Cybersecurity in Fintech: We’re Entering the Systemic Risk Era

Last weekend, hackers stole $290 million in cryptocurrency in a matter of hours. By Monday, nearly $9 billion had fled the platform where the stolen funds ended up. By Tuesday, experts were still arguing about whose fault it was.

If you didn't see this in your news feed, you're not alone. Crypto hacks have a way of getting buried: they feel abstract, the numbers are hard to contextualize, and the technical explanations tend to lose people fast. But this one is worth understanding, because it's not really a crypto story. It's a story about what happens when financial systems move faster than security, and AI is about to make both of those things dramatically faster.

What Actually Happened

Here's the simple version: A group of hackers, believed to be affiliated with North Korea's Lazarus Group (the same outfit linked to some of the largest financial thefts in recent history) found a weakness in how one cryptocurrency platform was configured. They exploited that gap to steal $290 million worth of crypto tokens in a single transaction. Then they did something clever: they deposited those stolen tokens into a separate lending platform called Aave (essentially crypto's version of a bank) and used them as collateral to borrow hundreds of millions more in different assets.

Aave's own software wasn't hacked. Nothing in its code was broken. But when word got out that $290 million in stolen, now-worthless tokens were sitting inside the platform as collateral, users panicked. And when people panic in a financial system, they all try to withdraw at once. Nearly $9 billion left Aave over the following 48 hours.

You've heard this dynamic before. It's a bank run. It just happened on the internet, over a weekend, with no FDIC and no bailout available.

Why a Configuration Mistake Cost $290 Million

The technical detail at the center of this hack is worth a moment, because it illustrates something important about how security actually fails in the real world.

The stolen funds moved through what's called a "bridge": software that transfers assets between different blockchains, the way a wire transfer moves money between different banks. For that transfer to be legitimate, it needs to be verified. The platform that got hacked, Kelp DAO, had set up their bridge to require only a single verifier to approve a transaction. One checkpoint. Industry guidance explicitly recommends multiple independent verifiers, so that compromising one doesn't compromise everything.

The attackers found that single verifier, corrupted the information it was seeing, and used it to approve a fraudulent transaction for $290 million. The system worked exactly as it was designed. The design was the problem.
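The difference between a one-verifier and a multi-verifier bridge configuration, as an added example that is not part of the original article or any platform's own code. Verifier names, keys and messages are constructed, and HMAC tags stand in for real verifier signatures.

```python
import hashlib
import hmac

# Constructed sample data: verifier names, keys and messages are hypothetical.
KEYS = {"verifier-a": b"key-a", "verifier-b": b"key-b", "verifier-c": b"key-c"}

def attest(name, view, message):
    """A verifier signs a message only if it appears in its own view of the source chain."""
    if message not in view:
        return None
    return name, hmac.new(KEYS[name], message, hashlib.sha256).digest()

def accept(message, attestations, required, threshold):
    """Accept only when `threshold` distinct required verifiers gave a valid attestation."""
    valid = set()
    for att in attestations:
        if att is None:
            continue
        name, tag = att
        if name not in required:
            continue  # attestation from a verifier this bridge does not trust
        expected = hmac.new(KEYS[name], message, hashlib.sha256).digest()
        if hmac.compare_digest(tag, expected):
            valid.add(name)  # a set, so a repeated attestation counts once
    return len(valid) >= threshold

def audit(required, threshold):
    """Flag configurations where one compromised verifier is enough."""
    findings = []
    if threshold < 2:
        findings.append("single verifier can approve a transfer")
    if threshold > len(required):
        findings.append("threshold can never be met")
    return findings

def run(required, threshold, views, message):
    """Collect attestations from every required verifier, then apply the quorum rule."""
    atts = [attest(n, views[n], message) for n in required]
    return accept(message, atts, required, threshold)

REAL = b"release 10 tokens to alice"
FORGED = b"release 1000000 tokens to mallory"  # never happened on the source chain
HONEST = {REAL}
POISONED = {REAL, FORGED}                      # verifier-a was fed false data
VIEWS = {"verifier-a": POISONED, "verifier-b": HONEST, "verifier-c": HONEST}
ALL = ["verifier-a", "verifier-b", "verifier-c"]
```

With `required=["verifier-a"]` and `threshold=1` the forged message is accepted; with all three verifiers and `threshold=2` it is rejected while the real message still passes.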

This is how most major security failures actually work: not a genius hacker cracking unbreakable code, but someone finding the door that was left unlocked and walking through it. The genius is in knowing which doors to check.

North Korea Has a Side Hustle

It's worth pausing on the "North Korea" part of this story, because it's not a metaphor.

The Lazarus Group is a real, state-sponsored hacking operation that the U.S. government has linked directly to the North Korean government. It's believed to function, in part, as a revenue generator for a country under heavy international sanctions: a way to fund operations (including, reportedly, nuclear weapons development) when traditional financial channels are blocked.

This same group is suspected of stealing $285 million from a different platform just three weeks earlier, in April. That's roughly $575 million in a single month, from two attacks using two structurally different methods. They are fast, adaptive, and getting better.

The fact that a nation state is treating cryptocurrency platforms as an ATM is not a crypto-specific problem. It's a sign of how thin the walls between digital finance and geopolitical risk have become.

The Other Story: An AI Too Dangerous to Release

At almost the same time this hack was unfolding, a separate story was circulating in tech circles that didn't get nearly enough attention.

Anthropic, one of the leading AI companies, built an AI model called Claude Mythos Preview that turned out to be extraordinarily good at one specific thing: finding security vulnerabilities in software. Not just good. So good that Anthropic decided it was too dangerous to release to the public.

Instead, they announced something called Project Glasswing: a controlled rollout to roughly 50 vetted organizations (Microsoft, Apple, JPMorganChase, CrowdStrike, etc.) who would use it exclusively for defensive security research.

Why was it too dangerous to release openly? Because the same capability that lets it find vulnerabilities for defenders lets it find vulnerabilities for attackers. In testing, Mythos had uncovered thousands of security flaws across major operating systems and browsers, including a bug that had been sitting undetected in widely used software since 1998. It could take a set of vulnerabilities in the Firefox browser and turn them into 181 working attack paths. Anthropic's previous best model could manage two.

To understand why that matters: security researchers currently find vulnerabilities the hard way, one at a time, through years of expertise and manual effort. A tool that can do this systematically, at scale, in hours changes the math entirely. For defenders, it's a superpower. For attackers, it's a superpower.

Anthropic made a judgment call that the risk of it being misused outweighed the benefit of open access. Whether you agree with that call or not, the fact that they had to make it tells you something about where we are.

These Two Stories Are the Same Story

Here's why I think these two events, happening in the same week, are worth reading together.

The Kelp DAO hack is a story about financial infrastructure moving faster than the security practices designed to protect it. DeFi platforms, the crypto equivalent of banks, are being built and interconnected at a pace that outstrips anyone's ability to fully audit what they're building. The vulnerabilities aren't always cutting-edge. Sometimes they're just the door someone forgot to lock.

The Mythos story is a preview of what's coming next. AI is going to be used by both sides of the security equation. Defenders are going to use it to find vulnerabilities faster, patch systems more thoroughly, and respond to attacks in real time. Attackers are going to use it for exactly the same things, but pointed in the other direction: finding misconfigurations, generating convincing social engineering at scale, automating the search for unlocked doors.

The gap between those two capabilities (who gets access to the best tools, and when) is going to determine a lot about how secure our financial systems are over the next decade.

What This Means Beyond Crypto

You might be thinking: I don't own any crypto. Why does this affect me?

A few reasons.

First, the same dynamics at play in DeFi (interconnected systems, third-party integrations, configuration risk) actually exist in traditional finance. Every time your bank connects to a payment app, every time a fintech startup plugs into a financial API, every time a new product launches on aging infrastructure, there's a bridge somewhere with assumptions baked into it. Those assumptions can be wrong.

Second, the North Korea angle matters at a systemic level. When a nation state is actively, successfully stealing hundreds of millions of dollars per month from financial platforms, that's not a contained problem. It creates pressure on the entire ecosystem: regulatory, competitive, reputational.

Third, AI is going to change the attack surface for everyone. The rise of AI-powered tools means that both the scale and sophistication of attacks are about to increase, regardless of whether you're in crypto or conventional finance. The organizations that are thinking about this now, not after the first incident, are the ones that will be positioned to handle what's coming.

The Bottom Line

A $290 million theft and a too-dangerous-to-release AI model might seem like niche tech stories. But they're really about something much more fundamental: the systems we're building to move and store value are becoming more complex and more connected faster than our ability to secure them.

That gap, between what we can build and what we can protect, is the defining security challenge of the next decade. And right now, it's widening.
