On the same day of May 9, 2026, warning lights in the cryptocurrency industry lit up simultaneously at three seemingly dispersed coordinates: on one end, Payward, as the parent company of Kraken, submitted an application to the Office of the Comptroller of the Currency (OCC) to establish the federally regulated Payward National Trust Company, aiming to incorporate digital asset custody and trust services under the national trust company license, based on already obtaining the Wyoming SPDI license; on the other end, cross-chain infrastructure provider LayerZero Labs publicly apologized on platform X, admitting that in dealing with a security incident over the past three weeks involving an internal RPC attacked by the Lazarus Group, an external RPC being DDoS attacked, and the contamination of the DVN data source, there was insufficient information disclosure and communication; on the same day, the Estonian Financial Supervisory Authority (FSA) issued an investor warning to BB Trade Estonia OÜ, the operator of Zondacrypto, based on Article 9(1) of the MiCA framework, pointing out that their failure to publicly disclose the TeamPL token white paper violated disclosure requirements. Regulatory licenses, white paper information disclosure, and infrastructure security were simultaneously pushed into the spotlight by regulators and project parties, and the tightening regulation combined with security risk incidents is collectively reshaping the survival boundaries of the cryptocurrency industry: on one side, leading institutions are actively embracing federal and regional unified regulatory frameworks in an attempt to "shell" their business with licenses and rules, while on the other side, small and medium platforms and key infrastructures are being exposed one by one for their shortcomings in compliance documents, technical configurations, and risk communication, making the internal hierarchical differentiation and red lines of regulations within the industry unprecedentedly clear on this day.
Kraken Parent Company Races for Federal Trust License
On the same day when the regulatory boundaries were redrawn, Kraken's parent company Payward chose to move closer to the federal level. Public information shows that Payward has applied to the OCC to establish Payward National Trust Company, aiming to obtain a national trust company license to provide digital asset custody and trust services under federal regulations for institutional and individual clients. Compared to the previously acquired Wyoming Special Purpose Deposit Institution (SPDI) license, this step indicates that their custody business no longer remains confined to a single state-level license system, but rather attempts to construct a more complete compliance infrastructure under a "state-level SPDI + federal national trust company" dual framework.
From the perspective of industry observers, this type of multi-license arrangement is not merely about having another "signboard," but rather about laying a compliance track that can be accepted by institutional investors for custody and trust services: on one hand, connecting to the federal regulatory context through the OCC license helps demonstrate to large institutions and high-net-worth clients that their custody framework, risk isolation, and fiduciary responsibilities are under higher-level regulation; on the other hand, it complements the Wyoming SPDI license while also leaving operational space for potential future regulatory rules. For Kraken, this application itself is a statement—against the backdrop of tightening regulations and licenses becoming a threshold, it hopes to be seen first as a compliant custodian and fiduciary, rather than just a trading platform relying solely on spot matching business.
LayerZero Admits Oversight: Cross-Chain Security Under Scrutiny
In contrast to Kraken's compliance narrative through licensing, LayerZero was compelled to explain past security incidents with a statement of apology. The team acknowledged on X that its internal RPC was attacked by a group identified as the Lazarus Group, while external RPC providers simultaneously faced DDoS attacks. Under this double blow, the underlying data source used by DVN was contaminated. LayerZero emphasized that the core logic of the protocol was not directly breached, but also revealed glaring details: it had allowed DVN to handle high-value transactions under a 1/1 configuration and later admitted a lack of sufficient oversight regarding the content protected by DVN. For an infrastructure that prides itself on being a "secure cross-chain," this exposes systemic risks at its weakest configuration parameters.
Worse still, this incident is not isolated. Some sources link the KelpDAO rsETH vulnerability on April 18, 2026, with LayerZero's DVN-related RPC issues, although this attribution is still just one source's claim, and specific losses and causal chains have yet to be fully confirmed, it is enough to shift the focus from "who the hacker is" to "how fragile the cross-chain infrastructure really is." A compromised RPC and an external node overwhelmed by DDoS attacks are enough to leave DVN "guarding" assets on erroneous data while the project party inadequately communicated over the three-week period, further amplifying distrust. For infrastructures operating on multi-chain networks, this incident serves as a reminder to all teams: the risk pathway may begin with an internal RPC call, but what truly determines reputation is whether they are willing to clarify configuration oversights, regulatory failures, and potential impacts promptly after issues arise.
MiCA Takes Action: Estonia Names Zondacrypto
Unlike the soft constraints of project parties to "clarify" during security incidents, disclosure obligations once enshrined in regulation become hard law enforcement. Also on May 9, the Estonian Financial Supervisory Authority (FSA) issued an investor warning to BB Trade Estonia OÜ—the operator of the cryptocurrency trading platform Zondacrypto—citing very specific direct reasons: the company offers TeamPL cryptocurrency services on its website but failed to publicly disclose the white paper for that token as required. The regulatory document cites Article 9(1) of the EU MiCA framework: cryptocurrency asset white papers must remain publicly available while that cryptocurrency asset is still held by the public, rather than just being "posted" during the initial issuance or launch and then removed. This action is also seen as one of the typical enforcement cases regarding cryptocurrency asset disclosure provided by Estonia following the implementation of MiCA.
For small and medium platforms like Zondacrypto, this means the compliance pressure has expanded from "whether to apply for licenses" to "whether to continuously provide sufficient information for every token." In the context of MiCA already becoming the unified regulatory framework of the EU, if platforms continue to adhere to past practices of simply listing long-tail tokens as products without synchronously verifying whether the white papers exist or are publicly available, they may end up being named in regulatory documentation like BB Trade Estonia OÜ. From an investor's perspective, writing the continuous public availability of white papers into Article 9(1) effectively ties information rights and risk recognition capabilities together: users can review the project structure, rights design, and main risks anytime, rather than being forced to rely on marketing copy or second-hand interpretations. Under such rules, "whether there is a compliant white paper, whether it is always verifiable" becomes the first threshold for judging the fundamental risks of a token.
Compliance Routes Diverge: Leaders Rush for Licenses, SMEs Receive Warnings
On the same day, two messages stood at opposite ends of the compliance spectrum: on one side, Payward continued "charging into regulation," applying to the OCC to establish Payward National Trust Company, putting digital asset custody and trust services into a federal-level regulatory framework, following its acquisition of the Wyoming SPDI license; on the other side, BB Trade Estonia OÜ, the operator of Zondacrypto, was issued an investor warning by the Estonian FSA for not publicly disclosing the TeamPL token white paper on the website, being directly pinpointed on the MiCA disclosure red line. The former actively adds licenses to portray itself as "an insider in the regulatory system," while the latter reveals the fundamental compliance shortcoming of not having the most basic documents externally available when regulators come knocking.
The multi-license layout brings not only an expansion of business scope but also a reconfiguration of discourse power. From state-level SPDI to seeking an OCC national trust company license, Payward is fundamentally transmitting the same signal to institutional clients and regulatory bodies: essential custody and fiduciary functions can operate under higher prudential requirements; backed by federal regulatory identity, it is easier for Payward to be viewed as "a dialogue partner within the system" when interfacing with large institutions and participating in regulatory discussions. In contrast, the MiCA framework has already embedded the continuous public availability of white papers into Article 9(1). When the FSA issued a warning to BB Trade Estonia OÜ based on that, it also serves as a reminder to other small and medium platforms: disclosure obligations, internal governance, and technical systems are no longer "cost items that can be economized," but rather critical entry thresholds akin to life-and-death lines. In this wave of regulatory elevation, large platforms with compliance resources have the opportunity to stack licenses into a protective moat, while smaller players that fail to keep up are more likely to be fixed on the high-risk label side.
Under Dual Pressure of Regulation and Security, Who Will Survive?
The three pieces of information appearing on May 9, 2026, lay out new exam questions for the industry: on one side, Payward submits its application for a national trust company license to the OCC, awaiting review decisions, representing the acceleration of the compliance framework’s implementation; on the other side, LayerZero, in its apology, acknowledges that DVN once processed high-value transactions under a 1/1 configuration, and that both internal and external RPCs were attacked, exposing weaknesses in communication and security within cross-chain infrastructure; concurrently, the Estonian FSA, relying on Article 9(1) of MiCA, issued a warning regarding white paper disclosures to BB Trade Estonia OÜ, signaling that more member states will accelerate their enforcement pace under unified rules. Moving forward, whether Payward can obtain approval for federal custody and trust qualifications, how LayerZero can turn security rectifications and information disclosures into "verifiable processes," and the intensity and pace of MiCA’s implementation in different jurisdictions will directly reshape the survival order of platforms and infrastructures. For project parties and users, choosing a custodian, trading platform, or cross-chain infrastructure will mean that whether regulatory status is clear, disclosure is continuously verifiable, and whether security governance has mechanisms instead of mere verbal promises will no longer be just "bonus points," but rather critical thresholds determining whether it is worth entrusting assets and trust. In this period of dual pressure, those that can provide clear answers on licenses, disclosures, and security governance will be the ones to survive.
Join our community to discuss and become stronger together!
Official Telegram community: https://t.me/aicoincn
AiCoin Chinese Twitter: https://x.com/AiCoinzh
AiCoin on-chain: https://aicoin.com/hyperliquid
AiCoin exclusive Hyperliquid benefits: https://app.hyperliquid.xyz/join/AICOIN88
AiCoin exclusive Aster benefits: https://www.asterdex.com/zh-CN/referral/9C50e2
免责声明:本文章仅代表作者个人观点,不代表本平台的立场和观点。本文章仅供信息分享,不构成对任何人的任何投资建议。用户与作者之间的任何争议,与本平台无关。如网页中刊载的文章或图片涉及侵权,请提供相关的权利证明和身份证明发送邮件到support@aicoin.com,本平台相关工作人员将会进行核查。
