Weekly Top Stories - 11/21/25
In this week’s newsletter, Christopher Rosa examines crypto’s ironic dependence on centralized services in light of the Cloudflare outage; Thad Pinakiewicz breaks down the significance of new bank supervision guidance from the Federal Reserve; and Lucas Tcheyan critiques the International Consortium of Investigative Journalists’ well-intentioned but myopic reporting on “dirty money” in crypto.
Cloudflare Outage Exposes Risks of Centralized Infrastructure
At 11:28 UTC on Tuesday, Nov. 18, a Cloudflare configuration error triggered a widespread internet outage. As Cloudflare’s network failed to deliver core traffic, users saw error pages on many popular sites. Popular mainstream sites, including ChatGPT, X, Discord, Canva, Notion, and Shopify, were affected. On the crypto and DeFi side, Coinbase, Dune, BitMEX, DeFiLlama, Arbiscan, and Kraken also reported issues with their frontends. Together, these services reach billions of monthly users, so the disruption was widely felt. Ironically, Downdetector, which allows users to track site outages, also relies on Cloudflare, making it hard to check the status in real time.
According to Cloudflare, a database change pushed multiple entries into the feature file used by its Bot Management service, which controls bot access to customer sites. The pattern first looked like a major DDoS attack due to intermittent errors, but the team later identified the faulty source file as the root cause.
Cloudflare says all systems were back to normal at 17:06 UTC on Nov. 18, after core traffic largely recovered by 14:30 UTC. This came only weeks after an AWS incident on Oct. 20 in the cloud computing giant’s US East 1 region, where domain name service (DNS) problems for DynamoDB endpoints cascaded across services. Together, these outages highlight how dependent the internet is on a few providers and why teams should double down on practical resilience, such as multiple content delivery networks (CDNs), staggered rollouts with automatic rollback, and circuit breakers with cached fallbacks.
OUR TAKE:
First, it is important to understand how the internet works and the place of providers like AWS and Cloudflare within it, and how widespread reliance on them raises centralization risk.
The internet, a distributed set of computers that can transmit information to each other, was born out of the U.S. government’s ARPANET in 1969. At the time, computers were connected using very nascent protocols, if any, to transmit information only among a small group of machines. In the late 1970s, the TCP/IP protocol was introduced, defining a common set of rules that let computers from different networks communicate. In the early 1990s, Tim Berners-Lee invented the World Wide Web, which introduced URLs, HTTP, and the web browser, making the internet accessible to the public. The dot-com boom accelerated adoption and produced many of the services we use today. Amazon’s AWS now provides the compute, storage, and databases behind many sites, while Cloudflare operates as a content delivery and security layer. As more traffic consolidates on a few platforms, the chance that a single failure will have a widespread impact increases. These platforms take a once decentralized ecosystem and funnel it into one bottleneck that, if it breaks, causes mass outages.
This week’s outage is more than a temporary inconvenience; it is a critical reminder that the global internet relies on highly centralized systems. Cloudflare provides DDoS protection, traffic routing, DNS, edge computing, human-versus-bot verification, and a global content delivery network (CDN). It is also used by about 20% of websites, so problems at Cloudflare ripple widely across the web. Many organizations choose providers like Cloudflare to avoid having to build and operate these capabilities themselves or hire dedicated security and engineering teams to develop and maintain in-house systems.
Nobody forces companies to depend on Cloudflare; the protocols are open, and you can run your own infrastructure. Yet convenience turns centralization into the default. Defaults become dependencies, and dependencies become single points of failure. Centralization grows not through force or capture, but by making alternatives look unreasonable. The email ecosystem shows the pattern: you could run your own mail server because the protocol is open, but Gmail’s spam filters and reputation systems make self-hosting so difficult by comparison that most people never consider it, and they choose Gmail because it is easier ... until Gmail goes down. Then everyone wishes they had alternatives.
Binance’s CZ posted three words during the downtime: “Blockchain kept working.” In DeFi, the impact was felt mostly on the frontends of the venues mentioned above. The Cloudflare bug disrupted HTTP traffic, which affected websites and APIs. Core blockchain infrastructure is decentralized by design and continued to process transactions, but several popular exchange frontends were unavailable, leaving users unable to open or close positions in a volatile market. Blockchain validators communicate over peer-to-peer networks and typically do not route through Cloudflare, so they kept producing blocks unless an individual operator had an unusual setup. As CZ noted in a follow-up post, there is still a real dependency: “Most blockchain nodes run in one of the cloud providers... so it still depends on ‘the internet.’”
If the internet fails, everyone fails with it. Zeros and ones still have to traverse fiber and multiple network hops, whether operators run their own nodes or use hosted services. We cannot remove the internet as a point of failure, but operators can reduce risk by decentralizing their setups and avoiding single-vendor dependencies.
DeFi must learn its lesson and lean on its core strength, decentralization. (It’s right there in the name.) Validators already model the right path: they run their own nodes, communicate directly with one another, and typically avoid single vendors, so the chains kept producing blocks even as many frontends failed. By contrast, when apps centralize reads and writes through a few providers such as Infura and Alchemy, the ecosystem inherits the fragility that can take major parts of the internet offline. The harder path is to operate your own remote procedure call (RPC) endpoint, diversify providers and regions, publish alternative front ends, and design for graceful degradation, but that is how you earn durability.
As John F. Kennedy put it, “We choose to go to the Moon in this decade and do the other things, not because they are easy, but because they are hard.” DeFi must choose the hard path now, because durability is built, not bought. – Christopher Rosa
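The resilience measures named in this piece (diversified RPC providers including a self-hosted node, circuit breakers with cached fallbacks, graceful degradation) can be sketched as follows. This is an added example, not code from Galaxy or any provider mentioned; the class names, provider labels, thresholds and the offline `FakeProvider` are assumptions, and only the JSON-RPC method names are real.

```python
import time

class ProviderDown(Exception):
    """Raised by a transport when its provider cannot serve the request."""

# Idempotent reads that may be answered from cache; writes never are.
CACHEABLE = {"eth_blockNumber", "eth_getBalance", "eth_call"}

class Breaker:
    """Opens after `threshold` consecutive failures; re-probes after `cooldown` s."""
    def __init__(self, threshold=2, cooldown=30.0):
        self.threshold, self.cooldown = threshold, cooldown
        self.failures, self.opened_at = 0, None

    def allows(self, now):
        return self.opened_at is None or now - self.opened_at >= self.cooldown

    def record(self, ok, now):
        if ok:
            self.failures, self.opened_at = 0, None
            return
        self.failures += 1
        if self.failures >= self.threshold:
            self.opened_at = now  # (re)open and restart the cooldown

class ResilientRpc:
    """Tries providers in order, skips open breakers, falls back to a bounded-age cache."""
    def __init__(self, providers, clock=time.monotonic, max_stale=60.0):
        self.providers = [(name, send, Breaker()) for name, send in providers]
        self.clock, self.max_stale = clock, max_stale
        self.cache = {}  # (method, params) -> (result, fetched_at)

    def call(self, method, params=()):
        key, now = (method, tuple(params)), self.clock()
        for name, send, breaker in self.providers:
            if not breaker.allows(now):
                continue  # fail fast instead of waiting on a known-bad vendor
            try:
                result = send(method, params)
            except ProviderDown:
                breaker.record(False, now)
                continue
            breaker.record(True, now)
            if method in CACHEABLE:
                self.cache[key] = (result, now)
            return {"result": result, "source": name, "stale": False}
        hit = self.cache.get(key)
        if hit and now - hit[1] <= self.max_stale:
            return {"result": hit[0], "source": "cache", "stale": True}
        raise ProviderDown(f"all providers down and no usable cache for {method}")

class FakeProvider:
    """Constructed stand-in for an HTTP JSON-RPC endpoint so the example runs offline."""
    def __init__(self, head):
        self.up, self.calls, self.head = True, 0, head

    def __call__(self, method, params):
        self.calls += 1
        if not self.up:
            raise ProviderDown("simulated 5xx from the edge")
        return self.head if method == "eth_blockNumber" else "0xaccepted"

def demo():
    now = [0.0]  # constructed clock so the run is deterministic
    hosted, own = FakeProvider("0x10"), FakeProvider("0x10")
    rpc = ResilientRpc([("hosted-gateway", hosted), ("own-node", own)], clock=lambda: now[0])
    out = [rpc.call("eth_blockNumber")["source"]]        # hosted answers
    hosted.up = False                                     # edge outage begins
    out += [rpc.call("eth_blockNumber")["source"] for _ in range(3)]
    out.append(hosted.calls)                              # third outage call skipped the open breaker
    own.up = False                                        # second failure domain lost
    out.append(rpc.call("eth_blockNumber"))               # degraded: stale read from cache
    return out

if __name__ == "__main__":
    print(demo())
```

The `stale` flag lets a frontend show a degraded read-only view instead of an error page, while transaction submission fails closed rather than reporting a cached acceptance.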
Fed to Banks: Focus on Real Risks, Not Paperwork
This week, the Federal Reserve announced new supervisory principles intended to loosen bank oversight, refocusing supervision on “material financial risks” and de-emphasizing process, procedure, and documentation. Under the new framework, the Fed is giving greater weight to quantifiable threats to financial firms—bad loans, liquidity stress, poor governance—versus administrative or procedural deficiencies. The memo emphasizes that examiners should not “become distracted by excessive attention to processes, procedures, and documentation.”
While many points were addressed in the memo, there are a few that we think are the most important to the market. The first is the set of changes to the MRA (matter requiring attention) and MRIA (matter requiring immediate attention) notices the Fed gives to banks with the most glaring regulatory lapses. MRAs and MRIAs get immediate attention from bank risk management departments and kick off a lengthy process of updating procedures, writing policies, and addressing any deficiencies outlined in the MRA/MRIA. Hopefully, you, reader, have not had to experience an MRA (God forbid an MRIA) because it is a notoriously frustrating and maddeningly inefficient process. Banks’ responses to MRAs and MRIAs are all internally driven; they are told of the deficiency in the MRA/MRIA by the Fed, but not how to remedy it. It is very typical for the process to include multiple iterations back and forth between bank risk departments and Fed examiners. Frequently, the first response by banks is not deemed to remedy the MRA/MRIA, and maddeningly, no feedback is given by the Fed on what was insufficient in the plan, nor any direction on how to improve it. This memo seeks to put an end to that, stating:
“Examiners and other supervisory staff will no longer be permitted to communicate MRAs and MRIAs in vague or overbroad language… Instead, they will be required to communicate MRAs and MRIAs with sufficient specificity so that a person of ordinary intelligence can readily know what the deficiency is underlying an MRA or MRIA and what a non-deficient state would be.”
Further, the memo also gives banks leeway to determine via their own audit departments whether MRAs/MRIAs have been resolved, rather than the Fed’s supervisory staff. Taken together with a reintroduction of supervisory observations as an option before issuing an MRA, this memo vastly reduces the regulatory burden of the MRA/MRIA process for banks.
The second point in the memo we think is significant to cover is the changing tone on the treatment of liquidity available to banks from the Federal Home Loan Banks (FHLBs). FHLB liquidity is available to member banks via “advances,” which are loans against high-quality collateral that the banks post to their FHLB. These loans are similar in kind to liquidity available from the Fed’s discount window, cheap with an implied government backstop (the FHLBs are government-sponsored enterprises). The memo says:
“[S]taff should not discourage or prohibit firms from taking into account liquidity available from the Federal Home Loan Banks (FHLBs) in managing their liquidity or performing their internal liquidity stress tests.”
Allowing FHLB undrawn capacity to count toward banks’ liquidity stress tests, primarily the restrictive LCR (Liquidity Coverage Ratio), would loosen bank liquidity requirements and spur credit creation. FHLB advances have been an important source of funds for banks in times of stress, particularly in the 2008 global financial crisis and in the 2023 U.S. banking crisis.
OUR TAKE:
Deregulatory actions coming out of the Trump administration are nothing to be surprised by. Trump’s first term in office saw a surge in bank consolidations and mergers as the grip on the regulatory reins was loosened. Trump’s second term is more of the same on the bank regulatory front, with the time for bank mergers to be consummated at a multi-year low, and deregulatory guidance such as this week’s memo.
On the one hand, as someone who has spent time on bank trading desks and as a risk manager here at Galaxy, seeing the updates to the MRA process gives me hope for rational reform. MRAs are important regulatory tools, but the process of dealing with supervisory staff can be unnecessarily frustrating and opaque when clear articulable paths to resolution are easily possible. The frustration of building a risk management policy to handle an MRA and sending it to regulators, only to be told that the response is insufficient, without any details on what is insufficient, is maddening. From that lens, this is a positive change.
On the other hand, there is an important balance to be struck between the risk-taking appetite of banks and the risk management directives of regulators. Regulators do need the tools and the access to do their jobs and prevent private risk-taking from becoming a public finance problem. Reducing duplicative effort by letting bank audit teams determine if MRAs/MRIAs are resolved, rather than Fed examiners, certainly streamlines the regulatory process. But removing the Fed’s say on whether the MRA/MRIA is resolved does expose the public to the varying quality of bank audit teams, versus a cohesive Fed examination staff.
From crypto’s point of view, this is a day late and a dollar short. FHLB advances featured prominently in Signature Bank’s contentious forced closure by the NYDFS. Signature had, according to FHLB-NY officials, an “adequate” liquidity position and billions in undrawn borrowing capacity at the FHLB-NY on Friday, March 10, 2023, and staff “were operating under the expectation that the bank would be open for business on Monday.” Nic Carter did fantastic reporting on this aspect of the 2023 banking crisis in his Operation Chokepoint 2.0 journalism. Signature had enough liquidity by the FHLB’s estimates, and by the contentions of its board member Barney Frank (of the Dodd-Frank Act), to survive the deposit outflows. But over the weekend, the NYDFS determined otherwise, putting the bank into receivership. If undrawn lines from the Federal Home Loan Bank System (FHLB) had been counted in the liquidity tests for a crypto-friendly bank like Silvergate, could its failure have been avoided? Barney Frank would likely say yes:
“[The bank] was solvent but not liquid. We could have become liquid with temporary funds from the Fed, which others later received… I think we were shot to encourage the other [banks] to stay away from crypto.”
Interestingly enough, this change in regulation may interplay well with the GENIUS Act and the pressures that stablecoins put on the traditional banking system. GENIUS-compliant stablecoins can purchase liquid federal government-issued assets. While FHLB debt (used to fund advances) does not qualify, it could be a good addition to the permitted portfolio composition. The FHLBs typically borrow from money market funds, and constrained market capacity in the past prevented them from providing more advances to SVB. If GENIUS-compliant stablecoins can purchase FHLB debt for their reserves, it may serve as a perfectly suited tamper to stablecoin-facilitated bank deposit flight. If GENIUS-compliant stablecoin funds can participate in the FHLB market, they can help bridge the bank financing gap caused by outflows from bank deposits that they themselves are predicted to create.
While it may irk some of my more libertarian-minded peers in crypto, regulators do have a place in markets. They exist to take away the punch bowl from the party before it gets too rowdy, and to protect the public from excessive private risk-taking. Like regulating the rampant fraud in the meat industry of the 1900s, which featured fun unregulated sausages filled with chemically treated rotten beef, sawdust, and dead rats, there are excesses and asymmetries in the financial markets that also need to be tamed for the public good. Finding the appropriate balance between protecting the public and encouraging investment is hard, but the most important things in life are. I will leave you with Fed Governor Barr’s comments on the memo:
“It is both natural and appropriate to regularly assess supervisory approaches and tools over time. After periods of crisis, regulators logically strengthen oversight to prevent a recurrence. After periods of relative stability, there is often pressure to lower the guardrails put in place. Adjustments can be constructive, but they must be made with foresight and care to preserve the hard-won resilience of the financial system.”
Extra! Extra! Journos’ Big-Number Claim Misses the Bigger Picture
On Monday, the International Consortium of Investigative Journalists published a series of reports, “The Coin Laundry,” highlighting blockchains’ use in illicit finance, stories that were later republished by major outlets, including The New York Times.
The reporting alleges that $28 billion in illicit funds flowed through major crypto exchanges, including Binance, OKX, ByBit, and others, over the past two years. The investigation also claims that funds linked to North Korean hackers, Southeast Asian scam networks, and crypto-to-cash brick and mortar operations were deposited on these platforms—even after U.S. sanctions and penalties targeted some of the entities involved.
The series further suggests that exchanges have financial incentives to overlook criminal activity, citing fee revenue as a motive, and criticizes what it calls the Trump administration’s weakening of crypto crime enforcement. Overall, the report frames large exchanges as key facilitators in a global laundering network, portraying crypto as a channel for illicit finance.
The investigation followed a prior ICIJ project called “Cyprus Confidential” that exposed how offshore financial networks, shell companies, and lax compliance regimes—particularly on the Mediterranean island—enabled sanctioned individuals and politically exposed persons to move funds undetected through the traditional banking system. Analysis for the crypto series relied on Chainalysis data, supplemented by public blockchain records and additional forensic work done by ICIJ reporters and expert consultants.
OUR TAKE:
As has been the case with much of the public reporting on crypto and illicit finance, the coverage overstates the scale of the issue, understates the progress made to mitigate it, and ignores the fact that traditional financial systems, despite having access to much more sophisticated KYC/AML mechanisms, still grapple with similar, if not greater, levels of illicit activity.
Taking the article’s headline figure of $28 billion in illicit inflows at face value, that represents just 0.52% of total exchange inflows for BTC, ETH, USDC, and USDT across 2024 and YTD 2025—an amount that rounds to statistical noise when compared with over $5.3 trillion in total inflows, and would be even less significant if all tokens were included.
Leading onchain analytic firms like Chainalysis and TRM Labs independently corroborate this. Chainalysis’ 2024 crypto crime trends report estimates that 0.14% of total onchain transaction volume was illicit, a significant decrease from 2023’s 0.61%. Similarly, TRM Labs showed that despite a 56% year-over-year increase in overall transaction volume from 2023-2024 to $10.6 trillion, illicit volume dropped by 24% to $45 billion, accounting for 0.4% of overall crypto transactions. The ICIJ’s $28 billion headline represents a sliver of the 2%–5% of global GDP ($800 billion to $2 trillion) the United Nations estimates is laundered annually through traditional banks.
The difference is not merely numerical. It’s also structural. Traditional finance still moves illicit capital through opaque, permissioned intermediaries; crypto’s transparency makes those flows visible and traceable by anyone with an internet connection. (Onchain sleuths like ZachXBT don’t have to file subpoenas.) Paradoxically, reports like those conducted by the ICIJ are possible precisely because blockchain data is open. That visibility has already driven enforcement success, not evasion. Some might argue that if anything, blockchains are too transparent for law-abiding consumers or regulated institutions, which may help explain the recent uptick in interest in privacy protocols like Zcash.
Critics who suggest regulation has weakened miss a more fundamental transformation. The GENIUS Act, which passed both chambers of Congress with veto-proof majorities, and Europe’s MiCA framework have turned stablecoins—the core settlement asset of crypto markets—into the most regulated form of digital money on earth. They are, as Galaxy Head of Firmwide Research Alex Thorn has previously written, “boringly safe” and “auditable” by design, built for transparency, not regulatory arbitrage.
Still, while the reporting fails to contextualize the relatively small scale of illicit crypto activity relative to traditional finance, it highlights a valid point: the industry must continue balancing the permissionless design that defines crypto with the controls needed to limit its abuse. Striking that balance will be an increasingly difficult challenge as new regulatory regimes like the pending U.S. market structure bill come into view, but it’s also essential for sustaining trust and integrating digital assets into the broader financial system. – Lucas Tcheyan
Charts of the Week
This week, Galaxy Research released its Q3 State of Leverage Report, covering crypto-based lending, digital asset treasury companies, and perpetual futures. Through Q3, onchain borrowing reached an absolute all-time high of $40.99 billion and an all-time high share of the crypto-backed lending market of 66.88%. Onchain borrowing continued its momentum into the first week of the fourth quarter, reaching a daily all-time high of $43.82 billion on Oct. 7. Since then, in the wake of the Oct. 10 flash crash, the amount of onchain borrows has collapsed 27.4% to $31.83 billion as of Nov. 19.
Still, onchain stablecoin interest rates are trending above the Federal Reserve’s Effective Fed Funds rate. The spread between Fed Funds and the weighted average stablecoin borrow rate on lending applications, such as Aave and Compound, sits at 181 basis points (bps) as of Nov. 19 with a 30-day average of 160 bps. The widening spread has been supported by a rate cut from the Fed and a slight tick higher in onchain rates.
Other News
⛽U.S. regulator OCC says banks can hold certain cryptos to pay gas fees
🦑Kraken confidentially files for IPO, raises $800m for $20b valuation
✅Trump's CFTC Pick Selig clears hurdle on way to confirmation vote
🔐Vitalik Buterin unveils Kohaku, a privacy-focused framework for Ethereum
🔍First public Bitcoin Core audit finds no critical vulnerabilities
📄Figure Technology files to offer series A blockchain stock (on Provenance)
🪟MegaETH to open pre-deposit window for USDm stablecoin next week
⛰️New Hampshire introduces bitcoin-backed municipal bond
The authors of this communication, along with Galaxy, hold financial interests in Bitcoin, Ether, and Solana. Galaxy regularly engages in buying and selling these assets, including hedging transactions, for its own proprietary accounts and on behalf of counterparties. Galaxy also provides services to vehicles that invest in Bitcoin, Ether, and Solana. If the value of such assets increases, those vehicles may benefit, and Galaxy’s service fees may increase accordingly. For more information, please refer to Galaxy’s public filings and statements. This newsletter provides links to other websites that we think might be of interest to you. Please note that when you click on one of these links, you may be moving to a provider’s website that is not associated with Galaxy. These linked sites and their providers are not controlled by us, and we are not responsible for the contents or the proper operation of any linked site. The inclusion of any link does not imply our endorsement or our adoption of the statements therein. We encourage you to read the terms of use and privacy statements of these linked sites as their policies may differ from ours. This document, and the information contained herein, has been provided to you by Galaxy Digital Holdings LP and its affiliates (“Galaxy”) solely for informational purposes. This document may not be reproduced or redistributed in whole or in part, in any format, without the express written approval of Galaxy. Neither the information, nor any opinion contained in this document, constitutes an offer to buy or sell, or a solicitation of an offer to buy or sell, any advisory services, securities, futures, options or other financial instruments or to participate in any advisory services or trading strategy. Nothing contained in this document constitutes investment, legal or tax advice. You should make your own investigations and evaluations of the information herein.
Any decisions based on information contained in this document are the sole responsibility of the reader. Certain statements in this document reflect Galaxy’s views, estimates, opinions or predictions (which may be based on proprietary models and assumptions, including, in particular, Galaxy’s views on the current and future market for certain digital assets), and there is no guarantee that these views, estimates, opinions or predictions are currently accurate or that they will be ultimately realized. To the extent these assumptions or models are not correct or circumstances change, the actual performance may vary substantially from, and be less than, the estimates included herein. None of Galaxy nor any of its affiliates, shareholders, partners, members, directors, officers, management, employees or representatives makes any representation or warranty, express or implied, as to the accuracy or completeness of any of the information or any other information (whether communicated in written or oral form) transmitted or made available to you. Each of the aforementioned parties expressly disclaims any and all liability relating to or resulting from the use of this information. Certain information contained herein (including financial information) has been obtained from published and non-published sources. Such information has not been independently verified by Galaxy and Galaxy does not assume responsibility for the accuracy of such information. Affiliates of Galaxy own investments in some of the digital assets and protocols discussed in this document. Except where otherwise indicated, the information in this document is based on matters as they exist as of the date of preparation and not as of any future date, and will not be updated or otherwise revised to reflect information that subsequently becomes available, or circumstances existing or changes occurring after the date hereof.
The foregoing does not constitute a “research report” as defined by FINRA Rule 2241 or a “debt research report” as defined by FINRA Rule 2242 and was not prepared by Galaxy Digital Partners LLC. For all inquiries, please email [email protected]. ©Copyright Galaxy Digital Holdings LP 2025. All rights reserved.