0x21 Web3 Security Bulletin
Crypto and web3 security insights, including tools, hacks, and regulations.
TL;DR
Google's Quantum AI research team dropped a bomb, demonstrating that the elliptic curve cryptography (ECC) protecting Bitcoin and Ethereum could be broken with fewer than 500,000 physical qubits, a ~20x reduction from prior estimates.
Running an AI agent? Check how Vitalik secures his personal setup with privacy and security as first-class use cases.
With typical rigor and detail, ZachXBT blasts Circle, documenting over $420M in compliance failures.
Catalysis is ramping up their vault security posture before their mainnet launch, partnering with Guardrail for on-chain monitoring.
Another week in crypto: Drift gets hacked for $285M.
depthfirst lands an $80M Series B round led by Meritech Capital and unveiled dfs-mini1, its first in-house security model targeting smart contract vulnerabilities.
Lastly, my Web3 x402 project launched this week! More to come on how I built an agentic cloud storage application with wallet-native API authentication that accepts Circle USDC stablecoins on Coinbase Base L2. I might have been slightly overshadowed by The Linux Foundation formally launching the x402 Foundation. Not to worry; big things are happening!
Q1 2026 Protocol Exploits Topped $169M Across 55 Incidents
CD Security’s quarterly report counts only protocol-level losses (no phishing or rugs). January carried most of the total; Step Finance ($40M), Truebit ($26.4M), and Matcha ($16.8M) were among the largest. The firm says most incidents mapped to known bug classes. Logic flaws accounted for the most events by count, but there were also a handful of private-key and wallet failures. This contrasts with Q1 2025, when the Bybit exchange hack for $1.46B dominated key-loss statistics. (CD Security)
Vitalik Documents a Local Privacy-oriented LLM Stack
Buterin outlines his personal setup for running AI agents with privacy and security as first-class use cases. He uses local LLM inference via llama-server, sandboxed execution with bubblewrap, and a human-confirmation firewall for all outbound communications, including email, Signal, and Ethereum transactions. For tasks where local models fall short, he proposes ZK-API calls, mixnets, and TEE-based inference to minimize data exposure to remote providers. Teams evaluating AI for incident response or code review can treat it as a straw-man architecture next to default SaaS assistants. (Vitalik.eth)
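To make the "human-confirmation firewall" concrete, here is an added example (my code, not Vitalik's setup or any library he uses) of a minimal gate that sits between an agent and its tools: local tools run freely, anything with an external side effect (email, Signal, signing an Ethereum transaction) is rendered for a human and blocked unless explicitly approved, and unknown tools are denied by default. The tool names and the sample plan are hypothetical placeholders.

```python
# Added example: a human-in-the-loop gate for agent tool calls.
# Not Vitalik's code; tool names and the plan below are constructed placeholders.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Hypothetical tool classification. The split is the point, not the names:
# local tools have no external side effect, outbound tools leave the machine.
LOCAL_TOOLS = {"read_file", "search_notes", "run_sandboxed"}
OUTBOUND_TOOLS = {"send_email", "send_signal", "sign_eth_tx"}


@dataclass
class Decision:
    tool: str
    allowed: bool
    reason: str


@dataclass
class OutboundGate:
    # confirm() is the human hook: it receives a rendered summary of the
    # outbound call and returns True only if the operator explicitly approves.
    confirm: Callable[[str], bool]
    audit_log: List[Decision] = field(default_factory=list)

    def check(self, tool: str, args: Dict[str, str]) -> Decision:
        if tool in LOCAL_TOOLS:
            d = Decision(tool, True, "local tool, no external side effect")
        elif tool in OUTBOUND_TOOLS:
            # Render every argument so the human sees exactly what would leave.
            rendered = ", ".join(f"{k}={v!r}" for k, v in sorted(args.items()))
            ok = self.confirm(f"{tool}({rendered})")
            d = Decision(tool, ok, "human approved" if ok else "human declined")
        else:
            # Fail closed: a tool the policy does not know is never run.
            d = Decision(tool, False, "unknown tool, denied by default")
        self.audit_log.append(d)
        return d


def run_agent_plan(gate: OutboundGate, plan: List[Tuple[str, Dict[str, str]]]) -> List[str]:
    """Execute a plan of (tool, args) steps in order, stopping at the first denial.
    Returns the names of the tools that were actually allowed to run."""
    executed = []
    for tool, args in plan:
        decision = gate.check(tool, args)
        if not decision.allowed:
            break
        executed.append(tool)
    return executed


# Constructed sample plan: one local step, then two outbound steps.
SAMPLE_PLAN = [
    ("read_file", {"path": "notes.md"}),
    ("sign_eth_tx", {"to": "0xPLACEHOLDER", "value_eth": "1.0"}),
    ("send_email", {"to": "alice@example.com", "subject": "weekly summary"}),
]

if __name__ == "__main__":
    # Interactive use: the operator answers y/N on the terminal for each outbound call.
    gate = OutboundGate(confirm=lambda s: input(f"Allow {s}? [y/N] ").strip().lower() == "y")
    print("executed:", run_agent_plan(gate, SAMPLE_PLAN))
    for d in gate.audit_log:
        print(f"{d.tool}: {'ALLOW' if d.allowed else 'DENY'} ({d.reason})")
```

The gate is deliberately dumb: it does not try to judge whether a transaction is reasonable, it only guarantees that nothing outbound happens without a human seeing the full argument list first, and it keeps an audit log so a declined action is still visible after the fact.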
ZachXBT Alleges Weak Circle Responses on Illicit USDC Flows
The investigator alleges $420 million-plus in problematic flows since 2022 and fifteen cases where Circle moved slowly, backing the claims with screenshots and chain narratives. Treat the material as allegations until Circle or regulators respond; either way, it feeds stablecoin compliance and Travel Rule scrutiny.
Google Quantum AI Shows Faster Shor-style Attacks
Uma Roy reviews Google's latest work where their quantum group used Succinct’s SP1 zkVM, reporting a roughly 20× more efficient Shor implementation aimed at the secp256k1 curve behind Bitcoin and Ethereum. (Uma Roy on X)
Catalysis Partners with Guardrail for Contract Monitoring
Catalysis provides scalable vault-native protection. The team announced Guardrail-backed alerting across its mainnet contracts and pitched always-on monitoring as a complement to audits, ramping up its security posture before launch. One more example of vendors bundling live on-chain monitoring. (Catalysis on X)
Yeah, Vaults are Kind of a Big Deal
Matt Hougan (Bitwise): "Vaults are the most important innovation in asset management since the invention of ETFs"
North Korea Linked to $285M Drift Protocol Heist on Solana
The TRM Team reports that on April 1, 2026, North Korean hackers drained approximately $285 million from Drift Protocol—the largest decentralized perpetual futures exchange on Solana—in roughly 12 minutes, marking the largest DeFi hack of 2026. The attack combined social engineering of multisig signers into pre-signing hidden authorizations, a zero-timelock Security Council migration, and a fabricated token (CarbonVote) inflated via wash trading to manipulate Drift's oracles. On-chain staging began March 11, three weeks before execution, with stolen funds bridged to Ethereum within hours. (TRM)
Drift Protocol — Incident Background Update
Total 2026 hack events: 55
The total amount of money lost this year: $435,250,414

Australia Passes Framework for Digital-asset Platforms
Reporting on the Corporations Amendment (Digital Assets Framework) Bill 2025 centers on Australian Financial Services Licence duties for exchanges and custodians, plus transition time to come into compliance. Analysts read the bill as clearer segregation and disclosure rules for intermediaries, in line with other jurisdictions regulating platforms first. (CoinDesk)
DOJ and CFTC Sue Three States to Block Prediction Market Crackdowns
Jonathan Stempel reports that the Trump administration filed lawsuits against Arizona, Connecticut, and Illinois on April 2, 2026, to prevent the Democratic-led states from regulating prediction market operators including Kalshi, Polymarket, Crypto.com, and Robinhood. The CFTC argues that state cease-and-desist orders and Arizona's criminal charges against Kalshi unlawfully infringe on federal exclusive authority over national swaps markets. State officials pushed back, with Connecticut's AG calling the suits a recycling of industry arguments already rejected by district courts. (Reuters)

depthfirst Raises $80 million Series B
depthfirst, an applied AI lab focused on securing software against AI-era threats, announced an $80M Series B round led by Meritech Capital, bringing total capital raised to $120M less than 90 days after emerging from stealth. Alongside the funding, the company unveiled dfs-mini1, its first in-house security model targeting smart contract vulnerabilities, outperforming frontier models at 10x–30x lower cost. The platform, already adopted by Fortune 500 companies and fast-growing firms like ClickUp and Supabase, uses AI to reason across entire software systems, identify real risk, and deliver developer-ready fixes. (depthfirst)
Google Quantum AI: Quantum Threat to Bitcoin & Ethereum
Published: March 29–30, 2026 | Google Quantum AI, with Justin Drake (Ethereum Foundation) & Dan Boneh (Stanford)
This is arguably the most impactful paper this year on the state of quantum security for crypto. Google Quantum AI, co-authored with the Ethereum Foundation and Stanford, published a whitepaper demonstrating that the elliptic curve cryptography (ECC) protecting Bitcoin, Ethereum, and virtually every major cryptocurrency could be broken with fewer than 500,000 physical qubits, a ~20x reduction from prior estimates.
Ecosystem affected: Bitcoin, Ethereum, and all ECC-based blockchains
Threat model: Shor's algorithm can be "primed" using fixed curve parameters precomputed ahead of time; once a public key is exposed, the remaining computation takes ~9 minutes
Critical implication: Bitcoin's average block time is 10 minutes, meaning a sufficiently powerful quantum computer would have an estimated 41% probability of deriving a private key before a Bitcoin transaction confirms
Ethereum note: Ethereum's 12-second deterministic block time creates a very different and more acute quantum vulnerability surface than Bitcoin
Mitigation focus: The paper outlines post-quantum migration strategies, emphasizing urgency for both Bitcoin and Ethereum to adopt quantum-resistant cryptographic standards
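The 41% figure above follows from a simple race model, reproduced here as an added example (my code, not the paper's). The assumption, mine rather than a method the paper states, is that Bitcoin block arrivals form a Poisson process with a 10-minute mean, so the wait for the next block is exponential and memoryless; a key-recovery job that needs 9 more minutes after the public key is exposed wins exactly when no block arrives in those 9 minutes. The block also inverts the model to show how much faster the computation would have to be for the race to become a coin flip.

```python
# Added example: the exposure-window race under a Poisson block-arrival model.
# Assumption (mine, not stated by the paper): inter-block times are exponential
# with the mean given in the text, so P(no block in t minutes) = exp(-t / mean).
import math
import random

MEAN_BLOCK_MIN = 10.0  # Bitcoin average block interval, from the text
ATTACK_MIN = 9.0       # remaining Shor computation once the public key is exposed, from the text


def race_win_probability(attack_min: float, mean_block_min: float) -> float:
    """Closed form: probability that the key is derived before the next block."""
    return math.exp(-attack_min / mean_block_min)


def simulate_race(attack_min: float, mean_block_min: float,
                  trials: int = 200_000, seed: int = 1) -> float:
    """Monte Carlo cross-check: draw the next block time and see who finishes first."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        next_block_min = rng.expovariate(1.0 / mean_block_min)
        if next_block_min > attack_min:
            wins += 1
    return wins / trials


def attack_time_for_target(target_prob: float, mean_block_min: float) -> float:
    """Invert the model: the attack time (minutes) that yields a given win probability.
    Lets you read a hardware estimate as 'how fast would this have to get'."""
    return -mean_block_min * math.log(target_prob)


if __name__ == "__main__":
    p = race_win_probability(ATTACK_MIN, MEAN_BLOCK_MIN)
    print(f"closed form:  {p:.3f}")  # ≈ 0.407, the ~41% quoted above
    print(f"monte carlo:  {simulate_race(ATTACK_MIN, MEAN_BLOCK_MIN):.3f}")
    print(f"attack time for a 50% race: {attack_time_for_target(0.5, MEAN_BLOCK_MIN):.2f} min")
```

Two practical caveats the model makes visible: the memoryless assumption is what makes the result independent of how long the previous block has been waiting, and it does not transfer to a fixed 12-second slot schedule, which is one reason the page treats Ethereum's exposure surface as a separate question.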