₿leeding ₿inary

There have been a few key changes in crypto market structure. I've written about this topic before but I found myself carrying some stale epistemological baggage about how the market used to be versus what it is at the moment, so thought I'd share. 1. More coins than ever before and the barrier to creating new coins has never been lower. 2. More competition for the hot ball of money (AI, semis, tech, even commodities) and instruments like 0DTE options - all of which are very attractive to normies. 3. Change in participant type and sophistication - ETFs, more tradfi shops, suits etc. 4. Normie flows that used to concentrate around a few CEXes and a limited token set have been fragmented by the infinite listings and existence of the trenches. There are fewer normie flows, they're spread too thin, and it's difficult to come back to the casino if you get dumped on for holding longer than 15 seconds. The main attractor to crypto used to be outsized, long-lasting, and well-distributed trend and momentum effects that were easy to access because there weren't that many venues or coins. That's basically up only/alt season i.e. multi-month periods that were responsible for a disproportionate amount of a crypto trader's lifetime P&L. A rising tide lifting all boats is an overused but appropriate analogy - it didn't really matter what coins you bought. If you got the broader market conditions right, you'd enjoy significant uplift and basically get bailed out even if you made bad picks. In the current paradigm you can't afford to make bad picks. To be precise: in previous cycles if you got the conditions right but the assets wrong, you'd still make money but underperform. In the current cycle (even from the most recent BTC run) if you got conditions right but the assets wrong, you got shafted. So asset selection went from a nice-to-have enhancer to one of the main drivers of returns, even if BTC is going up. That's a pretty significant departure from what we've dealt with in the past This type of dispersion is a symptom of the market maturing. I think that's a net good thing and is likely to incentivise more intelligent token design, less ghost chain VC slop etc. But that's a forward-looking view, and at the moment we're trapped in this awkward transition phase where the old rules don't really apply but we haven't figured out a new framework yet e.g. top N coins by market cap are still mostly shit vs quality. Maybe I'm wrong and everything changes and we go back to the market-wide altseason paradigm when conditions are right. This could all be cyclical, but I think that's less compelling than before given the dispersion we saw on the way up too vs just to the downside. I think it's a good time (especially with other markets and asset classes going crazy) to revisit where crypto sits in the speculative stack and how to approach it as the market is changing. Cheers.

The US government told a 23-year-old math student in 1995: "Your code is a weapon. You need an arms license to share it." He sued them. Won. Then built the encryption protecting every message you've ever sent. 🤯 Meet Daniel J. Bernstein 🇺🇸 > Born in New York, 1971. > Finished high school at 15. PhD in Math from UC Berkeley at 24. > 1995: wrote new encryption code to protect people online. > US government classified it as a military weapon. > Required an arms export license ~ like selling missiles ~ just to publish it. > He filed a lawsuit against the United States government. > Fought for 4 years through federal courts. > Won in 1999. Court ruled: writing code = free speech. 🚀 > One lawsuit. Changed internet privacy law forever. > Then got to work. > Designed Curve25519 ~ the math locking your private messages. > Designed ChaCha20 ~ the code scrambling your internet traffic. > Designed Ed25519 ~ the signature securing your logins online. > Built qmail ~ an email server almost nobody has ever hacked. > Signal. WhatsApp. SSH. WireGuard. Tor. > All of them. His math. Your privacy. > Puts $1,000 of his own money on the line for any bug in his code. > No interviews. No fame. > Still a math professor in Chicago. Just ships code. He didn’t seek power or profit ~ he shipped protection. Absolute Legend 🐐

Apple and Google are gradually expanding their use of hardware-based attestation. They're convincing a growing number of services to adopt it. Google's Play Integrity API and Apple's App Attest API are very similar. Apple brought it to the web via Privacy Pass, which Google intends on doing too. Google's Play Integrity API requires hardware attestation for the strong integrity level and is gradually phasing in requiring it for the more commonly used device integrity level. Apple already has it as a requirement. Over the long term, this will increasingly lock out hardware and OS competition. The purpose of these systems is disallowing people from using hardware and software not approved by Apple or Google. This is wrongly presented as being a security feature. Banks and government services are the main ones adopting it but Apple and Google are encouraging every service to use it. Apple's Privacy Pass brought hardware attestation to the web to help with passing captchas on their own hardware. Many people saw that as harmless since few sites would be willing to lock out non-Apple-hardware users. Apple and Google are both likely to bring broader hardware attestation to the web. Google's reCAPTCHA is planning an approach where they use Privacy Pass on Apple hardware, their own approach on Google Mobile Services Android devices and a QR code scanning system to require an iOS or Google certified Android device for Windows and other systems: https://t.co/7rQnioRa8A Banking and government services increasingly require using a mobile app where they can use attestation to force using an Apple or Google approved device and OS. Apple's privacy pass, Google's 'cancelled' Web Environment Integrity and now reCAPTCHA Mobile Verification are bringing this to the web. Current media coverage for reCAPTCHA Mobile Verification misunderstands it and the impact of it. They're bringing a hardware attestation requirement to Windows, desktop Linux, OpenBSD, etc. by requiring a QR scan from a certified smartphone to pass reCAPTCHA in some cases. They could expand it more. Control over reCAPTCHA puts Google in a position where they can require having either iOS or a certified Android device to use an enormous amount of the web. Google defines certification requirements for Android which includes forcing bundling Google Chrome, etc. It's enormously anti-competitive. Google's Play Integrity API bans using GrapheneOS despite it being far more secure than anything they permit. It also bans using any other alternative. This isn't somehow specific to an AOSP-based OS. You can't avoid this by using a mobile OS based on FreeBSD instead. You'll just be more locked out. Google's Play Integrity API permits devices with no security patches for 10 years. The device integrity level can be bypassed via spoofing but they can detect it quite well and block it once it starts being done at scale. The strong integrity level requires leaked keys from TEEs/SEs to bypass it. It doesn't provide a useful security feature, but it does lock out competition very well. Services requiring Apple App Attest or Google Play Integrity are primarily helping to lock in Apple and Google having a duopoly for mobile devices. Play Integrity is more relevant due to AOSP being open source. Governments are increasingly mandating using Apple's App Attest and Google's Play Integrity for not only their own services but also commercial services. The EU is leading the charge of making these requirements for digital payments, ID, age verification, etc. Many EU government apps require them. Instead of governments stopping Apple and Google from engaging in egregiously anti-competitive behavior, they're directly participating in locking out competition via their own services. Requiring people to have an Apple device or Google-certified Android device is anti-competition, not security. reCAPTCHA Mobile Verification will currently work with sandboxed Google Play on GrapheneOS but it clearly exists to provide a way for them to start using hardware attestation on systems without it. People without an iOS or Android device will be locked out when this is required even without that. This isn't about security or any missing functionality. GrapheneOS can be verified via hardware attestation. Google bans using GrapheneOS for Play Integrity because we don't license Google Mobile Services and conform to anti-competitive rules already found to be illegal in South Korea and elsewhere. Services shouldn't ban people from using arbitrary hardware and operating systems in the first place. Google's security excuse is clearly bogus when they permit devices with no patches for 10 years but not a much more secure OS. It's for enforcing their monopolies via GMS licensing, that's all.

The White House just dropped a new “counterterrorism strategy” that quietly expanded the definition of terrorist by lumping cartels, ISIS, "left-wing extremists"… and "anarchists" into the same “threat” category. The first page of text ends with the phrase: “We Will Find You and We Will Kill You.” That is printed above the president’s signature. The language in the document is broad and open-ended. Once political labels become national security threats, the target can change overnight. This is how mission creep starts: Today it’s cartels. Tomorrow it’s dissidents.

‼️🚨 ALARMING: Google now treats privacy as suspicious behavior by default. Users of GrapheneOS, CalyxOS, /e/OS, and other deGoogled Android phones are being locked out of millions of websites unless they install the exact Google Play Services software they deliberately removed. GrapheneOS is recommended by the EFF and used by journalists, lawyers, and activists in high-risk environments. The audience most likely to read Google's data practices and refuse its terms is now flagged as fraudulent for that exact decision. What happened?: ▪️ Google announced "Cloud Fraud Defense" at Cloud Next on April 22-23, 2026, branding it "the next evolution of reCAPTCHA." Existing reCAPTCHA customers were auto-migrated. ▪️ When the system flags traffic as suspicious, the old click-the-bus puzzle is gone. Users get a QR code instead. ▪️ Scanning the QR code requires Google Play Services running on the device. Internet Archive snapshots show this requirement has been live since at least October 2025, silently rolled out for 7 months before anyone noticed. ▪️ No Play Services = no QR scan = locked out. The bigger picture: ▪️ Google already tried this in 2023. It was called Web Environment Integrity (WEI), and it would have let Google decide which devices were "real enough" to access the web. Standards bodies and the public pushed back hard, and Google killed it. Three years later, the same idea is back, just hidden behind a QR code instead of a browser feature. ▪️ reCAPTCHA runs on millions of websites. Every developer who keeps using it is now, by default, telling deGoogled Android users they're not welcome...

WIKILEAKS FOUNDER JULIAN ASSANGE: “Bitcoin is an extremely important innovation, but not in the way most people think. Bitcoin's real innovation is a globally verifiable proof publishing at a certain time. The whole system is built on that concept, and many other systems can also be built on it. The block chain nails down history, breaking Orwell's dictum of 'He who controls the present controls the past and he who controls the past controls the future'.”

People in the future will tell tales in hushed whispers of the ancients that could once speak to each other in a room without THE MONITOR observing their every move. The future folk dare not speak too loudly for fear of being DEHUMANED and removed from the Social Grid. Rumor has it that Thomas was dehumaned, but nobody has seen him since ration day. We told him not to tell his monitor that he was feeling unhappy. He didn’t listen.

VERCEL GOT HACKED ShinyHunters - the group behind the Ticketmaster breach - is selling Vercel's internal database for $2M on BreachForums here's why every developer should care: - they have NPM tokens and GitHub tokens - Vercel owns Next.js - 6 million weekly downloads - one malicious push = global supply chain attack - Vercel confirmed the breach today, April 19 - they literally DMed the hackers on Telegram asking them to stop rotate your env variables RIGHT NOW

It is truly preposterous, the number of Operating Systems which the new Age Verification laws would technically apply to. From the latest Federal bill (HR 8250): “The term “operating system” means software that supports the basic functions of a computer, mobile device, or any other general purpose computing device.” In other words… FreeDOS would need to implement Age Verification under this bill. An open source MS-DOS clone which doesn’t even have the concept of “users”. Truly insane.

🕵️How about a Friday round of "Digital ID Whack-a-Mole"??? 🔨🐁 🚨Illinois House passed HB5511, the Children's Social Media Safety Act yesterday, 82-27. HB 5511 forces operating systems to collect your age and broadcast an age-signal to any app or platform that requests it - and they must request it to comply with the law. Any device that runs an OS will be pulled into this system - so basically that's every single device - from smartphones to desktops. 🧵

The full text for HR 8250, the proposed Federal law which would require all Operating Systems to implement Age Verification, has just been made publicly available. It is short, poorly written, clearly not at all thought out, and almost entirely devoid of specifics. Some key points: - The bill does not specify how age verification would work at all. It states that the Federal Trade Commission would have 180 days to specify the exact mechanism and requirements for Age Verification within the Operating Systems. - The Federal Trade Commission would also specify data storage protection requirements as well as requirements for how the Operating System must provide access to collected user data. - This bill would apply to ALL Operating Systems. Everything from Windows to Linux to embedded systems. Yes, even to a smart refrigerator. The “Operating System” definition is incredibly broad. - The law will be considered in effect 1 year from the date it is enacted. - Violations of the law will be handled under the Federal Trade Commission Act. - It is given the “Short Title” of “Parents Decide Act”. https://t.co/u22o583kH2