As spot bitcoin BTC exchange-traded funds continue to grow and Wall Street wades deeper into crypto, more and more people are able to gain exposure to digital assets through their individual retirement accounts (IRAs).

IRAs offer tax advantages and a range of investment options, including stocks, real estate, commodities and, increasingly, cryptocurrencies. But when it comes to crypto, there’s usually only one investment strategy available: to buy and hold.

It’s a strategy that might work well for assets like the S&P 500, which have long track records of steadily appreciating over longer time frames, but bitcoin is still an extremely volatile asset and other coins even more so.

The idea behind BlockTrust IRA, then, is simple: to manage the crypto positions of its customers in order to take advantage of that volatility and maximize their returns.

“We’re the only company that has an AI tool meshed with traders that put people automatically in cash [when need be]. Then we wait for the right signals, and we buy back in,” Jonathan Rose, the firm’s CEO, told CoinDesk in an interview.

“Where people are scared of volatility and scared of risk, we actually want the volatility and the risk associated with that, because that’s how we actually make our clients money,” Rose said. “We are right a lot more than we are wrong, and that’s how we’re able to beat the benchmark.”

BlockTrust’s secret sauce? Animus Technologies, a fund that provides intelligent asset management solutions for crypto. Animus has servers around the world and quantifies humongous amounts of data — to the point that a European government body has reached out to inquire what exactly they’re quantifying data for, according to Rose.

Animus typically only shares its signals with high net-worth individuals and fund clients, Rose said. In other words, crypto retail participants may now benefit, through their BlockTrust accounts, from the kind of trading mechanisms that previously were only available to quant funds.

The sophisticated strategies are currently only available for bitcoin BTC and ether ETH, but BlockTrust offers exposure to 60 different cryptocurrencies, Rose said. Users of the platform can invest as little as $1,000 for non-managed accounts, or $25,000 if they want a managed account — and trading fees can go as low as 0.4% for the former and 0.14% for the latter.

BlockTrust IRA went live officially in February. In March, the firm had accrued $10 million in assets, and Rose expects it to bring in roughly $100 million before the end of the year.

The company’s early success may also be due to the fact that it’s not just open to U.S. residents, but to people all around the world, as long as they can pass its Know-Your-Customer (KYC) checks. Americans do have the added advantage of being able to use their tax-deferred retirement savings to gain exposure.

Crypto markets are ever changing, and trading strategies that function perfectly for a long time may suddenly become outdated due to shifts in the economic environment or crypto-intrinsic changes — potentially threatening to render Animus’ approach obsolete someday. But Rose isn’t concerned.

“When [the people at] Animus Technologies go to these hedge fund conferences and speak, they always come back with a big grin on their faces, because they’re like, ‘We are so light-years ahead of anyone remotely doing what we’re doing,’” Rose said. “It’s going to take like four to six years for people to even kind of catch up to us.”

Last week’s highly organized breach of cryptocurrency exchange Coinbase (COIN) left behind more questions than answers.

While some hailed Coinbase’s response as a «really great example» in dealing with a crisis, the breach has now caused a potentially massive privacy issue that mirrors the Ledger data breach in 2021 — which led to a spate of real-world robberies as criminals were able to get a hold of names and addresses of crypto holders. Coinbase has already acknowledged that its customers may have lost close to half a billion U.S. dollars as a result of its breach.

Cybercriminals accessed Coinbase user data by bribing and convincing Coinbase support employees to share that data, but this was entirely preventable, according to numerous experts that spoke to CoinDesk.

“A failsafe system would make stealing data technically impossible, but Coinbase clearly didn’t prioritize these measures, leaving the door wide open,” Andy Zhou, co-founder of blockchain security firm BlockSec told CoinDesk.

Allowing these criminals to access personal data, whether through a hack or, in this case, social engineering, is a major blight on an exchange that facilitates billions of dollars worth of volume every day. The breach created a myriad of issues, including user privacy and trust. How could Coinbase, a publicly traded company, allow attackers to steal personal information and money through the front door? And could it have been prevented?

Hackett Communications CEO Heather Dale hailed Coinbase’s response as a “masterclass in communication,” but Coinbase’s method of tackling the issues was simple: throw as much money at it as possible.

The exchange offered a $20 million bug bounty for anyone who reported information that would lead to an arrest or prosecution. It also committed to voluntarily reimbursing impacted users with between $180 million to $400 million.

What happened?

Before analyzing the fallout of the breach, it’s important to understand how exactly the breach occurred at a publicly traded company that spends millions of dollars per month on security infrastructure.

In February, on-chain sleuth ZachXBT reported a rise in thefts involving Coinbase users. He said that it was “a result of aggressive risk models and Coinbase’s failure to stop its users losing $300 [million] per year to social engineering scams.”

The fear of cybercriminals stealing hundreds of millions of dollars became a reality last week when Coinbase published a blog post revealing that account balances, government ID images, phone numbers, addresses and masked bank account details were stolen.

Unlike other hacks and breaches, which involve attackers exploiting a faulty back-end, these attackers went in through the front door—communicating directly with Coinbase employees and buying access to the information via rogue insiders. Coinbase claimed that it fired all responsible employees on the spot, although it did not reveal the method it used to find those responsible in the blog post.

The issue, however, is not confined to crypto. In 2022, digital bank Revolut confirmed that 50,000 sets of customer data were stolen, while one year later, trading platform Robinhood had up to 5 million email addresses leaked. The latter was fined $45 million by the SEC following the breach after it emerged that a portion of customers had their accounts wiped by attackers.

The BBC reported in October that one particular Revolut user lost £165,000 ($220,0000) following a data breach and that the neobank’s fraud detection system prevented £475 million in fraudulent transactions in 2023.

Coinbase competitors Binance and Kraken said they managed to fend off similar social engineering attacks in recent weeks.

Coinbase CEO Brian Armstrong also posted a video on X last week, stating that he received a “ransom note” for $20 million in bitcoin in exchange for these attackers not releasing some information they claimed to have obtained on Coinbase customers.

ZachXBT added on Thursday that the attackers began obfuscating the stolen funds by swapping BTC for ETH on Thorchain, a venue often used by the infamous North Korean hackers Lazarus Group.

‘Major wake-up call’

Andy Zhou, co-founder of blockchain security firm BlockSec, told CoinDesk that Coinbase should have conducted “stricter background checks on employees handling sensitive data » and set up “alarms for weird activity” like someone suddenly downloading thousands of customer profiles.

Zhou added that Coinbase should have implemented several technical solutions. These include strict role-based access, meaning employees only see necessary data, or privacy tools that allow work without exposing raw details (for example, blurring ID photos).

Nick Tausek, lead security automation architect at Swimlane, told CoinDesk that the breach should be a “major wake-up call” for robust insider threat detection.

“As outsourcing scales and operations stretch across time zones, insider threat detection and access governance cannot be afterthoughts. A single insider with the right access, or in this case, the wrong incentives, can punch a hole in even the most fortified security posture. Because, as this breach shows, it only takes 1% of customers breached to make 100% of the headlines.”

However, not everyone is piling onto Coinbase.

Michal Pospieszalk, CEO of MatterFi, said that it “isn’t a Coinbase problem, it’s a systemic vulnerability that’s plagued crypto since day one.”

He argued that the nature of sending crypto without an intermediary means that all platforms are one misstep away from disaster.

Hackers need to engineer a situation that can trick users into sending their funds in an irreversible transaction. In Coinbase’s case, attackers gained access to personally identifiable information from a rogue employee.

The root issue, according to Pospieszalsk, is the problem of users not knowing whether they are sending funds to the right recipient, adding that crypto runs on a “trust me, bro” model of identity verification and that is not sustainable.

What happens next?

Coinbase said it would voluntarily reimburse customers who lost funds during the breach and would continue to work with law enforcement to capture those responsible. But for users, it’s a darker road.

The exchange said in a regulatory filing on Wednesday that the breach impacted 69,461 customers. The filing also noted that the breach occurred in December 2024 and was not discovered by Coinbase until May 15.

These details are out on the internet now, and may even be for sale on the dark web and in shady Telegram groups. After the Ledger breach, customer details were published on Raidforums, a nefarious data-sharing platform, which led to a rise in phishing attempts.

Unfortunately, Coinbase can’t do anything to prevent the sharing of this leaked information, leaving the affected users to attempt to put in as many safeguards as possible. These include changing wallets, changing deposit addresses on exchanges and even changing home addresses to avoid the risk of real-world robberies. Users whose social security numbers were leaked should also lock their credit to prevent identity theft.

It may be cumbersome, but as seen earlier this year during the attempted kidnapping of Ledger co-founder David Balland (and several other individuals over the past few weeks), criminals will not stop until they extract the maximum amount of funds, even if it means inflicting brutal acts of violence.

This also raises a potential legal question: If a Coinbase customer were to be robbed or assaulted due to the data breach, would Coinbase be liable? Ledger failed to escape a proposed class action lawsuit earlier this year, with plaintiffs alleging that Ledger violated its privacy policy and should have had measures in place to prevent the breach.

Crypto researcher Molly White also pointed out that Coinbase changed its user agreement in April, adding two clauses limiting class action lawsuits and requiring lawsuits to be filed in New York, with changes being applied on May 15, the same day the breach was announced.

Coinbase responded to CoinDesk about White’s claims, stating that the exchange had “notified customers well in advance” of the user agreement change and that it had a class action waiver in place for “years.”

Coinbase did not, however, comment on questions related to whether the breach was preventable or how it will safeguard customers who could be at risk of real-world robberies in the future.

Read more: Market Reaction to Coinbase Hack ‘Overblown,’ Say Analysts as SEC Probe Sinks Stock

Tokenized asset platform Centrifuge said it’s expanding services on the Solana blockchain, starting with the $400 million tokenized U.S. Treasury fund managed by Anemoy (JTRSY).

The expansion builds on Centrifuge’s token standard — dubbed «deRWA tokens» — that allows token holders to freely transfer and use tokenized instruments across decentralized finance (DeFi) protocols.

In this case, the deJTRSY token can be swapped, lent, or used as collateral in, enables Solana users to earn yield from short-term Treasuries natively in Solana DeFi platforms, first on decentralized exchange Raydium, lending platform Kamino, and yield aggregator Lulo.

The rollout underlines Solana’s growing momentum in the tokenized RWA space, a red-hot sector that aims to brings traditional financial instruments like bonds, funds and credit onto blockchain rails. It’s a huge opportunity: Boston Consulting Group and Ripple projected that the tokenized asset market could reach $18.9 trillion by 2033.

This week, Solana Foundation partnered with bank-focused blockchain tech firm R3 to bring real-world assets to Solana, while Securitize-issued tokenized fund of Apollo credit assets is also being introduced to Solana-based DeFi protocols.

«Tokenizing assets is just the starting point,» said Bhaji Illuminati, CEO of Centrifuge. «What truly matters is giving real-world assets utility onchain: making them usable across the DeFi stack from day one.»

Read more: Major TradFi Institutions to Pursue Tokenization Efforts on Solana