A moment from @MehowHacks at the Capital Summit panel.

Every fortress needs allies. If you're part of one of the communities below, you're eligible for an exclusive role and special rewards inside our Discord. Join Now discord.gg/americanfortress

Wallet drainer bots don't hack your wallet. They get you to hand it over yourself. The attack flow: 1. Fake site mimics a legitimate protocol (Uniswap, OpenSea, Coinbase) 2. User connects wallet - standard action, feels safe 3. Site requests a transaction signature, looks routine 4. Signature approves a drainer contract to move all assets 5. Wallet emptied. Funds gone. Irreversible. Dark web discussions about drainer malware rose 135% between 2022 and 2024. The tooling is commoditized. The barrier to launching a campaign is near zero. The attack doesn't exploit code. It exploits the fact that users can't verify what they're actually signing.

Hear from our CEO @MehowHacks who made crypto private, quantum-proof, compliant, and actually usable without mixers at @proofoftalk on June 2nd. Register for the workshop with the link below.

Tornado Cash was sanctioned in 2022. Four years later, the compliant privacy alternative is still missing. What moved in: readability tools that publish your entire financial history (ENS), and privacy tools that put users on regulators' radar. Neither works for someone who needs both privacy and a clean compliance record. The gap is still open.

What "privacy by default" actually means in practice: — Your wallet generates a new address for every transaction automatically — Your balance is never visible to people you haven't transacted with — Your transaction history can't be traced back to a single permanent identifier — Compliance is built in, not bolted on afterward None of this requires a separate privacy coin. None of it requires a mixer. None of it requires the user to do anything differently than they do today. That's what "default" means. It just works. Invisibly.

🏺 Tessa Hunt and the Golden Sands is LIVE — exclusively at Jackpotter! 🔥 The 10 random users will each receive 10 Free Spins RT Tag a friend Jackpotter Username to enter! Be the first to spin! 👇 🎮 jackpotter.com/games/tessa-h…

Smart contract security has always been asymmetric. Defenders need to find and fix every vulnerability. Attackers need just one. AI coding agents didn't create that asymmetry. They industrialized it. The industry kept betting on better audits. The attack side just got a machine that never sleeps.

Decentralization is the most overused word in crypto. Most "decentralized" identity systems can still see: — Who you registered as — Which wallet that name maps to — Every transaction tied to that wallet That's not decentralization. That's a directory service with a marketing budget. The bar should be: once a name is registered, the issuer has no way to see who you're transacting with, what you're sending, or what your balance is. What happens at registration and what happens after it are two different questions. Most systems fail both. The better ones at least solve the second.

Every privacy protocol protects the sender. Nobody protected the recipient. Until us. @MehowHacks on why that changes everything 👇

There's an attack vector most of crypto isn't tracking yet. AI recommendation poisoning. An attacker embeds hidden prompt instructions in a webpage. An AI agent reads the page during its normal workflow. The agent's memory gets silently altered, and from that point, every recommendation it makes is skewed toward whoever planted the instructions. Microsoft documented 50 live examples across 31 companies in 14 industries in 60 days of research. If your portfolio decisions or due diligence run through an AI assistant, assume the inputs can be manipulated. The recommendation is only as trustworthy as what the agent read to make it.

Why isn't more institutional capital on-chain yet? Exposure. Not regulation. Every wallet address is a permanent public identifier, and every transaction lands on the same ledger. Trading strategies, supplier relationships, treasury movements, anyone with a block explorer can read all of it. No CFO signs off on broadcasting that data live. Until on-chain transactions match the discretion of traditional banking rails, institutional liquidity stays in crypto-native venues. The privacy gap is the adoption gap.

Arbitrum holds $16B in TVL, that’s 40% of the entire L2 market. Variational, USDai, GMX. The deepest DeFi stack in the L2 world. Every position on it is completely visible: your size, entry, counterparty. Anyone with a block explorer can see exactly what you're doing before you do it. Not anymore. AmericanFortress™ beta is live on Arbitrum. Now you can send to @name, hide your balance, and stay compliant. No mixer. @arbitrum x @AmericanFort_io

AI agents are already transacting on-chain. The numbers are ahead of the narrative. In one 14-week beta: 1,000 users deployed 9,500 agents running 187,000 autonomous transactions. Stablecoin volume hit $46 trillion annually, up 106% year-over-year. McKinsey projects agentic commerce reaches $3–5T by 2030. Crypto settles in under 500ms at a fraction of a cent. No other rail comes close. The agent economy is already here. The infrastructure hasn't caught up. If you're building products, protocols, or agent frameworks, assume your next user category isn't human.

An AI agent got tricked into draining its own wallet, without touching a single line of code. An attacker sent a free NFT to Grok's connected wallet. The NFT quietly escalated the wallet's permissions. The attacker then posted a Morse code message on X, Grok decoded it, treated it as a legitimate command, and transferred $174,000. If you're connecting an AI agent to a wallet: any token it receives and any text it reads online is a potential instruction. The bar for "input validation" just moved.

The largest social engineering attack in crypto history didn't exploit a single line of smart contract code. Months of relationship building. One moment of misplaced trust. $285M drained from Drift Protocol. 76% of all 2026 crypto losses trace back to North Korea, and almost none of them involve a code exploit. What this means for everyone else: the next major attack on your protocol, fund, or team won't come through your audit reports. It'll come through a LinkedIn message, a recruiter call, or a coffee meeting that lasts six months. Treat unsolicited contact the way you treat unsolicited code.

The average user has 1 wallet they consider "their main one." That wallet has been doxxed to: — their cex — their dex — their friends — their browser — their isp — anyone who paid for the data The headstone is already engraved.

KYC was never the problem in crypto. The real problem? No KYC is tied to the actual transaction. You verify someone once. Then trust everything they send. Forever. @MehowHacks on what we did instead 👇

Genuine question for the timeline: What's the most underrated security risk in crypto right now? Not the obvious ones, the ones nobody's talking about yet.

24h left to mint dTelecom Origin ID. Tier 1 access up to 2X points boost in the $2.6M airdrop. Mint 3 = 1 month @dMeetApp Pro sub. Window's closing — front-row won't come back. Mint ↓ opensea.io/collection/dtelec…