Crypto markets and policy did not move in a vacuum this week. On one side, the security environment in decentralized finance continued to produce major incidents tied to bridges, rollup infrastructure, and MEV-related trading. On the other, regulators in the United States and the European Union advanced proposals and rules that could reshape how transactions are processed, especially for centralized exchanges and custodial services.
Separately, a wallet application update brought a set of product changes, including expanded token and transaction display features and additional third-party trading providers. While these updates do not directly address protocol-level vulnerabilities, they influence user workflows around custody, routing, and compliance controls.
DeFi exploits: multiple incidents across bridges, rollups, and MEV
Aztec Connect and other deprecated bridge components targeted
The week’s most notable theme was how attackers continued to find value in systems that were already in decline. According to the roundup, Aztec Connect was drained twice via distinct exploits. The first incident involved an alleged $2.1 million outflow, described as linked to a privacy-focused rollup bridge that had been deprecated in 2023. A separate incident was then described as pulling an additional $2.15 million from another private rollup bridge, reportedly deprecated in 2022.
From an industry perspective, these cases underline a recurring challenge in DeFi security: “deprecated” does not always mean “fully unreachable” for every integration, contract dependency, or edge-case flow. Even when a product is scheduled for retirement, interfaces that remain technically exploitable can continue to create attack surfaces.
Taiko exploit described as forged proof verification
The roundup also described an incident on Taiko tied to chain-state verification. It characterizes the issue as attackers submitting forged message proofs that were accepted as valid by Ethereum mainnet.
The described impact included roughly $1.7 million drained in USDC and ETH, alongside nearly 2 million TAIKO tokens. If accurate, the incident highlights a critical class of risk for layer-2 and bridging systems, where correctness depends on verification logic. Even when verification is meant to protect downstream execution, weaknesses in proof handling can have outsized consequences.
MEV bot manipulation: “fake wrapped assets” and simulated profitability
Beyond bridges and rollups, the roundup points to a case involving an MEV bot on Ethereum, identified as Jaredfromsubway.eth. The description focuses on attackers tricking automated trading logic by creating fake wrapped assets and liquidity pools that simulated a profitable sandwich trade.
The roundup states that approximately $7.5 million was siphoned through permissions already granted to the bot. In practice, MEV strategies often rely on pre-approved token allowances and on fast transaction execution. This incident, as summarized, fits a broader pattern where adversaries attempt to make an automated system believe in a profit opportunity that exists only in a simulated environment.
Illinois adopts a digital asset transaction tax plan
Regulation in the United States also featured in this week’s roundup. It describes Illinois’ passage of a $55.9 billion state budget that includes the Digital Asset Privilege Tax Act. The plan, as outlined, would impose a 0.2% transaction-level levy on crypto activity starting January 1, 2027.
The described scope focuses on digital asset brokers, including exchanges and custodians that exchange, transfer, or store crypto for Illinois customers. The summary also notes registration requirements and felony charges for noncompliance. Additionally, the roundup references concerns raised by the Crypto Council for Innovation, describing the tax as among the most punitive in the country and warning about precedent effects.
For businesses, a levy applied per transaction can change unit economics. For users, it may ultimately influence which services offer custody and routing into and out of regulated intermediaries.
EU rules target cash, identity checks, and privacy-asset access via on/off-ramps
On the European side, the roundup summarizes a set of incoming rules affecting cash payments, identity verification, and the ability of regulated providers to handle certain transactions.
It describes a proposed cash cap in the EU: cash payments above €10,000 would be prohibited for goods and services. It also states that cash transactions over €3,000 would trigger mandatory identity verification. For regulated crypto service providers, the roundup notes identity checks on transactions of €1,000 or more and indicates that anonymous accounts are banned.
Crucially, the roundup frames privacy assets as not being outright criminalized for self-custody ownership, but it says the rules would restrict regulated intermediaries from touching privacy coins in certain contexts. It also emphasizes that peer-to-peer onchain transfers between self-custody wallets would remain outside the regulation’s reach, while on-ramps and off-ramps would face tighter constraints.
If these provisions are enacted as described, the immediate operational impact likely falls on exchanges, custodians, and payment providers, which may have to implement stricter routing, monitoring, and customer identification workflows. Over time, this could affect liquidity, pricing, and availability of certain assets through centralized channels.
Wallet and app update: UTXO address generation and expanded trading options
Alongside security and policy, the roundup includes a wallet product update labeled v5.39. While it is not a security incident response, it signals how mainstream crypto apps are adapting their user experience around transaction visibility and third-party trading providers.
MoonPay Trade, Apple Pay via Mercuryo, and provider controls
The roundup states that MoonPay Trade was added to the provider lineup, with features such as filtering between centralized exchanges and decentralized exchanges and the ability to rate providers after a swap. It also notes iOS support for purchasing crypto using Apple Pay through Mercuryo.
UTXO dynamic address generation and Solana history visibility
The update also reportedly includes dynamic address generation for selected UTXO networks, producing a new address for each incoming transaction. It further describes Solana transaction history appearing in the app.
Tangem Pay improvements and card management changes
Separately, the roundup mentions improvements to Tangem Pay, including the ability to reissue and rename a Tangem Pay card and adjust daily spending limits. It frames these changes as making real-world spending more flexible for users operating a self-custody setup.
What this week signals for security and compliance risk
Across the items summarized, a few themes stand out for industry watchers.
- Security risk persists after deprecation. Protocol retirement does not automatically close all pathways, especially where contracts remain technically accessible.
- Verification systems remain high-value targets. The Taiko incident description points to the importance of proof correctness and end-to-end validation across chains.
- Automation increases the stakes of trust assumptions. MEV bots can be exploited by adversaries who design fake liquidity and permissions-aware execution paths.
- Regulation is converging on intermediaries. U.S. and EU measures described in the roundup emphasize identity checks and transaction handling controls by exchanges, custodians, and regulated providers.
For users, the practical takeaway is not only to monitor security headlines, but also to understand how evolving compliance rules can change access paths and the reliability of on/off-ramps. For builders, the incidents reinforce the need for rigorous decommissioning plans, continuous audit coverage for legacy components, and stronger guardrails around automated trading logic.