The currency of that economy has an early leader.
OpenFX raised $94 million at a $500 million valuation on March 31, led by Accel, Atomico, Lightspeed, and Pantera: stablecoin-powered FX targeting the MXN, BRL, COP, and ARS corridors where traditional rails run 2 to 5 business days at 50 to 150 basis points. Annualized volume from $4 billion to $45 billion in one year. When geopolitical volatility is exposing the fragility of correspondent banking, OpenFX is demonstrating the replacement at pace.
Our Take.
The real Week 12 was titled “The Map Was Drawn on Tuesday. The Territory Caught Fire on Saturday.” The SEC and CFTC delivered legal clarity on March 17. The Resolv exploit followed four days later. Week 13 delivered the same argument in three simultaneous data points: the OCC rule went live, Fannie Mae accepted Bitcoin as mortgage collateral, and on the same day, Drift lost $285 million and Anthropic accidentally published its autonomous agent architecture while a supply chain attacker used the noise as cover.
Regulatory clarity is a necessary condition for institutional adoption. It is not a sufficient one. The institutions arriving now will find infrastructure that secured its smart contracts and left its cloud layer as an unexamined assumption. The gap between where institutional custody standards sit and where key management at many protocols currently sits is the single most important addressable security problem in the industry. It will close. The question is whether it closes proactively or through a sequence of progressively larger incidents.
The Fannie Mae decision is the cleanest statement of where we actually are. The entity that underwrites a quarter of all American homes does not change its underwriting standards speculatively. It changes them when the risk model supports the decision. The model supported it. That is a statement about permanence, not experimentation. You do not revise a $4.1 trillion book’s collateral standards for a concept you expect to be gone in five years.
The Kazakhstan conversations add the dimension that most Western analysis misses. The Central Asian regulators building digital asset frameworks on limited resources and real urgency are asking sharper questions than most of their Western counterparts, because they cannot afford to get it wrong and cannot afford to wait. The map continues to be drawn in Brussels and Washington. The territory is increasingly being built in Almaty, Abu Dhabi, and Singapore. The builders who understand this early have options the others will not. The gamblers come and go. The builders go everywhere.
The Cointegrity Perspective.
This is the space we operate in. Not the April Fools’ timing of a nine-figure DeFi exploit. Not the oil charts. Not the GitHub star count on a leaked source map. The structural layer: OCC final rules, Fannie Mae underwriting changes, VARA rulemaking, a leaked autonomous agent architecture that tells you more about the machine economy’s infrastructure than any analyst report, and helium supply chains connecting drone strikes in Qatar to Nvidia production ceilings in May that the payments industry has not yet priced into its roadmaps.
The week had two registers. The loud one: $285 million stolen on April Fools’ Day, Bitcoin between $64,000 and $72,000, a viral GitHub repository, and Anthropic managing a crisis on a day when nobody could tell what was a joke. The quiet one: a $4.1 trillion mortgage book declaring Bitcoin real collateral, a federal custody rule going live, the world’s clearinghouse receiving Treasury tokenization approval, VARA becoming the first jurisdiction to license regulated retail derivatives, and an accidentally published source map revealing the complete blueprint for the autonomous software agent Anthropic had been building in private.
The loud register gets the tweets. The quiet register builds the decade.
If you are building in this space, in licensing, infrastructure, payments, custody, or navigating any of the regulatory frontiers covered in this issue, this is what we do. The infrastructure is the story. Everything else is weather.