Everything you need to know about the crypto crash – Protocol

From layoffs to bankruptcies, the blockchain economy is facing a reckoning.
Here’s how the crash has affected consumers, employees and investors.
The crypto market has shed $2 trillion over the past seven months, a stunning meltdown that has upended the once fast-growing industry. The crash has triggered layoffs at exchanges and lenders, account freezes that have left customers in the cold and even bankruptcies at some overleveraged firms.
Here’s how the crash has affected consumers, employees and investors, and how it has given new energy to efforts by regulators to rein in a digital-assets market that SEC Chair Gary Gensler has called the Wild West.

Consumers feel the sting

As crypto prices continued to fall, some companies limited or froze withdrawals and trades, citing conditions they compared to bank runs. Critics and regulators pounced on these moves, saying they showed a lack of protections for investors and a surfeit of risk by some companies that lent out customer assets and promised sky-high rewards.

June 12: Celsius halted withdrawals, swaps and transfers after facing a liquidity crisis. The firm was hurt badly by the Terra collapse and a drop in the value of staked ether, or stETH.

June 13: Binance, the world’s largest crypto exchange, halted bitcoin withdrawals for several hours. The exchange blamed a “stuck transaction.”

June 17: Babel Finance, another cryptocurrency lender, froze withdrawals. The firm blamed the pause on “unusual liquidity pressures.” Also, Finblox tightened withdrawal limits and paused reward distributions. The staking platform is backed by Three Arrows Capital and was impacted by the hedge fund’s liquidity crisis.

June 23: CoinFlex, a crypto lender and futures platform, paused withdrawals, citing “extreme market conditions.”

July 1: Crypto lender Voyager suspended withdrawals, deposits and trading. The firm received a $200 million revolving line of credit and 15,000 bitcoins from FTX CEO Sam Bankman-Fried’s firm Alameda Research.

July 4: Vauld, a crypto lender particularly popular in Southeast Asia and India, paused withdrawals. Nexo offered to acquire the company on July 5, saying it would prioritize restarting withdrawal capabilities post-acquisition.

July 14: CoinFlex began allowing customers to withdraw 10% of their account balances, excepting the company’s flexUSD stablecoin.

July 20: Crypto exchange Zipmex halted withdrawals, citing “volatile market conditions.” The company did not say when withdrawals could resume.

July 22: Zipmex resumed withdrawals but continued to restrict deposits, transfers and trades.

Employees lose jobs

Crypto hiring spiked 73% from 2019 to 2021, according to LinkedIn, and well into 2022, some companies maintained aggressive hiring plans. But Coinbase reversed plans to triple its workforce this year, rapidly retrenching and ultimately resorting to layoffs. Not everyone is cutting back: Binance, Kraken and Ripple are among the firms that are still hiring.

June 1: Brazilian crypto exchange 2TM laid off more than 80 employees, blaming “rising interest rates and inflation.”

June 2: Gemini, the crypto exchange run by brothers Cameron and Tyler Winklevoss, laid off 10% of its staff. In a letter to employees, the brothers said the cuts were due to “turbulent market conditions that are likely to persist.”

June 10: Crypto.com cut 5% of its staff, or 260 people. CEO Kris Marszalek said in a tweet that the company needed to “ensure continued and sustainable growth.”

June 13: BlockFi said it would cut 20% of its staff, blaming the “dramatic shift in macroeconomic conditions.”

June 14: Coinbase announced it would lay off 18% of its workforce to ensure that it stays “healthy during this economic downturn.” The company had previously halted hiring and rescinded job offers.

July 3: Celsius cut around 150 employees, or a quarter of its staff. The cuts came three weeks after the lender paused all withdrawals from its platform.

July 5: Institutional crypto trading platform Bullish.com cut around 30 staff members. A spokesperson told the Block the company is still hiring for “strategic roles.” Also, eToro slashed 6% of its employees, or around 100 workers. The company also officially called off its SPAC merger with blank-check company FinTech Acquisition Corp.

July 14: NFT marketplace OpenSea laid off 20% of its workforce, promising generous severance and benefits.

July 21: Cryptocurrency exchange Blockchain.com said it would cut 25% of its workforce. The firm is shuttering its Argentina office and pausing expansion in several other countries.

Investors’ losses mount

The crypto crash forced a wave of consolidation on the industry, with rapid-fire dealmaking aimed at salvaging weaker firms.

The meltdown of Terraform Labs’ UST and luna tokens sent shockwaves through the industry, affecting big firms which had bet on the tokens, including Three Arrows Capital, one of the largest crypto hedge funds.

Soon after, stETH, a token on the Lido network that was once considered a safe bet on the new version of Ethereum 2.0, started to lose its peg. That caused further distress in the market. Firms that had reportedly invested in stETH included Three Arrows, Celsius and Alameda Research.

After those two events, Three Arrows had a liquidity crunch and stopped answering margin calls. That sent further ripple effects throughout the industry. Three Arrows had borrowed from a number of large players in the crypto industry — and it’s unclear to what extent that borrowing was collateralized.

Counterparties of 3AC such as Voyager, prime broker Genesis Trading and BlockFi took heavy losses as a result of working with Three Arrows, just when those firms needed cash the most. Many in the industry are wondering if other crypto lenders, hedge funds or brokerages will be next.

Sam Bankman-Fried’s firms, FTX and Alameda, moved to support companies like BlockFi and Voyager. In some cases the infusions weren’t enough: Voyager filed for bankruptcy despite FTX’s support.

June 22: Voyager obtained a revolving credit line from Sam Bankman-Fried’s Alameda group of $200 million and 15,000 bitcoin.

June 29: Officials in the British Virgin Islands reportedly ordered crypto hedge fund Three Arrows Capital, which Voyager Digital said defaulted on loans worth more than $600 million, to liquidate.

July 1: BlockFi agreed to a deal with FTX that gave the exchange an option to buy the remaining shares of the company for up to $240 million. The crypto lender was once valued by investors at around $5 billion.

July 2: Three Arrows filed for Chapter 15 bankruptcy in New York.

July 4: CoinShares said it would acquire Napoleon Asset Management for an undisclosed sum. CoinShares acquired Napoleon Group in December.

July 5: Crypto lender Nexo agreed to buy fellow lender Vauld after Vauld users withdrew nearly $200 million, causing a liquidity crisis. Nexo hired Citi in June to advise on acquisitions. Also, Uprise reportedly lost 99% of funds shorting luna during its price crash. The firm uses AI-enabled automatic trading strategies, and was hurt by short-lived pumps to luna’s price.

July 6: Michael Moro, CEO of Genesis Trading, confirmed the company took major losses after Three Arrows Capital was unable to meet a margin call. The loans had a weighted average margin requirement of more than 80%, and Genesis had to immediately sell collateral. Also, Voyager Digital filed for bankruptcy. FTX is a major creditor.

July 8: Blockchain.com told shareholders it faced $270 million in losses from exposure to Three Arrows Capital.

July 13: Celsius filed for bankruptcy.

July 14: In a bankruptcy court filing, Celsius revealed its liabilities outweighed its assets by $1.2 billion.

Regulators move in

Regulation is coming down the pike globally, seemingly sooner rather than later.

June 7: The highly anticipated Responsible Financial Innovation Act was introduced by U.S. Sens. Cynthia Lummis and Kirsten Gillibrand; it carved out definitions of various digital assets, contained tax provision clarifications and proposed dividing oversight between the CFTC and SEC.

June 8: New York’s Department of Financial Services issued new guidelines requiring stablecoins to be backed by reserves.

June 16: Multiple states opened investigations into Celsius’ move to freeze withdrawals.

June 30: The EU Parliament and Council reached a provisional agreement on the Markets in Crypto-Assets bill, another move toward finalizing it. The bill, known as MiCA, would introduce a clearer regulatory framework for crypto companies, including sustainability disclosures and stablecoin regulation. The EU’s new transfer-of-funds rules are also set to enforce anti-money laundering and know-your-customer requirements, where crypto companies will have to collect information and personal data for all transactions.

July 4: Tharman Shanmugaratnam, chair of the Monetary Authority of Singapore, said that the financial watchdog is “carefully considering” some additional safeguards for consumer protection, including “placing limits on retail participation, and rules on the use of leverage when transacting in cryptocurrencies.”

July 8: Federal Reserve Vice Chair Lael Brainard urged in a speech in London that the “regulatory perimeter” be extended to include crypto, citing recent market turbulence.

July 12: Vermont financial regulators warned Celsius customers that the crypto lender was likely to be “deeply insolvent.” Also, California regulators said they were investigating “crypto-interest account” providers and urged consumers to file complaints.

Nat Rubio-Licht is a Los Angeles-based news writer at Protocol. They graduated from Syracuse University with a degree in newspaper and online journalism in May 2020. Prior to joining the team, they worked at the Los Angeles Business Journal as a technology and aerospace reporter.
Don’t know what to do this weekend? We’ve got you covered.
Janko Roettgers (@jank0) is a senior reporter at Protocol, reporting on the shifting power dynamics between tech, media, and entertainment, including the impact of new technologies. Previously, Janko was Variety’s first-ever technology writer in San Francisco, where he covered big tech and emerging technologies. He has reported for Gigaom, Frankfurter Rundschau, Berliner Zeitung, and ORF, among others. He has written three books on consumer cord-cutting and online music and co-edited an anthology on internet subcultures. He lives with his family in Oakland.
This week is all about magic: “Light & Magic” on Disney+ takes us behind the scenes of Disney’s special effects unit; “The Swimmers” reminds us how magical life can be; and “Never Have I Ever,” Mindy Kaling’s Netflix comedy, invokes the magic of “Gilmore Girls,” but for Gen Z.
Mindy Kaling’s Netflix comedy “Never Have I Ever” is a bit like this Generation Z’s “Gilmore Girls”: It’s witty, sweet and acutely aware of what it means to grow up as a teenager today — which also means it’s more raunchy and a lot less white than Lorelai and Rory’s sheltered small-town world. The third season premieres on Netflix today, and if the critics are to be believed, it’s going to be brilliant.
You won’t find any hard-hitting investigative journalism in “Light & Magic,” a six-part documentary about Disney’s special effects unit — Industrial Light & Magic — produced by Disney for Disney’s very own streaming service. Still, if you’re a “Star Wars” fan, VFX geek or even just interested in how some of Hollywood’s biggest blockbusters have been made, this is a great oral history about the most influential gang of movie magic wizards. Plus, watching the entire show gives you a great idea of how far Hollywood has come, all the way from the miniature models built for the first “Star Wars” to the virtual production sets of “The Mandalorian.”
Julie Otsuka’s “The Swimmers” is one of those novels that seems to be about nothing in particular, as it casually talks about the lives of a group of swimming pool attendees who have little in common but their shared love for laps. Then it zooms in on one of those swimmers and suddenly becomes about everything: life, aging, memories and the fragility of it all. I almost gave up on this book a few dozen pages in because it seemed too inconsequential, but I’m so glad I stuck with it. Because just like doing all those laps you set out to swim, it’s ultimately immensely rewarding.
Formerly known as BoxVR, FitXR has been a popular fitness app on the Quest for some time. Boxing is still a key part of the app’s workout regimen, but players can now also opt for dance or high-intensity interval training to get their blood pumping. This week, FitXR introduced a mobile companion app that helps you track and follow through on your workout goals, find new classes and even review detailed stats about past workouts. If that sounds like serious business, don’t worry: The VR workouts themselves are immersive and fun enough to make breaking a sweat feel like a game.
Blockbuster hacks are no longer the norm – causing problems for companies trying to track down small-scale crime
Chris Stokel-Walker is a freelance technology and culture journalist and author of “YouTubers: How YouTube Shook Up TV and Created a New Generation of Stars.” His work has been published in The New York Times, The Guardian and Wired.
Cybercrime is often thought of on a relatively large scale. Massive breaches lead to painful financial losses, bankrupting companies and causing untold embarrassment, splashed across the front pages of news websites worldwide. That’s unsurprising: cyber events typically cost businesses around $200,000, according to cybersecurity firm Cyentia Institute. One in 10 of those victims suffers losses of more than $20 million, with some reaching $100 million or more.
That’s big money – but there’s plenty of loot out there for cybercriminals willing to aim lower. In 2021, the Internet Crime Complaint Center (IC3) received 847,376 complaints – reports by cybercrime victims – totaling losses of $6.9 billion. Averaged out, each victim lost $8,143.
Many identity thefts and online scams, however, net perpetrators even less: just a few hundred dollars. For just $25, cybercriminals can purchase a cloned VISA or Mastercard, plus its PIN. That card data opens a treasure trove for criminals, including locally purchasing gift cards, or other fencible commodities such as electronics and jewelry sold off at a discount.
“Criminals have two primary goals: making money and staying out of harm’s way,” says Nick Biasini, head of outreach at Cisco Talos. Cybercrime provides an attractive avenue for both. “The inherent risk associated with committing cybercrime-fueled fraud is far lower than selling drugs or other types of crime. Additionally, the margins are far better. A criminal can turn a small investment into big profits simply from buying stolen information and using it to commit some form of fraud. During the pandemic unemployment fraud has been a lucrative favorite of criminals. Plus by keeping the monetary values lower they are less likely to draw the attention of state and federal authorities.”
A growing problem for local law enforcement
Cybercriminals can attack virtually anyone from virtually anywhere, and cybercrime as a service, where the non-technically minded can hire tools to hack accounts without any specialist knowledge, has become commonplace. Even organized crime syndicates in Spain and Italy are getting into the game.
Federal authorities, usually alerted by IC3, put their scarce resources toward solving large-scale crimes. They work with financial institutions or corporations most impacted by specific breaches. This means the majority of crimes – with their far smaller paydays – tend to fly under the radar.
A look at the data
But some companies are tracking the rise of small-scale cybercrime. Cisco Talos analyzes data to spot trends that help its incident response team alert customers to potential cybersecurity attacks, and then respond to and recover from breaches rapidly.
It has found that while drug felonies dropped drastically over the last eight years, before stabilizing during the pandemic, cybercrime has shot up. From 2015 to 2021, the number of reported cybercrimes nearly tripled, and losses soared nearly fivefold.
“Criminals today have a far better technical understanding than they did five or ten years ago,” says Biasini. “Additionally, it shows how they really understand inherent risk; it’s just safer to commit fraud and cybercrime than it is to sell drugs. As an added bonus, they also have become proficient in cryptocurrencies, providing alternative avenues for purchasing illicit goods and money laundering.”
[Charts: drug felonies versus reported cybercrime, 2015 to 2021. Sources: New York Police Department; IC3 2021 Internet Crime Report]
An evolving challenge
If this trend continues, the emerging wave of cybercrime will look less like epic breaches and more like scamming citizens out of their tax return or signing them up for fraudulent unemployment benefits. Those two crimes already rank in the top five of identity theft types for 2021, with unemployment scams leading the pack.
How, then, can we expect local law enforcement to possibly keep up? After all, they’re already busy policing and prosecuting what most people consider ‘real world’ crimes. Cybercrime is an entirely different problem. It requires poring over data both from the criminals themselves and from the victims they target with their fraud, trying to somehow build a solid, forensically sound case.
“Cisco Talos has always worked closely with local, state, and federal law enforcement organizations to help them succeed in their tasks,” says Biasini. “We are always willing and able partners to help take cybercriminals off the streets. We provide law enforcement with information we uncover during our investigations and oftentimes lend our people, processes, and technologies to help investigations already underway.”
One solution is for local law enforcement to identify staffers in their ranks with an aptitude for online sleuthing. Cybercrime units are perfect for people who have a research bent, because digital detective work is a big part of the job.
Another alternative police forces are pursuing is recruiting young people from computer science programs, or tasking high schools with helping train up a new generation of defenders with the mentality and skills to turn what today is a sideline for police into a mainline function. It’s already happening worldwide: in the UK, a $7 million government program led to the creation of cybercrime units in every police force in England and Wales.
And we’re seeing it here too in the United States. Several organizations have stepped up as resources for law enforcement. Every state has at least one agency devoted to helping police fight cybercrime. And the National Computer Forensics Institute offers courses, both in-person and virtual, to train basic and advanced examiners, first responders, and prosecutors and judges.
It’s all aimed at cracking down on small-time cybercrime, preventing the small leaks that, as thousands of years of history show, turn into a torrent of losses.
People have been swindled since before man created monetary systems. These aren’t new crimes; just new ways to commit them. But as cybercrime increasingly goes small-time, those on the front lines will need new and more effective ways to fight it.
Moses, a former FBI tech leader and one-time AWS customer, thinks Amazon’s culture of ownership helps him secure AWS because executives are taught that they are directly responsible for the security of their services.
“That mental model, that starting from scratch building and continuing to do so and never wavering … that model is why we are the most secure.”
Donna Goodison (@dgoodison) is Protocol’s senior reporter focusing on enterprise infrastructure technology, from the ‘Big 3’ cloud computing providers to data centers. She previously covered the public cloud at CRN after 15 years as a business reporter for the Boston Herald. Based in Massachusetts, she also has worked as a Boston Globe freelancer, business reporter at the Boston Business Journal and real estate reporter at Banker & Tradesman after toiling at weekly newspapers.
AWS customers are used to hearing about the cloud provider’s “shared responsibility” model when it comes to security, which means that while AWS promises customers it won’t allow its servers and networks to be compromised, customers still have to do the work of securing their own applications. Inside the company, however, the buck stops with the head of each service offered by AWS.
“Service leaders are responsible for the profit/loss, success/failure and, most of all, the security,” said CJ Moses, AWS’ chief information security officer (CISO) since January. “There are no excuses or finger pointing, so leaders don’t leave security success to chance, but rather actively own it.”
Moses, who has worked at AWS for nearly 15 years, previously led the technical analysis of computer and network intrusion efforts for the FBI’s cyber division and was a computer crime investigator as a special agent with the Air Force Office of Special Investigations. At AWS, he spent more than five years running and building its secure government offerings, including AWS GovCloud and the U.S. Intelligence Community cloud under its Commercial Cloud Services (C2S) contract.

Now as CISO, Moses is responsible for security across AWS’ cloud platform, leading product design and development, security engineering and strategy. He hosts a weekly security review meeting with AWS CEO Adam Selipsky and his senior vice presidents and select vice presidents.
“This meeting is the mechanism that enforces the culture that security is ‘job zero’ at AWS,” Moses said. “People are held accountable for resolving open issues, and strict timelines are adhered to for resolution.”
Moses also holds weekly application security review meetings with all of AWS’ service team owners. New services will not launch if there are any known security issues open, he said, but delaying a launch is very rarely required.
“Our security teams are deeply engaged with new services and new feature development from the beginning,” he said in a recent interview with Protocol. “A highly collaborative, as opposed to oppositional, culture when it comes to security reinforces the trust between service teams and security teams.”
This interview has been edited and condensed for clarity.
What are your duties as CISO?
It really comes down to making sure that we have the right tools, techniques, processes and people in place from the start, shifting as far left as we possibly can — meaning that security is part of the design of the things that we’re making. And not only security in mind from the design standpoint, but the protections that you can put in place, detective or otherwise.
If you have a scanner that’s running across your code after it’s already been written, that means that you didn’t catch it in the design or the initial coding phase. Every possibility that you can have to move further and closer to where code is being written by individuals or even further into the design phase means [reduced overhead], both from a development time as well as from a security perspective, to the overall process. Finding an issue after something’s gone into production and is public, and you have a CVE and all of that process, it’s very expensive to then mitigate that and to patch. We’ve moved as far to the left as we can and mechanized things.

One of the things this year that we found is that moving a lot of the code analysis straight into — before there’s ever even security reviews officially — the builder space, into the developer environments that they use, so that things are getting fixed before security officially would kick in and do reviews of the software. The good part of that is the developers are then catching it as it happens and then changing it is an education for them. They’re like, “Oh, it caught that I did this. This is an anti-pattern that I shouldn’t do,” and then they don’t do it again. And the percentages of increased capacity, if you will, are huge there because, once again, that’s further left that we can shift stuff.
My goal, in the fullness of time, would be to put our operations or responsive operations out of business. It’s not a real possible goal, but as much as we can to move things to the left so that we’re finding them earlier, remediating them when they can be most impactful and people learn from that so that you don’t have them happen again, the better situation we’ll be in across the board.
[The] last thing that any software development engineers like to do is repetitive, boring stuff. And the more that we can make it an automated process earlier on, the less impactful it is to their timelines of developing and deploying innovative new services or features. So far, the feedback from the teams themselves is positive. And that’s really what I like is that you’re making a security impact, but you’re also making the developers and the teams themselves that are trying to build new capabilities for AWS users, you’re making them happy. It goes back to … making security the path of least resistance.
What is AWS’ security strategy? Microsoft seems to be throwing things at customers all the time, and Google Cloud has said it wants to provide end-to-end security.

Overarchingly, we’ve always wanted to work backwards from the customer. We don’t want to tell the customer what they need to do. We actually want to work backwards from them to understand what their needs are. And we’re hearing from customers on a regular basis that … they see our cloud as being the most secure cloud there is. But they also want the ease of use to be able to be secure in the cloud as well. [At the AWS re:Inforce conference last month, vice president of AWS platform Kurt Kufeld] announced a lot of features and functionalities moving towards making it even easier, rather than only having these services that you can put together in order to have a comprehensive environment — to pull those services together into solutions that meet business needs without having to have a lot of the work in the customer space.
What you’ll see from us more going forward, and you have kind of seen already, is creation and bringing together of security services on top of the normal AWS services that we have in order to create that “easy-button” experience of being able to deploy and operate in AWS and do so in a fashion that is the path of least resistance. It’s to make it easier for our customers to be innately secure when operating in the space.
Many times we get asked from customers to share our threat intelligence with them. Obviously, at scale, it’s very difficult to pick up the phone and call a million-plus customers to say this is what we’re seeing. As threat intelligence — things we learn by operating in the space — is found, we’re pushing those things directly as near real time as we possibly can into the services we’re offering to customers. GuardDuty, as a threat detection service, is an obvious one; Security Hub and others, as part of that, are there. The idea is that as we’re finding stuff, there shouldn’t be the lag or delay to our customers of taking that intelligence that we’ve gathered or that experience … and pushing it into those products.

So these days, when I get asked, “Will you engage in a threat intel sharing agreement,” I say, “Turn on GuardDuty — just turn it on and use it.” And then all of the back-end process of sharing and then figuring out how you get it in your system and your own network, it’s just not there anymore. You don’t need to do that. We’re going to do it for you. The model that works going forward is automation mechanizing. And that’s, from our big picture, continuing to move down that path of having AWS be not only the most secure, but the simplest to be secure by default.
AWS isn’t always known for being the easiest service to use.
I know. But the reality is that we are the blank canvas that allows you to create the Mona Lisa. And what we want to do now is to be able to allow you still to paint the Mona Lisa, but in this case to be able to do so in a secure fashion.
You bring up the simplicity. I think that you’ll see across AWS that the focus is to continue down the path of being the most capable cloud provider in the world, to have the most ubiquitous security and other capabilities, at the same time, increasing the simplicity of being able to do so. There’s a huge capability that we have there, and we’ve focused on having all the features and all the building blocks for so many years.
There has been a transition. Security Hub is a good example specific to the security space, trying to cordon in to where it makes it easier for the security professional to be able to go to one place and see the alerts and things of that nature without having to go to consoles for each of the different offerings. And you’ll see more and more of that over time across AWS, not only in [the] security space, but overall — being able to focus those services towards solutions. That’s one of the things that you see a lot of our ecosystem is strong at. You have providers that are our partners that are taking our services, putting them into very easy-to-use, press a button to provide a solution across the board.

You mentioned customers saying that AWS is the most secure cloud. Do you believe that and why?
I have no doubt in my mind that it is. I came from the FBI to AWS because I was a potential customer. Back when AWS was one region, five services, the security that AWS had day one was the log-in password and user ID from the bookstore — from Amazon’s website. We had a business need at the FBI that we were supporting, and it was a counterterrorism effort, and we had essentially what they call big data today — mining that big data, basically looking for the needle in the needle stack in order to keep bad things from happening to good people. We had a lot of vendors that were out there that wanted to support and did support us. The “gotcha” was that no matter how much of the same stuff we bought, we never were able to make that scale function or that step function [for] Friday at 4:30, [when] the digital truck would back up with more data. And you want the definition of “keeping yourself up at night”? That’s the job, because you know that if you don’t find that needle that bad things are going [to] happen to good people, and it’s going to be your fault.
When EC2 was launched by AWS [in 2006] … the idea of saying, “OK, I can use 1,000 computers for an hour rather than having one computer for 1,000 hours” — the time to value is huge. So we [at the FBI] had some meetings with [AWS chief evangelist] Jeff Barr … and said, “Hey, this is the mission we have, you guys have this,” and they were like, “We want to be able to do that, but we’re not in a position today. We don’t have the infrastructure, the security, the background, all of the features that you’re going to need to do that kind of business on top of us.” The discussion went on for six or eight months and subsequently [former AWS CEO] Andy Jassy, a visionary that he is, said, “Hey, there’s only one way we’re ever going to get to that business, and it’s having people like you join us, bring us into the enterprise out of just individual developers and startups, build those capabilities and take us forward.”

The security story was very weak [on] day one. A handful of us — (former AWS CISO) Steve Schmidt, myself, Andrew Doane and Eric Brandwine — joined in late 2007, and our job was the dedicated utility computing team — the DUC team, also known as the feds [because] you had a bunch of us coming from the FBI. We weren’t given a distinctive thing we had to do other than move us towards the enterprise. We thought about the mission that we had previously and how we could build from scratch the environment that we needed to have in order to be able to do the highly secure work that we were doing. We were paranoid, but we were paranoid for good reason because we did know, in our previous lives, that they were out to get us. So we came into AWS with that mentality and built from scratch day one that foundation. There was no other cloud provider that’s ever had that kind of capability built from day one by the paranoid group that we have, with the expertise, that have been chasing hackers around the world. Built it from bare bones.
Talk about shifting left. We shifted left 15 years. Started with EC2, rewrote basically EC2. The virtual private cloud that’s spoken of today, we created VPC, and it was our first product. We went from being dedicated utility computing to virtual private cloud. We wrote the underpinnings — the virtual network overlay protocol — so we run our own protocol on the network in order to be able to maintain isolation between all of our customers. We started with that and then grew, work, scale, created.

The security culture that you see today is based upon us taking our security mindset and Amazon’s ownership culture, jamming them together in the idea that you have single-threaded owners that own their business beginning to end and including security as part of that, such that at the end of the day, there’s no finger-pointing. If EC2 has a security issue, the owner of EC2 knows it’s their responsibility. It’s also my responsibility to enable them and make sure it doesn’t happen. So we share that responsibility, but straight up, they know that is theirs to own, and they’re going to be the ones … answering to that. That mental model, that starting from scratch building and continuing to do so and never wavering … that model is why we are the most secure. Other cloud providers have created capabilities that really are add-ons to things later on. We started from scratch, built not only the underpinnings of the technology, we built the culture, and every one of the service teams thereafter were built on the security culture that we have created at AWS.
To this point, I think that we’ve represented ourselves pretty well. There’s been a lot of threats and adversaries and other things out there, and we have the longest track record of operating on the internet with all of those things attacking us. Not to mention, we’ve won some pretty big contracts with government entities that are known for being able to identify what is secure and what is not.
What’s the biggest threat to cloud security right now and how do you stay ahead of all these bad actors?
You have to think of it this way: Humans are behind everything that happens. And in cyber threat, you look at it from the standpoint of every threat that comes at you, every adversary there is, there’s actually a human on the other side of that keyboard. I learned this very, very near and dear to my heart chasing hackers around the world.
During the [buildup to] Russia invading Ukraine … you could actually see, from threat intel, known ransomware actors in Russia that were essentially extorting money from people to restore their infrastructure. During that buildup, all of a sudden they went from being ransomware to just “delete everything.” The humans’ intent behind the scenes changed. So from a threat-actor perspective, you have to understand the adversaries and then … put in the protections in order to be able to not only … prevent, but in the case of anything that gets past the prevention, to detect them.

Understanding how those actors act and types of things that they do is important to understanding how you get in front of [it]. Don’t look at what’s going on today, look at what’s going to happen not only tomorrow, look … into the future and build the capabilities there. The idea that we are thinking that far in advance, understanding the long game, allows us to get in front of those threats.
What are the biggest security mistakes that you see enterprise customers repeating?
I don’t think that there are huge trends and things that customers or enterprises are making. Essentially it comes down to that customers need to be focused on making sure that they’re doing the things that are within their control within the cloud or within the environments. Customers have to take responsibility for that which they have access to. We have created all kinds of tools — access analyzers and other things like that — in order to enable them.
The focus going forward is to be able to establish more and more guardrails. The ability to block all your S3 buckets from being accessed from the internet is a good example of one of those controls. And as we go forward, you’ll see more and more capabilities like that that you can add from an executive governance level that’ll allow those guardrails to be in place to allow customers to be able to have their developers have that ability to be free and do the innovation that they need to do while also putting the controls in place across the board.
Donna Goodison (@dgoodison) is Protocol’s senior reporter focusing on enterprise infrastructure technology, from the ‘Big 3’ cloud computing providers to data centers. She previously covered the public cloud at CRN after 15 years as a business reporter for the Boston Herald. Based in Massachusetts, she also has worked as a Boston Globe freelancer, business reporter at the Boston Business Journal and real estate reporter at Banker & Tradesman after toiling at weekly newspapers.
The OCC is facing calls to pull guidance allowing banks to conduct some crypto-related business.
Lawmakers including Sens. Elizabeth Warren and Bernie Sanders fear crypto could introduce systemic risk to banking without strict guardrails.
As efforts to pass federal crypto legislation are maybe, finally picking up steam in Washington, so, too, is the debate about how traditional banks should approach the sector.
A group of progressive senators including Elizabeth Warren and Bernie Sanders is calling on a federal banking regulator to pull Trump-era guidance that gives banks limited clearance to engage in crypto-related business.
In a Wednesday letter addressed to the Office of the Comptroller of the Currency, the senators pushed forward an ongoing debate over the role banks should play in the crypto ecosystem. Banking industry groups say the regulated institutions can bring stability to the volatile sector. But the lawmakers fear crypto could introduce systemic risk to the broader banking system without strict guardrails.
“In light of recent turmoil in the crypto market … we are concerned that the OCC’s actions on crypto may have exposed the banking system to unnecessary risk,” reads the letter, which was also signed by Sens. Sheldon Whitehouse and Dick Durbin.

Warren circulated a draft version of the letter within the Senate Banking Committee last week, as first reported by Bloomberg and American Banker. The letter calls on the regulator to withdraw previous guidance and start a more comprehensive process “that adequately protects consumers and the safety and soundness of the banking system.”
The OCC’s current guidance was published in late 2020 and early 2021. It gives federally chartered banks clearance to provide crypto custody service, hold cash reserves backing stablecoins and use blockchain technology and stablecoins to verify bank-to-bank payments.
When asked about news reports on the letter, an OCC spokesperson on Tuesday sent Protocol previous comments from acting OCC head Michael Hsu describing the agency’s “careful and cautious” approach to crypto.
Hsu defended the agency’s approach in a comment to Bloomberg when the outlet reported, on Aug. 3, that Warren was circulating a letter calling for the OCC to pull the guidance.
“I think we’re doing a pretty good job. See exhibit A: a whole bunch of stuff just happened, and the banking system is in pretty good shape, knock on wood. I think part of that is the actions we’ve taken,” Hsu told Bloomberg.
The senators cited the bankruptcies of firms Celsius and Voyager, which ran crypto-lending businesses that operated outside of the OCC’s purview. Still, the bankruptcies make “clear that stronger protections are necessary to mitigate crypto’s risks to the financial system and consumers,” the letter reads.
Hsu is a self-described crypto skeptic and promised to review the crypto-related guidance when he took leadership of the OCC in May 2021. The guidance was published under Hsu’s predecessor, Brian Brooks, who is now CEO of crypto company BitFury.
The agency said in November it would keep the provisions in place, with the added caveat that banks must apply to the OCC for a non-objection before engaging in any crypto activity.
But, in the senators’ view, that change does not go far enough.
A banking industry trade group recently argued that limiting banks’ participation in crypto is counterproductive to protecting consumers. A Monday letter from the American Bankers Association to the Treasury Department noted banks are facing restrictions that mostly keep them out of digital assets, while there is still little regulation for non-banks involved in crypto.

“The combination of these two approaches — inaction on the one hand to bring into the regulatory perimeter non-bank crypto companies, and limitation on the other of banks’ ability to engage responsibly in the digital asset market — creates an environment that makes it nearly impossible for responsible financial innovation to occur in this space,” wrote Brooke Ybarra, senior VP of innovation and strategy at the ABA.
The association was responding not to Warren and Sanders’ letter, but to a comment process the Treasury launched in July. The department sought input on, among other things, crypto’s potential impact on markets and major financial institutions, as directed by President Joe Biden’s executive order in March. Biden’s order is built around the idea that the U.S. needs to take a “whole-of-government” approach to regulating crypto.
Banks are not a monolith, and some are more skeptical of crypto than others. Some institutions have explored using blockchain technology for things like settling money transfers. Some are providing services holding custody of crypto assets or customer cash for crypto companies.
OCC-chartered crypto custodian Anchorage Digital said that lawmakers should be focused on bringing more crypto businesses within view of regulators, when asked about the letter.
“If we truly want to protect consumers, we need to pave a workable path forward for regulated institutions to provide crypto services, which was the very intent of the OCC’s guidance,” Anchorage general counsel Georgia Quinn told Protocol.
Warren has certainly voiced support for bringing stricter regulation to crypto as a whole. But consumer protection groups, which generally align with Warren, have flagged crypto’s entry into the traditional banking system as being of particular concern. They say there needs to be clarity beyond the current guidance.
“We don’t really know much about how exposed banks are to crypto risks or how regulators are weighing in,” said Mark Hays, a senior policy analyst on fintech at Americans for Financial Reform. “Given the recent crash, we should, and it would be better if regulators started from first principles and applied the full suite of banking regulations from the outset rather than take the ‘maybe, maybe not’ approach currently in play.”

The senators’ letter calls on the OCC to take up a new process with the Federal Deposit Insurance Corp. and Federal Reserve to clarify how the banks they oversee can engage with crypto. The letter also includes a series of questions about how many OCC-regulated banks are engaging in crypto activities.
The OCC, FDIC and Federal Reserve released a joint statement late last year promising further clarity would come for banks on crypto in 2022 — but guidance since then has been limited. The FDIC recently put out a statement warning banks they must monitor how the crypto firms they partner with advertise the availability of deposit insurance. That concern, plus Warren and Sanders’ attention, could be a signal of additional action coming.
Along with Biden’s executive order, there are several bills aimed at regulating various parts of the industry in the Senate, including one filed in early August that would give the Commodity Futures Trading Commission larger oversight of the industry. While the banking industry is not the focus of those bills, they could help influence how bank regulators approach crypto.
“Just having clarity between what’s a security token and a non-security token would be very helpful,” said Gary DeWaal, chair of Katten Muchin Rosenman LLP’s financial markets and regulation practice. “Over time, once you have a key regulator in place at the federal level, you’ll have better standards on custody, better standards on cybersecurity — that will benefit the banking regulators, too.”
Plex’s new “Discover Together” feature adds a social feed to the popular streaming app.
The company is adding a social feed that lets people share and discuss their viewing activity, ratings and watch lists.
Janko Roettgers (@jank0) is a senior reporter at Protocol, reporting on the shifting power dynamics between tech, media, and entertainment, including the impact of new technologies. Previously, Janko was Variety’s first-ever technology writer in San Francisco, where he covered big tech and emerging technologies. He has reported for Gigaom, Frankfurter Rundschau, Berliner Zeitung, and ORF, among others. He has written three books on consumer cord-cutting and online music and co-edited an anthology on internet subcultures. He lives with his family in Oakland.
Media center app maker Plex is giving its users a new way to talk to each other: The company is adding a social feed in its app that lets people share and discuss their viewing activity, ratings and watch lists with friends.
The new feature makes Plex just the latest company looking to add a social networking layer on top of its streaming platform. Doing so requires walking a fine line between appealing to people’s willingness to share and valuing their privacy, all while actually improving the core service. It’s something other services in both music and TV have struggled with before, but Plex has a few built-in advantages over some of its competitors.
Plex soft-launched its new “Discover Together” feature as an opt-in beta test on Wednesday. People who join the beta can automatically share their watch list, ratings and watch history with friends via a new social feed integrated into the app. Friends can use this feed to share movie recommendations with each other, start group chats and add any title that catches their interest to their own personal watch list.

The intention behind the new feature is to give people another way to find the streaming content they love, Plex chief product officer Scott Olechowski told Protocol. “It’s something that really doesn’t exist in these ecosystems at all,” he said.
That’s not for lack of trying. Roughly a decade ago, companies like Hulu and Spotify tapped Facebook to help them add a social layer to their streaming services. Automated activity feeds were supposed to help people find the content their friends loved, but ended up being more of a nuisance, if not a borderline-creepy act of oversharing.
Hulu and others have unceremoniously ditched their automated social activity feeds, but that hasn’t stopped others from trying to make entertainment more social. A number of social TV apps unsuccessfully tried to bring Foursquare-like check-ins to video viewing. Spotify has refocused its efforts around playlists as well as the creation of social moments like Wrapped, and allowing subscribers to share both on third-party platforms.
Facebook itself tried to use its social graph to turn Facebook Watch into a service with TV-worthy content — only to pull back on content investments soon after. And a number of new apps and services like ZinBin and Scener are trying to offer content discovery through a social lens.
Plex’s key differentiator is that it is already a social app — just one without profiles and feeds. Before adding ad-supported video, live TV feeds, Tidal subscriptions and more, Plex was primarily known for allowing people to run their own media servers, which they could share with small groups of friends. These servers were and are being used to stream all kinds of content, including DVR recordings, legally ripped CDs, home videos and, yes, also pirated movies and TV shows.
To launch its new social discovery feature, Plex is tapping into that core audience of server owners first. Once a Plex server owner opts into the test, they can automatically share their watch list, ratings and watch history with friends. If these friends find the feature useful, they can invite their own friends and grow the network organically.

One reason to start with server owners was that Plex didn’t want to leave newcomers forced to rebuild their social graph from scratch, product management director Ricardo Castro told Protocol. “It’s very important for us to bring the entire network on together,” Castro said. “We wanted to start with a collection of features that would be immediately valuable to the people that already have friendships.”
Many of Plex’s new social features are powered by people’s past ratings and viewing. The company’s apps have been collecting this type of data locally for years; Plex recently began to collect this data on an opt-in basis, and it has since gathered nearly half a billion related data points, according to Olechowski.
To get people to trust Plex with this data, the company is not storing any indication of where or how people may have consumed a particular movie or show. A Plex user may have streamed a title on Netflix and then marked it on their watchlist as played, streamed it from Plex’s ad-supported video library, seen it in a theater or streamed it from someone’s server — the resulting data looks the same to the company and anyone using Plex’s new social feed. People can also edit their watch history at any point or decide not to share it with anyone at all.
The company is also taking some cues from other social networks, both in terms of best practices and pitfalls. This includes a conscious decision against endless scrolling. “It shouldn’t feel like this endless stream of content that you can never finish,” Castro said. “We wanted it to feel more personal, and less like an endless fire hose of content coming at you.”
Plex does have plans to expand its social features over time, which could eventually include public profiles and the ability to follow celebrities on the platform. However, Olechowski stressed that the company sees these features as value-additive, and not revenue-generating on their own. “We’re not trying to build a social network to build a business around a social network,” he said. “It’s really designed to solve a problem, not just to consume your time.”

Update: This post was updated on Aug. 10 to clarify some of the Discover Together functionality.